{"id":131934,"date":"2023-02-18T18:50:49","date_gmt":"2023-02-18T18:50:49","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1146071"},"modified":"2023-02-18T18:50:49","modified_gmt":"2023-02-18T18:50:49","slug":"how-i-used-enum4linux-to-gain-a-foothold-into-the-target-machine-tryhackme","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/02\/18\/how-i-used-enum4linux-to-gain-a-foothold-into-the-target-machine-tryhackme\/","title":{"rendered":"How I used Enum4linux to Gain a Foothold Into the Target Machine (TryHackMe)"},"content":{"rendered":"\n<p class=\"has-global-color-8-background-color has-background\"><img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/1f4a1.png\" alt=\"\ud83d\udca1\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/> <strong>Enum4linux<\/strong> is a software utility designed to extract information from both Windows and Samba systems. Its primary objective is to provide comparable functionality to the now-defunct enum.exe tool, which was previously accessible at www.bindview.com. 
Enum4linux is coded in PERL and essentially functions as an interface for the Samba toolset, including smbclient, rpcclient, net, and nmblookup.<\/p>\n<h2>CHALLENGE OVERVIEW<\/h2>\n<ul>\n<li><strong>CTF Creator: <\/strong><a href=\"https:\/\/www.youtube.com\/@_JohnHammond\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>John Hammond<\/strong><\/a><\/li>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/basicpentestingjt\" target=\"_blank\" rel=\"noreferrer noopener\">Basic Pentesting<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Easy&nbsp;<\/li>\n<li><strong>Target<\/strong>: user flag and final flag<\/li>\n<li><strong>Highlight<\/strong>: extracting credentials from an SMB server with SMBmap<\/li>\n<li><strong>Tools used<\/strong>: <code>nmap<\/code>, <code>dirb<\/code>, <code>enum4linux<\/code>, <code>john<\/code>, <code>hydra<\/code>, <code>linpeas<\/code>, <code>ssh<\/code><\/li>\n<li><strong>Tags<\/strong>: <em>security, boot2root, cracking, webapp<\/em><\/li>\n<\/ul>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"684\" height=\"453\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-267.png\" alt=\"\" class=\"wp-image-1146093\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-267.png 684w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-267-300x199.png 300w\" sizes=\"auto, (max-width: 684px) 100vw, 684px\" \/><\/figure>\n<\/div>\n<p>This is a pretty standard type of CTF challenge that involves some recon, gaining an initial foothold, lateral privilege escalation, and discovery of the flags. <\/p>\n<p>It was a great way to review how to use the standard pentesting tools (i.e., <code>nmap<\/code>, <code>dirb<\/code>, <code>smbmap<\/code>, <code>john<\/code>, <code>hydra<\/code>). 
<\/p>\n<p>If you are just starting with CTF challenges, you may find some of the tools and concepts to be a bit more technical. Please check out the video walkthrough if anything is unclear in this write-up!\u00a0<\/p>\n<h2>ENUMERATION\/RECON<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"622\" height=\"928\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-268.png\" alt=\"\" class=\"wp-image-1146094\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-268.png 622w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-268-201x300.png 201w\" sizes=\"auto, (max-width: 622px) 100vw, 622px\" \/><\/figure>\n<\/div>\n<p><code>IP ADDRESSES<\/code><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export targetIP=10.10.192.10\nexport myIP=10.6.2.23\n<\/pre>\n<h2>ENUMERATION<\/h2>\n<p><code>NMAP SCAN<\/code><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nmap -A -p- -T4 -oX nmap.txt $targetIP\n<\/pre>\n<ul>\n<li><code>-A<\/code> Enable OS detection, version detection, script scanning, and traceroute<\/li>\n<li><code>-p-<\/code> scan all ports<\/li>\n<li><code>-T4<\/code> speed 4 (1-5 with 5 being the fastest)<\/li>\n<li><code>-oX<\/code> output as an XML-type file<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"416\" height=\"462\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-255.png\" alt=\"\" class=\"wp-image-1146077\" 
srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-255.png 416w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-255-270x300.png 270w\" sizes=\"auto, (max-width: 416px) 100vw, 416px\" \/><\/figure>\n<\/div>\n<h2>DIRB SCAN<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dirb http:\/\/$targetIP -o dirb.txt<\/pre>\n<ul>\n<li><code>-o<\/code> output as <code>&lt;filename><\/code><\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"399\" height=\"433\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-256.png\" alt=\"\" class=\"wp-image-1146078\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-256.png 399w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-256-276x300.png 276w\" sizes=\"auto, (max-width: 399px) 100vw, 399px\" \/><\/figure>\n<\/div>\n<h2>WALK THE WEBSITE<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"686\" height=\"545\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-269.png\" alt=\"\" class=\"wp-image-1146095\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-269.png 686w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-269-300x238.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/figure>\n<\/div>\n<p>Check our dev note section if you need to know what to work on. 
