Description
Oops! Someone accidentally sent an important file to a network printer - can you retrieve it from the print server?
Setup
Install smbclient - it is the only tool needed for this challenge.
Launch the challenge instance and note the host and port.
    sudo apt install -y smbclient
Solution
Step 1
Enumerate SMB shares
Observation
I noticed the challenge description referenced a network printer and print server, which suggested the file was stored on an SMB share, so listing available shares with a null session was the natural first move.
List shares using smbclient -L. The -N flag performs a null/anonymous bind - no username or password needed.
    smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -N
Expected output
picoCTF{5mb_pr1nter_5h4re5_...}
What didn't work first
Tried: Run nmap with smb-enum-shares against the host and port before trying smbclient.
nmap's SMB scripts target port 445 by default and do not accept an arbitrary -p override in the same way smbclient does. On a non-standard port the script probes the wrong socket and reports no SMB service, giving a false negative. smbclient -L with -p passes the port directly to the TCP connection, so it reaches the challenge server correctly.
Tried: Omit -N and let smbclient prompt for a password, then press Enter for a blank password.
Without -N, smbclient still attempts authentication but may negotiate a different security level and send an empty-string credential rather than a true null session. Some Samba configurations reject blank passwords while permitting genuine null binds. Using -N explicitly signals a null session and is the reliable way to enumerate anonymous shares.
Learn more
SMB (Server Message Block) is the file-sharing protocol used by Windows and Linux (via Samba). Network printers frequently use SMB to receive print jobs - documents are sent to a shared print queue folder, and the printer processes them in order. This "print spooler" mechanism means print jobs may temporarily exist as files on the server before printing.
The smbclient -L command lists all shares advertised by the server. A typical output includes share names, types (Disk, Printer, IPC), and comments. The IPC$ share (Inter-Process Communication) is always present and used for management; ADMIN$ and C$ are administrative shares requiring admin credentials; custom shares like "shares" or "print" are application-specific.
Network discovery tools for SMB include: nmap -p 445 --script smb-enum-shares (structured enumeration), enum4linux (comprehensive SMB info gathering), and crackmapexec smb HOST (modern all-in-one SMB tool). These provide more information than bare smbclient -L but are blocked by many enterprise firewalls and IDS systems. For more on the broader recon toolkit see Networking tools for CTF.
Step 2
Connect to the 'shares' share
Observation
I noticed the share enumeration output listed a share named 'shares' alongside the standard IPC$ management share, which suggested 'shares' was the application-level share where print job files would actually reside.
Connect anonymously to the share named 'shares' that appeared in the listing.
    smbclient //<HOST>/shares -p <PORT_FROM_INSTANCE> -N
What didn't work first
Tried: Connect to IPC$ instead of 'shares' because IPC$ always appears in the -L listing.
IPC$ is the inter-process communication share used for named pipes and management calls, not for file storage. Connecting to it succeeds but ls returns nothing useful because it holds no files. The flag lives in the application share named 'shares' that also appeared in the listing.
Tried: Use the Windows UNC path format with backslashes (\\HOST\shares) directly in the Linux terminal.
Unquoted backslashes in bash are escape characters, so \\HOST\shares is interpreted as \HOST\shares and then as HOSTshares by the shell before smbclient ever sees it. The fix is to either quote the path or use the forward-slash format //HOST/shares that smbclient also accepts natively.
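The share types described under Step 1 and the IPC$ note above can be applied mechanically when reviewing what a server advertises to an unauthenticated client. The following is an added example, not part of the original walkthrough; the sample listing is constructed, and the function names and class labels are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: triage the share table printed by `smbclient -L ... -N`.

# Constructed sample in the layout smbclient prints (not captured output).
sample_listing() {
  printf '\t%-15s %-10s%s\n' \
    Sharename Type Comment  --------- ---- ------- \
    shares Disk 'constructed comment' \
    'print$' Disk 'constructed comment' \
    'IPC$' IPC 'constructed comment'
  printf 'SMB1 disabled -- no workgroup available\n'
}

# Reads a listing on stdin, prints "name<TAB>type<TAB>class" per share.
classify_shares() {
  awk '
    /^[ \t]+Sharename[ \t]+Type/    { in_table = 1; next }  # header row
    in_table && /^[ \t]+-+[ \t]+-+/ { next }                # dashed underline
    in_table && !/^[ \t]/           { in_table = 0 }        # table has ended
    # Anchor on the type column so share names with spaces stay whole.
    in_table && match($0, /[^ \t][ \t]+(Disk|Printer|IPC)([ \t]|$)/) {
      name = substr($0, 1, RSTART);               sub(/^[ \t]+/, "", name)
      type = substr($0, RSTART + 1, RLENGTH - 1); gsub(/[ \t]/, "", type)
      if (type == "IPC")          class = "management"
      else if (name ~ /\$$/)      class = "administrative"
      else if (type == "Printer") class = "print-queue"
      else                        class = "review"   # plain Disk share
      printf "%s\t%s\t%s\n", name, type, class
    }'
}

# Names of Disk shares that an unauthenticated listing exposed.
shares_to_review() {
  classify_shares | awk -F '\t' '$3 == "review" { print $1 }'
}
```

Every name printed by shares_to_review is a file share that was visible without credentials and should be checked for an authentication requirement.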
Learn more
Allowing anonymous (null session) SMB access to a share means anyone on the network can read its contents without authentication. This was acceptable on isolated internal networks in the 1990s but is a serious misconfiguration in any modern environment. Many IoT devices, printers, and NAS boxes still ship with anonymous SMB enabled by default.
The SMB share path format is //hostname/sharename (Unix) or \\hostname\sharename (Windows notation). smbclient accepts either format. When connecting to a non-standard port, -p PORT is required - standard SMB ports are 445 (modern SMB over TCP) and 139 (legacy NetBIOS-over-TCP).
From a defender's perspective, SMB shares should always require authentication, use least-privilege access control, and be monitored for unusual access patterns. Network segmentation (preventing workstations from directly reaching print servers) and firewall rules blocking SMB from external interfaces are foundational controls.
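One way to check a Samba server for the anonymous-access misconfiguration described above (an added example, not part of the original walkthrough): the function reads smb.conf text and reports every share that permits guest access, with a weak share shown beside a corrected one. The sample configuration, its paths and group name, and the function names are constructed for illustration; line continuations and include files are not handled.

```shell
#!/usr/bin/env bash
# Added example: list Samba shares whose configuration permits guest access.

# Constructed smb.conf: two weak shares and one corrected share.
sample_conf() {
  cat <<'EOF'
[global]
   workgroup = WORKGROUP
[shares]
   path = /srv/print-spool
   Guest OK = yes
   read only = no
[drivers]
   public = yes
[spool-fixed]
   path = /srv/print-spool
   guest ok = no
   valid users = @printops
EOF
}

# Reads smb.conf text on stdin; prints "share<TAB>finding" lines.
audit_guest_access() {
  awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*([#;]|$)/ { next }                       # comments and blank lines
    /^[ \t]*\[.*\]/ {                                # section header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      sec = tolower(sec); if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
      next
    }
    index($0, "=") {                                 # names ignore case and spaces
      key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "public") key = "guestok"           # synonym of guest ok
      if (key == "writable" || key == "writeable") { key = "readonly"; val = truthy(val) ? "no" : "yes" }
      conf[sec, key] = val
    }
    END {                                            # [global] supplies share defaults
      for (i = 1; i <= n; i++) {
        s = order[i]; if (s == "global") continue
        g = ((s, "guestok") in conf) ? conf[s, "guestok"] : conf["global", "guestok"]
        r = ((s, "readonly") in conf) ? conf[s, "readonly"] : conf["global", "readonly"]
        if (truthy(g)) print s "\t" (r != "" && !truthy(r) ? "guest access, writable" : "guest access, read-only")
      }
    }'
}
```

Feed it the live configuration with audit_guest_access < /etc/samba/smb.conf (the usual location on Debian-family systems); no output means no share grants guest access.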
Step 3
Download and read the flag file
Observation
I noticed after connecting to the 'shares' share that an ls command would reveal any files stored there, and a file named flag.txt is the standard CTF artifact to retrieve and read.
List the files in the share and download flag.txt.
    smb: \> ls
    smb: \> get flag.txt
    smb: \> exit
    cat flag.txt
Learn more
In real incidents, files accidentally sent to network printers are a significant data leakage risk. Sensitive documents - tax forms, employee records, contracts, medical records - are often printed without people realising that print jobs persist on the print server before and after printing. If the print server is accessible on the network with weak security, anyone can read these files.
The get command in smbclient transfers the file from the remote share to your local current directory. For investigating all files in a share, mget * (with prompt OFF) downloads everything at once. After downloading, use file and strings to identify file types and search for flags - print jobs may be in PDF, PCL, PostScript, or other printer-specific formats rather than plain text.
This challenge is an introduction to a real attack technique. In penetration tests, finding sensitive files on misconfigured SMB shares is extremely common - it's one of the first things to check after gaining network access. Password files, configuration backups, HR documents, and source code are frequent finds.
Flag
picoCTF{5mb_pr1nter_5h4re5_...}
The print server exposes an SMB share with no authentication required. Anonymous access via smbclient -N reveals flag.txt directly in the 'shares' share.