TryHackMe: Network Services write up
This room will explore common Network Service vulnerabilities and misconfigurations (https://tryhackme.com/room/networkservices)
Task 2: Understanding SMB
SMB — Server Message Block Protocol — is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.
What runs SMB? Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.
What does SMB stand for?
Server Message Block
What type of protocol is SMB?
response-request
What do clients connect to servers using?
TCP/IP
What systems does Samba run on?
Unix
Task 3 Enumerating SMB
Enumeration —Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. This process is essential for an attack to be successful, as wasting time with exploits that either don’t work or can crash the system can be a waste of energy. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.
SMB — Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you’d be surprised what is sometimes included on these shares.
Enum4Linux — Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB. It’s installed by default on Parrot and Kali, however if you need to install it, you can do so from the official github. if it isn’t installed on Kali, just use sudo apt-get install enum4linux .
The syntax of Enum4Linux is nice and simple:
“enum4linux [options] ip”
Conduct an nmap scan of your choosing, How many ports are open?
3
What ports is SMB running on?
139/445
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
WORKGROUP
What comes up as the name of the machine?
POLOSMB
What operating system version is running?
6.1
What share sticks out as something we might want to investigate?
profiles
Task 4 Exploiting SMB
Types of SMB Exploit — While there are vulnerabilities such as CVE-2017–7494 that can allow remote code execution by exploiting SMB, you’re more likely to encounter a situation where the best way into a system is due to misconfigurations in the system. In this case, we’re going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will lead to a shell.
We can remotely access the SMB share using the syntax:
smbclient //[IP]/[SHARE]
Followed by the tags:
-U [name] : to specify the user
-p [port] : to specify the port
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by:
- using the username “Anonymous”
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?
Y
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus
What service has been configured to allow him to work from home?
ssh
Okay! Now we know this, what directory on the share should we look in?
.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa
Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”. Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
THM{smb_is_fun_eh?}
Task 5 Understanding Telnet
What is Telnet? — Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that’s hosting a telnet server.
The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.
Replacement — Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.
How does Telnet work? — The user connects to the server by using the Telnet protocol, which means entering “telnet” into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: “telnet [ip] [port]”
What is Telnet?
application protocol
What has slowly replaced Telnet?
ssh
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?
encryption
Task 6 Enumerating Telnet
How many ports are open on the target machine?
1
What port is this?
8012
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
tcp
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
0
Based on the title returned to us, what do we think this port could be used for?
a backdoor
Who could it belong to? Gathering possible usernames is an important step in enumeration.
Skidy
Task 7 Exploiting Telnet
Types of Telnet Exploit — Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE’s for Telnet client and server systems, however, so when exploiting you can check for those on:
A CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they usually mean the CVE ID number assigned to a security flaw.
However, you’re far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow you to exploit it.
Method Breakdown — So, from our enumeration stage, we know:
- There is a poorly hidden telnet service running on this machine
- The service itself is marked “backdoor”
- We have possible username of “Skidy” implicated
Using this information, let’s try accessing this telnet port, and using that as a foothold to get a full reverse shell on the machine!
Connecting to Telnet — You can connect to a telnet server with the following syntax:
“telnet [ip] [port]”
We’re going to need to keep this in mind as we try and exploit this machine.
Great! It’s an open telnet connection! What welcome message do we receive?
SKIDY’S BACKDOOR.
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
N
Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
Y
What word does the generated payload start with?
mkfifo
What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Success! What is the contents of flag.txt?
THM{y0u_g0t_th3_t3ln3t_fl4g}
Task 8 Understanding FTP
What is FTP? — File Transfer Protocol (FTP) is, as the name suggests , a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and- as we’ll come on to later- relays commands and data in a very efficient way.
How does FTP work? — A typical FTP session operates using two channels:
- a command (sometimes called the control) channel
- a data channel.
As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.
FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.
While the session is open, the client may execute FTP commands on the server.
Active vs Passive — The FTP server may support either Active or Passive connections, or both.
- In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
- In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.
What communications model does FTP use?
client-server
What’s the standard FTP port?
21
How many modes of FTP connection are there?
2
Task 9 Enumerating FTP
Method — We’re going to be exploiting an anonymous FTP login, to see what files we can access- and if they contain any information that might allow us to pop a shell on the system. This is a common pathway in CTF challenges, and mimics a real-life careless implementation of FTP servers.
Resources — As we’re going to be logging in to an FTP server, we’re going to need to make sure therre is an ftp client installed on the system. There should be one installed by default on most Linux operating systems, such as Kali or Parrot OS. You can test if there is one by typing “ftp” into the console. If you’re bought to a prompt that says: “ftp>” Then you have a working FTP client on your system. If not, it’s a simple matter of using “sudo apt install ftp” to install one.
Alternative Enumeration Methods — It’s worth noting that some vulnerable versions of in.ftpd and some other FTP server variants return different responses to the “cwd” command for home directories which exist and those that don’t. This can be exploited because you can issue cwd commands before authentication, and if there’s a home directory- there is more than likely a user account to go with it. While this bug is found mainly within legacy systems, it’s worth knowing about, as a way to exploit FTP.
How many ports are open on the target machine?
2
What port is ftp running on?
21
What variant of FTP is running on it?
vsftpd
What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt
What do we think a possible username
could be?
mike
Task 10 Exploiting FTP
Types of FTP Exploit — Similarly to Telnet, when using FTP both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.
With data from FTP being sent in plaintext, if a man-in-the-middle attack took place an attacker could reveal anything sent through this protocol (such as passwords). An article written by JSCape demonstrates and explains this process using APR-Poisoning to trick a victim into sending sensitive information to an attacker, rather than a legitimate source.
When looking at an FTP server from the position we find ourselves in for this machine, an avenue we can exploit is weak or default password configurations.
Method Breakdown — So, from our enumeration stage, we know:
- There is an FTP server running on this machine
- We have a possible username
Using this information, let’s try and bruteforce the password of the FTP Server.
Hydra — Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.
What is the password for the user “mike”?
password
What is ftp.txt?
THM{y0u_g0t_th3_ftp_fl4g}
