
NTFS

NTFS is the default Windows file system.

Permissions

Permission   Description
----------   -----------
F            full access
D            delete access
N            no access
M            modify access
RX           read and execute access
R            read-only access
W            write-only access

icacls

icacls stands for Integrity Control Access Control List.

# check folder's permissions
icacls c:\windows\myfolder
# grant full permissions
icacls c:\windows\myfolder /grant <USER>:f
# remove permissions
icacls c:\users /remove <USER>

NTFS vs Share

  • NTFS permissions apply to the system where the folder and files are hosted.

  • Share permissions apply when the folder is accessed through SMB, typically remotely.

Someone logged in locally or via RDP only needs to consider NTFS permissions.

Example

Create a folder, turn it into a share, and review permissions for htb-student (Figure 1).

Although Everyone has READ access, this does not show below. This is because Windows Defender blocks access from any device that is not joined to the same workgroup, and proper inbound rules must be in place.

smbclient -L <TARGET-IP> -U htb-student
Enter WORKGROUP\htb-student's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	My Folder       Disk      
	IPC$            IPC       Remote IPC

Once inbound rules are in place, and because the account htb-student is part of the Everyone group, we will be able to inherit its permissions and access the share. We can then create a mount point; this is where the NTFS permissions must be considered alongside share permissions. A grey checkmark means that it was inherited from a parent directory (Figure 2).

sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //<TARGET-IP>/"My Folder" /home/user/Desktop/

If we list all the shared folders on the system, we will notice that more than just My Folder is shared. The C:\ directory is shared via SMB at install, which means anyone with proper access could remotely access it!

C:\Users\htb-student> net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
My Folder    C:\Users\htb-student\Desktop\My Folder

The command completed successfully.
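
To review every share from the listing above with both permission layers side by side, the following PowerShell audit is an added example and not part of the original notes. It assumes an elevated session on the host, and the `$BroadPrincipals` list is a choice made for this example.

```powershell
# Added example: for each SMB share on this host, report broad principals that
# are allowed by BOTH the share ACL and the NTFS ACL of the backing folder.
# Remote (SMB) access is limited by whichever of the two layers is more
# restrictive; local or RDP access is governed by the NTFS ACL alone.

# Assumption of this example: the principals considered "broad". Adjust as needed.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$report = foreach ($share in Get-SmbShare) {
    # IPC$ has no backing folder, so there is no NTFS ACL to read.
    if ([string]::IsNullOrEmpty($share.Path)) { continue }

    $shareAcl = Get-SmbShareAccess -Name $share.Name
    $ntfsAcl  = (Get-Acl -LiteralPath $share.Path).Access

    foreach ($who in $BroadPrincipals) {
        $viaShare = $shareAcl | Where-Object {
            $_.AccountName -eq $who -and $_.AccessControlType -eq 'Allow'
        }
        $viaNtfs = $ntfsAcl | Where-Object {
            $_.IdentityReference.Value -eq $who -and $_.AccessControlType -eq 'Allow'
        }

        # Only direct ACL entries are matched here. Nested group membership and
        # Deny entries are not resolved, so treat each row as a lead to verify.
        if ($viaShare -and $viaNtfs) {
            [pscustomobject]@{
                Share         = $share.Name
                Path          = $share.Path
                Principal     = $who
                ShareRight    = ($viaShare.AccessRight -join ', ')
                NtfsRights    = ($viaNtfs.FileSystemRights -join ', ')
                # Corresponds to the grey checkmark in the GUI (inherited entry).
                NtfsInherited = ($viaNtfs.IsInherited -contains $true)
            }
        }
    }
}

$report | Format-Table -AutoSize
```

A row for My Folder with Everyone in both columns matches the situation in Figures 1 and 2, where the share grants READ and the NTFS entry is inherited from the parent directory.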


Last updated 1 year ago

Figure 1: Turning a folder into a share and reviewing SMB permissions.
Figure 2: NTFS permissions of the My Folder directory.