TryHackMe: Network Services
#smb #telnet #ftp #netcat #enumerating #exploiting
We will start with Task #2 for this writeup
Task 2: Understanding SMB
Question 1: What does SMB stand for?
Answer 1: Server Message Block
Question 2: What type of protocol is SMB?
Answer 2: response-request
Question 3: What do clients connect to servers using?
Answer 3: TCP/IP
Question 4: What do clients connect to servers using?
Answer 4: Unix
Task 3: Enumerating SMB
Deploy your system!
Question 1: Conduct an nmap scan of your choosing, How many ports are open?
Answer 1: 3
Question 2: What ports is SMB running on?
Answer 2: 139/445
Question 3: Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
Answer 3: WORKGROUP
Question 4: What comes up as the name of the machine?
Answer 4: POLOSMB
Question 5: What operating system version is running?
Answer 5: 6.1
Question 6: What share sticks out as something we might want to investigate?
Answer 6: profiles
Task 4: Exploiting SMB
Question 1: What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
Answer 1: smbclient //10.10.10.2/secret -U suit -p 445
Question 2: Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.
Question 3: Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:
To get this answer, conduct smbclient //10.10.195.2/profiles -U anonymous -p 139
Login as anonymous without a password.
Yes. This was successful
Question 4: Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
If you were able to login at Question 3, you will see the command prompt below.
From here, use pwd to see what directory you are in. In this case, we are in "profiles". This is the target shares we were able to obtain.
Now run ls to display the content of the directory.
The .txt file stands out the most. Since this is SMB, we will use the get command to send the file to our local machine. We will create checkitout.txt.
Open up another terminal and open checkitout. txt.
This information will be displayed:
Question 5: What service has been configured to allow him to work from home?
Answer 5: SSH, you can find this information in the .txt file.
Question 6: Okay! Now we know this, what directory on the share should we look in?
Answer 6: We should look for the .ssh directory.
Question 7: This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
Answer 7: Take a look into the .ssh directory, the id_rsa is the most useful file, because this is the private key.
Question 8: Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]". Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?
Answer 8: In this directory we have id_rsa and id_rsa.pub. The id_rsa houses the private key and id_rsa.pub houses the public key. We will conduct a get command and send these two files to our local machine for viewing shortly.
We will start with the id_rsa first. The file I created here is kelsid_rsa.txt.
Now we will complete the id_rsa.pub. The file I created here is kelsid_rsapub.txt.
Open another terminal and view these two .txt files and see what we get. First we will open up kelsid_rsa.txt (Private Key).
Second we will open up kelsid_rsapub.txt (Public Key).
Take a look at the end of the kelsid_rsapub.txt. Looks like we found the username (cactus).
So we now have the id_rsa and id_rsa.pub. Lets change the rights to the id_rsa key.
Owner 6 - Read and Write
Group 0 - No permissions
Others 0 - No permissions
We will now use our local machine to see if we can ssh into user - cactus.
If successful, this will be the output.
Use ls command to see what's in the directory.
Now use cat to open the .txt file for your flag!
Task 5: Understanding Telnet
Question 1: What is Telnet?
Answer 1: application protocol
Question 2: What has slowly replaced Telnet?
Answer 2: ssh
Question 3: How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
Answer 3: telnet 10.10.10.3 23
Question 4: The lack of what, means that all Telnet communication is in plain-text?
Answer 4: encryption
Task 6: Enumerating Telnet
Deploy your system!
Question 1: How many ports are open on the target machine?
Answer 1: The answer is 1. You can find this by running a nmap scan on your target
nmap -A -p- 10.10.230.48
8012/TCP Open Unknown Services
Fingerprint Strings Skidy's Backdoor
Question 2: What port is this?
Answer 2: 8012
Question 3: This port is unassigned, but still lists the protocol it's using, what protocol is this?
Answer 3: tcp
Question 4: Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
Answer 4: 0
Question 5: Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
Question 6: Based on the title returned to us, what do we think this port could be used for?
Answer 6: a backdoor
Question 7: Who could it belong to? Gathering possible usernames is an important step in enumeration.
Answer 7: Skidy
Question 8: Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
Task 7: Exploiting Telnet
Question 1: Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
Answer 1: Telnet into the machine
telnet 10.10.230.48 23
Question 2: Great! It's an open telnet connection! What welcome message do we receive?
Answer 2: SKIDY'S BACKDOOR
Question 3: Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
Answer 3: No execution is being performed.
Question 4: Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.
Question 5: Start a tcpdump listener on your local machine using: "sudo tcpdump ip proto \\icmp -i tun0" This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
Answer 5: Open up another terminal as your local machine and start a tcpdump listener. The instructions states tun0 but it depends on your local machine. Mine is eth0. You can find your ethernet network card by using the ip a command.
Execute the ping commands
If successful, we will see this below at our local machine.
Question 7: Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!
Question 8: We're going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here's our syntax:
Answer 8: mkfifo. Since we can actually run commands and reach our local machine, we are going to start a reverse shell payload using msfvenom.
Question 9: Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
Answer 9: nc -lvp 4444. Now lets start up a netcat listener on our local machine
Question 10: Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!
Answer 10: copy the msfvenom payload to our telnet machine and execute. Remember, you have to use .RUN to execute.
If successful, your local machine tab will go red and you will see a connection.
Question 11: Success! What is the contents of flag.txt?
Answer 11: From the local machine, enter pwd to see your present working directory, ls to search the directory for content, and cat flag.txt to view the content.
Task 8: Understanding FTP
Question 1: What communications model does FTP use?
Answer 1: client-server
Question 2: What's the standard FTP port?\
Answer 2: 21
Question 3: How many modes of FTP connection are there?
Answer 3: 2
Task 9: Enumerating FTP
Deploy your machine!
Question 1: Run an nmap scan of your choice. How many ports are open on the target machine?
Answer 1: 2
Question 2: What port is ftp running on?\
Answer 2: 21
Question 3: What port is ftp running on?
Answer 3: vsftpd
Question 4: Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted.
What is the name of the file in the anonymous FTP directory?
Answer 4: PUBLIC_NOTICE.txt
To find the file, open up a command prompt and ftp into your target IP. We will use anonymous as the name and no password.
Question 5: What do we think a possible username could be?
Answer 5: Mike
To view the content, execute a get command for the .txt file and send it to your local machine.
Open up the .txt file to view the content.
Task 10: Exploiting FTP
Question 1: What is the password for the user “mike”?
Answer 1: password
To run hydra correctly in this exercise, we have to download the wordlist to Kali. I am going to clone a KaliList from Github that includes rockyou.txt.
So I ran into an issue with the rockyou.txt but corrected it by adding on the .gz to the end of it.
As you can see, we pulled in credentials for Mike.
Question 2: Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted.
Answer 2: Now lets login with the credentials.
Question 3: What is ftp.txt?
We are successful. Browse around to see what we can find that is interesting.
We have a .txt file here so let's send the file to our local machine.
Now open the file from the local machine with cat command for the flag.