Network Services WriteUp – TryHackMe

In this article, I tried to prepare a write-up for the “Network Services” room on tryhackme.


[Task 1]  Expanding Your Knowledge

This room will explore common Network Service vulnerabilities and misconfigurations, but in order to do that, we’ll need to do a few things first!

#1 Ready? Let’s get going!

ANSWER: No answer needed


[Task 2] Understanding SMB

SMB – Server Message Block Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

#1 What does SMB stand for?

SMB – Server Message Block Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

ANSWER: Server Message Block

#2 What type of protocol is SMB?  

The SMB protocol is known as a response-request protocol.

ANSWER: response-request

#3 What do clients connect to servers using? 

 Clients connect to servers using TCP/IP.

ANSWER: TCP/IP

#4 What systems does Samba run on?

Samba, an open source server that supports the SMB protocol, was released for Unix systems.

ANSWER: Unix


[Task 3] Enumerating SMB

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

I ran the nmap query below. But this query took more than 20 minutes.

nmap -A -T4 -p- <machine IP>

We will answer the questions according to the results in the pictures below.

#1 Conduct an nmap scan of your choosing, How many ports are open?

Port 22, Port 139 and Port 445 are open.

ANSWER: 3

#2 What ports is SMB running on?

You can see the answer in the first picture above. SMB appears to be open on 2 ports.

ANSWER: 139/445

#3 Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?  

Let’s run this command.

enum4linux -A <machine IP>

The result of the command executed is as follows:

ANSWER: WORKGROUP

#4 What comes up as the name of the machine?

ANSWER: POLOSMB

#5 What operating system version is running?

ANSWER: 6.1

#6 What share sticks out as something we might want to investigate? 

ANSWER: profiles


[Task 4] Exploiting SMB

While there are vulnerabilities such as CVE-2017-7494 that can allow remote code execution by exploiting SMB, you’re more likely to encounter a situation where the best way into a system is due to misconfigurations in the system. In this case, we’re going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will lead to a shell.

#1 What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

ANSWER: smbclient //10.10.10.2/secret -U suit -p 445

#2 Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

ANSWER: No answer needed

#3 Does the share allow anonymous access? Y/N?

Let’s run this command to access “Anonymous” user. When the system ask the password, then just click “enter”. You don’t need to enter the “password” value.

smbclient //10.10.10.2/profiles -U anonymous -p 445

ANSWER: Y

#4 Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

You can see the “interesting document”. Let’s get this document. You can run this command in smb.

get “Working From Home Information.txt” [output name]

Let’s read the downloaded file on our own computer. The name at the beginning of the text is the answer to our question.

ANSWER: John Cactus

#5 What service has been configured to allow him to work from home?

The “.ssh” file is an SSH configuration file.

ANSWER: ssh

#6 Okay! Now we know this, what directory on the share should we look in?

ANSWER: .ssh

#7 This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Let’s check what is in the “.ssh” file.

cd .ssh
ls

ANSWER: id_rsa

#8 Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”. Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?

First, let’s download the “id_rsa” and “id_rsa.pub” files to our own computer.

get id_rsa [outputname]

get id_rsa.pub [outputname]

Change the permissions of the “my_id_rsa” file to 600 using:

chmod 600 [your id_rsa file]

We can connect with ssh because we have “id_rsa” file of “cactus” user.

ssh -i [your id_rsa file] cactus@<targer IP>

ANSWER: THM{smb_is_fun_eh?}


[Task 5] Understanding Telnet

#1 What is Telnet?

Telnet is an application protocol.

ANSWER: application protocol

#2 What has slowly replaced Telnet?

Telnet has been replaced by SSH in most implementations.

ANSWER: ssh

#3 How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

ANSWER: telnet 10.10.10.3 23

#4 The lack of what, means that all Telnet communication is in plaintext?

ANSWER: encryption


[Task 6] Enumerating Telnet

You can use this nmap scan:

nmap -T4 -p- <machine IP>
Image for post
Image for post

#1 How many ports are open on the target machine?

ANSWER: 1

#2 What port is this?

ANSWER: 8012

#3 This port is unassigned, but still lists the protocol it’s using, what protocol is this?

You can see the answer in the second picture above.

