Network Services 2 TryHackMe Part 1 NFS

Captions
Hello, welcome back. We are doing some more TryHackMe walkthroughs, and this is gonna be Network Services 2. I'm gonna put my phone on silent, or at least turn it down. Today we're gonna be doing this room, and it reads: enumerating and exploiting more common network services and misconfigs. If you want to catch Network Services 1, there will be a card popping up or a link in the description or something or other. We will be going through the tasks together, and you're more than welcome to follow along. If you pick anything up that I've done wrong or something like that, please reach out, let me know. I gotta let you know that there is a written write-up below too, so if you wanna just scroll through to see any particular areas, that'll be there. But yeah, and if you wanna subscribe, I was like, that'd be cool; otherwise no pressure, no pressure.

Cool, so let's get started with task one, Get Connected, and we'll read this through together. I do this: I sort of like skim areas and then when I miss things I go back, so if you wanna pause and read in more detail, of course you can do that. Before I go, I'm just gonna hit the start machine on task three, because we'll be focusing... this is part one, so we'll be doing NFS, so tasks one to four in this video.

Okay, with that all out of the way, let's get into it. So we've got task one, Get Connected. Hello and welcome, this room is a sequel for the first Network Services room, which was great. Similarly, it will explore a few more common network services vulnerabilities and misconfigs that we're likely to find in CTFs and pen tests. Ah, so that's cool. So yeah, pretty much we need that. Also we need to do Linux Fundamentals; if you haven't done that, also got some walkthroughs if you'd want. Otherwise go back, make sure we're connected on the OpenVPN. So you can always test by pinging 10 10 10 10 10, and if you're on the network you will get something back. Awesome. So there's also a
little bit about this not being a Wi-Fi hacking room. Okay, I should do that one though; it's gonna come up a couple of times. Cool, got our IP there. I'm just gonna quickly try and ping that. Cool, box is up, awesome.

So NFS stands for Network File System and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all or a portion of a file system on a server. The portion of the file system that is mounting can be accessed by clients with whatever privileges are assigned to each file. I'm used to NFS in Windows environments from where I've worked, but it's cool learning about it in a Linux environment too and how that they can both do it.

So how does it work? We don't need to understand the technical exchange too much to be able to exploit it; however, if this is something that interests you, there is a link here that I will read one day. First the client will request a mount directory from the remote host and a local directory, just the same way as like a physical device, like plugging a USB or a hard drive. The mount service then will act to connect to the relevant mount daemon (daemon, demon, I don't know how we say this) using RPC, so another protocol. The server checks if the user has permissions to mount whatever directory has been requested. It will return a file handle which uniquely identifies each file and directory that is on the server. So yeah, okay, I'm getting the sense of things.

NFS... so RPC calls placed for the nfsd, the NFS daemon, on this server. This call takes a file handle, the name of the file to be accessed, the user's user ID and the group's ID. So checking its permissions. These are used determining the access rights, or yeah, permissions. This is what controls user permissions, i.e. read and write files. Okay, so what runs it? Using the protocol, we can transfer files between
computers running Windows and other non-Windows OS like Linux, Mac and Unix, so it's pretty universal. I honestly always thought that this was just purely for Windows, because, isn't... a computer running Windows Server can act as an NFS server, the other non clients, likewise NFS allowed Windows-based computers... so yeah, it can go either way. I just thought the whole new file thing was a Windows name, but this is Network File System, but I sure associate it with the new files, like I get them mixed up, but so they're different. So here's some more. I've got all this linked off that I will, I promise, I will read it.

Okay, so let's go through the questions together. We've got: what does NFS stand for? Network File System. I remember. I've got such a bad memory. Oh: what process allows an NFS client to interact with a remote directory as though it was a physical device? What process allows our NFS client... the process... what was the process we had back up here? The mounting, are we calling it? I think mounting, yeah. Caveat: I have done this, but it was a little bit ago, so I don't remember everything. I remember some things, so there might be a typical bit of problem solving and going back over and reading, re-remembering too.

What does NFS use to represent files and directories on the server? Good question. What does it use to represent files? Uses the file handle, was that one? What are you looking for, two words? Yeah, I think it's the file handle. It's one... so this is the things that it uses to connect, but I think it uses the file handle. Oh, we had a hint: what does the operator use. Yeah, mounting. Cool. What protocol does NFS use to communicate between the server and the client? So there was another protocol that it specified. In summary, once access... RPC. Paste RPC, awesome. What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter one and parameter two, so
something something, something something. So under the file handle we got the name of the file to be accessed, we've got the user... so we got the user ID and group ID. I'm pretty sure. Now I remember, I remember. Can a Windows NFS share a file with a Linux... yeah, can. If we remember up here, it said that it can go either way. So what runs it: everything can run it one way and everything can run the other way. So the next, can a Linux... yeah, Linux can share files with macOS clients. Everybody's happy.

What's the latest version of NFS released? So I don't know. Let's have a look: Network File System for NFS. So we got v2, we got v3, we've got v4, so I'm going to take it v4 being the largest number and not seeing anything else, but just scan around. Version 4 came out December 2000, we got 4.1 2010 and we got 4.2 from 2016, and it does say since 2016. So there's no... as of 2020 there's nothing new so far, but being 2022 maybe there might be something new. I mean this is like, yeah, okay, how long was it between? That was six years, so maybe we gotta wait, you know, a few more years. Cool, so that's going to be our Understanding NFS, so we'll close that one.

So let's go over to task 3 for NFS, and we've already started our machine, we already pinged it, so we should be good to go. So before I go and read this, I know we do have to go ahead and do a port scan. So it's going to tell us about mounting and shares, so what I'm going to do is I'm going to run the port scan, then I'm going to do a bit of reading, going to let that run in the background, and maybe by the time we finish reading it'll all be done. Otherwise I'll just skip the video. So let's go and do an nmap against our machine... that is not our machine, that is the version of NFS. Let's go and get our copy. But we're gonna do a couple switches like always: double vv for the verbose. I'm gonna make sure I do a capital A. I'm pretty much actually gonna just do this; this was from the last scan, so if you wanna go
ahead and copy that, or you've already got it. I've gone ahead and actually created a network services 2 directory, so I'm going to output a scan port... whoops, output to a scan port file and just have a scan port backup just in case. But the thing we do want to change... that's not how terminals work, actually... we do want to just make sure we put in our IP in there. So if you're unfamiliar with the switches, that's all good, I'm learning too. This was the all or aggressive mode, which is gonna try and detect and run some scripts. I think this is then gonna run all ports, so we're trying to scan as many ports as we can and get as much information as we can, and this is just outputting the file. Cool, that should be cool. So gonna let that run. Already found a couple of ports, so that's very exciting.

So while that's running in the background, let's keep on going with what we got here. All right: before we begin, make sure to deploy the room and give it some time to boot. Yeah, it's been booting for a while. Please... this can take up to five minutes. So yeah, we're good. What is enumeration? Enumeration is defined as a process which establishes an active connection to the target host to discover potential attack vectors in the system, and blah blah blah, finding out stuff. That's probably a good link to use for blogging and stuff. Cool, so we're going to find out stuff.

Requirements: in order to do more advanced enumeration on NFS servers and shares, we're going to need a few tools. So for this we have nfs-common. Do I have nfs-common? I don't believe I do, so let's just try an apt install nfs-common. Cool, so it's a package on the list, so let that do its thing. It's important, so includes led, showmount, fc, and we use this showmount. These are going to be useful tools when it comes to extracting information from amateur. If you'd like more information about this, please go here. I'm all good. You can install this by running apt
install nfs-common, which we just did. It's part of the default repositories from Linux distros. Cool, that makes it easy. Like, not that I don't like installing different things from like GitHub and stuff, I mean it's fine, but it is nice when things are just on your system. I'm just gonna run a quick apt... what, this keeps happening, I don't know what is up with my terminal right now. I'm just going over, I'm just gonna run a quick update and upgrade. Seriously, what is with this terminal thing?

Okay, port scanning. Covered many times before; we use nmap. First step is port scan. So anything else that we need to know here? You can do this... I suggest nmap -A, so we use that, and -p- for all the ports. Mounting shares: your client system needs a directory where content can be shared between the hosts and the server. So once we're finished with our nmap scan, which is going to take a little while, we're gonna use mount -t nfs, IP, share. So we'll put our IP there and then share, and we'll put it to a temp... in our temp file, and create a mount, and use a flag nolock. So that runs it as, meh, root. Execute the mount command, which I assume is part of nfs-common, or maybe not. Type of device to mount, so -t to specify the device type, IP the address of the NFS server, and the name of the share. So share isn't like a flag, this is just a name which could be anything; in this case let's just share. Cool. And nolock specifies not to use NLM locking. So I have no idea what NLM locking is. Network Lock Manager, version two and three. This protocol is closely tied with NFS protocol itself, shares handle file... cool. I now have still no idea what it is, but we don't want it. Cool.

Okay, so now we understand our tools. So: conduct a thorough port scan of your choosing, and we want to find out how many ports are open. So out of the top thousand or so we do have two, and we are looking for a one-digit answer. Do we have two? There are more
than two. So this is a bit of a worry, this is like what gets me. I don't know if this is the switch that makes it go longer, or... you know what, I'm actually gonna undo it and I'm gonna use the -T4 to speed it up. Okay, so you don't have to wait through, I'm gonna skip ahead, but I'm gonna run that and...

Okay, so our scan has finished. Took a little less time, that we speeded up, but it has tried to find a little bit more about the ports. So let's go over the first question again: conduct a thorough port... how many ports are open? So we've got one... oh, you know what, instead of counting them I'm going to try and do something that I saw in another one. We can just cat out the file that I created, but we'll just grep anything that is open. Cool, so a little bit easier: one, two, three, four, five, six, seven. Seven ports are open. So let's just have a little bit... so we've got SSH, we've got rpcbind, so RPC was another protocol that NFS uses. So it looks like they've all got RPC or something. I've got mountd on a couple of ports, so not sure if these are like all the one service and they just have multiple ports to use, or, you know, these are definitely different services therefore needing different ports. Not sure.

So which port contains the service we're looking to enumerate? So this is a bit tricky. I'm assuming it's going to be one of these. We're looking for four digits. I'm assuming... it's telling me that this is definitely the one that actually says NFS, so I'm gonna just copy over that number and put it in. Cool, so that's what we're looking at. If that wasn't here, honestly I wouldn't be 100% sure. I mean it does say NFS, but otherwise fair game.

Now use the /usr/sbin/showmount -e to list the NFS shares. Okay, let's try that. So is showmount... yep, so it's in the binaries, so we can just run it as is: -e and then our IP address, which I will just copy over, and let's see if that takes on. So
export list from... this is under home... is that right? I don't... or is home... is that it? Have I misunderstood that? Home is literally it. What is the name of the visible share? Oh, that is it. That tripped me out; I thought it was exporting a list to this directory, but home is actually... okay, cool. No, that's cool.

All right, time to mount the share to our local machine. Let's make the directory, so mkdir, and we're putting this in our temporary folder with an absolute path, and we're just going to create this mounting folder here. So we can just list out everything else in our temporary folder or directory and we can see it's got a bunch of random stuff, and then we've got our mount that we just created. Then we want to use the mount command we broke down earlier to... go to NFS share to the local machine. Change directory to where you mounted the share. What is the name of the folder inside? Okay, let's go up and use this.

So we're going to use the mount command. Now if you're wondering, I don't need sudo privileges because I'm already logged in as my most privileged user, so I don't have to use that. But when you use -t for the type, which was nfs, then we're going to paste in our IP again, which I need to copy. Thank you TryHackMe for putting it right there. And then we're going to put in the share. So this share that we're connecting to is home, so that was the file that I saw. Now I don't think we need to put a file path, like I don't think we need to do that, I think we just need... could be wrong, let's see. And then we're going to put the location of where we're connecting this share to, and then that last one, nolock, which does the thing about the thingy. That's it. Cool, see what it does. So if it is working, it is going out and grabbing it and connecting it, so if there's a little bit of time delay, it's not a bad thing. So let's list out what is in our temporary and in that mount directory, and hopefully we see something. Great, so
that's successful, that means it's worked, basically. All right, let's look inside this. So you're gonna hit the up arrow and we're going to spell it out and hit tab and see what we've got. So I can't see anything, but that doesn't mean there's nothing there. Let's use ll, which is shorthand for list. Okay, really don't have anything there. Looks like we're inside a user's home. Okay, enjoy. Let's do a bit of research now, let's have a look through the folders. Which of these folders contain the keys? So am I... did I do something wrong? Because I can't actually see anything in this. I may have to retrace my steps if I have done something wrong here.

Okay, cool. I'm just silly, because the ll doesn't include the -a. I thought it did; it only does the -l, which it lists out, but -a includes all, which shows us all the files including hidden files, which has the period before it. So there's a little hint in here: they've bolded the letters RSA, which is the acronym for our RSA files. So there's the RSA public keys and private keys, which is for SSH. So if we list out -la in here, but then we go dash ssh this time, and we look inside that file, then we can see those files. So this is what we're after: RSA public and private. So we go .ssh, that's where we're looking inside of, and then what are the keys that's mostly useful? So out of these two, this one is the private key; so pub for public, but id_rsa is our most, because that's private, who shouldn't be able to see this. Cool.

So copy this file to a different location. Cool, so we can just use the cp command to copy that. So in that temporary file, in the mount, in the cappuccino, and then in the .ssh, and we're going to grab that i... what am I doing, what am I doing... id_rsa. No, there's... yeah, so there's just a little bit of delay between my keyboard and then server. So we're just going to copy that, and I'm going to go space, and I'm just going to put it in the
directory that I'm already at, which is in the network services. So cool, so I've grabbed that. So we can list out here, so here it is. So we're going to be changing the permissions, so we're going to be using the 600, so that means, I think it's re... read... oh, testing, testing my permission knowledge. So let's just run 600 against it. So we can see here we've got read, write, and then for the user, so no execute, and nothing for the group and nothing for everyone else. So we're changing it; I'm gonna put myself on a limb and I'm gonna say the w is gonna disappear after we run this. See if I'm right. I am totally ready to be wrong. I am totally wrong, it was the same. I thought... yeah, okay. It's already at 600, which seems weird. I don't know if I'm probably just getting confused, or I don't know. I don't know.

Assuming we have the... we're right about what type of directory this is, we can pretty easily work out the name of the user the key corresponds to, which is gonna probably be cappuccino. So this way we're gonna ssh, use the -i to import this file as our authentication. So let's see if that works. So ssh, we're gonna use the id_rsa file, we're gonna use the cap... how do you spell cappuccino again? cp ra cap... me no good. Cool, gonna punch that in. Are you sure you want to do this? Yes please. Warning... it's apparently host, and that just, like, this thing, because that's our password. Awesome. So can we log in using that? Yeah, sweet. Okay, I'm just trying to remember 600: I think four was read, seven was everything, six... I can't remember my bit sets, bit whatever. Cool, anyway, we're in.

So whoami: I'm running cappuccino. I would be in the directory, so let's list out the home, and there's only one other user on this system besides root. So we're going to try and privilege... privesc... escalate up the privileges tree, vertically of course. Okay, let's go over to task four. So we do have our foothold in the system, which is cool, but we want to go to root,
so just going to quickly scroll down. Yep, so yeah, we need to gain... definitely privesc. Alrighty, we're done, right? Not quite. We have a low-privileged shell, so we can't do much with this user. So you might be able to escalate privileges depending on how it's configured. What is root squash? I don't know, Hack Me, what is root squash on NFS shares? Root squashing is enabled and prevents anyone connecting to the NFS share from having root access to the NFS volume. Remote root users are assigned as user nfsnobody when connected, which has the least local privileges. Not what we want. However, if this is turned off, it can allow the creation of SUID bit files, so this is special user IDs also; I can't remember exactly but it's like temporary privileges, I think, allowing a remote user root access to connect to the system. So what are the SUID bits? Essentially this means that the file or files can be run with permissions of the file's owner or group, in that case as a superuser. We can leverage this to get a shell with the privileges. There's like this really long command that you can just copy-paste to see all of these files on a system; apparently it's like common in CTFs and stuff.

Okay, method. It sounds complicated, but really, provided you're familiar with the... I'm not that familiar with how it works, so it's not that... it is complicated for me, but whatever. It's fairly easy to understand. We're able to upload files to the NFS share and then control the permissions of these files. We can set the permissions of whatever we uploaded, in the case of a bash shell executable. Okay, please walk me through this, because like I've gone through this room and I've done this a couple times, but it's still like, yeah, it takes me a little bit. Anyway, due to compatibility reasons we'll be standard and you can download it here. Let me just... will this be straight-up download? Okay, so this is just for this file. Can I just go to the raw, view raw? So upload the bash shell. Can
I just use wget on the system? Because wget and just download that file... probably not, right? It probably doesn't have outbound traffic. Okay, so in that case we can just wget this... man, I love this sick terminal. No, stuff, stuff you, terminal. I'm gonna go over here and I'm just gonna flick between. So let me just change directories over into Documents, TryHackMe, network services 2, and cool, so we got bash raw true. That's... oh right, right. Let me just try this again, and ll... there's... wget this but just call it bash, does that work? No. Okay, fine, I'll just move... sorry, this is probably... I'm just gonna call this bash. Got... so if we just cat out bash, this should be, yeah, in binary, so it doesn't make a lot of sense. All right, cool cool cool, got that.

So we do need to get this over to the system. So we can do this by a couple of ways. I'm gonna start a Python server on here, using Python 3, running on port 8000. So if we tell our system to download from our local IP... so we're gonna go back over to cappuccino. Did I lose my mouse again? Sometimes my mouse just stops working. Okay, so yeah, definitely can't... but we can wget locally to this system running on port 8000. So that's my system, I just started a web server, and we're just going to download bash. So I'm just going to go get that locally. So this is, apparently, a good way of getting like files across your systems that you're trying to get into. So now like that's our bash file. We can confirm, yes... am I all right? Does this happen to other people? And we can see here, hey, this system just connected to it. Cool, so we can just turn off that little web server. So we can confirm, you know, 11 35 0 four, that this is definitely like the exact same file. Yeah, so once it's over here we can chmod... no, okay, let's just go over the questions. Let's just go back, I'm getting ahead of myself. So we've gained access, we've got low privilege. Upload bash executable to
NFS... oh, I was supposed to upload to the NFS. Oh yeah, we already had a mount connecting our, now, two machines. I could have just... whoops. Well, I've done it a slightly different way. So let me just go back. This is what I get. So what we could have done is copy our bash to our temporary mount folder or directory. So we've copied that and it puts it over there and then it uploads, so just wait, because the files... yeah, so it just takes a little bit. So in this case if we looked at... where's the mount? Is it in mount? If we looked up ls mn... I don't know where the mount is on here. Shared folder, is that where it goes? I don't... okay, I'm not sure where it goes, but I got it over there anyway. First change directory to the mount where you're there... oh, the NFS should still be mounted, and then use it in the homes directories. Oh wait, it was just in the... wasn't it just in our file? Like, wouldn't it have... yeah, it was the home file, so it would have just been there. So I copied it over, I think. Download... a little cp, copy that to downloads bash. Yep, so we've got it over there.

Now we're going to add the SUID bit permission to the bash executable we just copied, using... plus permission bash. What letter do we set the SUID bit using chmod? Yes, actually I'm not sure. So let's just... okay, let's problem-solve this. So this is our file right here that we need to change over, so we need to see an s somewhere here. Like, I don't know if it's like for the executable, so let's just try. So we go chmod +s, I think, to bash, and list that out again, and now we have s. I think that's right. I probably should have done that... okay, cool, that's right. Probably should have done that before I done it here, but anyway. Let's do a sanity check: let's just check the permissions of the bash, that's what I just did, and ls -la bash. What does the permission look like? So I don't know if it wants all of it, I'm just gonna copy
that over. But it says change permissions of bash is not permitted, because we're not user... so because I'm doing it in the wrong one, right? Because I need to do it actually through... yes, I need to go chmod +s to... I need to do it in the right place. That's what I'm missing, that's what I'm missing, I think. cappuccino bash. So I can do it here because I've got privileges, but if I look over here... ah, if I look over here, it's added but it's not executable for everyone. Can I add chmod +x? Wait, let me just... can I do this and then do this? Cool. All right, this is looking a little bit more like what I should have. So should... dash, read, write, special, r, dash, s... oh, figured it out. Okay, so this is good learning. So changing the permissions from your machine is what's misconfigured; we shouldn't be able to do that, obviously, guys, obviously.

All right, now SSH into the user, which is where I'm already at, and this is what was confusing me, and run bash -p, -p persists with permissions. So we can just go bash -p and go whoami, and we did it, baby. Let's list out what we've got. Wait, where am I? Print working directory: home cappuccino. So let's just change directories to go to our root folder, and then we can list that out, then we can cat out the root.txt, and looks like we've got our flag. Honestly it felt pretty good, because sort of things went a bit pear-shaped there, did things, but you know what, it's all part of the learning, so it's all good.

That was the first part of Network Services 2, tasks one to four. Go ahead and we'll terminate that. If you enjoyed this, let me know: comment, like, all those sort of good stuff. If you have any comments for videos or anything, just let me know. Yeah, reach out if you want to. Yeah, that was fun, that was really fun. Stay tuned for part two, which will be going over SMTP, so that should be fun, and then of course part three will finish off with MySQL. So thanks for sticking around; if you've made
it this far you're an absolute legend, and I will see you in the next one. Cool, thank you.
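
A server-side check for the root squash setting read out in the walkthrough, added here as an example and not part of the video or the TryHackMe room: it parses `/etc/exports`-style text and flags exports where `no_root_squash` is set or where any host may mount. The sample exports content, hosts and paths are constructed, and the parser assumes the plain `path client(options)` form without quoted paths or `-options` defaults.

```python
"""Audit /etc/exports-style text for the NFS settings the walkthrough relies on."""
import re

# Constructed sample; hosts and paths are illustrative, not from the room's machine.
SAMPLE_EXPORTS = """\
# constructed example exports file
/home        *(rw,no_root_squash)
/srv/public  192.0.2.0/24(ro,root_squash) \\
             backup.example.internal(rw)
/srv/images  198.51.100.7(ro,no_root_squash)
"""

# One client spec: optional client name followed by optional "(opt,opt,...)".
_SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for every client spec in the file."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            match = _SPEC.fullmatch(spec)
            if match is None:
                continue                      # malformed spec, skip it
            client = match.group(1) or "*"    # "(opts)" alone means every host
            opts = {o for o in (match.group(2) or "").split(",") if o}
            yield path, client, opts


def audit_exports(text):
    """Return [(path, client, [issues])] for exports that need attention."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if client == "*":
            issues.append("any-host")         # every host can mount the share
        if "no_root_squash" in opts:
            # root_squash is the default; only this explicit option disables it.
            mode = "rw" if "rw" in opts else "ro"   # ro is the default
            issues.append(f"root-not-squashed-{mode}")
        if issues:
            findings.append((path, client, issues))
    return findings


if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:14} {', '.join(issues)}")
```

On a real server, pass it the file contents with `audit_exports(open("/etc/exports").read())`. A `root-not-squashed-rw` finding is the configuration in which root on a client can leave root-owned SUID files on the export.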
Info
Channel: Mr Ash Co
Views: 13,673
Id: lBWxgGQObuo
Length: 38min 57sec (2337 seconds)
Published: Sat Apr 16 2022