eJPT - 1.3 CTF Enumeration

Question 1
There is a samba share that allows anonymous access. Wonder what's in there!
Firstly, after we run our Nmap scan, we can see that we have SSH and SAMBA open. We can run an enum4linux command to see what shares are open and accessible, but in this case neither of the two shares is accessible anonymously. Since we have been provided with a text file of share names, we can test these to see if any of them allow anonymous access.
To avoid having to test each one individually, I have created a bash script to automate it:
vim samba_enum.sh
#!/bin/bash
target="10.10.10.5" # Replace with your actual target IP
wordlist="/root/Desktop/wordlists/shares.txt"

# Read the wordlist line by line so share names are not word-split or globbed
while IFS= read -r share; do
    [ -z "$share" ] && continue   # skip blank lines
    echo "[*] Trying anonymous access to: //$target/$share"
    # -N: no password prompt; -c 'ls': list the share root, then exit
    if smbclient "//$target/$share" -N -c 'ls' 2>/dev/null; then
        echo "[+] SUCCESS: Anonymous access allowed to '$share'"
    else
        echo "[-] Access denied to '$share'"
    fi
done < "$wordlist"
We can now make the script executable and run it.
chmod +x samba_enum.sh
./samba_enum.sh
We can now see that the share pubfiles allows anonymous access and within it is our first flag. To access it, we can use smbclient.
smbclient //target.ine.local/pubfiles -N
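From the server side, the condition this question relies on (a share that does not show up in the share listing but still accepts guest sessions) can be found by auditing smb.conf. The script below is an added example, not part of the original write-up; the sample configuration and its share settings are constructed, and the function names are hypothetical.

```bash
# Added example: report Samba shares that accept guest (anonymous) sessions.
# Constructed sample smb.conf; the share settings are assumptions.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
[public]
   guest ok = no
[pubfiles]
   path = /srv/pubfiles
   browseable = no
   guest ok = yes
[scans]
   Public = Yes
[josh]
   valid users = josh
EOF
}

# Prints "<share> <listed|hidden>" for every share that accepts guests.
audit_guest_shares() {
    awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function emit() {
        if (share != "" && tolower(share) != "global" && guest)
            print share, (browse ? "listed" : "hidden")
    }
    BEGIN { dguest = 0; dbrowse = 1 }           # Samba defaults
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # section header
        emit(); share = $0
        sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        guest = dguest; browse = dbrowse; next  # inherit [global] defaults
    }
    /=/ {
        key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = truthy(val)
        if (key == "browseable" || key == "browsable") browse = truthy(val)
        if (tolower(share) == "global") { dguest = guest; dbrowse = browse }
    }
    END { emit() }' "$1"
}

conf=$(mktemp); write_sample_conf "$conf"
audit_guest_shares "$conf"; rm -f "$conf"
```

A share reported as hidden is only missing from the listing; anyone who guesses its name can still open it without credentials, so the fix is to turn guest access off rather than rely on `browseable = no`.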
Question 2
One of the samba users have a bad password. Their private share with the same name as their username is at risk!
When we ran our enum4linux command earlier, we saw that it had identified 4 users. Let's create a file called users.txt with those usernames in it. We can then use Hydra with the unix_passwords.txt wordlist that's also under /root/Desktop/wordlists to brute-force the password. Alternatively, we can use the Metasploit module smb_login to brute-force the credentials (which I will be doing).
Now that we have obtained credentials, we can log in to the SMB share using them.
smbclient //target.ine.local/josh -U josh
Question 3
Follow the hint given in the previous flag to uncover this one.
To check this, we can run an Nmap scan of all the ports. We can see that the service is listening on port 5554. We can now attempt to log in to it.
ftp target.ine.local 5554
However, upon trying to do so, we can see that we have to provide credentials. Only 3 users are mentioned. Let's create another file or update our existing one to contain those usernames. We can now use Hydra to brute-force credentials. We can now log in to obtain the third flag.
Question 4
This is a warning meant to deter unauthorized users from logging in.
As we saw from our Nmap scan, we have an SSH service running on port 22. Log in and we have the last flag.
That’s it for this section. Next one up is the vulnerability assessment section.
— Hmad