Task 1 Get Connected

No answer needed

Task 2 Understanding NFS

 

What does NFS stand for?

"Network File System"

What process allows an NFS client to interact with a remote directory as though it was a physical device?

"Mounting"

What does NFS use to represent files and directories on the server?

"file handle"

What protocol does NFS use to communicate between the server and client?

"Rpc"

What two pieces of user data does the NFS server take as parameters for controlling user permissions?

"user id / group id"

Can a Windows NFS server share files with a Linux client? (Y/N)

"Y"

Can a Linux NFS server share files with a MacOS client? (Y/N)

"Y"

What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

"4.2"

Task 3 Enumerating NFS

 

Conduct a thorough port scan scan of your choosing, how many ports are open?

"7"

Which port contains the service we're looking to enumerate?

 

 

"2049"

Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

 

 

"/home"

Time to mount the share to our local machine! Change directory to where you mounted the share- what is the name of the folder inside?

 

 

 

"cappucino"

Which of these keys is most useful to us?

"id_rsa"

Can we log into the machine using ssh -i @ ? (Y/N)

 

 

"Y"

Task 4 Exploiting NFS

 

What letter do we use to set the SUID bit set using chmod?

"s"

What letter do we use to set the SUID bit set using chmod?

"-rwsr-sr-x"

Great! If all's gone well you should have a shell as root! What's the root flag?

"THM{nfs_got_pwned}"

Task 5 Understanding SMTP

 

What does SMTP stand for?

“Simple Mail Transfer Protocol”

What does SMTP handle the sending of? (answer in plural)

“Emails”

What is the first step in the SMTP process?

“SMTP handshake”

What is the default SMTP port?

“25”

Where does the SMTP server send the email if the recipient's server is not available?

“SMTP queue”

On what server does the Email ultimately end up on?

“POP/IMAP”

Can a Linux machine run an SMTP server? (Y/N)

“Y”

Can a Windows machine run an SMTP server? (Y/N)

“Y”

Task 6 Enumerating SMTP

 

First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

“25”

Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

“msfconsole”

Let's search for the module "smtp_version", what's it's full module name?

 

 

“auxiliary/scanner/smtp/smtp_version”

Great, now- select the module and list the options. How do we do this?

“Options”

Have a look through the options, does everything seem correct? What is the option we need to set?

 

 

“rhosts”

Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?

 

 

"polosmtp.home”

What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

“postfix”

What option do we need to set to the wordlist's path?

“USER_FILE”

Once we've set this option, what is the other essential paramater we need to set?

“Rhosts”

Keep yourself hydrated!

No answer needed

 

   

Okay! Now that's finished, what username is returned?

“administrator”

Task 7 Exploiting SMTP

 

The syntax for the command we're going to use to find the passwords is this:

hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.88.11 ssh

 

 

 

 

What is the password of the user we found during our enumeration stage?

“alejandro”

Great! Now, let's SSH into the server as the user, what is contents of smtp.txt

"THM{who_knew_email_servers_were_c00l?}"

Task 8 Understanding MySQL

 

What type of software is MySQL?

“relational database management system”

What language is MySQL based on?

“sql”

What communication model does MySQL use?

“client-server”

What is a common application of MySQL?

“back end database”

What major social network uses MySQL as their back-end database? This will require further research.

“Facebook”

Task 9 Enumerating MySQL

 

As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?

 

"3306"

Search for, select and list the options it needs. What three options do we need to set?

 

“password/rhosts/username”

Run the exploit. By default it will test with the "select version()" command, what result does this give you?

 

“5.7.29-0ubuntu0.18.04.1”

Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". how many databases are returned?

 

“4”

Task 10 Exploiting MySQL

 

First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

 

“auxiliary/scanner/mysql/mysql_schemadump”

Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?

 

 

“x$waits_global_by_latency”

Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. What's the module's full name?

 

“auxiliary/scanner/mysql/mysql_hashdump”

Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

 

“carl”

What is the user/hash combination string?

 

“carl:*EA031893AA21444B170FC2162A56978B8CEECE18”

Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?

 

“doggie”

What's the contents of MySQL.txt?

 

“THM{congratulations_you_got_the_mySQL_flag}”

Task 11 Further Learning

 

Congratulations! You did it!

No answer needed