[TryHackMe][CompTIA_Pentest+][Network_Services_2]


Summary:

Enumerating and Exploiting More Common Network Services & Misconfigurations.

Tasks

Understanding NFS

Question : What does NFS stand for ?

Answer : Network File System

Question : What process allows an NFS client to interact with a remote directory as though it was a physical device ?

Answer : Mounting

Question : What does NFS use to represent files and directories on the server ?

Answer : file handle

Question : What protocol does NFS use to communicate between the server and client ?

Answer : RPC

Question : What two pieces of user data does the NFS server take as parameters for controlling user permissions ? Format: parameter 1 / parameter 2

Answer : user id / group id

Question : Can a Windows NFS server share files with a Linux client ? (Y/N)

Answer : Y

Question : Can a Linux NFS server share files with a MacOS client ? (Y/N)

Answer : Y

Question : What is the latest version of NFS ?

Answer : 4.2

Enumerating NFS

Question : Conduct a thorough port scan of your choosing, how many ports are open ?

Answer : 7

Question : Which port contains the service we’re looking to enumerate ?

Answer : 2049

Question : Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share ?

Answer : /home

Question : Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share. What is the name of the folder inside ?

Answer : cappucino

Question : Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server ?

Answer : .ssh

Question : Which of these keys is most useful to us ?

Answer : id_rsa

Question : Can we log into the machine using ssh -i @ ? (Y/N)

Answer : Y

Exploiting NFS

Question : Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit using chmod ?

Answer : s

Question : What does the permission set look like? Make sure that it ends with -sr-x.

Answer : -rwsr-sr-x

Question : Great! If all’s gone well you should have a shell as root! What’s the root flag ?

Answer : THM{nfs_got_pwned}

Understanding SMTP

Question : What does SMTP stand for ?

Answer : Simple Mail Transfer Protocol

Question : What does SMTP handle the sending of ? (answer in plural)

Answer : emails

Question : What is the first step in the SMTP process ?

Answer : SMTP handshake

Question : What is the default SMTP port ?

Answer : 25

Question : Where does the SMTP server send the email if the recipient’s server is not available ?

Answer : smtp queue

Question : On what server does the email ultimately end up ?

Answer : POP/IMAP

Question : Can a Linux machine run an SMTP server ? (Y/N)

Answer : Y

Question : Can a Windows machine run an SMTP server ? (Y/N)

Answer : Y

Enumerating SMTP

Question : First, let’s run a port scan against the target machine, same as last time. What port is SMTP running on ?

Answer : 25

Question : What command do we use to do this ?

Answer : msfconsole

Question : Let’s search for the module “smtp_version”, what’s its full module name ?

Answer : auxiliary/scanner/smtp/smtp_version

Question : Great, now select the module and list the options. How do we do this ?

Answer : options

Question : Have a look through the options, does everything seem correct? What is the option we need to set ?

Answer : RHOSTS

Question : Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name ?

Answer : polosmtp.home

Question : What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Answer : Postfix

Question : Let’s search for the module “smtp_enum”, what’s its full module name ?

Answer : auxiliary/scanner/smtp/smtp_enum

Question : What option do we need to set to the wordlist’s path ?

Answer : USER_FILE

Question : Once we’ve set this option, what is the other essential parameter we need to set ?

Answer : RHOSTS

Question : Okay! Now that’s finished, what username is returned ?

Answer : administrator

Exploiting SMTP

Question : What is the password of the user we found during our enumeration stage ?

Answer : alejandro

Question : Great! Now, let’s SSH into the server as the user. What are the contents of smtp.txt ?

Answer : THM{who_knew_email_servers_were_c00l?}

Understanding MySQL

Question : What type of software is MySQL ?

Answer : relational database management system

Question : What language is MySQL based on ?

Answer : SQL

Question : What communication model does MySQL use ?

Answer : client-server

Question : What is a common application of MySQL ?

Answer : back end database

Question : What major social network uses MySQL as their back-end database ? This will require further research.

Answer : Facebook

Enumerating MySQL

Question : As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using ?

Answer : 3306

Question : Search for, select and list the options it needs. What three options do we need to set? (in descending order).

Answer : PASSWORD/RHOSTS/USERNAME

Question : Run the exploit. By default it will test with the “select version()” command, what result does this give you ?

Answer : 5.7.29-0ubuntu0.18.04.1

Question : Change the “sql” option to “show databases”. How many databases are returned ?

Answer : 4

Exploiting MySQL

Question : First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name ?

Answer : auxiliary/scanner/mysql/mysql_schemadump

Question : What’s the name of the last table that gets dumped ?

Answer : x$waits_global_by_latency

Question : Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name ?

Answer : auxiliary/scanner/mysql/mysql_hashdump

Question : Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you ?

Answer : carl

Question : What is the user/hash combination string ?

Answer : carl:*EA031893AA21444B170FC2162A56978B8CEECE18

Question : Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found ?

Answer : doggie

Question : What are the contents of MySQL.txt ?

Answer : THM{congratulations_you_got_the_mySQL_flag}