
James K.


Cracking the Shell: Enumerating SMB and SSH in the INE Skill Check Lab

Hello, or welcome back, depending on whether you read my past article. This one details another CTF along my learning path. It focused on enumeration techniques to identify and analyze running services on the target machine. The challenge required me to apply my knowledge of network and system enumeration to identify misconfigurations, weak credentials and potential security vulnerabilities. I had to capture the following four flags, and this article details how I went about that.

Flag 1

Hint: There is a samba share that allows anonymous access. Wonder what's in there!

My first step was to ping the target to confirm that it was reachable, then an nmap scan to discover the ports on which samba was running. I also used a few NSE scripts to further enumerate the ports. To enumerate the shares, I used enum4linux to determine which shares allowed anonymous login.

enum4linux

The results showed that there were two shares, but neither of them allowed anonymous access. This meant that to find the share containing the flag, I needed to brute-force share names. A wordlist was provided for this, and with a little help from ChatGPT I came up with a simple script that loops through each share name in the wordlist and tests whether anonymous access is allowed.

for share in $(cat your_wordlist.txt); do smbclient -N \\\\TARGET_IP\\$share -c "ls" 2>/dev/null && echo "[+] FOUND SHARE: $share"; done


Here's a brief explanation of the script:

  • for share in...: loops through every line in your wordlist.
  • smbclient ... \\$share: attempts to connect to that specific share name.
  • 2>/dev/null: silences the "Bad Network Name" errors so the screen isn't flooded with failures.
  • && echo ...: Only prints the name if the connection is successful.

After saving the script to a file and making it executable, I ran it to identify the share that allowed anonymous access. The share found was pubfiles, and it held the first flag.
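The share the loop above discovers is reachable because of a server-side misconfiguration rather than anything clever on the client. As an added example (my own code, not part of the lab or the original post), here is a small checker that parses a Samba smb.conf and reports every share that permits guest access, plus the global "map to guest" setting that decides whether a failed login is downgraded to guest. The sample configuration embedded below is constructed for illustration; the share names mirror the ones in this write-up but the paths and settings are invented.

```python
"""Report shares in an smb.conf that allow anonymous (guest) access.

Constructed example for a defender-side review of Samba configuration.
"""
import re
from typing import Dict, List

# Constructed sample smb.conf; names echo the lab, everything else is made up.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[pubfiles]
   path = /srv/samba/pubfiles
   guest ok = yes
   read only = yes

[josh]
   path = /home/josh/share
   valid users = josh
   guest ok = no

[backup]
   path = /srv/backup
   public = yes
   browseable = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, values lower-cased,
    so 'Guest  OK = Yes' and 'guest ok = yes' compare equal.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip().lower()
    return sections


def share_allows_guest(share: Dict[str, str], global_section: Dict[str, str]) -> bool:
    """True when the share is reachable without credentials.

    'guest ok' and its synonym 'public' grant guest access; a share-level
    parameter placed in [global] acts as the default for every share.
    'guest only' forces guest access regardless.
    """
    if share.get("guest only", "no") in TRUE_VALUES:
        return True
    default = global_section.get("guest ok", global_section.get("public", "no"))
    flag = share.get("guest ok", share.get("public", default))
    return flag in TRUE_VALUES


def find_guest_shares(text: str) -> List[str]:
    """Return the names of all shares that allow guest access, in file order."""
    sections = parse_smb_conf(text)
    global_section = sections.get("global", {})
    return [
        name
        for name, params in sections.items()
        if name != "global" and share_allows_guest(params, global_section)
    ]


def map_to_guest(text: str) -> str:
    """Return the [global] 'map to guest' value ('never' is Samba's default)."""
    return parse_smb_conf(text).get("global", {}).get("map to guest", "never")


if __name__ == "__main__":
    print("map to guest:", map_to_guest(SAMPLE_SMB_CONF))
    for share in find_guest_shares(SAMPLE_SMB_CONF):
        print("guest-accessible share:", share)
```

Running this against a real /etc/samba/smb.conf is a quick way to catch a share like pubfiles before a share-name wordlist does; note that the "backup" share is flagged even though it is not browseable, which is exactly the case that anonymous directory listings miss but a name guess finds.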

script result

Access the share with the smbclient tool, using the command:
smbclient //target.ine.local/pubfiles -N
After downloading the file to our local system with the get command, we can view its contents and find the first flag.

Flag 1

Flag 2

Hint: One of the samba users has a bad password. Their private share with the same name as their username is at risk!

In the enum4linux results in the previous step, I found a few usernames, and as the hint suggests, one of these users has a weak password.

enumusers

I used Metasploit to brute-force the passwords of the samba users with the smb_login module. I created a simple text file containing the usernames found and set it as the user_file; the file containing the passwords to try was also provided. After setting all the required options and running the module, the results showed the user and the weak password.

weakuser

The hint says that the share with the same name as their username is the one at risk, so access the share using smbclient:
smbclient //target.ine.local/josh -U josh
Again, download the file found and view its contents to get the second flag.

flag2

Flag 3

Hint: Follow the hint given in the previous flag to uncover this one.

The hint for this flag was left in the previous flag, which suggested that there's an FTP service running and that we should check its banner. To find the service and the port it's running on, I used nmap and found the service on port 5554.

nmap

Trying to connect using the ftp command reveals that the accounts of ashley, alice and amanda have weak passwords and they should be changed.

ftpbanner

The next step is to brute-force these users, and the tool I used is Hydra.
I added the newly discovered usernames to the users.txt file I had created earlier and found the weak password:

WeakUser2

Metasploit also has a module for this, ftp_login. I tried it out and the results were the same.

ftp_login

Now having the credentials, connecting to the ftp service and getting the flag was simple.
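Both the smb_login run in Flag 2 and the Hydra/ftp_login runs in this flag leave the same footprint on the server: a burst of failed logins from one source, often followed by a success. As an added example (my own code, not part of the lab or the original post), here is detection logic that walks SSH, FTP and SMB log lines, counts failures per source and service, and raises an alert either when failures cross a threshold or when a success follows failures from the same source. The log lines are constructed; the SSH and FTP lines are modelled on typical sshd and vsftpd messages, while the smbd_audit line is an assumed pipe-delimited format chosen for the example rather than Samba's real output.

```python
"""Flag password-guessing bursts across SSH, FTP and SMB logs.

Constructed example; log formats are modelled on common daemons but are not
captured from the lab machine.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: one source guessing against three services.
SAMPLE_LOGS = [
    'sshd[2101]: Failed password for invalid user admin from 10.10.5.7 port 51000 ssh2',
    'sshd[2101]: Failed password for josh from 10.10.5.7 port 51002 ssh2',
    'sshd[2101]: Accepted password for josh from 10.10.5.7 port 51004 ssh2',
    'vsftpd: [ashley] FAIL LOGIN: Client "10.10.5.7"',
    'vsftpd: [alice] FAIL LOGIN: Client "10.10.5.7"',
    'vsftpd: [amanda] FAIL LOGIN: Client "10.10.5.7"',
    'vsftpd: [ashley] OK LOGIN: Client "10.10.5.7"',
    # Assumed format: user|source|action|result  (not real smbd_audit output)
    'smbd_audit: josh|10.10.5.7|connect|fail',
    'smbd_audit: josh|10.10.5.7|connect|fail',
    'smbd_audit: josh|10.10.5.7|connect|ok',
    'sshd[2102]: Failed password for root from 192.168.1.20 port 40000 ssh2',
]

# (service, pattern) pairs; each pattern yields user, src and a result word.
PATTERNS = [
    ("ssh", re.compile(
        r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("ftp", re.compile(
        r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<src>[\d.]+)"')),
    ("smb", re.compile(
        r"smbd_audit: (?P<user>[^|]+)\|(?P<src>[\d.]+)\|connect\|(?P<result>ok|fail)")),
]
SUCCESS_WORDS = {"Accepted", "OK", "ok"}


def parse_event(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (service, user, source_ip, succeeded) or None for unrelated lines."""
    for service, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return (service, match.group("user"), match.group("src"),
                    match.group("result") in SUCCESS_WORDS)
    return None


def detect_bruteforce(lines: List[str], threshold: int = 3) -> Dict[str, Dict[str, dict]]:
    """Summarise login attempts per (source, service) and keep the suspicious ones.

    A (source, service) pair is reported when its failure count reaches
    `threshold`, or when a success arrives after at least one failure from the
    same source: that second rule catches a guessed password even when the
    wordlist was short enough to stay under the threshold.
    """
    stats: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        service, user, src, succeeded = event
        entry = stats[src].setdefault(service, {
            "failures": 0, "users": set(), "success_after_failures": False})
        if succeeded:
            if entry["failures"] > 0:
                entry["success_after_failures"] = True
        else:
            entry["failures"] += 1
            entry["users"].add(user)

    alerts: Dict[str, Dict[str, dict]] = {}
    for src, services in stats.items():
        for service, entry in services.items():
            if entry["failures"] >= threshold or entry["success_after_failures"]:
                alerts.setdefault(src, {})[service] = {
                    "failures": entry["failures"],
                    "users": sorted(entry["users"]),
                    "success_after_failures": entry["success_after_failures"],
                }
    return alerts


if __name__ == "__main__":
    for src, services in detect_bruteforce(SAMPLE_LOGS).items():
        for service, info in services.items():
            print(f"{src} {service}: {info}")
```

The distinct-user list is the useful pivot: many users with one failure each from one source is the shape of a spray against a banner-leaked user list like ashley/alice/amanda, while many failures against one user is the shape of the smb_login run against josh.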

flag3

Flag 4

Hint: This is a warning meant to deter unauthorized users from logging in.

Some research revealed that the SSH banner is the administrative message configured on a server to warn users before authentication. This hinted that the flag is in the banner. Trying to connect to the SSH service revealed the banner and the final flag.

flag4
