💡 Enum4linux is a tool for extracting information from Windows and Samba systems. Its aim is to offer functionality comparable to the now-defunct enum.exe, which was formerly available from www.bindview.com. Enum4linux is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
CHALLENGE OVERVIEW
- CTF Creator: John Hammond
- Link: Basic Pentesting
- Difficulty: Easy
- Target: user flag and final flag
- Highlight: extracting credentials from an SMB server with SMBmap
- Tools used: nmap, dirb, enum4linux, john, hydra, linpeas, ssh
- Tags: security, boot2root, cracking, webapp
BACKGROUND

This is a pretty standard type of CTF challenge that involves some recon, gaining an initial foothold, lateral privilege escalation, and discovery of the flags.
It was a great way to review how to use the standard pentesting tools (i.e., nmap, dirb, smbmap, john, hydra).
If you are just starting with CTF challenges, you may find some of the tools and concepts to be a bit more technical. Please check out the video walkthrough if anything is unclear in this write-up!
ENUMERATION/RECON

IP ADDRESSES
export targetIP=10.10.192.10
export myIP=10.6.2.23
ENUMERATION
NMAP SCAN
nmap -A -p- -T4 -oX nmap.txt $targetIP
- -A: enable OS detection, version detection, script scanning, and traceroute
- -p-: scan all ports
- -T4: timing template 4 (1-5, with 5 being the fastest)
- -oX: output as an XML-type file
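Because the scan is written with -oX, the result can be post-processed instead of read by eye. The following is an added example (not part of the original write-up) that parses nmap's XML output with the Python standard library and summarises the open ports per service. The XML embedded in the script is a constructed sample in nmap's output schema, not the actual scan of the box; the product names and versions in it are made up for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, not the scan result from the write-up.
# Element names and attributes follow nmap's XML output; the hosts, versions and
# states are made up for the demo.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -p- -T4 -oX nmap.txt 10.10.192.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.192.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.192.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per scanned port: host, port, protocol, state, service, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts nmap could not reach carry no <ports> block
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        ports = host.find("ports")
        if ports is None:
            continue
        for port in ports.findall("port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "version": service.get("version", "") if service is not None else "",
            })
    return records


def open_ports(records):
    """Only the open ports, sorted by host then port number."""
    return sorted((r for r in records if r["state"] == "open"),
                  key=lambda r: (r["host"], r["port"]))


def service_summary(records):
    """Map service name -> list of 'host:port (product version)' strings for open ports."""
    summary = {}
    for r in open_ports(records):
        label = f"{r['host']}:{r['port']}"
        detail = " ".join(x for x in (r["product"], r["version"]) if x)
        if detail:
            label += f" ({detail})"
        summary.setdefault(r["service"], []).append(label)
    return summary


def load_nmap_file(path):
    """Parse a real -oX file from disk, e.g. the nmap.txt written by the scan above."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())


if __name__ == "__main__":
    for svc, where in service_summary(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(f"{svc:12} {', '.join(where)}")
```

Filtered and closed ports are kept in the parsed records but left out of the summary, so the same records can later be diffed against an authorised-services list to spot anything listening that should not be.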

DIRB SCAN
dirb http://$targetIP -o dirb.txt
- -o: output to <filename>

WALK THE WEBSITE

Check our dev note section if you need to know what to work on. (I found this hint in the source code.)
http://10.10.192.10/development/

Reading through these two documents, we learn the following interesting things:
- User “J” has a weak password hash in /etc/shadow that can be cracked easily!
- We may be able to find an exploit for REST version 2.5.12
Searching through exploit-db, we find two possibilities:
- https://www.exploit-db.com/exploits/45068
- https://www.exploit-db.com/exploits/42627 (this one is probably it!)

I tried out this python exploit, but didn’t have any luck. Let’s move forward for now and enumerate the SMB server.
ENUMERATING SMB
smbmap -a $targetIP
We see a listing for an anonymous login in our results. However, we aren’t able to log in as anonymous.
USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS

enum4linux -a 10.10.192.10
- -a: do all simple enumeration (-U -S -G -P -r -o -n -i)


Found users: kay and jan.
My guess is that our first user credential with the easy hash will be for user jan, because the hidden file j.txt in the /development folder was written to “J”.
USING HYDRA TO BRUTEFORCE A PASSWORD FOR JAN/KAY
hydra -l jan -t 4 -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
hydra -l kay -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
Discovered password for jan: armando
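A wordlist attack like the one above is loud on the target: sshd writes one "Failed password" line per attempt to the auth log, followed by an "Accepted password" line when the guess lands. The following is an added example (not from the original write-up) of the detection a defender would run over that log: a sliding-window counter that raises an alert when one source IP accumulates a burst of failures, and a second, higher-priority alert when a login is accepted from an IP that is still inside such a burst. The log excerpt is constructed; 10.6.2.23 is the attack-box address from the write-up and 192.0.2.7 is a documentation address, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (not captured from the write-up's target).
# Lines mimic OpenSSH sshd's "Failed password" / "Accepted ..." messages; 10.6.2.23
# is the attack-box IP from the write-up, 192.0.2.7 is a documentation address.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:00 target CRON[1100]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:15:01 target sshd[1201]: Failed password for jan from 10.6.2.23 port 50211 ssh2
Mar  3 10:15:01 target sshd[1202]: Failed password for jan from 10.6.2.23 port 50212 ssh2
Mar  3 10:15:02 target sshd[1203]: Failed password for jan from 10.6.2.23 port 50213 ssh2
Mar  3 10:15:02 target sshd[1204]: Failed password for jan from 10.6.2.23 port 50214 ssh2
Mar  3 10:15:03 target sshd[1205]: Failed password for jan from 10.6.2.23 port 50215 ssh2
Mar  3 10:15:03 target sshd[1206]: Failed password for jan from 10.6.2.23 port 50216 ssh2
Mar  3 10:15:04 target sshd[1207]: Accepted password for jan from 10.6.2.23 port 50217 ssh2
Mar  3 11:02:40 target sshd[1400]: Failed password for kay from 192.0.2.7 port 40000 ssh2
Mar  3 11:30:00 target sshd[1450]: Accepted publickey for kay from 192.0.2.7 port 40001 ssh2
"""

# sshd auth lines; "invalid user" appears when the account does not exist at all
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn sshd auth lines into dicts; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"time": ts, "result": m.group("result"), "method": m.group("method"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Sliding-window detector over events in log order.

    Emits a 'burst' alert the first time a source IP reaches `threshold` failures
    inside `window_seconds`, and a 'success_after_burst' alert whenever a login is
    accepted from an IP whose failures inside the window are still at the threshold.
    """
    alerts = []
    recent_failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    burst_reported = set()
    for ev in events:
        window = recent_failures[ev["ip"]]
        cutoff = ev["time"] - timedelta(seconds=window_seconds)
        window[:] = [t for t in window if t >= cutoff]  # drop failures older than the window
        if ev["result"] == "Failed":
            window.append(ev["time"])
            if len(window) >= threshold and ev["ip"] not in burst_reported:
                burst_reported.add(ev["ip"])
                alerts.append({"type": "burst", "ip": ev["ip"], "user": ev["user"],
                               "failures": len(window), "time": ev["time"]})
        elif len(window) >= threshold:
            alerts.append({"type": "success_after_burst", "ip": ev["ip"], "user": ev["user"],
                           "method": ev["method"], "failures": len(window), "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{a['time']:%b %d %H:%M:%S} {a['type']:20} ip={a['ip']} "
              f"user={a['user']} failures={a['failures']}")
```

The single failure for kay from 192.0.2.7 followed by a key-based login half an hour later stays below the threshold and is not reported, which is the behaviour you want so that a user mistyping a password once does not page anyone. The hydra run, by contrast, trips both alerts within four seconds of log time.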
LOCAL RECON – LOG IN AS JAN VIA SSH

We’ll automate our local recon with linpeas.sh. To get the script onto the target system, we spin up a simple python3 HTTP server on our attack box and use wget to copy it to the /tmp directory of the target.
After running linpeas.sh we review the results and find a hidden SSH key for user kay. Our next step is to prep and crack the hash to recover the password needed for logging in as user kay.


LATERAL PRIVILEGE ESCALATION TO USER KAY
First we’ll use ssh2john to prep the hash for use with John the Ripper.

Next, we’ll crack the password for the hash with john.

Now that we’ve brute-forced the password using the wordlist rockyou.txt, we can go ahead and switch users to kay with the password beeswax.
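The lateral move above only worked because a copy of kay's private key was lying where another local user could read it. The following is an added example (not from the original write-up) of the hygiene check that catches that condition before an attacker does: it walks a directory tree, identifies private-key files by their header line, and reports the file mode, whether group or other can read it, and whether it lives anywhere other than a .ssh directory (stray backups and copies being the usual offenders). The demo builds a throwaway home directory with two placeholder key files; their contents are just the header and footer lines, not real key material, and the paths and modes are constructed for the demo.

```python
import os
import stat
import tempfile

# Header lines that identify a private-key file: OpenSSH's own format plus the PEM variants.
KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def is_private_key(path):
    """True if the file starts with one of the private-key header lines."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return any(head.startswith(h) for h in KEY_HEADERS)


def find_private_keys(root):
    """Walk `root` and report every private key with its mode and where it sits.

    'exposed' means group or other has read permission; 'outside_ssh_dir' flags
    keys that are not in a .ssh directory (backups, copies in /tmp, and the like).
    Exposed keys are listed first.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                "outside_ssh_dir": os.path.basename(dirpath) != ".ssh",
            })
    return sorted(findings, key=lambda f: (not f["exposed"], f["path"]))


def demo():
    """Audit a throwaway home directory holding two constructed placeholder key files.

    The key bodies are not real keys, only the header/footer lines the scanner looks for.
    """
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"placeholder-not-a-real-key\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as home:
        proper = os.path.join(home, ".ssh", "id_rsa")          # correct location, mode 0600
        backup = os.path.join(home, ".backups", "id_rsa.old")  # stray copy, world-readable
        for path, mode in ((proper, 0o600), (backup, 0o644)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(fake_key)
            os.chmod(path, mode)
        # a readable non-key file must not be reported
        with open(os.path.join(home, "notes.txt"), "w") as fh:
            fh.write("nothing to see\n")
        return find_private_keys(home)


if __name__ == "__main__":
    for f in demo():
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{flag:8} {f['mode']} {f['path']}  outside .ssh: {f['outside_ssh_dir']}")
```

On a real host you would run find_private_keys over /home, /root and /tmp from a cron job and treat any "exposed" or "outside_ssh_dir" hit as a finding; the header check is deliberately content-based so renamed or hidden copies are caught just like the linpeas run caught this one.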
POST-EXPLOITATION
Locate the pass.bak file and cat it to find the “final password”.

FINAL THOUGHTS

This box showed the power of enum4linux for enumerating Linux machines. We were able to extract two usernames that helped us brute-force our way into the server and gain our initial foothold.
Linpeas can do similar things, but the big difference between the two is that Linpeas is for local enumeration after a foothold, while enum4linux is for initial enumeration before gaining one.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.