Beyond the Read-Only Label: Precision SMB Exploitation
In Kioptrix-style labs, a read-only SMB share is often just the first misleading layer. The true vulnerability frequently lives one or two folders deeper, hidden beneath the surface of a restrictive share summary.
“Share permissions and NTFS ACLs do not always agree. Writable pockets can hide inside an otherwise restrictive tree.”
Stop the “brute-force wandering” and noisy testing that thins out your reports. Our method focuses on a low-noise, tactical approach to separating what looks read-only from what is truly unwritable.
- โ Assume: The label may be wrong.
- โ Narrow: Target the tree through bounded recursion.
- โ Validate: Use tiny, reversible probes for access.
- โ Prove: Document exactly one thing with clean evidence.
No drama. No static. Just defensible results.
- Share permissions and NTFS ACLs can create โwrite pocketsโ deeper in the tree.
- Bounded recursion finds those pockets without turning your session into a noise festival.
- A tiny create/rename/delete probe is enough proof without leaving scars.
Apply in 60 seconds: Decide your depth limit (e.g., 3) and your skip rules before you enumerate anything.
Table of Contents
Who this is for / not for
Who this is for
- US-based pentest students doing Kioptrix-style labs (authorized only)
- Blue teamers validating SMB misconfig paths for a hardening report
- Anyone who wants low-noise write-check logic thatโs repeatable and documented
Who this is not for
- Anything without explicit authorization (no โproduction curiosityโ)
- Credential spraying, lateral movement, or persistence workflows (out of scope)
- Anyone looking for โone magic commandโ instead of evidence-driven checking
Quick gut-check: if you canโt answer โWho owns this system?โ and โWhere is scope written down?โ without sweating, stop. In real work, the fastest way to fail is to be vague about permission. That is also why a clear penetration test statement of work template matters so much before you ever touch enumeration.
- Scope keeps your testing lawful.
- Scope keeps your data usable in a report.
- Scope prevents โI only meant toโฆโ moments.
Apply in 60 seconds: Write a single sentence in your notes: โAuthorized lab target, date, and goal: find one writable subpath only.โ
Scope first: what โread-only shareโ really means in SMB
Share permissions vs NTFS ACLs
SMB shares are a layered sandwich. The share permission is the โfront door policy.โ NTFS ACLs are the room-by-room locks inside. When you connect over the network, effective access is typically the most restrictive combination of the two. Microsoftโs own guidance on configuring share and NTFS permissions highlights that both layers matter, and you should expect the file system permissions to shape real access.
Thatโs how a share can look โread-onlyโ in a tool summary, yet still contain a deeper folder where a delegated group was granted Modify, or inheritance was broken, or a single subfolder was treated like an upload drop. This is also why summaries from utilities can mislead you in the same way that CME can report the wrong OS version: the first line of output is not always the final truth.
Inheritance gotchas: where ACLs stop inheriting and weirdness begins
Hereโs the plot twist that steals afternoons: ACL inheritance is not guaranteed to behave like your intuition. A folder can explicitly block inheritance or carry a custom ACL that doesnโt resemble its parent at all. In labs, that can be intentional misconfiguration. In production, itโs often the fossil record of an old migration, a rushed โtemporaryโ exception, or a service account that was granted too muchโฆ and never un-granted.
The three outcomes you must label distinctly
- Listable: you can see the folder name (directory listing succeeds)
- Readable: you can open/download a file inside
- Writable: you can create or change content (even if delete is blocked)
I learned this the embarrassing way. Early in my lab days, I celebrated because I could list a directory called โupload.โ Five minutes later, I was staring at โAccess deniedโ like it had personally insulted my family. Listing is not writing. Listing is flirting. Writing is a committed relationship. If youโve ever hit that exact wall, the pattern rhymes with smbclient listing without true access.
Show me the nerdy details
SMB โshare permissionsโ are evaluated at the share boundary, while NTFS ACLs are evaluated on each object (folder/file). If inheritance is blocked or an ACE is explicitly set on a child object, the child can behave differently than its parent. Tools that summarize โwritable: falseโ at the share root may not traverse and evaluate every child path, so they can miss pockets of effective Modify/Create permissions deeper in the tree.