ANSWER: tcp

#4 Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

Image for post

ANSWER: 0

#5 Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

ANSWER: No answer needed

#6 Based on the title returned to us, what do we think this port could be used for?

Image for post

According to the Nmap scan, only 1 port appears to be open. All other ports are closed. In this case, we can call the “backdoor” port only for the open port.

You can also see the text “SKIDY’S BACKDOOR” clearly in the picture above.

ANSWER: a backdoor

#7 Who could it belong to? Gathering possible usernames is an important step in enumeration.

You can see the name in picture above.

ANSWER: Skidy

#8 Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

ANSWER: No answer needed.


[Task 7] Exploiting Telnet

#1 Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

ANSWER: No answer needed

#2 Great! It’s an open telnet connection! What welcome message do we receive?

Image for post

Telnet Connection = telnet <IP> <port number>

ANSWER: SKIDY’S BACKDOOR.

#3 Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Image for post

ANSWER: N

#4 Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.

ANSWER: No answer needed

#5 Start a tcpdump listener on your local machine using: “sudo tcpdump ip proto \\icmp -i tun0” This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

Image for post

ANSWER: No answer needed

#6 Now, use the command “ping [local tun0 ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Image for post
Image for post

ANSWER: Y

#7 Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!

ANSWER: No answer needed

#8 What word does the generated payload start with?

Image for post

ANSWER: mkfifo

#9 Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. What would the command look like for the listening port we selected in our payload?

ANSWER: nc -lvp 4444

#10 Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!

Image for post

ANSWER: No answer needed

#11 Success! What is the contents of flag.txt?

Image for post

ANSWER: THM{y0u_g0t_th3_t3ln3t_fl4g}


[Task 8] Understanding FTP

#1 What communications model does FTP use?

FTP operates using a client-server protocol.

ANSWER: client-server

#2 What’s the standard FTP port?

ANSWER: 21

#3 How many modes of FTP connection are there?

The FTP server may support either Active or Passive connections, or both.

ANSWER: 2


[Task 9] Enumerating FTP

Image for post

#1 Run an nmap scan of your choice. How many ports are open on the target machine?

ANSWER: 2

#2 What port is ftp running on?

ANSWER: 21

#3 What variant of FTP is running on it?

Image for post

ANSWER: vsftpd

Image for post

What is the name of the file in the anonymous FTP directory?

You will be asked for a username and password. For “anonymous” user ;

  • username: anonymous
  • password: anonymous

ANSWER: PUBLIC_NOTICE.txt

#5 What do we think a possible username could be?

Image for post

ANSWER: mike

#6 Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…

ANSWER: No answer needed


[Task 10] Exploiting FTP

#1 What is the password for the user “mike”?

We should run this command:

hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV <Machine IP> ftp
Image for post

ANSWER: password

#2 Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted

ANSWER: No answer needed

#3 What is ftp.txt?

Image for post
Image for post

ANSWER: You can capture the flag by yourself 🙂


[Task 11] Expanding Your Knowledge

#1 Well done, you did it!

ANSWER: No answer needed


So far, I have tried to explain the solutions of the questions as detailed as I can. I hope it helped you. See you in my next write-up.

Network Services WriteUp – TryHackMe’ için 2 yanıt

Add yours

  1. Hello Brother,

    Thank you for taking the time to write this article.

    It was really helpful.

    Regards

    Beğen

Bir Cevap Yazın

Aşağıya bilgilerinizi girin veya oturum açmak için bir simgeye tıklayın:

WordPress.com Logosu

WordPress.com hesabınızı kullanarak yorum yapıyorsunuz. Çıkış  Yap /  Değiştir )

Google fotoğrafı

Google hesabınızı kullanarak yorum yapıyorsunuz. Çıkış  Yap /  Değiştir )

Twitter resmi

Twitter hesabınızı kullanarak yorum yapıyorsunuz. Çıkış  Yap /  Değiştir )

Facebook fotoğrafı

Facebook hesabınızı kullanarak yorum yapıyorsunuz. Çıkış  Yap /  Değiştir )

Connecting to %s

WordPress.com'da Blog Oluşturun.

Yukarı ↑

%d blogcu bunu beğendi: