THM-Network Services 2-Writeup

Mohamed Ali
10 min read · Aug 24, 2024


Enumerating and Exploiting More Common Network Services & Misconfigurations

Find This Room: Network Services 2

#Task 1 : Ready? Let’s get going!

No answer needed.

#Task 2 Understanding NFS :

Read the documentation and try to answer the questions in the task.

#Task 3 Enumerating NFS

Conduct a thorough port scan scan of your choosing, how many ports are open?

So let's use nmap (default scripts plus service/version detection):

nmap -sC -sV IP_add

Answer : 7

Which port contains the service we’re looking to enumerate?

Looking through the scan results, we find the interesting port:

Answer : 2049

Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

Answer : /home

Time to mount the share to our local machine!

First, use “mkdir /tmp/mount” to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.

Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?

Once the share is mounted, we find the folder:

Answer : cappucino

Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…

“ls” returns nothing. But if we add the “-a” flag to list hidden files, we see we’ve got plenty to work with. Based on the work we did in the last Network Services room, we know that “.ssh” could contain keys that give us remote access to the server.

Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?

Answer : .ssh

Which of these keys is most useful to us?

Thanks to the knowledge gained in the previous room, we know the key’s default name is id_rsa.

Answer : id_rsa

Copy this file to a different location on your local machine, and change the permissions to “600” using “chmod 600 [file]”.

Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.

Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)

With that info, we can now attempt to access the ssh server with the information we gathered.

Answer : Y

#Task 4 : Exploiting NFS

First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.

The first two questions are just directions that don’t require answers. Follow them.

Download the bash executable to your Downloads directory. Then use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using “sudo chown root bash”

Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?

Answer : s

Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

Answer : -rwSr-Sr-- 1

Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with “./bash -p”. The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.

Don’t forget to add the execute (+x) permission to bash: the capital “S” in the permission set above means the SUID bit is set but the file is not executable yet, so it cannot run at all until you do this:

chmod +x bash
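The permission string is where this step usually goes wrong, so here is an added example (written for this writeup, not code from the original post or from TryHackMe) that decodes the mode field `ls -l` prints and explains the SUID/SGID letters. It shows why `-rwSr-Sr--` is a dead end and what the string looks like after `chmod +x`; the function names and the umask-022 assumption in `add_execute` are mine.

```python
import stat

# Added example for this writeup (not code from the original post or TryHackMe):
# decode the symbolic mode field that `ls -l` prints and explain the SUID/SGID
# letters, so that "-rwSr-Sr--" versus "-rwsr-sr-x" is no longer a guess.

# Columns 2, 5 and 8 of the 9-character rwx block carry the special bits.
# lowercase s/t = special bit AND execute bit; uppercase S/T = special bit WITHOUT execute.
SPECIAL = {
    2: ("sS", stat.S_ISUID, stat.S_IXUSR),
    5: ("sS", stat.S_ISGID, stat.S_IXGRP),
    8: ("tT", stat.S_ISVTX, stat.S_IXOTH),
}
PLAIN = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]

def parse_mode(ls_field: str) -> int:
    """Convert a 10-character `ls -l` mode field (type + 9 permission chars) to an int mode."""
    if len(ls_field) != 10:
        raise ValueError("expected a 10-character field such as -rwsr-sr-x")
    mode = 0
    for i, ch in enumerate(ls_field[1:]):
        if ch == "-":
            continue
        if i in SPECIAL and ch in SPECIAL[i][0]:
            _, special, execute = SPECIAL[i]
            mode |= special
            if ch.islower():            # s/t also carry the execute bit, S/T do not
                mode |= execute
        elif ch == "rwx"[i % 3]:        # the only plain letter valid in this column
            mode |= PLAIN[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

def explain(ls_field: str) -> dict:
    """Summarise what the mode means for a root-owned SUID binary like the bash copy in Task 4."""
    mode = parse_mode(ls_field)
    setuid = bool(mode & stat.S_ISUID)
    exec_user = bool(mode & stat.S_IXUSR)
    return {
        "octal": oct(mode)[2:],
        "setuid": setuid,
        "setgid": bool(mode & stat.S_ISGID),
        "executable": exec_user,
        # a SUID bit on a file nobody can execute cannot be exercised at all
        "effective_suid": setuid and exec_user,
    }

def add_execute(ls_field: str) -> str:
    """Mode string after `chmod +x` (x added for user, group and other; umask 022 assumed)."""
    return stat.filemode(stat.S_IFREG | parse_mode(ls_field) | 0o111)

if __name__ == "__main__":
    for field in ("-rwSr-Sr--", "-rwsr-sr-x"):
        print(field, explain(field))
    print("after chmod +x:", add_execute("-rwSr-Sr--"))
```

Run it and compare the two dictionaries: the author's `-rwSr-Sr--` parses to octal 6644 with `effective_suid` false, and adding execute turns it into the `-rwsr-sr-x` the task text asks for.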

Great! If all’s gone well you should have a shell as root! What’s the root flag?

Answer : thm{nfs_got_pwned}
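The whole NFS chain above depends on the server letting a client's root stay uid 0 on the share (the `no_root_squash` export option); with the default `root_squash`, the root-owned file the task has you create would be squashed to an unprivileged owner. The room's actual export options are not shown on the page, so the following is a general defender's check rather than a finding about the target. It is an added example, not code from the writeup: it parses `/etc/exports` syntax and flags the settings worth reviewing. The exports content is constructed for the example.

```python
import re

# Added example, not code from the original writeup. Parses /etc/exports syntax
# and flags the export options that make the Task 4 attack path possible.
# The exports content below is CONSTRUCTED for the example; it is not the room's file.
SAMPLE_EXPORTS = """\
# constructed sample, not the target's real file
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/backups 10.0.0.0/24(ro,sync,root_squash)
/srv/data    192.168.1.5(rw,sync) 192.168.1.6(rw,insecure)
"""

# "host(opt,opt)" -> host, option list; the parenthesised part is optional
CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")

def parse_exports(text):
    """Yield (path, client, [options]) for every client entry in /etc/exports text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            host = m.group(1) or "*"            # "(rw)" with no host in front means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, host, opts

def audit_exports(text):
    """Return (path, host, message) findings for risky export settings."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host,
                "no_root_squash: a client's root keeps uid 0, so root-owned setuid files can be written"))
        if host.startswith("*"):
            findings.append((path, host,
                "wildcard host pattern: any matching client that can reach port 2049 may mount this export"))
        if "insecure" in opts:
            findings.append((path, host,
                "insecure: mount requests from unprivileged source ports are accepted"))
    return findings

if __name__ == "__main__":
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{host}] {msg}")
```

On the constructed sample the `/home` line, which mirrors the share the room exposes, produces two findings (root squashing disabled and a wildcard host); the `root_squash` line produces none. Note that exportfs also treats a space between host and options (`host (rw)`) as "options for everyone", which this parser reports as a wildcard entry for the same reason.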

#Task 5 Understanding SMTP

Just read the task text and do some research to answer the questions.

#Task 6 Enumerating SMTP :

First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

Answer : 25

Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

If you would like some more help or practice using Metasploit, TryHackMe has a module on Metasploit that you can check out here: TryHackMe | Metasploit (tryhackme.com): “The Metasploit framework is a set of open-source tools used for network enumeration, identifying vulnerabilities…”

Answer : msfconsole

Let’s search for the module “smtp_version”, what’s its full module name?

Answer : auxiliary/scanner/smtp/smtp_version

Great, now- select the module and list the options. How do we do this?

Running help in the console shows the command we need:

Answer : options

Have a look through the options, does everything seem correct? What is the option we need to set?

Select smtp_version with “use” so it becomes the active module:

Now let’s run options:

As we can see, RHOSTS has no current setting, so we need to set it.

Answer : RHOSTS

Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

Let’s set it:

set RHOSTS ip_target

and then run the module:

Here we go!

Answer : polosmtp.home

What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Answer : Postfix

Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s its full module name?

Let’s use:

search smtp_enum

Answer : auxiliary/scanner/smtp/smtp_enum

We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).

Seclists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install seclists with: “sudo apt install seclists” Alternatively, you can download the repository from here.

What option do we need to set to the wordlist’s path?

Select the module:

use auxiliary/scanner/smtp/smtp_enum

Answer : user_file

Once we’ve set this option, what is the other essential parameter we need to set?

We can do that with:

set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt 
set RHOSTS IP_ADres

I used this username list from seclists; just use the right directory for your install.

You can find it here:

https://github.com/danielmiessler/SecLists

Then run the module.

We have a user “administrator”.

Okay! Now that’s finished, what username is returned?

Answer : administrator

#Task 7 Exploiting SMTP:

What is the password of the user we found during our enumeration stage?

hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV ip_add ssh

Answer : alejandro

Great! Now, let’s SSH into the server as the user, what are the contents of smtp.txt?

ssh administrator@ip-add

Answer : THM{who_knew_email_servers_were_c00l?}
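The hydra run above is exactly the pattern the SSH server's own log makes visible. As an added example (not part of the original writeup), here is a small detector over sshd auth.log lines: it counts failed logins per source address within a sliding window and raises a second, higher-priority alert when a login from that source succeeds right after the burst, which is what a guessed password looks like from the server side. The log lines are constructed for the example in sshd's standard syslog message format; the hostname “mail”, the PIDs, the addresses and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the writeup. Detects SSH password brute forcing
# (the hydra step above, seen from the server) in sshd's syslog-style auth.log lines.
# The lines below are CONSTRUCTED: host "mail", PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Aug 24 10:00:01 mail sshd[1201]: Failed password for administrator from 10.10.14.7 port 50122 ssh2
Aug 24 10:00:01 mail sshd[1202]: Failed password for administrator from 10.10.14.7 port 50123 ssh2
Aug 24 10:00:02 mail sshd[1203]: Failed password for administrator from 10.10.14.7 port 50124 ssh2
Aug 24 10:00:02 mail sshd[1204]: Failed password for administrator from 10.10.14.7 port 50125 ssh2
Aug 24 10:00:02 mail sshd[1205]: Failed password for administrator from 10.10.14.7 port 50126 ssh2
Aug 24 10:00:02 mail sshd[1206]: Failed password for administrator from 10.10.14.7 port 50127 ssh2
Aug 24 10:00:03 mail sshd[1207]: Accepted password for administrator from 10.10.14.7 port 50128 ssh2
Aug 24 10:30:00 mail sshd[1300]: Accepted publickey for cappucino from 10.10.14.9 port 40001 ssh2
Aug 24 10:31:00 mail sshd[1301]: Failed password for invalid user test from 10.10.14.9 port 40002 ssh2
Aug 24 10:31:05 mail sshd[1302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.14.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2024   # syslog timestamps carry no year, so one is assumed here

def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) tuples; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure count per source; flag bursts and any success that follows one."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of failures still inside the window
    flagged = set()
    for ts, result, user, src in sorted(events):
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, user, ts))
        elif src in flagged and recent:
            # a successful login right after a burst of failures: treat as a probable compromise
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, user, ts))
        failures[src] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(*alert)
```

On the sample, 10.10.14.7 trips the threshold on its fifth failure and then produces the `SUCCESS_AFTER_BRUTE_FORCE` alert when the password lands; the single failure from 10.10.14.9 stays below the threshold. The threshold and window are the knobs to tune; tools such as fail2ban apply the same logic and add the blocking step.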

#Task 8 Understanding MySQL

Just read the task and do some research.

#Task 9 Enumerating MySQL :

As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?

nmap -A -p- ip_add -vv

Answer : 3306

Good, now- we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”.

credentials: “root:password”

mysql -h ip -u root -p

Okay, we know that our login credentials work. Let’s quit out of this session with “exit” and launch up Metasploit.

We’re going to be using the “mysql_sql” module.

Search for, select and list the options it needs. What three options do we need to set? (in descending order).

search mysql_sql
use auxiliary/admin/mysql/mysql_sql

Answer : password/rhosts/username

Run the exploit. By default it will test with the “select version()” command, what result does this give you?

First we need to set PASSWORD, RHOSTS and USERNAME:

set password password
set rhosts ip
set username root

and run!

Answer : 5.7.29-0ubuntu0.18.04.1

Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. How many databases are returned?

Answer : 4

#Task 10 Exploiting MySQL :

First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

search mysql_schemadump

Answer : auxiliary/scanner/mysql/mysql_schemadump

Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?

Answer : x$waits_global_by_latency

Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?

search mysql_hashdump

Answer : auxiliary/scanner/mysql/mysql_hashdump

Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

The same as for the previous question:

set password password
set rhosts ip
set username root
run

Answer : carl

Answer : carl:*EA031893AA21444B170FC2162A56978B8CEECE18

Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?

echo "carl:*EA031893AA21444B170FC2162A56978B8CEECE18">hash.txt
john hash.txt

Answer : diggie
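Why does john get through this hash so quickly? The `*`-prefixed, 40-hex-character format that mysql_hashdump returned is mysql_native_password, which stores the uppercase hex of SHA1(SHA1(password)) with no salt and no work factor. The following is an added example (not from the writeup) that reproduces that scheme, checks the writeup's carl hash against the recovered password, and shows the defender's side effect of an unsalted scheme: accounts with the same password have identical hashes, so a dump exposes password reuse at a glance. The function names and the reuse demo accounts are mine.

```python
import hashlib

# Added example (not from the writeup). mysql_native_password, the scheme behind the
# hash mysql_hashdump returned above, stores '*' + uppercase hex of SHA1(SHA1(password)).
# There is no salt and no work factor, which is why john gets through it so fast.

PAGE_HASH = "*EA031893AA21444B170FC2162A56978B8CEECE18"   # the carl hash quoted in the writeup

def mysql_native_hash(password: str) -> str:
    """Reproduce MySQL's PASSWORD() / mysql_native_password output for a plaintext."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20-byte digest, not its hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def verify(candidate: str, stored: str) -> bool:
    """Check a candidate password against a stored mysql_native_password hash."""
    return mysql_native_hash(candidate) == stored.strip().upper()

def shared_password_users(user_hashes: dict) -> dict:
    """Group accounts that share a hash. With no salt, identical hashes mean identical
    passwords, so a hashdump immediately reveals reuse between accounts."""
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h.strip().upper(), []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

if __name__ == "__main__":
    # root:password is the credential pair the task uses; this is how the server stores it
    print("root:password stores as", mysql_native_hash("password"))
    print("page hash matches 'diggie':", verify("diggie", PAGE_HASH))
    # constructed reuse demo (not the room's data): two accounts with the same password
    demo = {"app": mysql_native_hash("Winter2024"),
            "backup": mysql_native_hash("Winter2024"),
            "carl": PAGE_HASH}
    print("accounts sharing a password:", shared_password_users(demo))
```

The hash for the room's `root:password` pair is the well-known `*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19`, the same on every MySQL server that uses this plugin, which is what makes precomputed and wordlist attacks cheap. MySQL 8.0 switched the default plugin to caching_sha2_password (salted, iterated SHA-256), so migrating accounts off mysql_native_password is the fix on the server side.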

Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?

What are the contents of MySQL.txt?

ssh carl@ip_address

Answer : THM{congratulations_you_got_the_mySQL_flag}

#Task 11 Further Learning

Follow Me: Linkedin
