Part of the OSAI Prep series — HTB writeups mapped to OWASP LLM Top 10.
Machine Summary
| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Very Easy |
| OS | Windows |
| Vulnerability | Unauthenticated SMB share access |
| OWASP Mapping | A01 — Broken Access Control |
Reconnaissance
```
nmap -sC -sV -oN nmap.txt 10.129.19.44
```
Several open ports, but port 445 — SMB — immediately stands out. The host script results show a security mode of 3:1:1: user-level authentication, challenge-response enabled, but message signing disabled. Disabled message signing means the server won’t verify the integrity of SMB packets, which opens the door to relay attacks. More immediately: the server is advertising guest or null session access — we can enumerate shares without credentials.

Listing available shares reveals at least one accessible without a password. We connect using smbclient with the -N flag (no password) and retrieve the flag from within.

Privilege Escalation
Not required. The flag was accessible directly from the unauthenticated SMB share — no foothold, no lateral movement needed.
Root Cause
SMB was configured to allow guest or null session access to one or more shares, with no password required. Message signing was also disabled, compounding the risk. An attacker reaching port 445 can enumerate every share, browse their contents, and exfiltrate any readable file — without providing a credential.
This is not a subtle misconfiguration. It is a complete absence of access control on a network file service.
The AI Equivalent
OWASP LLM Top 10 Mapping: LLM06 — Sensitive Information Disclosure
SMB guest access is a storage layer that forgot it was supposed to be gated. The LLM parallel is the unprotected vector database or RAG retrieval endpoint — Chroma, Weaviate, Qdrant, and Milvus instances routinely deployed in development mode without authentication, then promoted to production without anyone locking them down.
Anyone who can reach the port can query the entire corpus: user documents, embedded PII, retrieved context chunks, cached tool call results. An attacker running smbclient -L //host -N is doing the same thing as an attacker curling http://vector-db:8080/api/v1/collections — both get a full directory listing of what’s inside, and both can pull the contents without a password.
In agentic deployments, the exposure is worse: the vector store often holds the agent’s working memory — conversation history, retrieved documents, user-specific context. Unauthenticated read access to that store means an attacker doesn’t need to break the model; they can read everything the model knows.
Lessons Learned
- Never expose SMB shares without authentication. Guest and null sessions should be explicitly disabled in production: `RestrictNullSessAccess = 1` in the Windows registry, or `map to guest = never` in Samba config.
- Enable SMB message signing. Disabled signing allows relay attacks (NTLM relay, Pass-the-Hash) even when credentials are required. Require signing on all domain-joined Windows hosts.
- Audit share permissions separately from filesystem permissions. A share that “requires a password” but has world-readable NTFS ACLs underneath still exposes data once the share is accessed. Defense in depth means both layers hold.
- Apply the same logic to AI storage layers. Vector databases, Redis instances, and object stores used by LLM pipelines need the same access control discipline as any file server. Default open is default exploitable.
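
A small auditor for the Samba side of the first two lessons, added here as an example (it is not code from the original writeup). The `smb.conf` contents and share names are constructed samples, and only `map to guest`, `guest ok` / `public` and `server signing` are checked.

```python
# Constructed smb.conf samples (hypothetical shares), not taken from the target host.
WEAK_CONF = """
[global]
   map to guest = Bad User
   server signing = disabled
[public]
   path = /srv/public
   guest ok = yes
"""
HARDENED_CONF = """
[global]
   map to guest = never
   server signing = mandatory
[public]
   path = /srv/public
   guest ok = no
"""
TRUE_VALUES = {"yes", "true", "1", "on"}  # Samba boolean spellings for "enabled"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased with spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or smb.conf comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(text):
    """List findings for the guest-access and signing lessons above."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("maptoguest", "never") != "never":  # Samba's default is Never
        findings.append("global: map to guest is not 'never'")
    if glob.get("serversigning", "default") != "mandatory":
        findings.append("global: server signing is not 'mandatory'")
    for name, params in conf.items():
        guest = params.get("guestok", params.get("public", "no"))
        if name != "global" and guest in TRUE_VALUES:
            findings.append(f"{name}: guest ok is enabled")
    return findings

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```

Running `testparm -s` first and feeding its output to `audit()` lets the check see the effective configuration rather than the raw file.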