TryHackMe: Cyber Defense Learning Path P1D2

02 May, 2021

Moving forward with the Cyber Defense path, the next two rooms are all about Network Services. Here, we will see how protocols and services can be exploited. The goal for this day is to complete both rooms. The first room introduces us to three well-known protocols, SMB, Telnet and FTP, while the second room continues with the NFS and SMTP protocols, as well as MySQL.

Network Services

Task 2
Say your computer needs to communicate with a server. With the SMB protocol, it will establish a connection with the server while exchanging a number of messages. It may sound extremely useful, but why don't you check an article about how vulnerable it has proved to be.
  • What does SMB stand for?
    The protocol by which your computer exchanges messages with a server: Server Message Block.
  • What type of protocol is SMB?
    Computer and server will be continuously communicating with response and request messages. The answer is response-request.
  • What do clients connect to servers using?
    Try to remember what you learned from the previous room. With SMB, two machines establish a session to transfer data, and they do it over TCP/IP.
  • What systems does Samba run on?
    Who could have guessed that Unix has a taste for Brazilian music?
Task 3
Before trying to exploit, gather some information. This process is called enumeration, and in this task we will enumerate SMB.
  • Conduct an nmap scan of your choosing, How many ports are open?
    Bring it on, nmap! I can clearly see 3 open ports.
  • What ports is SMB running on?
SMB runs on two default ports, so 139/445 is the right answer.
  • Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
    Oh, the irony. WORKGROUP.
  • What comes up as the name of the machine?
    Check through the results to find POLOSMB.
  • What operating system version is running?
    6.1
  • What share sticks out as something we might want to investigate?
Don't you think profiles looks like an interesting share to investigate?
Task 4
Exploitation time! We have already gathered some information about our target and we are ready to try some attacks on it.
  • What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
To access an SMB share you need to run an SMB client. The tool we'll use is called smbclient. Our target's IP is 10.10.10.2. We want to take a look at secret's contents as the user suit. Also, the SMB service runs on port 445.
    smbclient //10.10.10.2/secret -U suit -p 445
  • Does the share allow anonymous access? Y/N?
Thanks to a misconfiguration rather than a vulnerability, this share allows anonymous access.
  • Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
    Take a look around to find mr. John Cactus.
  • What service has been configured to allow him to work from home?
    It's really common for professionals to use SSH as a work-from-home solution.
  • Okay! Now we know this, what directory on the share should we look in?
Note down .ssh; you will meet this directory again.
  • This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
    An id_rsa key file for free.
  • What is the smb.txt flag?
    SSH keys and privilege escalation. Finding the flag is now a piece of cake.
    THM{smb_is_fun_eh?}
Task 5
A lack of encryption has no place in modern networks. That's why Telnet got replaced by SSH.
  • What is Telnet?
    Telnet is also a protocol, specifically an application protocol.
  • What has slowly replaced Telnet?
    The far more trustworthy SSH.
  • How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
    You need the telnet command line tool to connect to 10.10.10.3 on port 23.
    telnet 10.10.10.3 23
  • The lack of what, means that all Telnet communication is in plaintext?
    Without encryption, do not expect any ciphertext.
Task 6
Let's see what we can find in here.
  • How many ports are open on the target machine?
    Nmap says 1 port is open.
  • What port is this?
    And the port number is... 8012.
  • This port is unassigned, but still lists the protocol it's using, what protocol is this?
    At least we know it runs on TCP.
  • Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
    0 of the most popular ports.
  • Based on the title returned to us, what do we think this port could be used for?
    Oh no, it's a backdoor.
  • Who could it belong to? Gathering possible usernames is an important step in enumeration.
    I guess, Skidy placed the backdoor in there.
Task 7
Now we become aggressive.
  • Great! It's an open telnet connection! What welcome message do we receive?
    SKIDY'S BACKDOOR, how obvious.
  • Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
    Sadly, or not, N.
  • Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
    Y, we have pings.
  • What word does the generated payload start with?
    mkfifo
  • What would the command look like for the listening port we selected in our payload?
Earlier we chose port 4444 as the port to listen on, so netcat has to listen on it.
    nc -lvp 4444
  • Success! What is the contents of flag.txt?
    Wasn't that hard, right?
    THM{y0u_g0t_th3_t3ln3t_fl4g}
Task 8
You will encounter this protocol often. FTP is one of the most preferred ways of transferring files over a network.
  • What communications model does FTP use?
    Once more, it is the client-server model.
  • What's the standard FTP port?
    21
  • How many modes of FTP connection are there?
    We have Active and Passive FTP connection. The answer is 2.
Task 9
Nothing new here, just use nmap to gather intelligence.
  • How many ports are open on the target machine?
    2
  • What port is ftp running on?
On its default port, 21.
  • What variant of FTP is running on it?
    vsftpd, the default FTP server for Linux.
  • What is the name of the file in the anonymous FTP directory?
    PUBLIC_NOTICE.txt
  • What do we think a possible username could be?
    Why not mike?
Task 10
Action!
  • What is the password for the user "mike"?
    Mike should have tried something harder than just password.
  • What is ftp.txt?
    THM{y0u_g0t_th3_ftp_fl4g}

Network Services 2

Task 2
One more protocol that allows us to transfer files; you may have noticed NFS as an option on an Android device.
  • What does NFS stand for?
    Network File System
  • What process allows an NFS client to interact with a remote directory as though it was a physical device?
    In order to accomplish the directory and file transfers, NFS mounts at least a portion of a file system on a server. This process is known as mounting.
  • What does NFS use to represent files and directories on the server?
If you wanted to access a file, NFS would return a unique identifier for it: a file handle.
  • What protocol does NFS use to communicate between the server and client?
    One more extremely helpful protocol, RPC, standing for Remote Procedure Call, lets us call a procedure on a remote computer.
  • What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
    Two things define a user: their user id and the group id they belong to.
  • Can a Windows NFS server share files with a Linux client? (Y/N)
    Yes, of course.
  • Can a Linux NFS server share files with a MacOS client? (Y/N)
    Yes, again.
  • What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
    Good old friend, google. The answer is 4.2.
Task 3
Here we go again. You now know how enumeration goes.
  • Conduct a thorough port scan of your choosing, how many ports are open?
    Some more ports than usual. I can see 7 open ports.
  • Which port contains the service we're looking to enumerate?
    We are looking for NFS. It's running on port 2049.
  • Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?
    /home sweet /home.
  • Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?
    Close to a favorite Italian coffee, the answer is cappucino.
  • Interesting! Let's do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
    Remember what I told you about the .ssh dir?
  • Which of these keys is most useful to us?
    You got it, id_rsa.
  • Can we log into the machine using ssh -i {key-file} {username}@{ip} ? (Y/N)
    Same procedure, Yes, we can.
Task 4
Moving on to the next phase.
  • Now, we're going to add the SUID bit permission to the bash executable we just copied to the share using "sudo chmod +[permission] bash". What letter do we use to set the SUID bit set using chmod?
    SUID bit, sudo, s is the answer.
  • Let's do a sanity check, let's check the permissions of the "bash" executable using "ls -la bash". What does the permission set look like? Make sure that it ends with -sr-x.
    It should look like -rwsr-sr-x.
  • Great! If all's gone well you should have a shell as root! What's the root flag?
    THM{nfs_got_pwned}
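The root shell in this task works when the share is exported with root squashing disabled, so a root-owned SUID copy of bash written over NFS keeps its owner and its SUID bit on the server. As an added example that is not part of the original post, here is a small Python audit of an /etc/exports file (the sample exports content is constructed) that flags the settings a defender should look for:

```python
import re

# Constructed sample of an /etc/exports file (not from the room): the first line
# mirrors the risky setup this task relies on, the others are there for contrast.
SAMPLE_EXPORTS = """\
# constructed example, not a real server
/home *(rw,sync,no_root_squash)
/srv/backup 10.10.0.0/16(ro,sync)
/srv/data 10.10.1.5(rw,sync,root_squash,no_subtree_check) 10.10.1.6(rw,no_root_squash)
"""

def parse_exports(text):
    """Return (path, client, options) for every client entry in an exports file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for client_spec in parts[1:]:
            m = re.fullmatch(r"([^(]*)\(([^)]*)\)", client_spec)
            if m:
                client, opts = (m.group(1) or "*"), m.group(2)
            else:
                client, opts = client_spec, ""   # bare client, default options
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((path, client, options))
    return entries

def audit_exports(text):
    """Return findings as (path, client, reason) tuples."""
    findings = []
    for path, client, opts in parse_exports(text):
        # root_squash is the NFS default; only an explicit no_root_squash turns it off.
        if "no_root_squash" in opts:
            reason = "no_root_squash: a remote root can plant root-owned SUID files"
            if "rw" in opts:
                reason += " (writable)"
            findings.append((path, client, reason))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "writable export to any host"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {reason}")
```

Point the script at a real /etc/exports to get the same report for your own server; the fix is to drop no_root_squash (or add root_squash explicitly) and restrict the client list.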
Task 5
The "Simple Mail Transfer Protocol" is one of those responsible for transferring emails through networks.
  • What does SMTP stand for?
    Easy to remember, Simple Mail Transfer Protocol.
  • What does SMTP handle the sending of?
    What else than emails.
  • What is the first step in the SMTP process?
The SMTP handshake is how an email starts its journey.
  • What is the default SMTP port?
    Google it. The answer is 25.
  • Where does the SMTP server send the email if the recipient's server is not available?
If you were an email, you would have to wait in an SMTP queue.
  • On what server does the Email ultimately end up on?
    POP/IMAP
  • Can a Linux machine run an SMTP server? (Y/N)
    Why not? The correct answer is Y.
  • Can a Windows machine run an SMTP server? (Y/N)
    Same as before, Yes, it can.
Task 6
Start your machine!
  • First, let's run a port scan against the target machine, same as last time. What port is SMTP running on?
    Do you remember? Port 25.
  • Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?
    Metasploit starts with the msfconsole command.
  • Let's search for the module "smtp_version", what's its full module name?
    You need to "search smtp_version". There's only one response after, auxiliary/scanner/smtp/smtp_version.
  • Great, now- select the module and list the options. How do we do this?
    Type use and the module's name to select it. Type options to list the available options.
  • Have a look through the options, does everything seem correct? What is the option we need to set?
    Almost everything is ready, you just have to set the RHOSTS with the target's IP address.
  • Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?
    polosmtp.home
  • What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
    Postfix
  • Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module "smtp_enum", what's its full module name?
    Search again. The answer is auxiliary/scanner/smtp/smtp_enum.
  • What option do we need to set to the wordlist's path?
    A different module requires different setups. USER_FILE, first.
  • Once we've set this option, what is the other essential parameter we need to set?
    After that, RHOSTS.
  • Okay! Now that's finished, what username is returned?
    We got the administrator.
Task 7
  • What is the password of the user we found during our enumeration stage?
    Brute force the authentication once more. The answer is alejandro.
  • Great! Now, let's SSH into the server as the user, what are the contents of smtp.txt?
    THM{who_knew_email_servers_were_c00l?}
Task 8
Not just protocols can be exploited.
  • What type of software is MySQL?
    Important to know, MySQL is a relational database management system software.
  • What language is MySQL based on?
    Easy, SQL.
  • What communication model does MySQL use?
    Typical, client-server model.
  • What is a common application of MySQL?
Hiding behind e-shops as a back-end database.
  • What major social network uses MySQL as their back-end database? This will require further research.
    Some researching, or just read the hint, Facebook is the correct answer.
Task 9
Let's see what we can find.
  • As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?
    The default port, 3306.
  • Search for, select and list the options it needs. What three options do we need to set? (in descending order).
    PASSWORD/RHOSTS/USERNAME
  • Run the exploit. By default it will test with the "select version()" command, what result does this give you?
    5.7.29-0ubuntu0.18.04.1
  • Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". How many databases are returned?
    4 databases.
Task 10
Type msfconsole and hit enter for this part.
  • First, let's search for and select the "mysql_schemadump" module. What's the module's full name?
    auxiliary/scanner/mysql/mysql_schemadump
  • Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?
    Strange name for a table? x$waits_global_by_latency
  • Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. What's the module's full name?
So many modules. This time use auxiliary/scanner/mysql/mysql_hashdump.
  • Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
    carl is definitely a non-default user.
  • What is the user/hash combination string?
    Just copy-paste it. carl:*EA031893AA21444B170FC2162A56978B8CEECE18
  • Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?
    Time for some cracking. The answer is doggie.
  • What's the contents of MySQL.txt
    You have everything you need to find the flag. THM{congratulations_you_got_the_mySQL_flag}
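The hash dumped for carl is a mysql_native_password hash: a "*" followed by the uppercase hex of SHA1(SHA1(password)), with no salt and no work factor, which is why a wordlist run with John finishes almost immediately. As an added example that is not part of the original post, the following Python reproduces that format and then audits a constructed mysql.user listing for the weaknesses a DBA would want to fix:

```python
import hashlib
import hmac

# Hash the walkthrough reports for carl (copied from the post above).
CARL_HASH = "*EA031893AA21444B170FC2162A56978B8CEECE18"

# Constructed rows in the shape of
# SELECT user, host, plugin, authentication_string FROM mysql.user;
SAMPLE_ROWS = [
    ("carl", "%", "mysql_native_password", CARL_HASH),
    ("root", "localhost", "caching_sha2_password", "$A$005$constructed-placeholder"),
    ("app", "localhost", "mysql_native_password", ""),
]

def mysql_native_hash(password: str) -> str:
    """mysql_native_password: '*' + SHA1(SHA1(password)) as uppercase hex.

    The inner SHA1 is hashed as raw bytes, not as hex text. No salt means two
    accounts with the same password share a hash, and each guess costs two SHA1s.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(mysql_native_hash(password), stored.upper())

def audit_accounts(rows):
    """Return (user, host, reason) findings for accounts that need attention."""
    findings = []
    for user, host, plugin, auth in rows:
        if plugin == "mysql_native_password":
            findings.append((user, host, "legacy unsalted SHA1 hash; migrate to caching_sha2_password"))
        if not auth:
            findings.append((user, host, "empty authentication string (no password)"))
        if host == "%":
            findings.append((user, host, "account may connect from any host"))
    return findings

if __name__ == "__main__":
    # Checks the post's hash against the password the post reports John recovered.
    print("carl:doggie matches:", verify("doggie", CARL_HASH))
    for user, host, reason in audit_accounts(SAMPLE_ROWS):
        print(f"{user}@{host}: {reason}")
```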

And with that, two rooms about Network Services were completed!