What Does It Mean When an App Has Write and Read Com.sec Permissions

In this article, I tried to set up a write-up for the "Network Services" room ontryhackme.

[Task 1] Expanding Your Knowledge

This room will explore mutual Network Service vulnerabilities and misconfigurations, but in order to do that, nosotros'll need to do a few things get-go!

#1 Ready? Permit's get going!

Respond: No answer needed

[Task 2] Understanding SMB

SMB – Server Bulletin Block Protocol – is a client-server advice protocol used for sharing access to files, printers, serial ports and other resources on a network.

#1 What does SMB stand for?

SMB – Server Bulletin Cake Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resource on a network.

Answer: Server Message Block

#2 What type of protocol is SMB?

The SMB protocol is known as a response-asking protocol.

Respond: response-asking

#3 What do clients connect to servers using?

Clients connect to servers using TCP/IP.

ANSWER: TCP/IP

#4 What systems does Samba run on?

Samba, an open source server that supports the SMB protocol, was released for Unix systems.

Answer: Unix

[Job three] Enumerating SMB

Before we begin, make sure to deploy the room and give it some time to boot. Please be enlightened, this can accept upwardly to v minutes so be patient!

I ran the nmap query below. Merely this query took more than 20 minutes.

nmap -A -T4 -p- <machine IP>

We will reply the questions co-ordinate to the results in the pictures below.

#1 Conduct annmap scan of your choosing, How many ports are open?

Port 22, Port 139 and Port 445 are open.

ANSWER: 3

#2 What ports isSMB running on?

You lot can see the answer in the first picture in a higher place. SMB appears to be open on 2 ports.

ANSWER: 139/445

#iii Let's get started with Enum4Linux, conduct a total bones enumeration. For starters, what is theworkgroupname?

Allow's run this control.

enum4linux -A <machine IP>

The event of the command executed is every bit follows:

Answer: WORKGROUP

#4 What comes upwardly every bit thename of the machine?

ANSWER: POLOSMB

#5 What operating arrangementversion is running?

Answer: six.1

#6 What share sticks out as something nosotros might desire to investigate?

Reply: profiles

[Task 4] Exploiting SMB

While in that location are vulnerabilities such as CVE-2017-7494 that can permit remote code execution by exploiting SMB, you're more probable to encounter a situation where the best way into a system is due to misconfigurations in the system. In this case, we're going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will pb to a shell.

#ane What would exist the correct syntax to access an SMB share called "underground" as user "suit" on a machine with the IP 10.10.x.2 on the default port?

Respond: smbclient //ten.10.10.ii/secret -U suit -p 445

#ii Keen! Now you lot've got a hang of the syntax, let'southward have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

ANSWER: No respond needed

#three Does the share allow anonymous admission? Y/Due north?

Let's run this command to access "Anonymous" user. When the system inquire the password, then just click "enter". Yous don't need to enter the "password" value.

smbclient //10.10.10.two/profiles -U anonymous -p 445

ANSWER: Y

#iv Great! Have a look around for any interesting documents that could incorporate valuable information. Who can nosotros assume this profile folder belongs to?

You tin can meet the "interesting document". Let'southward get this document. You can run this command in smb.

go "Working From Home Information.txt" [output proper noun]

Allow'south read the downloaded file on our own computer. The proper name at the beginning of the text is the reply to our question.

ANSWER: John Cactus

#5 What service has been configured to let him to work from home?

The ".ssh" file is an SSH configuration file.

Respond: ssh

#6 Okay! At present we know this, what directory on the share should we look in?

Respond: .ssh

#seven This directory contains authentication keys that allow a user to authenticate themselves on, so access, a server. Which of these keys is nigh useful to usa?

Allow's cheque what is in the ".ssh" file.

Answer: id_rsa

#8 Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]". Now, utilize the information you have already gathered to piece of work out the username of the account. And then, utilise the service and key to log-in to the server. What is the smb.txt flag?

