Description
Oops! Someone accidentally sent an important file to a network printer - can you retrieve it from the print server?
Setup
Install smbclient and (optionally) enum4linux up front - both are needed for SMB recon.
Launch the challenge instance and note the host and port.
sudo apt install -y smbclient enum4linuxSolution
Walk me through it- Step 1Enumerate SMB sharesUse SMB-aware recon, not a plain port check. nmap's smb-enum-shares script (or enum4linux) gives you share names, types, and access flags in one shot. The -N flag in smbclient performs a null/anonymous bind - no username or password needed.bash
nmap -p <PORT_FROM_INSTANCE> --script smb-enum-shares,smb-enum-users <HOST>bashenum4linux -a -p <PORT_FROM_INSTANCE> <HOST>bashsmbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -NLearn more
SMB (Server Message Block) is the file-sharing protocol used by Windows and Linux (via Samba). Network printers frequently use SMB to receive print jobs - documents are sent to a shared print queue folder, and the printer processes them in order. This "print spooler" mechanism means print jobs may temporarily exist as files on the server before printing.
The
smbclient -Lcommand lists all shares advertised by the server. A typical output includes share names, types (Disk, Printer, IPC), and comments. TheIPC$share (Inter-Process Communication) is always present and used for management;ADMIN$andC$are administrative shares requiring admin credentials; custom shares like "shares" or "print" are application-specific.Network discovery tools for SMB include:
nmap -p 445 --script smb-enum-shares(structured enumeration),enum4linux(comprehensive SMB info gathering), andcrackmapexec smb HOST(modern all-in-one SMB tool). These provide more information than baresmbclient -Lbut are blocked by many enterprise firewalls and IDS systems. For more on the broader recon toolkit see Networking tools for CTF. - Step 2Connect to the 'shares' shareConnect anonymously to the share named 'shares' that appeared in the listing.bash
smbclient //<HOST>/shares -p <PORT_FROM_INSTANCE> -NLearn more
Allowing anonymous (null session) SMB access to a share means anyone on the network can read its contents without authentication. This was acceptable on isolated internal networks in the 1990s but is a serious misconfiguration in any modern environment. Many IoT devices, printers, and NAS boxes still ship with anonymous SMB enabled by default.
The SMB share path format is
//hostname/sharename(Unix) or\\hostname\sharename(Windows notation). smbclient accepts either format. When connecting to a non-standard port,-p PORTis required - standard SMB ports are 445 (modern SMB over TCP) and 139 (legacy NetBIOS-over-TCP).From a defender's perspective, SMB shares should always require authentication, use least-privilege access control, and be monitored for unusual access patterns. Network segmentation (preventing workstations from directly reaching print servers) and firewall rules blocking SMB from external interfaces are foundational controls.
- Step 3Download and read the flag fileList the files in the share and download flag.txt.bash
smb: \> lsbashsmb: \> get flag.txtbashsmb: \> exitbashcat flag.txtLearn more
In real incidents, files accidentally sent to network printers are a significant data leakage risk. Sensitive documents - tax forms, employee records, contracts, medical records - are often printed without people realising that print jobs persist on the print server before and after printing. If the print server is accessible on the network with weak security, anyone can read these files.
The
getcommand in smbclient transfers the file from the remote share to your local current directory. For investigating all files in a share,mget *(withprompt OFF) downloads everything at once. After downloading, usefileandstringsto identify file types and search for flags - print jobs may be in PDF, PCL, PostScript, or other printer-specific formats rather than plain text.This challenge is an introduction to a real attack technique. In penetration tests, finding sensitive files on misconfigured SMB shares is extremely common - it's one of the first things to check after gaining network access. Password files, configuration backups, HR documents, and source code are frequent finds.
Flag
picoCTF{...}
The print server exposes an SMB share with no authentication required. Anonymous access via smbclient -N reveals flag.txt directly in the 'shares' share.