Network Services — Try Hack Me Room
Task 3 → Understanding SMB
SMB stands for Server Message Block, a protocol used for sharing files over a network.
What does SMB stand for?
Server Message Block
What type of protocol is SMB?
response-request
What do clients connect to servers using?
TCP/IP
What systems does Samba run on?
Unix
Task 4 → Enumerating SMB
Enumeration is the process of gathering information about the target system. There are a lot of ways to do this, such as port scans, network scans and system scans. In this room they mention using Enum4Linux. There are newer tools for this, like linpeas, which are more effective.
Conduct an nmap scan of your choosing, How many ports are open?
3 ports
What ports is SMB running on?
In the nmap result there are 2 ports running SMB services; those are
139/445
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
WORKGROUP
What comes up as the name of the machine?
POLOSMB
What operating system version is running?
6.1
What share sticks out as something we might want to investigate?
These are the services shared on the network. Identifying the users is one of the most important things in enumeration, so here the answer is profiles.
Task 5 → Exploiting SMB
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445 (port 139 can also be used for the -p option)
Does the share allow anonymous access? Y/N?
Y
In the previous task we found 4 SMB shares, so to connect to the server I am going to use the share name called profiles.
There are a lot of files in that folder. There is an interesting file called Working From Home Information.txt, so let's download it using
get “Working From Home Information.txt” <OUTPUT>.txt
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus
What service has been configured to allow him to work from home?
ssh
Okay! Now we know this, what directory on the share should we look in?
.ssh
Now that we have downloaded the ssh key, we need to give the key the proper permissions and then log in to the system.
chmod 600 <key>
ssh -i <key> cactus@<IP>
What is the smb.txt flag?
THM{smb_is_fun_eh?}
Task 6 → Understanding Telnet
What is Telnet?
application protocol
What has slowly replaced Telnet?
ssh
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?
encryption
Task 7 → Enumerating Telnet
How many ports are open on the target machine?
1
What port is this?
8012
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
tcp
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
0
The reason it returns 0 is that the firewall is blocking all the pings, so the host is treated as down. Therefore we need to add
-Pn, which skips the ping (host discovery) step and scans the host anyway
Based on the title returned to us, what do we think this port could be used for?
a backdoor
Who could it belong to? Gathering possible usernames is an important step in enumeration.
SKIDY
Task 8 → Exploiting Telnet
Great! It’s an open telnet connection! What welcome message do we receive?
SKIDY’S BACKDOOR.
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
N
Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
ping command in the telnet session
→ .RUN ping <Tun0_IP> -c 1
Y
What word does the generated payload start with?
mkfifo
What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Success! What is the contents of flag.txt?
THM{y0u_g0t_th3_t3ln3t_fl4g}
Task 9 → Understanding FTP
FTP stands for File Transfer Protocol and is used to transfer files over a network. It uses a client-server model to transfer files. There are 2 types of FTP connection modes:
Active FTP and Passive FTP
Active FTP → In an Active FTP connection, the client opens a port and listens on it. The server then connects to that port for the data transfer.
Passive FTP → In a Passive FTP connection, the server opens a port and listens (passively), and the client connects to it.
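The difference between the two modes is visible in the two control-channel messages that set up the data connection. As an added example (not part of the room or this write-up), the Python below decodes a server's 227 passive-mode reply into the host and port the client must connect to, builds the PORT command a client sends in active mode, and checks the caveat a careful client applies: the address in a PASV reply should match the server the control connection already talks to. The 227 reply and addresses are constructed sample values.

```python
import re
import socket
from typing import Tuple

# Constructed sample reply to PASV (not from the room). RFC 959 encodes the
# data port as p1*256 + p2, so (156,64) means port 156*256 + 64 = 40000.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,10,10,3,156,64)."

PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Passive mode: the server listens; return (host, port) the client must connect to."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field out of byte range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply names port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def build_port_command(host: str, port: int) -> str:
    """Active mode: the client listens and tells the server where to connect back."""
    try:
        packed = socket.inet_aton(host)  # 4 raw octets
    except OSError as exc:
        raise ValueError(f"not an IPv4 address: {host!r}") from exc
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ",".join(str(b) for b in packed)
    return f"PORT {octets},{port // 256},{port % 256}"


def pasv_target_is_trusted(control_host: str, reply: str) -> bool:
    """Defensive check: only follow a PASV reply that points back at the server
    we are already talking to. A reply naming a different host would make the
    client open a data connection to a third party."""
    host, _port = parse_pasv_reply(reply)
    return host == control_host


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))          # ('10.10.10.3', 40000)
    print(build_port_command("10.10.10.5", 40000))      # PORT 10,10,10,5,156,64
    print(pasv_target_is_trusted("10.10.10.3", SAMPLE_PASV_REPLY))  # True
```

In active mode the server initiates the data connection towards the client, which is why a client behind a firewall or NAT usually cannot use it and most clients default to passive mode today.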
What communications model does FTP use?
client-server
What’s the standard FTP port?
21
How many modes of FTP connection are there?
2
Task 10 → Enumerating FTP
How many ports are open on the target machine?
2
What port is ftp running on?
21
What variant of FTP is running on it?
vsftpd
What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt; to download the file use get <FILE_NAME>
What do we think a possible username could be?
mike
Task 11 → Exploiting FTP
To brute force the password use this command
hydra -t 4 -l <USER_NAME> -P /usr/share/wordlists/rockyou.txt -vV <IP> ftp
What is the password for the user “mike”?
password
What is ftp.txt?
When you connect to the FTP server using mike as the username and password as the password, run ls to find ftp.txt and download it; then you can read the flag.
THM{y0u_g0t_th3_ftp_fl4g}
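The brute-force step above is loud from the server's side: every guess is a FAIL LOGIN line in vsftpd's log, and the guessed password shows up as an OK LOGIN right after the burst. As an added example (my own code, not part of the room), the Python below parses a constructed sample of vsftpd.log lines, flags any client with a threshold of failed logins inside a short window, and reports whether the burst ended in a successful login. The log lines, addresses and usernames are constructed; the line layout follows the vsftpd log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of vsftpd.log lines (not from the room's machine).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 1201] CONNECT: Client "10.10.1.5"
Mon Mar  4 10:00:01 2024 [pid 1200] [mike] FAIL LOGIN: Client "10.10.1.5"
Mon Mar  4 10:00:02 2024 [pid 1203] [mike] FAIL LOGIN: Client "10.10.1.5"
Mon Mar  4 10:00:02 2024 [pid 1205] [mike] FAIL LOGIN: Client "10.10.1.5"
Mon Mar  4 10:00:03 2024 [pid 1207] [mike] FAIL LOGIN: Client "10.10.1.5"
Mon Mar  4 10:00:03 2024 [pid 1209] [mike] FAIL LOGIN: Client "10.10.1.5"
Mon Mar  4 10:00:04 2024 [pid 1211] [mike] OK LOGIN: Client "10.10.1.5"
Mon Mar  4 10:05:00 2024 [pid 1300] [anonymous] OK LOGIN: Client "10.10.2.9"
Mon Mar  4 10:06:00 2024 [pid 1302] [alice] FAIL LOGIN: Client "10.10.2.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>OK LOGIN|FAIL LOGIN|CONNECT): Client "(?P<client>[^"]+)"$'
)


def parse_line(line):
    """Return a dict for a recognised vsftpd line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "event": m["event"], "client": m["client"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag clients with at least `threshold` FAIL LOGIN events inside any
    `window_seconds` span, and record whether an OK LOGIN followed the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["event"] == "FAIL LOGIN"]
        burst_end = None
        # Sliding window over the failure timestamps: the i-th and the
        # (i+threshold-1)-th failure must lie within the window.
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_seconds:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue
        success = next(
            (e for e in evs if e["event"] == "OK LOGIN" and e["ts"] >= burst_end), None
        )
        alerts[client] = {
            "failed_logins": len(fails),
            "users_tried": sorted({e["user"] for e in evs if e["event"] == "FAIL LOGIN"}),
            "success_after_burst": success["user"] if success else None,
        }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(client, info)
```

The "success after burst" field is the part worth alerting on: a run of failures that ends in OK LOGIN is the signature of a guessed password, and the same pattern is what fail2ban-style rate limiting on the FTP service is meant to cut off before it gets that far.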
See you in another blog…..!!