First, let'due south download the "id_rsa" and "id_rsa.pub" files to our own computer.

get id_rsa [outputname]  get id_rsa.pub [outputname]

Change the permissions of the "my_id_rsa" file to 600 using:

chmod 600 [your id_rsa file]

We tin connect with ssh considering we have "id_rsa" file of "cactus" user.

ssh -i [your id_rsa file] cactus@<targer IP>

Answer: THM{smb_is_fun_eh?}

[Chore 5] Understanding Telnet

#1What is Telnet?

Telnet is an awarding protocol.

Respond: application protocol

#twoWhat has slowly replaced Telnet?

Telnet has been replaced by SSH in most implementations.

ANSWER: ssh

#3How would you connect to a Telnet server with the IP 10.10.10.three on port 23?

Answer: telnet 10.10.10.3 23

#ivThe lack of what, means that all Telnet advice is in plaintext?

ANSWER: encryption

[Task half dozen] Enumerating Telnet

You tin can utilise this nmap scan:

nmap -T4 -p- <automobile IP>

#1How manyports are open up on the target motorcar?

ANSWER: 1

#iiWhatport is this?

ANSWER: 8012

#3This port is unassigned, only nevertheless lists theprotocol it's using, what protocol is this?

You tin encounter the reply in the second picture above.

Respond: tcp

#4Now re-run thenmap scan, without the-p- tag, how many ports show up as open up?

Answer: 0

#vHere, we encounter that past assigning telnet to anot-standard port, it is not role of the mutual ports listing, or meridian 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather hither will inform your exploitation stage.

Reply: No reply needed

#half-dozenBased on the title returned to u.s.a., what practise we retrieve this port could beused for?

According to the Nmap browse, only i port appears to be open. All other ports are airtight. In this instance, we can call the "backdoor" port only for the open up port.

Y'all tin too see the text "SKIDY'Due south Backstairs" conspicuously in the flick above.

ANSWER: a backdoor

#7Who could information technology belong to? Gathering possibleusernames is an of import step in enumeration.

You can see the name in movie to a higher place.

ANSWER: Skidy

#eightEver go along a note of data you find during your enumeration phase, so you tin refer back to it when you move on to try exploits.

Respond: No respond needed.

[Task seven] Exploiting Telnet

#1Okay, let'south try and connect to this telnet port! If you get stuck, have a expect at the syntax for connecting outlined above.

Reply: No answer needed

#2Nifty! Information technology'south an open up telnet connection! What welcome message practise we receive?

Telnet Connection = telnet <IP> <port number>

ANSWER: SKIDY'S Backdoor.

#3Allow's try executing some commands, practise we get a render on any input we enter into the telnet session? (Y/N)

ANSWER: N

#4Hmm… that's foreign. Let's check to run across if what we're typing is existence executed equally a organization control.

Answer: No answer needed

#5Start a tcpdump listener on your local machine using:"sudo tcpdump ip proto \\icmp -i tun0" This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

ANSWER: No respond needed

#6Now, utilize the command"ping [local tun0 ip] -c 1"through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/Due north)

ANSWER: Y

#viiGreat! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!

Answer: No answer needed

#8 What word does the generated payload start with?

Answer: mkfifo

#ixPerfect. We're nearly there. Now all we demand to practice is start a netcat listener on our local machine. What would the command look like for the listening port we selected in our payload?

Answer: nc -lvp 4444

#tenNifty! At present that's running, nosotros need to copy and paste our msfvenom payload into the telnet session and run it every bit a command. Hopefully- this will give u.s.a. a shell on the target machine!

Reply: No answer needed

#xiSuccess! What is the contents of flag.txt?

Respond: THM{y0u_g0t_th3_t3ln3t_fl4g}

[Task viii] Understanding FTP

#1What communications model does FTP apply?

FTP operates using a client-server protocol.

Answer: client-server

#2What's the standard FTP port?

Answer: 21

#3How many modes of FTP connection are there?

The FTP server may support either Active or Passive connections, or both.

ANSWER: two

[Chore nine] Enumerating FTP

#iRun annmap browse of your choice. How manyports are open on the target auto?

ANSWER: 2

#iiWhatport is ftp running on?