Conduct an nmap scan of your choosing, How many ports are open?
What ports is SMB running on?
For the first two questions, we look at the output below.
"3"
"139/445"
Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
For the next question, we use the command "enum4linux 10.10.42.92".
"workgroup"
What comes up as the name of the machine?
"POLOSMB"
What operating system version is running?
"6.1"
What share sticks out as something we might want to investigate?
"Profiles"
Task 4 Exploiting SMB
What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
“smbclient //10.10.10.2/secret -U suit -p”
Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.
No answer needed
Does the share allow anonymous access? Y/N?
"Y"
The only file we have permission is "Working From".
Let's throw this file on our own machine to read it.
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
“John Cactus”
What service has been configured to allow him to work from home?
“ssh”
Okay! Now we know this, what directory on the share should we look in?
“.ssh”
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
“id_rsa”
What is the smb.txt flag?
“THM{smb_is_fun_eh?}”
Task 5 Understanding Telnet
What is Telnet?
“application protocol”
What has slowly replaced Telnet?
“ssh”
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
“telnet ip 10.10.10.3 -p 23”
The lack of what, means that all Telnet communication is in plaintext?
“Encryption”
Task 6 Enumerating Telnet
How many ports are open on the target machine?
“1”
What port is this?
“8012”
This port is unassigned, but still lists the protocol it's using, what protocol is this?
“tcp”
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
“0”
No answer needed
Based on the title returned to us, what do we think this port could be used for?
For this and the following questions, we can look at the old scan results.
“a backdoor”
Who could it belong to? Gathering possible usernames is an important step in enumeration.
“skidy”
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
No answer needed
Task 7 Exploiting Telnet
Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
No answer needed
Great! It's an open telnet connection! What welcome message do we receive?
“SKIDY’S BACKDOOR”
Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
"n"
Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.
No answer needed
This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
No answer needed
Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
"y"
Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!
No answer needed
We're going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. What word does the generated payload start with?
“mkfifo”
What would the command look like for the listening port we selected in our payload?
“nc -lvp 4444”
Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!
No answer needed
Success! What is the contents of flag.txt?
“THM{y0u_g0t_th3_t3ln3t_fl4g}”
Task 8 Understanding FTP
What communications model does FTP use?
“client-server”
What's the standard FTP port?
“21”
How many modes of FTP connection are there?
“2”
Task 9 Enumerating FTP
Run an nmap scan of your choice.
How many ports are open on the target machine?
“2”
What port is ftp running on?
“21”
What variant of FTP is running on it?
“vsftpd”
What is the name of the file in the anonymous FTP directory?
“PUBLIC_NOTICE.txt”
What do we think a possible username could be?
“mike”
Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...
