Network Services 2 — Enumerating and Exploiting More Common Network Services & Misconfigurations |…
2023-5-15 16:29:24 Author: infosecwriteups.com Views: 23

TryHackMe’s Network Services 2 Simple Writeup by Karthikeyan Nagaraj | With All Answers

Karthikeyan Nagaraj

InfoSec Write-ups

Introduction:

  • This is a paid room on TryHackMe that covers NFS, MySQL, and SMTP basics along with enumeration techniques.
  • Make sure to substitute your own values into the command syntax shown below.
  • If you are reading this in a browser, use Ctrl+F (Find) to locate a particular sentence or command.

Make sure to Connect with TryHackMe’s VPN or start the Attackbox

=======================================================

=======================================================

What is NFS?

  • NFS stands for “Network File System” and allows a system to share directories and files with others over a network.
  • By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server.

How does NFS work?

  • First, the client will request to mount a directory from a remote host on a local directory just the same way it can mount a physical device. The mount service will then act to connect to the relevant mount daemon using RPC.
  • The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  • The file handle
  • The name of the file to be accessed
  • The user’s user ID
  • The user’s group ID

What runs NFS?

  • Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.
  • A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.

1. What does NFS stand for?

Ans: Network File System

2. What process allows an NFS client to interact with a remote directory as though it was a physical device?

Ans: Mounting

3. What does NFS use to represent files and directories on the server?

Ans: File Handle

4. What protocol does NFS use to communicate between the server and client?

Ans: RPC

5. What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

Ans: user ID / Group ID

6. Can a Windows NFS server share files with a Linux client? (Y/N)

Ans: Y

7. Can a Linux NFS server share files with a MacOS client? (Y/N)

Ans: Y

8. What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

Ans: 4.2

=======================================================

=======================================================

Basic Recon — Nmap:

┌──(cyberw1ng㉿root)-[~]
└─$ nmap -A -p- 10.10.29.192

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 73928e04de40fb9c90f9cf4270c845a7 (RSA)
| 256 6d63d6b80a67fd86f122302b2d271eff (ECDSA)
|_ 256 bd089779630f807c7fe850dc59cf395e (ED25519)

111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 51273/udp6 mountd
| 100005 1,2,3 53549/udp mountd
| 100005 1,2,3 54917/tcp mountd
| 100005 1,2,3 59775/tcp6 mountd
| 100021 1,3,4 33165/tcp nlockmgr
| 100021 1,3,4 36461/tcp6 nlockmgr
| 100021 1,3,4 39435/udp nlockmgr
| 100021 1,3,4 40194/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl

2049/tcp open nfs_acl 3 (RPC #100227)

33165/tcp open nlockmgr 1-4 (RPC #100021)

45889/tcp open mountd 1-3 (RPC #100005)

54215/tcp open mountd 1-3 (RPC #100005)

54917/tcp open mountd 1-3 (RPC #100005)

1. Conduct a thorough port scan of your choosing, how many ports are open?

Ans: 7

2. Which port contains the service we’re looking to enumerate?

Ans: 2049

3. Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

Open a Terminal and Execute the Below Command

/usr/sbin/showmount -e <MACHINE-IP>

Ans: /home

Time to mount the share to our local machine!

First, use “mkdir /tmp/mount” to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.

Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share-

4. what is the name of the folder inside?

mkdir /tmp/mount
sudo mount -t nfs <IP>:/home /tmp/mount/

cd /tmp/mount
ls

Ans: cappucino

Interesting! Let’s do a bit of research now, have a look through the folders.

5. Which of these folders could contain keys that would give us remote access to the server?

There will be some hidden files inside /home directory

Ans: .ssh

6. Which of these keys is most useful to us?

Navigate into .ssh

Ans: id_rsa

Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.

7. Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)

We are In : )

Ans: Y

=======================================================

=======================================================

1. Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit using chmod?

Ans: s

2. Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

Download the File Here into the /tmp/mount

Ans: -rwSr-Sr-x

3. Great! If all’s gone well you should have a shell as root! What’s the root flag?

Now Let’s get into the machine using ssh

we have the bash now

Ans: THM{nfs_got_pwned}
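
The SUID step above depends on the export being configured with `no_root_squash`, which stops the server from mapping a client's UID 0 to an unprivileged user. As an added example (not from the original write-up or the room), this audits an `/etc/exports` file for that option and for shares open to any host; the sample file is constructed, since the page never shows the server's real one.

```python
import re

# Constructed sample; the write-up never shows the server's real /etc/exports.
SAMPLE_EXPORTS = """\
# path        client(options) ...
/home         *(rw,sync,no_root_squash)
/srv/builds   10.10.0.0/24(ro,sync,root_squash)
/srv/scratch  10.10.0.7(rw,sync) (rw)
"""

# One client token: optional host/network spec, optional (comma,separated,options).
CLIENT_RE = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return (line_no, path, client, issue) tuples for risky export entries.

    Assumes one export per line; backslash continuations are not handled.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = CLIENT_RE.match(token)
            if match is None:
                findings.append((line_no, path, token, "unparsed"))
                continue
            # A bare "(opts)" token has no host, so it applies to every client.
            client = match.group("client") or "*"
            opts = set(filter(None, (match.group("opts") or "").split(",")))
            if "no_root_squash" in opts:
                # Client-side root keeps UID 0 on the share: it can create
                # root-owned SUID files there, as the walkthrough does with bash.
                findings.append((line_no, path, client, "no_root_squash"))
            if client == "*":
                issue = "world-writable" if "rw" in opts else "world-mountable"
                findings.append((line_no, path, client, issue))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

Removing `no_root_squash` (root squashing is the default), naming specific clients instead of `*`, and keeping private keys out of exported home directories close the path this section walks through.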

=======================================================

=======================================================

What is SMTP?

  • SMTP stands for “Simple Mail Transfer Protocol”. It is utilised to handle the sending of emails. In order to support email services, a protocol pair is required, comprising SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.

The SMTP server performs three basic functions:

  • It verifies who is sending emails through the SMTP server.
  • It sends the outgoing mail
  • If the outgoing mail can’t be delivered it sends the message back to the sender

Process of SMTP:

  1. The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port, which is usually 25. Once these connections have been made and validated, the SMTP session starts.
  2. The process of sending mail can now begin. The client first submits the sender’s and recipient’s email addresses, the body of the email and any attachments to the server.
  3. The SMTP server then checks whether the domain name of the recipient and the sender is the same.
  4. The SMTP server of the sender will make a connection to the recipient’s SMTP server before relaying the email. If the recipient’s server can’t be accessed, or is not available- the Email gets put into an SMTP queue.
  5. Then, the recipient’s SMTP server will verify the incoming email. It does this by checking if the domain and user name have been recognised. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.
  6. The E-Mail will then show up in the recipient’s inbox.

What runs SMTP?

SMTP Server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

1. What does SMTP stand for?

Ans: Simple Mail Transfer Protocol

2. What does SMTP handle the sending of? (answer in plural)

Ans: Emails

3. What is the first step in the SMTP process?

Ans: smtp handshake

4. What is the default SMTP port?

Ans: 25

5. Where does the SMTP server send the email if the recipient’s server is not available?

Ans: smtp queue

6. On what server does the Email ultimately end up on?

Ans: pop/imap

7. Can a Linux machine run an SMTP server? (Y/N)

Ans: Y

8. Can a Windows machine run an SMTP server? (Y/N)

Ans: Y

=======================================================

=======================================================

Basic Recon — Nmap:

nmap -sC <MACHINE-IP>

Nmap scan report for 10.10.218.140 (10.10.218.140)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 62a7031339085a07801ae527ee9b225d (RSA)
| 256 89d0409215093970176ec5de5b59eecb (ECDSA)
|_ 256 567cd0c4952b77dd53d6e6739924f686 (ED25519)

25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=polosmtp
| Subject Alternative Name: DNS:polosmtp
| Not valid before: 2020-04-22T18:38:06
|_Not valid after: 2030-04-20T18:38:06
|_smtp-commands: polosmtp.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time

Service Info: Host: polosmtp.home; OS: Linux; CPE: cpe:/o:linux:linux_kernel

1. First, let’s run a port scan against the target machine, same as last time. What port is SMTP running on?

Ans: 25

2. Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

Ans: msfconsole

3. Let’s search for the module “smtp_version”, what’s its full module name?

Ans: auxiliary/scanner/smtp/smtp_version

4. Great, now- select the module and list the options. How do we do this?

Ans: options

5. Have a look through the options, does everything seem correct? What is the option we need to set?

Ans: RHOSTS

6. Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

Research On Google about It

Ans: polosmtp.home

7. What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Ans: postfix

8. Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s its full module name?

Ans: auxiliary/scanner/smtp/smtp_enum

We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).

Seclists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install seclists with: “sudo apt install seclists” Alternatively, you can download the repository from here.

9. What option do we need to set to the wordlist’s path?

Ans: USER_FILE

10. Once we’ve set this option, what is the other essential parameter we need to set?

Ans: RHOSTS

11. Okay! Now that’s finished, what username is returned?

  1. Set the RHOST
  2. Run the module

Ans: administrator

=======================================================

=======================================================

1. What is the password of the user we found during our enumeration stage?

hydra -l administrator -P /usr/share/wordlists/rockyou.txt <MACHINE-IP> ssh

Ans: alejandro

2. Great! Now, let’s SSH into the server as the user. What are the contents of smtp.txt?

Let’s Connect with SSH

Ans: THM{who_knew_email_servers_were_c00l?}
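
The password-guessing run above leaves a burst of `Failed password` entries in the target's sshd log, followed by one `Accepted password` entry when a guess lands. As an added example (not from the original write-up), this is detection logic for that pattern; the log lines and source addresses are constructed, and only the hostname `polosmtp` and the user `administrator` come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines: six quick failures, then a success.
SAMPLE_LOG = [
    f"May 15 16:30:{s:02d} polosmtp sshd[2101]: Failed password for administrator "
    f"from 10.10.0.5 port {40000 + s} ssh2" for s in range(0, 12, 2)
] + [
    "May 15 16:30:11 polosmtp sshd[2101]: Accepted password for administrator from 10.10.0.5 port 40012 ssh2",
    "May 15 16:31:40 polosmtp sshd[2188]: Failed password for invalid user bob from 10.10.0.9 port 51514 ssh2",
    "May 15 16:45:02 polosmtp sshd[2290]: Failed password for administrator from 10.10.0.9 port 51600 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2023):
    """Return [(ip, user, guessed)] for each source/user pair with at least
    `threshold` failures inside `window`; `guessed` is True when a login from
    the same source succeeded at or after the point the threshold was hit."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        bucket = failed if m["result"] == "Failed" else accepted
        bucket[(m["ip"], m["user"])].append(ts)

    alerts = []
    for key, stamps in failed.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                guessed = any(ok >= ts for ok in accepted[key])
                alerts.append((*key, guessed))
                break
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An alert with `guessed` set to True is the case to escalate first, because the account's password is now known to the source address.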

=======================================================

=======================================================

What is MySQL?

In its simplest definition, MySQL is a Relational Database Management System (RDBMS) based on Structured Query Language (SQL). Too many acronyms? Let’s break it down:

SQL:

  • MySQL is just a brand name for one of the most popular RDBMS software implementations.
  • As we know, it uses a client-server model. But how do the client and server communicate? They use a language, specifically the Structured Query Language (SQL).
  • Many other products, such as PostgreSQL and Microsoft SQL server, have the word SQL in them. This similarly signifies that this is a product utilising the Structured Query Language syntax.

What runs MySQL?

  • MySQL can run on various platforms, whether it’s Linux or Windows.
  • It is commonly used as a back end database for many prominent websites and forms an essential component of the LAMP stack, which includes: Linux, Apache, MySQL, and PHP.

************************************************************

1. What type of software is MySQL?

Ans: Relational database management system

2. What language is MySQL based on?

Ans: SQL

3. What communication model does MySQL use?

Ans: client-server

4. What is a common application of MySQL?

Ans: back end databases

5. What major social network uses MySQL as their back-end database? This will require further research.

Ans: Facebook

=======================================================

=======================================================

The Scenario

  • Typically, you will have gained some initial credentials from enumerating other services that you can then use to enumerate and exploit the MySQL service.
  • As this room focuses on exploiting and enumerating the network service, for the sake of the scenario, we’re going to assume that you found the credentials “root:password” while enumerating subdomains of a web server.
  • After trying the login against SSH unsuccessfully, you decide to try it against MySQL.

Basic Recon — Nmap:

nmap -sC -sV <Machine-IP>

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0636562ff0d4a4d2ab6a433ec0f99b2d (RSA)
| 256 30bdbe28bd32dcf6ff28b2575731d9cf (ECDSA)
|_ 256 f23b824a5cd21819891fcd920ac7cf65 (ED25519)

3306/tcp open mysql MySQL 5.7.29-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.29-0ubuntu0.18.04.1
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, SupportsCompression, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, LongPassword, ConnectWithDatabase, FoundRows, Speaks41ProtocolOld, LongColumnFlag, SupportsTransactions, DontAllowDatabaseTableColumn, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, Support41Auth, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: 3\x0FXEZM\x1F\x1DP\x7F"GL<\x1BXs\x7Fl3
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.29_Auto_Generated_Server_Certificate
| Not valid before: 2020-04-23T10:13:27
|_Not valid after: 2030-04-21T10:13:27

1. As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on.

What port is MySQL using?

Ans: 3306

  • Good, now- we think we have a set of credentials. Let’s double-check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”
  • Okay, we know that our login credentials work. Let's quit this session with “exit” and launch up Metasploit.

2. We’re going to be using the “mysql_sql” module. Search for, select, and list the options it needs. What three options do we need to set? (in descending order).

Ans: PASSWORD/RHOSTS/USERNAME

3. Run the exploit. By default, it will test with the “select version()” command, what result does this give you?

set USERNAME root
set PASSWORD password
set RHOST <Machine-IP>

Ans: 5.7.29-0ubuntu0.18.04.1

4. Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “SQL” option to “show databases”. How many databases are returned?

Ans: 4

=======================================================

=======================================================

1. First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

Ans: auxiliary/scanner/mysql/mysql_schemadump

2. Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?

Ans: x$waits_global_by_latency

3. Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?

Ans: auxiliary/scanner/mysql/mysql_hashdump

4. Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

Ans: carl

5. Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”.

What is the user/hash combination string?

Ans: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

6. Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?

Ans: doggie

7. Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?

What’s the contents of MySQL.txt

We know that the machine is running ssh, so let’s login with the credentials we got

Ans: THM{congratulations_you_got_the_mySQL_flag}
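
The dumped hash falls so quickly because `mysql_native_password` (the auth plugin shown in the Nmap output above) stores `*` followed by the hex of SHA1(SHA1(password)) with no salt, so equal passwords always produce equal hashes. As an added example (not from the original write-up), this is a DBA-side audit of a `user:*HASH` dump for denylisted and shared passwords; every account except `carl` is constructed.

```python
import hashlib
from collections import defaultdict


def mysql_native_hash(password):
    """'*' + upper-case hex of SHA1(SHA1(password)); the scheme has no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_hashdump(lines, denylist):
    """Audit 'user:*HASH' lines (the hash.txt format used above).

    Returns (weak, shared): accounts whose hash matches a denylisted
    password, and groups of accounts that share one hash.
    """
    bad = {mysql_native_hash(p) for p in denylist}
    by_hash = defaultdict(list)
    for line in lines:
        user, _, digest = line.strip().partition(":")
        # 41 characters: '*' plus 40 hex digits of the outer SHA-1.
        if digest.startswith("*") and len(digest) == 41:
            by_hash[digest.upper()].append(user)
    weak = sorted(u for h, users in by_hash.items() if h in bad for u in users)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return weak, shared


# carl's line is the one from the write-up; the other accounts are constructed.
SAMPLE_DUMP = [
    "carl:*EA031893AA21444B170FC2162A56978B8CEECE18",
    "report_ro:" + mysql_native_hash("password"),
    "etl_job:" + mysql_native_hash("password"),
    "app_rw:" + mysql_native_hash("constructed long passphrase 7#Xq"),
]
# Constructed denylist; "doggie" is the password recovered in the write-up.
DENYLIST = ["password", "123456", "doggie"]

if __name__ == "__main__":
    weak, shared = audit_hashdump(SAMPLE_DUMP, DENYLIST)
    print("denylisted:", weak)
    print("shared hash:", shared)
```

`caching_sha2_password`, the default plugin since MySQL 8.0, salts its stored hashes, so the shared-hash check only applies to accounts still on `mysql_native_password`.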

Feel Free to Ask Queries via LinkedIn and to Buy me Coffee : )

Thank you for Reading!!

Happy Learning and Enumeration ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Article source: https://infosecwriteups.com/network-services-2-enumerating-and-exploiting-more-common-network-services-misconfigurations-e1625e1dd604?source=rss----7b722bfd1b8d--bug_bounty