Recursive path hunting: the low-noise algorithm that actually works
Letโs make this boring in the best way. Your goal is not โexploit everything.โ Your goal is: find one defensible writable subpath and prove it with minimal impact. Thatโs it. One clean win beats a hundred chaotic maybes.
The recursion strategy
Use bounded recursion: a depth limit plus skip rules. Think of it like exploring a library with a flashlight. You donโt need to scan every book spine to find the one shelf that has a sticky note saying โDROP FILES HERE.โ
- Breadth-first: you check many sibling folders early. Great when upload folders tend to live near the top.
- Depth-first: you follow one branch deeper. Great when shares are organized by department/project with nested ACL quirks.
In Kioptrix-style labs, breadth-first often finds โincoming/โ or โpublic/โ sooner. But if the share looks like โDepartments/HR/โฆโ, depth-first can be faster because ACL oddities often live in the โreal workโ leaf folders.
Skip rules: avoid the noise traps without missing gold
- Skip folders that are obviously huge (e.g., backups, ISO dumps, media archives)
- Skip โsystem-yโ paths unless your lab goal requires them (e.g., printer driver shares)
- Skip deep recursion once you have one confirmed writable path
Personal note: I used to โjust recurse everythingโ because it felt thorough. It also felt like watching paint dry, except the paint was my patience. Guardrails are kindness. The same principle shows up in safe CrackMapExec SMB reconnaissance flags: tight controls beat noisy enthusiasm.
Write-test primitives (minimal impact)
Your write test should be tiny, reversible, and obvious in a report. In authorized labs, the safest primitives usually look like:
- Create a tiny temp file (0โ1 KB)
- Rename it (proves Modify-like behavior)
- Delete it (cleanup and proof)
If delete fails, you might be in a โwrite-but-not-deleteโ pocket. Thatโs still a meaningful finding. Document it cleanly and donโt escalate your behavior to โforce cleanup.โ
Handling confusing errors without spiraling
- Access denied: youโre blocked by permissions at that path
- Read-only attribute: can be a file attribute or an interpretation by a client tool (does not always equal ACL denial)
- Bad network name: path/share mismatch, alias confusion, or a mapping issue
When the error message is vague, your job is to be structured, not dramatic. Change one variable at a time. Write down what changed. Future-you will thank you with snacks. If the whole problem starts one step earlier at connection time, check your assumptions against common smbclient tree connect failures before blaming the folder itself.
Evidence output you want (report-friendly)
Make a โwritable path tableโ as you go. Donโt wait until the end when your terminal scrollback becomes an archaeological dig.
| Path | Probe | Result | Notes |
|---|---|---|---|
| \\TARGET\SHARE\candidate\subfolder | create โ rename โ delete | PASS / PARTIAL / FAIL | error text, timestamp, user context |
- Bound recursion prevents โinfinite treeโ pain.
- Small probes prevent accidental damage.
- A table turns chaos into evidence.
Apply in 60 seconds: Create a single note template with columns: Path, Probe, Result, Notes.
๐ก Read the official smbclient guidance
Tooling menu: pick one lane and stay consistent
Tools are opinions with flags. The mistake is bouncing between three tools without a consistent definition of โwritable,โ then blaming the target for being โweird.โ Choose one primary lane, then use a second method only to resolve contradictions.
smbclient recursion workflow (Linux)
smbclient (from Samba) behaves like an FTP-style client for SMB shares. It can list directories and interact with files in a way thatโs easy to log. In a lab, itโs a strong choice because itโs transparent: you see exactly what you tried and what the server replied.
Lab-safe posture: keep your actions to listing and tiny temp-file probes. Avoid bulk downloads. Avoid overwriting anything you didnโt create.
smbmap / CrackMapExec checks (lab-safe posture)
Tools like smbmap and CrackMapExec can summarize shares quickly, but summaries often reflect root-level assumptions. The tricky part is that โshare writable: falseโ can still coexist with โsubpath writable: true.โ Thatโs not the tool lying, itโs the tool being a tool.
