Task 3 → Understanding SMB
SMB means Server Message Block, a protocol used as a network file sharing method.
What does SMB stand for?
Server Message Block
What type of protocol is SMB?
What do clients connect to servers using?
What systems does Samba run on?
Task 4 → Enumerating SMB
Enumeration is the process of gathering information about the target system. There are a lot of ways to do this, such as port scans, network scans and system scans. In this room they mention using Enum4Linux. There are newer tools for this, like linpeas, which is more effective.
Conduct an nmap scan of your choosing, How many ports are open?
What ports is SMB running on?
In the nmap result there are 2 ports running SMB services; those are
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
What comes up as the name of the machine?
What operating system version is running?
What share sticks out as something we might want to investigate?
These are the shares on the network. Identifying the users is one of the most important things in enumeration, so the answer here is profiles.
Task 5 → Exploiting SMB
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445 (for the port you can also use 139)
Does the share allow anonymous access? Y/N?
In the previous task we found 4 SMB shares, so to connect to that server I am going to use the share name profiles.
There are a lot of files in that folder. There is an interesting file called Working From Home Information.txt, so let's download it using
get "Working From Home Information.txt" <OUTPUT>.txt
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
What service has been configured to allow him to work from home?
Okay! Now we know this, what directory on the share should we look in?
Now we have downloaded the SSH key; next we need to give the key the proper permissions and log in to the system.
chmod 600 <key>
ssh -i <key> cactus@<IP>
What is the smb.txt flag?
Task 6 → Understanding Telnet
What is Telnet?
What has slowly replaced Telnet?
How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
telnet 10.10.10.3 23
The lack of what, means that all Telnet communication is in plaintext?
Task 7 → Enumerating Telnet
How many ports are open on the target machine?
What port is this?
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
The reason it returns 0 is that the firewall is blocking all the pings. Therefore we need to add
-Pn so nmap skips the ping check and scans the host anyway
Based on the title returned to us, what do we think this port could be used for?
Who could it belong to? Gathering possible usernames is an important step in enumeration.
Task 8 → Exploiting Telnet
Great! It’s an open telnet connection! What welcome message do we receive?
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
ping command in the telnet session
→.RUN ping <Tun0_IP> -c 1
What word does the generated payload start with?
What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
Success! What is the contents of flag.txt?
Task 9 → Understanding FTP
FTP means File Transfer Protocol, used to transfer files over a network. It uses a client-server model to transfer files. There are 2 types of FTP connection modes:
Active FTP and Passive FTP
Active FTP → In an active FTP connection, the client opens a port and listens on it. The server must connect to that port.
Passive FTP → In a passive FTP connection, the server opens a port and listens (passively), and the client connects to it.
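To make the difference between the two modes concrete, here is an added example (not part of the original room or this write-up) that decodes the data-channel endpoints FTP negotiates on the control channel: the client's PORT command in active mode and the server's 227 reply in passive mode. Both encode the address and port as six decimal fields h1,h2,h3,h4,p1,p2, where the port is p1*256+p2. The session lines below are constructed, not captured from any machine, and the function and class names are my own.

```python
"""Decode the FTP data-channel endpoints for active (PORT) and passive (PASV) mode."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2: four address octets and two port bytes.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str      # "active" or "passive"
    listener: str  # which side opens the listening port ("client" or "server")
    host: str      # address the data connection is made to
    port: int      # TCP port the data connection is made to


def decode_hostport(text: str) -> Tuple[str, int]:
    """Extract the h1,h2,h3,h4,p1,p2 fields from a control-channel line and compute the port."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 fields in: {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> DataChannel:
    """Active mode: the client sends PORT and listens on that endpoint; the server connects to it."""
    if not line.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = decode_hostport(line)
    return DataChannel("active", "client", host, port)


def parse_pasv_reply(line: str) -> DataChannel:
    """Passive mode: the server answers 227 with the endpoint it listens on; the client connects to it."""
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = decode_hostport(line)
    return DataChannel("passive", "server", host, port)


def parse_control_line(sender: str, line: str) -> Optional[DataChannel]:
    """Return the data channel a control line sets up, or None for lines that do not set one up."""
    if sender == "client" and line.upper().startswith("PORT "):
        return parse_port_command(line)
    if sender == "server" and line.startswith("227"):
        return parse_pasv_reply(line)
    return None


def data_channels(session: List[Tuple[str, str]]) -> List[DataChannel]:
    """Walk a (sender, line) control-channel transcript and collect every negotiated data channel."""
    found = []
    for sender, line in session:
        channel = parse_control_line(sender, line)
        if channel is not None:
            found.append(channel)
    return found


# Constructed sample control-channel exchange (hypothetical addresses, not a real capture).
SAMPLE_SESSION = [
    ("server", "220 constructed FTP banner"),
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS anonymous"),
    ("server", "230 Login successful."),
    ("client", "PORT 192,168,1,20,4,1"),
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,10,10,3,195,80)."),
]

if __name__ == "__main__":
    for ch in data_channels(SAMPLE_SESSION):
        connector = "server" if ch.listener == "client" else "client"
        print(f"{ch.mode:7s} {ch.listener} listens on {ch.host}:{ch.port}; the {connector} connects to it")
```

The decoded endpoints show why the two modes matter for a firewall: in active mode the server opens an inbound connection to the client's listening port, which a stateful firewall on the client side normally blocks, while in passive mode the server must keep a range of listening ports reachable, which is the range an administrator has to permit and monitor.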
What communications model does FTP use?
What’s the standard FTP port?
How many modes of FTP connection are there?
Task 10 → Enumerating FTP
How many ports are open on the target machine?
What port is ftp running on?
What variant of FTP is running on it?
What is the name of the file in the anonymous FTP directory?
PUBLIC_NOTICE.txt. To download the file, use get <FILE_NAME>
What do we think a possible username could be?
Task 11 → Exploiting FTP
To brute force the password, use this command:
hydra -t 4 -l <USER_NAME> -P /usr/share/wordlists/rockyou.txt -vV <IP> ftp
What is the password for the user “mike”?
What is ftp.txt?
When you connect to the FTP server using mike as the username and password as the password, run ls to find ftp.txt and download it; then you can get the flag.
See you in another blog…..!!