KdotWill

Oct 1, 20207 min read

TryHackMe: Network Services

#smb #telnet #ftp #netcat #enumerating #exploiting

We will start with Task #2 for this writeup

Task 2: Understanding SMB

Question 1: What does SMB stand for?

Answer 1: Server Message Block

Question 2: What type of protocol is SMB?

Answer 2: response-request

Question 3: What do clients connect to servers using?

Answer 3: TCP/IP

Question 4: What do clients connect to servers using?

Answer 4: Unix

Task 3: Enumerating SMB

Deploy your system!

Question 1: Conduct an nmap scan of your choosing, How many ports are open?

Answer 1: 3

Question 2: What ports is SMB running on?

Answer 2: 139/445

Question 3: Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

Answer 3: WORKGROUP

Question 4: What comes up as the name of the machine?

Answer 4: POLOSMB

Question 5: What operating system version is running?

Answer 5: 6.1

Question 6: What share sticks out as something we might want to investigate?

Answer 6: profiles

Task 4: Exploiting SMB

Question 1: What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

Our Reference:

share=secret

user=suit

IP=10.10.10.2

Answer 1: smbclient //10.10.10.2/secret -U suit -p 445

Question 2: Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

Our Reference:

Target IP=10.10.195.152

Target Workgroup=WORKGROUP

Target Name=POLOSMB

Target Shares=profiles

Target User=anonymous

Question 3: Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:

Answer 3:

To get this answer, conduct smbclient //10.10.195.2/profiles -U anonymous -p 139

Yes. This was successful

Question 4: Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

Answer 4:

If you were able to login at Question 3, you will see the command prompt below.

From here, use pwd to see what directory you are in. In this case, we are in "profiles". This is the target shares we were able to obtain.

Now run ls to display the content of the directory.

The .txt file stands out the most. Since this is SMB, we will use the get command to send the file to our local machine. We will create checkitout.txt.

Open up another terminal and open checkitout. txt.

This information will be displayed:

Question 5: What service has been configured to allow him to work from home?

Answer 5: SSH, you can find this information in the .txt file.

Question 6: Okay! Now we know this, what directory on the share should we look in?

Answer 6: We should look for the .ssh directory.

Question 7: This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Answer 7: Take a look into the .ssh directory, the id_rsa is the most useful file, because this is the private key.

Question 8: Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]". Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?

Answer 8: In this directory we have id_rsa and id_rsa.pub. The id_rsa houses the private key and id_rsa.pub houses the public key. We will conduct a get command and send these two files to our local machine for viewing shortly.

We will start with the id_rsa first. The file I created here is kelsid_rsa.txt.

Now we will complete the id_rsa.pub. The file I created here is kelsid_rsapub.txt.

Open another terminal and view these two .txt files and see what we get. First we will open up kelsid_rsa.txt (Private Key).

Second we will open up kelsid_rsapub.txt (Public Key).

Take a look at the end of the kelsid_rsapub.txt. Looks like we found the username (cactus).

So we now have the id_rsa and id_rsa.pub. Lets change the rights to the id_rsa key.

chmod 600

Owner 6 - Read and Write

Group 0 - No permissions

Others 0 - No permissions

We will now use our local machine to see if we can ssh into user - cactus.

If successful, this will be the output.

Use ls command to see what's in the directory.

Now use cat to open the .txt file for your flag!

Task 5: Understanding Telnet

Question 1: What is Telnet?

Answer 1: application protocol

Question 2: What has slowly replaced Telnet?

Answer 2: ssh

Question 3: How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

Answer 3: telnet 10.10.10.3 23

Question 4: The lack of what, means that all Telnet communication is in plain-text?

Answer 4: encryption

Task 6: Enumerating Telnet

Deploy your system!

Question 1: How many ports are open on the target machine?

Answer 1: The answer is 1. You can find this by running a nmap scan on your target

nmap -A -p- 10.10.230.48

Open Ports:

8012/TCP Open Unknown Services

Fingerprint Strings Skidy's Backdoor

Question 2: What port is this?

Answer 2: 8012

Question 3: This port is unassigned, but still lists the protocol it's using, what protocol is this?

Answer 3: tcp

Question 4: Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

Answer 4: 0

Question 5: Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

Question 6: Based on the title returned to us, what do we think this port could be used for?

Answer 6: a backdoor

Question 7: Who could it belong to? Gathering possible usernames is an important step in enumeration.

Answer 7: Skidy

Question 8: Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

Task 7: Exploiting Telnet

Question 1: Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

Answer 1: Telnet into the machine

telnet 10.10.230.48 23

Question 2: Great! It's an open telnet connection! What welcome message do we receive?

Answer 2: SKIDY'S BACKDOOR

Question 3: Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Answer 3: No execution is being performed.

Question 4: Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.

Question 5: Start a tcpdump listener on your local machine using: "sudo tcpdump ip proto \\icmp -i tun0" This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

Answer 5: Open up another terminal as your local machine and start a tcpdump listener. The instructions states tun0 but it depends on your local machine. Mine is eth0. You can find your ethernet network card by using the ip a command.

Execute the ping commands

If successful, we will see this below at our local machine.

Question 7: Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!

Question 8: We're going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here's our syntax:

Answer 8: mkfifo. Since we can actually run commands and reach our local machine, we are going to start a reverse shell payload using msfvenom.

Question 9: Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

Answer 9: nc -lvp 4444. Now lets start up a netcat listener on our local machine

Question 10: Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!

Answer 10: copy the msfvenom payload to our telnet machine and execute. Remember, you have to use .RUN to execute.

If successful, your local machine tab will go red and you will see a connection.

Question 11: Success! What is the contents of flag.txt?

Answer 11: From the local machine, enter pwd to see your present working directory, ls to search the directory for content, and cat flag.txt to view the content.

Task 8: Understanding FTP

Question 1: What communications model does FTP use?

Answer 1: client-server

Question 2: What's the standard FTP port?\

Answer 2: 21

Question 3: How many modes of FTP connection are there?

Answer 3: 2

Task 9: Enumerating FTP

Deploy your machine!

Question 1: Run an nmap scan of your choice. How many ports are open on the target machine?

Answer 1: 2

Question 2: What port is ftp running on?\

Answer 2: 21

Question 3: What port is ftp running on?

Answer 3: vsftpd

Question 4: Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted.

What is the name of the file in the anonymous FTP directory?

Answer 4: PUBLIC_NOTICE.txt

To find the file, open up a command prompt and ftp into your target IP. We will use anonymous as the name and no password.

Question 5: What do we think a possible username could be?

Answer 5: Mike

To view the content, execute a get command for the .txt file and send it to your local machine.

Open up the .txt file to view the content.

Task 10: Exploiting FTP

Question 1: What is the password for the user “mike”?

Answer 1: password

To run hydra correctly in this exercise, we have to download the wordlist to Kali. I am going to clone a KaliList from Github that includes rockyou.txt.