Rule of thumb: use these tools to discover candidate paths, then validate with a direct probe at the specific folder you care about. If you get blocked before that stage, compare with patterns from smbmap access denied troubleshooting and SMBMap NT_STATUS_LOGON_FAILURE fixes.
Windows-native options (PowerShell + mapped paths)
If your lab scenario includes a Windows foothold, native access can reduce friction. You can test create/rename/delete in a single folder without introducing extra binaries. This also tends to be easier to explain to defenders later because it resembles normal admin behavior.
One of my favorite โoperator sanityโ tricks: name your temp file like _write_probe_dont_panic.txt. It sounds silly, but it makes cleanup obvious and intent easy to explain.
Show me the nerdy details
Different tools may evaluate writability differently: some test creating a file, others test directory creation, and others infer access from metadata. SMB servers can also enforce permissions via share settings, NTFS ACLs, and sometimes additional controls (e.g., policies/auditing). When tools disagree, default to the simplest direct evidence: an actual create/rename/delete probe in the target folder, using minimal bytes and immediate cleanup.
Curiosity gap: why โone writable folderโ is enough
Thereโs a particular kind of lab adrenaline that whispers: โIf I found one writable folder, there must be five.โ That voice is not your friend. The professional move is to stop at sufficient proof.
The leverage principle
One writable subpath can enable safe lab actions like:
- Uploading a harmless test artifact to validate misconfiguration
- Diffing configs or leaving a proof file that supports a finding
- Demonstrating how inconsistent ACLs create unintended write access
In real engagements, this is where youโd pivot into a scoped next step thatโs explicitly authorized. In labs, itโs where you earn your โclean notesโ badge. That reporting discipline also makes your findings easier to translate into a polished deliverable later, whether you use a Kali pentest report template or a more professional OSCP-style report format.
Hereโs what no one tells youโฆ
The first writable folder you find is often the worst one to use. It might be busy, sensitive, or full of legitimate files that you risk touching by accident. Choose the least disruptive path: empty, low-traffic, easy to justify.
- One confirmed writable pocket is enough to prove the issue.
- Choosing a quiet folder reduces accidental impact.
- Evidence beats exploration.
Apply in 60 seconds: Write down your stopping rule: โStop after first PASS path with clean cleanup.โ
Common mistakes that waste hours (and spike noise)
Mistake #1: treating listing success as write success
Listing is cheap and flattering. It makes you feel like youโre โin.โ But โinโ is not the same as โable to change.โ If you treat listable as writable, youโll chase phantom paths for an hour and then blame the lab image.
Mistake #2: recursion without guardrails
Unbounded recursion is how you end up enumerating a folder tree the size of a small continent. Worse, it can generate noisy access attempts that clutter logs and slow the server. Depth limit. Skip rules. Breathe.
Mistake #3: write tests that leave scars
Uploading binaries, overwriting existing files, or creating lots of artifacts is not โtesting,โ itโs vandalism with better vocabulary. If your proof requires cleanup drama, your method is wrong.
Letโs be honestโฆ
โIโll clean it up laterโ is a magical sentence that turns into โWhy is my temp file still there?โ The easiest cleanup is the one you do immediately, every time. The same habit applies to screenshots and notes too, which is why a sensible screenshot naming pattern saves so much post-lab pain.
Donโt do this: the โaccidental exploitationโ traps in read-only shares
This is the section where we keep your lab write-up from sounding like you swung a sledgehammer at a locked door.
The trap list (with safer substitutes)
- Donโt overwrite files: use a unique temp filename you created
- Donโt mass-test every folder: sample intelligently, then stop after proof
- Donโt assume a single toolโs summary: verify with a direct probe on the exact path
When your tool contradicts itself
If one tool says โno,โ and another says โyes,โ it usually means they tested different things (root vs subpath, file create vs directory create, or โinferredโ vs โobservedโ). Reconcile it like an adult: repeat a tiny direct probe in the specific folder and record the exact server response.
Show me the nerdy details
Tool disagreement is often a methodology mismatch: some utilities only check share-level flags, some test a single create operation at the share root, and some rely on parsing listing metadata. SMB servers can return different errors depending on whether the client attempts to create a file, create a directory, rename an object, or delete it. Thatโs why a 4-step probe (create, list, rename, delete) yields clearer evidence than a single โwritable?โ boolean.
Curiosity gap: signals that a writable subpath is hiding nearby
Breadcrumbs in directory structure
Some folder names are basically neon signs. Not guarantees, but good candidates to check early:
- incoming/, upload/, drop/, public/
- temp/, staging/, transfer/
- Department/project folders where delegated write is common
ACL smell tests
- Permissions that appear non-inherited (child behaves differently than parent)
- Odd ownership on a folder compared to its neighbors
- โModifyโ style behavior without delete (a classic โpartial writeโ pocket)
Anecdote: I once ignored a folder called โstaging_oldโ because it sounded irrelevant. It was the only place with write access. The folder name was basically the lab author whispering, โLook here.โ I was the one being stubborn. Naming clues can be just as revealing elsewhere too, whether you are interpreting what nmblookup output really means or figuring out why nbtscan shows a hostname but no shares.
Validation: prove writability without causing damage
The minimal proof package
Your proof should fit on one screen:
- Create a tiny temp file
- List the directory and show it exists
- Rename the file (proves you can change state)
- Delete the file (cleanup and proof)
If youโre writing a lab report, capture the exact error messages. No theatrics, no guesses. Just โI attempted X in folder Y and got response Z.โ Thatโs the kind of sentence that survives peer review and late-night self-doubt.
If delete is blocked
โWrite-but-not-deleteโ happens. Document it as PARTIAL PASS, include the exact server response, and stop. In a real org, that pattern can still be risky (it allows file planting and clutter). In a lab, itโs a valid finding and a lesson in how nuanced permissions can be.
Mini calculator: how long will your bounded recursion take?
This is not a prophecy. Itโs a sanity check so you donโt start a 40-minute walk when you only have 8 minutes.
Estimated time: โฆ
Neutral next step: If the estimate feels too long, tighten depth or add a skip rule before you start.
Documentation: turn messy output into a clean finding
This is where you go from โI think I saw somethingโ to โI can defend this finding in one paragraph.โ And yes, this is also where your future self stops hating your past self.
The one-page โWritable Subpathsโ section
Write it in two layers:
- Executive summary: plain-English statement of what you found and why it matters
- Technical appendix: exact folder path, probe method, and server response
Severity and remediation mapping (lab-to-real-world thinking)
In real environments, the remediation story often includes:
- Fixing overly broad NTFS ACLs and restoring sane inheritance where appropriate
- Aligning share permissions with intended access (and documenting the model)
- Enabling auditing where itโs appropriate for your orgโs risk posture
Microsoft documents the mechanics of share vs NTFS permissions and also explains how file share auditing can be enabled, which is useful context when youโre writing remediation recommendations for defenders. If you want to frame that remediation in a more business-ready way, it helps to think in the language of vulnerability remediation SLAs and how stakeholders actually read a penetration test report.
Decision card: Breadth-first vs Depth-first recursion
| Pick this whenโฆ | You wantโฆ | Trade-off |
|---|---|---|
| Breadth-first | Fast discovery of obvious upload/drop folders near the top | More directory listings early |
| Depth-first | Finding โweird ACL pocketsโ deep in project/department trees | Risk of going deep into a dead branch |
Neutral next step: Choose one approach and write down why, before you touch the share.
Quote-prep list: what to gather before you compare or report
- Exact share and subpath (copy/paste, no typos)
- Account context (user/service/guest) and how you authenticated in the lab
- Probe method used (create / rename / delete) and outcomes
- Any tool disagreement notes (what each tool actually tested)
- Cleanup status (confirmed deleted, or delete denied with error)
Neutral next step: Put these five bullets into your lab template so you donโt reinvent documentation every time.
Infographic: the low-noise writable subpath workflow
Depth limit + skip rules + stopping rule.
List folders calmly. Record candidates.
Create โ rename โ delete (or document delete denied).
One confirmed path is enough proof.
๐ก Read the official Microsoft share and NTFS permissions guidance
๐ก Read the official Windows file share auditing guidance
FAQ
1) Can an SMB share be read-only but still have writable folders inside?
