ACLs of every file inside a share

[syrull]

I wondered whenever we have a case where the share isn't writable but some files are actually writable, can we have an option to check for every file inside a share or would it be too much?

Here is the specific case:

SMB         xxx   445    DC               SYSVOL          READ            Logon server share

It is specified that you cannot WRITE to this share, however If I pull the smbcacls on a specific file on the share

$ smbcacls //xxx/SYSVOL /xxx/scripts/login.vbs -U 'x%x'
Password for [xxx]:
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:xxx\Domain Users 
ACL:BUILTIN\Administrators:ALLOWED/I/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/I/FULL
ACL:Everyone:ALLOWED/I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:BUILTIN\Server Operators:ALLOWED/I/READ

We can see that we actually can WRITE to this file. If you are up for it I am willing to create an eventual PoC of this.

[ILightThings]

If I remember correctly, they way that netexec tests for Write Access is by actually writing and deleting a file to the remote share. Its not a true enumeration of permissions. Just a warning.

[ILightThings]

Source code for SMBCacls

https://github.com/samba-team/samba/blob/master/source3/utils/smbcacls.c

[Marshall-Hallenbeck]

I actually found out how to get ACEs of folders without writing to them. One issue I see is that you'd have to recursively check each group if the user is a part of them with the ACE method, but there might be another way to do it.

@syrull would you just want to see READ/WRITE privileges, or entire ACEs?