This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

--get-file and --put-file requires Admin to work on Share Folder #663

Closed
juliourena opened this issue Nov 1, 2022 · 0 comments

juliourena commented Nov 1, 2022

I'm trying to READ/WRITE a file from a share folder where my user has READ/WRITE privileges, but it doesn't work.

Looking at the code, I notice that the @requires_admin flag is set on the methods get_file and put_file, but for a share folder I don't need to be admin to READ/WRITE.

crackmapexec smb 10.129.203.121 -u engels -p "Testing9!" --shares
SMB         10.129.203.121  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
SMB         10.129.203.121  445    DC01             [+] inlanefreight.htb\engels:Testing9!
SMB         10.129.203.121  445    DC01             [+] Enumerated shares
SMB         10.129.203.121  445    DC01             Share           Permissions     Remark
SMB         10.129.203.121  445    DC01             -----           -----------     ------
SMB         10.129.203.121  445    DC01             ADMIN$                          Remote Admin
SMB         10.129.203.121  445    DC01             C$                              Default share
SMB         10.129.203.121  445    DC01             IPC$            READ            Remote IPC
SMB         10.129.203.121  445    DC01             IT              READ,WRITE

crackmapexec smb 10.129.203.121 -u engels -p "Testing9!" --put-file whoami.txt \\IT\whoami.txt --share IT
SMB         10.129.203.121  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
SMB         10.129.203.121  445    DC01             [+] inlanefreight.htb\engels:Testing9!

crackmapexec smb 10.129.203.121 -u administrator -p XXXXX --put-file whoami.txt whoami.txt --share IT
SMB         10.129.203.121  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
SMB         10.129.203.121  445    DC01             [+] inlanefreight.htb\administrator:XXXXX(Pwn3d!)
SMB         10.129.203.121  445    DC01             [*] Copy whoami.txt to \IT\whoami.txt
SMB         10.129.203.121  445    DC01             [+] Created file whoami.txt on \\ITwhoami.txt

The solution would be to remove the @requires_admin flag from those methods. I'll submit a PR.

@mpgn mpgn closed this as completed in c0753e7 Nov 1, 2022
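
A simplified model of the behaviour reported above, added here as an illustration and not CrackMapExec's own code: a client-side admin gate returns silently for a non-admin user, while the ungated method lets the share permissions decide. `ModelSession`, `put_file_gated`, `_write` and the decorator body are assumptions made for this sketch; the permissions are constructed from the `--shares` listing in the issue.

```python
from functools import wraps

def requires_admin(func):
    """Modelled client-side gate: skip the call silently unless admin_privs is set."""
    @wraps(func)
    def wrapper(self, *args, **kwargs):
        if not self.admin_privs:
            return None  # no log line, no error: the option appears to do nothing
        return func(self, *args, **kwargs)
    return wrapper

class ModelSession:
    """Hypothetical stand-in for an authenticated SMB session."""
    def __init__(self, user, admin_privs, share_perms):
        self.user = user
        self.admin_privs = admin_privs
        self.share_perms = share_perms  # constructed: share name -> set of rights
        self.log = []

    def _write(self, share, name):
        # Models the server-side decision, which depends on share permissions only.
        if "WRITE" not in self.share_perms.get(share, set()):
            self.log.append(f"[-] Error writing {name} to {share}: access denied")
            return False
        self.log.append(f"[+] Created file {name} on {share}")
        return True

    @requires_admin
    def put_file_gated(self, share, name):
        # Behaviour before the fix: never reached for a non-admin user.
        return self._write(share, name)

    def put_file(self, share, name):
        # Behaviour after removing the gate: the server's answer is reported.
        return self._write(share, name)

# Constructed sample matching the share listing shown for user engels.
engels = ModelSession("engels", False, {"IPC$": {"READ"}, "IT": {"READ", "WRITE"}})

if __name__ == "__main__":
    print("gated:", engels.put_file_gated("IT", "whoami.txt"), engels.log)
    print("ungated:", engels.put_file("IT", "whoami.txt"), engels.log)
    print("no write right:", engels.put_file("C$", "whoami.txt"), engels.log[-1])
```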