Yes. Effective access can vary by subpath because share permissions and NTFS ACLs are evaluated differently. A tool may summarize the share root as read-only while a deeper folder has a custom ACL that permits creation or modification.
2) Whatโs the difference between share permissions and NTFS permissions?
Share permissions are applied at the share boundary for network access. NTFS permissions are applied to folders and files on disk. In practice, your effective permission over SMB is constrained by both layers, and the most restrictive combination often wins.
3) Whatโs the safest way to test if a subfolder is writable in a lab?
A tiny, reversible probe: create a uniquely named temp file, rename it, then delete it immediately. If delete fails, document that outcome and stop. Avoid overwriting or uploading anything you didnโt create.
4) Why do smbmap or CME sometimes miss writable subpaths?
Many tools check share-level conditions or test a single path (often the share root) and then present a summary. If the writable permissions live deeper in the tree, a root-level test wonโt see them. Direct probing at the exact folder is the clean tie-breaker.
5) How do I handle a folder that allows create but denies delete?
Treat it as โpartial write.โ Document the create success and delete denial with the exact error. Donโt attempt aggressive cleanup methods. In real environments, this is still a meaningful misconfiguration because it can allow clutter or file planting.
6) Is recursive enumeration โnoisyโ on Windows event logs?
It can be, depending on server auditing configuration. Listing and access attempts may generate logs if file share auditing is enabled. Thatโs one reason bounded recursion and stopping rules matter even in labs: good habits transfer.
7) What directory names commonly indicate upload-style write permissions?
Names like incoming, upload, drop, public, temp, staging, or transfer are common candidates. They are not guarantees, but they are efficient places to check early, especially in training labs.
8) How do I log evidence of write access for a pentest report?
Use a table with: path, probe type, result (pass/partial/fail), and notes including timestamps and exact error messages. One screenshot of the probe sequence plus the table is often stronger than pages of raw output.
9) Should I use breadth-first or depth-first recursion for SMB trees?
Breadth-first is often faster for finding obvious โdropโ folders near the top. Depth-first can be better for nested department/project trees where ACL weirdness hides deep. Pick one and record why, then stick to your guardrails.
10) Whatโs the quickest way to stop once Iโve found a usable writable path?
Confirm the path with a single clean probe (create/rename/delete or document delete denied), record the evidence, and stop enumerating. The goal is sufficient proof, not maximum discovery.
Conclusion
So hereโs the quiet truth behind the โread-onlyโ label: itโs often just the headline, not the full story. In Kioptrix-style labs, the real lesson is path nuance. Share permissions and NTFS ACLs can create little permission islands, and your job is to find one, prove it gently, and document it like a professional.
My favorite outcome is when your notes read like a calm lab report instead of an emotional diary. One bounded recursion pass. One tiny probe. One clean table. Then you stop, because you already got the proof you came for. If you want that whole workflow to feel even more disciplined, it pairs nicely with a Kali lab logging routine and a reusable enumeration template.
Eligibility checklist (lab-safe)
- Yes/No: You have explicit authorization for this lab target.
- Yes/No: You defined depth limit + skip rules + stopping rule.
- Yes/No: Your probe is tiny, unique, and immediately cleaned up.
- Yes/No: Youโre recording evidence in a table as you go.
Neutral next step: If any answer is โNo,โ fix that first before touching the share again.
Coverage tier map: how strong is your permission evidence?
- Tier 1: Listing only (weak evidence)
- Tier 2: Read confirmed (open/download a file)
- Tier 3: Create confirmed (tiny temp file)
- Tier 4: Modify confirmed (rename succeeds)
- Tier 5: Full hygiene confirmed (delete succeeds or delete-denied documented)
Neutral next step: Aim for Tier 4 or Tier 5 on exactly one folder, then stop.
Your next 15-minute step: pick a depth limit (2โ4), choose breadth-first or depth-first, enumerate only until you have 3โ5 candidate folders, then run a single tiny create/rename/delete probe on the best candidate. Record the outcome in your table and end the session while itโs still clean.
Last reviewed: 2026-03-07