picoCTF Solutions
picoCTF 2026General SkillsMedium

Printer Shares 3

Published: March 20, 2026

Description

I accidentally left the debug script in place... Well, I think that's fine - No one could possibly access my super secure directory.

Setup

Launch the challenge instance and note the host and port.

This is the third Printer Shares challenge -- focus on the debug script mentioned in the description.

sudo apt install smbclient

Solution

  1. Step 1Connect to the SMB share anonymously
    Despite the 'super secure directory' claim, the SMB share itself is still accessible without credentials. Use null authentication (-N flag) to enumerate and connect.
    smbclient -L //<HOST> -p <PORT_FROM_INSTANCE> -N
    smbclient //<HOST>/shares -p <PORT_FROM_INSTANCE> -N
  2. Step 2Recursively browse and find debug.sh
    Enable recursive listing to find all files including the accidentally-left debug script.
    smb: \> recurse ON
    smb: \> ls
    # Locate debug.sh in the directory tree
    smb: \> get debug.sh
  3. Step 3Read the debug script for the flag
    The debug script contains hardcoded credentials, paths, or directly echoes/prints the secret. Inspect it locally to extract the flag.
    cat debug.sh
    # The flag or credentials to the secure area are inside the script

Flag

picoCTF{pr1nt3r_shar3s_3_d3bug_...}

Despite claims of security, the SMB share allows anonymous access. A debug.sh script was accidentally left in the share -- it contains hardcoded credentials or the flag itself.