Assessment Methodologies: Enumeration CTF 1 (EJPT INE)
Hi all.
Our next CTF is Enumeration.
Q.1 There is a samba share that allows anonymous access. Wonder what’s in there!
For Samba enumeration, we first want to know which shares exist and which of them allow anonymous login. enum4linux collects that information: it lists the shares it can find together with their access permissions.
Run the following command:

enum4linux -a target.ine.local

From the results, we can see that this server exposes two shares, neither of which allows anonymous login. The share we are looking for is therefore not listed, so we can try to guess other share names from a wordlist.
We can write a short Bash script for this. Using the wordlist at /root/Desktop/wordlists/shares.txt, save the script as shares.sh:
#!/bin/bash
# Define the target and wordlist location
TARGET="target.ine.local"
WORDLIST="/root/Desktop/wordlists/shares.txt"

# Check that the wordlist file exists
if [ ! -f "$WORDLIST" ]; then
    echo "Wordlist not found: $WORDLIST"
    exit 1
fi

# Loop through each share name in the wordlist
while read -r SHARE; do
    [ -z "$SHARE" ] && continue   # skip blank lines
    echo "Testing share: $SHARE"
    # -N: no password (null session); -c "ls": run one command and exit.
    # stdin is redirected from /dev/null so smbclient cannot consume the wordlist.
    if smbclient "//$TARGET/$SHARE" -N -c "ls" </dev/null >/dev/null 2>&1; then
        echo "[+] Anonymous access allowed for: $SHARE"
    else
        echo "[-] Access denied for: $SHARE"
    fi
done < "$WORDLIST"

After making the file executable, we can run it. The script reports which share names accept an anonymous connection.
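Seen from the server side, the same weakness is visible in the Samba configuration before anyone has to guess a share name: a share with guest ok = yes is exactly what the wordlist run above finds. The audit script below is an added example written for this post, not code from the lab or from INE. It assumes a standard smb.conf layout (and Samba's default of restrict anonymous = 0, under which anonymous connections map to the guest account); both configurations inside it are constructed, the second one showing the settings that close the gap.

```python
"""Audit an smb.conf for shares Samba will serve without credentials (added example)."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
TRUE_VALUES = {"yes", "true", "1", "on"}   # the spellings Samba accepts for booleans


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"].strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key = " ".join(m["key"].lower().split())   # "Guest  OK" -> "guest ok"
            sections[current][key] = m["value"].strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def anonymous_shares(sections):
    """Share names an unauthenticated (null-session, i.e. guest) client can open.

    'guest ok' (synonym 'public') is the per-share switch. The [global]
    'map to guest' setting decides whether *bad* credentials are also treated
    as guest; that widens the exposure but does not change this list.
    """
    found = []
    for name, params in sections.items():
        if name == "global":
            continue
        if is_true(params.get("guest ok", params.get("public", "no"))):
            found.append(name)
    return sorted(found)


def audit(text):
    sections = parse_smb_conf(text)
    return {
        "anonymous_shares": anonymous_shares(sections),
        "map to guest": sections.get("global", {}).get("map to guest", "Never"),
    }


# Constructed config mirroring the lab: one guest share, one per-user share.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[pubfiles]
   path = /srv/samba/pubfiles
   guest ok = yes
   read only = yes

[josh]
   path = /srv/samba/josh
   valid users = josh
   guest ok = no
"""

# Constructed hardened version: no guest shares, bad credentials are rejected,
# and anonymous connections are refused outright.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2

[pubfiles]
   path = /srv/samba/pubfiles
   valid users = @staff
   guest ok = no
   read only = yes

[josh]
   path = /srv/samba/josh
   valid users = josh
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Run against the weak config the audit names pubfiles and reports map to guest = Bad User, which means a mistyped username would also land in the guest account; against the hardened config it finds nothing. The parser deliberately ignores lines it does not understand instead of failing, so it can be pointed at a real smb.conf with includes or unusual parameters.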
As we can see, the pubfiles share allows anonymous access.
We can connect to this share with the following command:

smbclient //target.ine.local/pubfiles -N

After downloading the file to our local system, we can read its contents with the cat command. Our first flag is:
Flag 1: ec16bc35f93d4e93a9b48ca747e331d4

Q.2 One of the Samba users has a bad password. Their private share, with the same name as their username, is at risk!
In enum4linux, we identified a few usernames: josh, bob, nancy, and alice.
As the question suggests, one of these accounts has a weak password. We can use Metasploit to test passwords against SMB.
To do this, we use the scanner/smb/smb_login module. We create our own users.txt file containing these four usernames and set it as USER_FILE.
For PASS_FILE, set the location to /root/Desktop/wordlists/unix_passwords.txt.
Then start the module with run.
The module reports the valid username and password. Since the question says the share has the same name as the username, we log in to that share with:
smbclient //target.ine.local/josh -U josh
After downloading the file to our local system, we can read its contents with the cat command. Our second flag is:
Flag 2: 2ea59c892e6343b78273aba7ce4140ec

Q.3 Follow the hint given in the previous flag to uncover this one.
While capturing flag2.txt, we noticed a hint that an FTP service is running. Let's use nmap to find which port it is listening on.
From the results, we see that FTP is running on port 5554. Let's try to connect.
When we connect, the server tells us that the accounts ashley, alice, and amanda have weak passwords and suggests changing them. Let's try to brute-force these accounts with Hydra. The command is:

hydra -L users.txt -P /root/Desktop/wordlists/unix_passwords.txt ftp://target.ine.local:5554
I’ve added the three usernames (ashley, alice, and amanda) to the users.txt file.
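From the defender's side, the smb_login run in Q.2 and the Hydra run above leave the same footprint in the service logs: a burst of failed logins for several usernames from one client within seconds, sometimes followed by a success. The detector below is an added example written for this post, not code from the lab or from INE. The log lines are constructed in the style of vsftpd's log (the exact FAIL LOGIN / OK LOGIN wording is an assumption about that format), and the 60-second window and threshold of 8 are arbitrary tuning values.

```python
"""Flag password guessing against an FTP service from its log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's log style (wording is an assumption, not a capture).
SAMPLE_LOG = """\
Mon Jun  3 10:00:01 2024 [pid 2101] [ashley] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:01 2024 [pid 2102] [alice] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:01 2024 [pid 2103] [amanda] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:02 2024 [pid 2104] [ashley] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:02 2024 [pid 2105] [alice] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:02 2024 [pid 2106] [amanda] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:03 2024 [pid 2107] [ashley] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:03 2024 [pid 2108] [alice] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:03 2024 [pid 2109] [amanda] FAIL LOGIN: Client "10.10.14.7"
Mon Jun  3 10:00:04 2024 [pid 2110] [ashley] OK LOGIN: Client "10.10.14.7"
Mon Jun  3 10:05:00 2024 [pid 2200] [bob] FAIL LOGIN: Client "10.10.14.9"
Mon Jun  3 10:05:30 2024 [pid 2201] [bob] OK LOGIN: Client "10.10.14.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
WINDOW = timedelta(seconds=60)   # tuning values chosen for this example
THRESHOLD = 8


def parse_log(text):
    """Return (timestamp, client_ip, username, success) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per client whose failed logins within any `window` reach `threshold`.

    A successful login from the same client after the burst is reported as well:
    that account should be treated as compromised, not merely probed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = []
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        start, peak, peak_users = 0, 0, set()
        for end in range(len(fails)):            # sliding window over failures only
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak = end - start + 1
                peak_users = {user for _, user in fails[start:end + 1]}
        if peak >= threshold:
            successes = sorted({user for ts, user, ok in evs if ok and ts >= fails[0][0]})
            alerts.append({
                "ip": ip,
                "failures_in_window": peak,
                "users_tried": len(peak_users),
                "logins_after_burst": successes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, 10.10.14.7 produces one alert (9 failures across 3 usernames, then a successful login as ashley), while the single typo-and-retry from 10.10.14.9 stays below the threshold. Counting distinct usernames alongside failures is what separates a password-spraying or wordlist run from one user forgetting their password; Samba's own log at a high enough log level can be fed through the same logic with a different LINE_RE.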
We can log in to the FTP server using the username and password.
After downloading the file to our local system, we can read its contents with the cat command. Our third flag is:
Flag 3: dc6ea4029bfd42548c2bf19be77d8498

Q.4 This is a warning meant to deter unauthorized users from logging in.
Reviewing the nmap results, we find that another service, SSH, is running. Let's try to connect to it.
The login warning banner shown on connecting contains our last flag, which is:
Flag 4: 4a03de945ffb4bc0947c3dfe5d4e507b

Thank you for reading!
Happy Hacking!