Task 2 → Understanding NFS
NFS stands for “Network File System” which supports a system
over a network to exchange archives and data with others. Users and applications will view files on remote systems almost as if they were local files through the use of NFS. This is done by mounting all or apart of a file system on a server. Clients with whatever rights are allocated to each file. Will access the part of the file system that’s installed.
What does NFS stand for?
Network File System
What process allows an NFS client to interact with a remote directory as though it was a physical device?
What does NFS use to represent files and directories on the server?
What protocol does NFS use to communicate between the server and client?
What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
user id / group id
Can a Windows NFS server share files with a Linux client? (Y/N)
Can a Linux NFS server share files with a MacOS client? (Y/N)
What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
Task 3 → Enumerating NFS
before doing anything first we need to do an Nmap scan to find out what are the services running on open ports.
command for scan is Nmap -A <IP> -p- -Pn
this what we get after running a Nmap scan.
Conduct a thorough port scan scan of your choosing, how many ports are open?
Which port contains the service we’re looking to enumerate?
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?
according to above result it shows /home there for answer is /home
Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?
the folder was inside the first dot(.) directory so lets do
cd . command to get in and the folder was cappucino
answer is cappucino
Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
Which of these keys is most useful to us?
there are 3 type of keys those are authorized_keys, id_rsa ,id_rsa.pub
authorized_keys —> An authorized key in SSH is a public key used for granting login access to users
id_rsa →this is the private key of the user which used to login to the system
id_rsa.pub →this is the key that used send others to encrypt when they send message to us.
answer is id_rsa
Now we need to change the permison of the key using chmod command
chmod 600 id_rsa
Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)
task 4 → Exploiting NFS
Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?
Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.
To get this you need to run the command ls -la then it shows all the permission file has.
in here we have mount the file with server life there for what ever the change we make in our local machine’s mount folder that change may take place in the server.
Great! If all’s gone well you should have a shell as root! What’s the root flag?
task 5 → Understanding SMTP
SMTP stands for “Simple Mail Transfer Protocol”. It is utilised to handle the sending of emails. In order to support email services, a protocol pair is required, comprising of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.
What does SMTP stand for?
Simple Mail Transfer Protocol
What does SMTP handle the sending of?
What is the first step in the SMTP process?
What is the default SMTP port?
Where does the SMTP server send the email if the recipient’s server is not available?
On what server does the Email ultimately end up on?
Can a Linux machine run an SMTP server? (Y/N)
Can a Windows machine run an SMTP server? (Y/N)
Task 6 → enumerating SMTP
First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?
Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?
Let’s search for the module “smtp_version”, what’s it’s full module name?
Great, now- select the module and list the options. How do we do this?
Have a look through the options, does everything seem correct? What is the option we need to set?
Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?
What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s it’s full module name?
What option do we need to set to the wordlist’s path?
Once we’ve set this option, what is the other essential paramater we need to set?
Okay! Now that’s finished, what username is returned?
administrator (shown in above picture )
Task 7 →Exploiting SMTP
What is the password of the user we found during our enumeration stage?
Great! Now, let’s SSH into the server as the user, what is contents of smtp.txt
Task 8 → Understanding MySQL
What type of software is MySQL?
relational database management system
What language is MySQL based on?
What communication model does MySQL use?
What is a common application of MySQL?
back end database
What major social network uses MySQL as their back-end database? This will require further research.
Task 9 → Enumerating MySQL
As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?
Good, now- we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”
mysql -h <IP> -u root -p
We’re going to be using the “mysql_sql” module.
Run the exploit. By default it will test with the “select module()” command, what result does this give you?
Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. how many databases are returned?
First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?
Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?
Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?
Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”.
What is the user/hash combination string?
Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?
What’s the contents of MySQL.txt
see you in another blog…..