# CTF - Enumeration

***

### Question 1

> There is a samba share that allows anonymous access. Wonder what's in there!

First, after running our Nmap scan, we can see that SSH and Samba are open. We can run an `enum4linux` command to see which shares are open and accessible, but in this case neither of the two shares is accessible anonymously. Since we have been provided with a text file of share names, we can test these to see if any of them allow anonymous access.

To avoid having to test each one individually, I have created a bash script to automate it:

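```bash
vim samba_enum.sh
```

```bash
#!/bin/bash
# Try an anonymous (no-password) listing of every share name in the wordlist.
target="10.10.10.5"  # Replace with your actual target IP
wordlist="/root/Desktop/wordlists/shares.txt"

# Read one share name per line so names containing spaces are not split.
while IFS= read -r share; do
  [ -z "$share" ] && continue
  echo "[*] Trying anonymous access to: //$target/$share"
  # -N skips the password prompt; -c 'ls' lists the share root and exits.
  # stdin is redirected so smbclient cannot consume the wordlist.
  if smbclient "//$target/$share" -N -c 'ls' 2>/dev/null </dev/null; then
    echo "[+] SUCCESS: Anonymous access allowed to '$share'"
  else
    echo "[-] Access denied to '$share'"
  fi
done < "$wordlist"
```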

We can now make the script executable and run it.

```bash
chmod +x samba_enum.sh
./samba_enum.sh
```

We can now see that the share `pubfiles` allows anonymous access and within it is our first flag. To access it, we can use `smbclient`.

```bash
smbclient //target.ine.local/pubfiles -N
```
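
The same exposure can be checked from the server side. As an added example (not part of the original walkthrough), the function below lists the shares in an smb.conf-style file that allow guest access and whether each one is browseable. The sample config, its paths and the `scans` share are constructed, and marking `pubfiles` as non-browseable is an assumption.

```shell
#!/bin/sh
# Added example: report shares that permit guest (anonymous) access.
# Reads smb.conf-style text from a file argument or stdin and prints
# "<share> guest=yes browseable=<yes|no>" for each matching share.
# Only per-share settings are checked; [global] defaults are ignored.
guest_shares() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
      if (section != "" && tolower(section) != "global" && guest)
        printf "%s guest=yes browseable=%s\n", section, (browse ? "yes" : "no")
    }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[.*\]/ {                      # start of a new [section]
      report()
      section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
      section = trim(section); guest = 0; browse = 1
      next
    }
    index($0, "=") {                       # key = value line
      key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      val = trim(substr($0, index($0, "=") + 1))
      gsub(/[ \t]+/, " ", key)
      if (key == "guest ok" || key == "public") guest = truthy(val)
      if (key == "browseable" || key == "browsable") browse = truthy(val)
    }
    END { report() }
  ' "$@"
}

# Constructed sample configuration (not taken from the lab target).
sample_conf() {
  cat <<'EOF'
[global]
   workgroup = WORKGROUP
[pubfiles]
   path = /srv/pubfiles
   browseable = no
   guest ok = yes
[josh]
   path = /home/josh
   valid users = josh
   guest ok = no
[scans]
   path = /srv/scans
   public = yes
EOF
}

sample_conf | guest_shares
```

A share reported with `browseable=no` is not shown in share listings but still answers to anyone who supplies its name, which is why this check reads the configuration rather than relying on what enumeration displays.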

### Question 2

> One of the samba users has a bad password. Their private share with the same name as their username is at risk!

When we ran our `enum4linux` command earlier, we saw that it had identified 4 users. Let's create a file called `users.txt` with those usernames in it. We can then use Hydra with the `unix_passwords.txt` wordlist that's also under `/root/Desktop/wordlists` to brute-force the password. Alternatively, we can use the Metasploit module `smb_login` to brute-force the credentials (which I will be doing).

Now that we have obtained credentials, we can log in to the SMB share using them.

```bash
smbclient //target.ine.local/josh -U josh
```

### Question 3

> Follow the hint given in the previous flag to uncover this one.

To check this, we can run an Nmap scan of all the ports. We can see that the FTP service is open on port 5554. We can now attempt to log in to the service.

```bash
ftp target.ine.local 5554
```

However, upon trying to do so, we can see that we have to provide credentials. Only 3 users are mentioned. Let's create another file, or update our existing one, to contain those usernames. We can then use Hydra to brute-force the credentials and log in to obtain the third flag.

### Question 4

> This is a warning meant to deter unauthorized users from logging in.

As we saw from our Nmap scan, we have an SSH service running on port 22. Log in and we have the last flag.