(I found a hint in the source code)<\/p>\n<p><code><em>http:\/\/10.10.192.10\/development\/<\/em><\/code><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"502\" height=\"303\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-257.png\" alt=\"\" class=\"wp-image-1146079\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-257.png 502w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-257-300x181.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/figure>\n<\/div>\n<p>Reading through these two documents, we learn the following interesting things:<\/p>\n<ul>\n<li>User \u201cJ\u201d has a weak password hash in \/etc\/shadow that can be cracked easily!<\/li>\n<li>We may be able to find an exploit for REST version 2.5.12\u00a0<\/li>\n<\/ul>\n<p>Searching through <code>exploit-db<\/code> we find two possibilities:<\/p>\n<ol>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/45068\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.exploit-db.com\/exploits\/45068<\/a><\/li>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/42627\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.exploit-db.com\/exploits\/42627<\/a> (this one is probably it!)<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"773\" height=\"898\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-258.png\" alt=\"\" class=\"wp-image-1146081\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-258.png 773w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-258-258x300.png 258w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-258-768x892.png 768w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\" \/><\/figure>\n<\/div>\n<p>I tried out this Python exploit, but didn\u2019t have any 
luck. Let\u2019s move forward for now and enumerate the SMB server.<\/p>\n<h2>ENUMERATING SMB\u00a0\u00a0\u00a0\u00a0<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">smbmap -a $targetIP<\/pre>\n<p>We see a listing for an anonymous login in our results. However, we aren\u2019t able to log in as <code>anonymous<\/code>.<\/p>\n<h2>USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"681\" height=\"838\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-270.png\" alt=\"\" class=\"wp-image-1146097\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-270.png 681w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-270-244x300.png 244w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">enum4linux -a 10.10.192.10<\/pre>\n<p><code>-a<\/code>\u00a0 Do all simple enumeration (<code>-U -S -G -P -r -o -n -i<\/code>)<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"674\" height=\"364\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-259.png\" alt=\"\" class=\"wp-image-1146083\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-259.png 674w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-259-300x162.png 300w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/figure>\n<\/div>\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"698\" height=\"255\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-260.png\" alt=\"\" class=\"wp-image-1146084\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-260.png 698w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-260-300x110.png 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/figure>\n<\/div>\n<p>Found users: <code>kay<\/code> and <code>jan<\/code><\/p>\n<p>My guess is that our first user credential with the easy hash will be for user <code>jan<\/code> because the hidden file <code>j.txt<\/code> in the <code>\/development<\/code> folder was written to \u201c<code>J<\/code>\u201d.<\/p>\n<h2>USING HYDRA TO BRUTEFORCE A PASSWORD FOR JAN\/KAY<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\nhydra -l jan -t 4 -P \/home\/kalisurfer\/hacking-tools\/rockyou.txt ssh:\/\/10.10.192.10\nhydra -l kay -P \/home\/kalisurfer\/hacking-tools\/rockyou.txt ssh:\/\/10.10.192.10<\/pre>\n<p>Discovered password for jan: <code>armando<\/code><\/p>\n<h2>LOCAL RECON &#8211; LOG IN AS JAN VIA SSH<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"681\" height=\"456\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-271.png\" alt=\"\" class=\"wp-image-1146099\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-271.png 681w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-271-300x201.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n<\/div>\n<p>We\u2019ll automate our local recon with <code>linpeas.sh<\/code>.<\/p>\n<p>To get the script on our target system, we 
spin up a simple <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.finxter.com\/how-to-check-your-python-version\/\" data-type=\"post\" data-id=\"1371\" target=\"_blank\">python3<\/a> HTTP server on our attack box and use <code>wget<\/code> to copy it to the <code>\/tmp<\/code> directory of our target system.<\/p>\n<p>After running <code>linpeas.sh<\/code>, we review our results and find a hidden SSH key for user kay. Our next step is to prep and crack the key\u2019s hash to discover the passphrase needed for logging in as user kay.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"556\" height=\"232\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-261.png\" alt=\"\" class=\"wp-image-1146085\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-261.png 556w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-261-300x125.png 300w\" sizes=\"auto, (max-width: 556px) 100vw, 556px\" \/><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"493\" height=\"124\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-262.png\" alt=\"\" class=\"wp-image-1146086\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-262.png 493w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-262-300x75.png 300w\" sizes=\"auto, (max-width: 493px) 100vw, 493px\" \/><\/figure>\n<\/div>\n<h2>LATERAL PRIVILEGE ESCALATION TO USER KAY<\/h2>\n<p>First we\u2019ll use <code>ssh2john<\/code> to prep the hash to use with John the Ripper.\u00a0<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"494\" height=\"321\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-263.png\" alt=\"\" class=\"wp-image-1146087\" 
srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-263.png 494w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-263-300x195.png 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/figure>\n<\/div>\n<p>Next, we\u2019ll crack the password for the hash with john.&nbsp;<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"726\" height=\"252\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-264.png\" alt=\"\" class=\"wp-image-1146088\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-264.png 726w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-264-300x104.png 300w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/figure>\n<\/div>\n<p>Now that we\u2019ve brute-forced the password against the wordlist <code>rockyou.txt<\/code>, we can go ahead and switch users to kay with the password <code>beeswax<\/code>.<\/p>\n<h2>POST-EXPLOITATION<\/h2>\n<p>Locate the <code>pass.bak<\/code> file.<\/p>\n<p><code>cat<\/code> it to find the \u201cfinal password\u201d.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"412\" height=\"93\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-265.png\" alt=\"\" class=\"wp-image-1146089\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-265.png 412w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-265-300x68.png 300w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/figure>\n<\/div>\n<h2>FINAL THOUGHTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"684\" height=\"454\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-272.png\" alt=\"\" class=\"wp-image-1146100\" 
srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-272.png 684w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-272-300x199.png 300w\" sizes=\"auto, (max-width: 684px) 100vw, 684px\" \/><\/figure>\n<\/div>\n<p>This box showed the power of <code>enum4linux<\/code> for enumerating Linux machines. We were able to extract two usernames that helped us to brute force our way into the server and gain our initial foothold. <\/p>\n<p>Linpeas also can do similar things, but the big difference between the two is that Linpeas is for local enumeration, and <code>enum4linux<\/code> is for initial enumeration before gaining a foothold.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enum4linux is a software utility designed to extract information from both Windows and Samba systems. Its primary objective is to provide comparable functionality to the now-defunct enum.exe tool, which was previously accessible at www.bindview.com. 
Enum4linux is coded in PERL and essentially functions as an interface for the Samba toolset, including smbclient, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131934","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131934"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131934\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}