TryHackMe Network Services 1 Part 1 SMB • Walkthrough

Captions
Hey, welcome to another TryHackMe walkthrough room. We're going to be going over Network Services: learn about, then enumerate and exploit a variety of network services and misconfigs. Cool. So we're going to do this in three parts. There's going to be part one, so we'll just cover tasks one to four, and then part two will be tasks five to seven, and part three, tasks eight to eleven. So all links will be down below when they're all live. And if you want a written write-up of this, you can check out my blog below; that will be linked also. So let's go ahead and make sure you are connected via the VPN to the TryHackMe network, and then we can go ahead and get started. So we've got TryHackMe on the left and then a terminal on the right running Kali, the rolling release, on VirtualBox. So that's pretty much everything. Let's get into it.

Task one, Get Connected. Hello, welcome. This room will explore common network service vulnerabilities and misconfigs. In order to do that, we'll need to do a few things first. So we're going to need the basics of Linux. So if you haven't done that, you can see probably a card come up to my walkthrough of that. Otherwise, just go through that room, really good, and we need to be connected, which is cool. There's also a little note here about WiFi hacking. I've seen this in a couple of the network service rooms, and this probably was like a big question, like "Where's WiFi hacking?" So they put that in there. Cool. As you may have noticed, I'm not reading everything exactly word for word. I'm sort of just going through. So if you want to pause it and read in more detail, by all means go for it.

Task two, Understanding SMB. SMB stands for Server Message Block protocol. So it's a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on the network. Cool. So we have a little bit of a diagram explaining how it works, what it runs on.
So we've got Windows operating systems since Windows 95. Fun fact. And also under that, Samba, being an open source server that supports the SMB protocol, was released for Unix systems. I don't know why, I've always found that kind of fascinating, because I just always... I don't know, Microsoft and Unix should be opposites, but then sometimes they share things. Fascinating. All right, let's go over the questions. So we've got: what does SMB stand for? So we can copy that from up here: Server Message Block. What type of protocol is SMB? So let's go through, and we had up here a communication protocol. That's interesting to me because in my head, when I think of protocols, I don't group them by like a communication type, but I should; that's not right, "used for sharing". So let's go back down here. Actually, we've got a response-request protocol. That was close. So yeah, I guess that's the type of protocol. I probably just need to do more research into types of protocols. But yeah, response-request protocol. Also communication protocol. What do clients connect to servers using? So this is a bit tricky because this is also asking for what I would consider, like, the protocols that it uses. Some of these questions, like, they really tripped me up, but I know that this is looking for TCP/IP. That is the communication protocol that it's using. Is that right though? Is "communication protocols" the right term? I don't know. What systems does Samba run on? So this was Unix, which is also what Linux is built on. So yeah. So cool. Good little understanding of SMB. So it's sending stuff. If you want to read up more, you can read the couple of RFCs. Good. To be honest, I haven't.

Okay, so we've got task three. Forgot to hit Start Machine. So if you've already gone ahead and done that, good on you. I totally forgot. So we do have a little bit of enumeration to go, which means just finding stuff out about the machine.
So we will be doing a little bit of Nmap scanning. So I might pause or anything. Just be aware of that. Okay, so let's go over our box. So we should see our IP soon. So let's read this. Before we begin, we need to enumerate to find out stuff, and we're going to be focusing on this SMB share drive on the server. So we're going to have a server that's going to be sharing files or something over this SMB protocol. So first things first is running a port scan, and we've got a few different options. So we will be using another tool for enumeration called enum4linux. And we'll sort of get into that. I'm only really familiar with that through this box. So I'm definitely no expert, but I've done a couple of things on Nmap, so yeah, a bit of an expert now because I've done a couple of rooms. Conduct an Nmap scan of your choosing. How many ports are open? Cool. So I can guess that it's between zero and nine by looking at our one digit. So I could just guess. But let's give it a go. I think I remember; I have gone through this room. Okay. I need to type. So my dog is very needy. So let's run an Nmap scan against our box, so you can see a couple of options that I've done. So I'm trying to get in the habit of always running with double v, so we see more information. We could do aggressive, but I'm instead going to use the capital P N (-Pn), which is to assume that everything's up for host discovery. I'm not sure if that's a good idea, but I'm going to do it, and we want to do all the ports. Okay, so all the ports is -p-, and then before we do that, I'm just going to go over to this other tab. I'm just going to see if we can actually see the box by just a ping. Cool. So ICMP packets, or ping packets, are enabled on our box, which is cool. So I think that this is a good place to start. I don't know if I have to use the -Pn, but I've had good luck with it. I could increase the speed, but I'm feeling pretty good with that. So let's run that.
So I've got three so far, so it's pretty cool. We should get an update on how long this is going to take. If it's going to take really long, I will pause. I'm just going to try three, see what we get, see if that's right. Awesome. So we know we've got 139, 445 and 22, but I can just cancel that with Ctrl+C. Something that I failed to do: I'm trying to get in the habit of piping any scans into a file, so I forgot to do that. Please remind me on my next scan. So let's try enumerating a bit more. Sorry, my dog is being very distracting. Let's focus on 139 (use one hand here), 445. And then this is something that I've been doing in these boxes just to... yeah. So we just want to drill down on that a little bit more. In this case, I'm going to actually do the uppercase -A for aggressive, see what we get here. So run that. And if it's only going to take like five minutes or something, I might just go for it. But I just want to know a little bit more information about these three ports. So it's trying to detect... we've got traceroute, so I'll pause it there and come back in just a second.

All right, so the scan actually finished pretty much just after I paused it, which is cool. So let's scroll up so I can see; lots of information. Completed scan report. So from here, I sort of wish that there was just like a nice little space between that, so it's just easier to find. A little bit of feedback. So we have SSH running on 22. So we could maybe connect to that: OpenSSH running, Ubuntu. So lots of information. SSH host keys. I don't know how this helps us exactly. I don't know if we can use that, but we want to understand a little bit more about SMB. So what port is SMB running on? So we're looking for SMB. SMB. So we've got host polosmb. So I know polomints is the creator, so if I see that... anyway, that's a good indication we're in the right place. So I didn't catch the port number, but I mean, it's either 445 or 139, right?
So we've got here 139, NetBIOS. We've got some workgroups. 445. So it's running on both. Is this right? Oh, my gosh. Okay. Max. Okay. Awesome. So it's running on both. That's interesting. I don't know why, but that's cool. So let's get started with enum4linux. Conduct a full basic enumeration. To start, what is the workgroup name? Now I actually got this already from Nmap, so I can go ahead and just type that in. And what comes up as the name of the machine? So let's go back to our enum4linux. So we've got a command there of what we can do. So we've got options and then the IP. So that was a pretty good scan. If I was a bit more experienced, there's probably more information in here that would be helpful. So yeah, there's a lot of it that I still don't understand. I think that these are possibly more scripts. We got an account used: guest, so we might be able to just log in as a guest. SMB. We also have the version, Samba 4.7.6 for Ubuntu. Yeah, Nmap using that -A, it's pretty good. It gives us a lot more. But the point is enum4linux. So let's go and use enum4linux, which is already installed. I think... I'm currently... I don't remember if I had to install it. I think I already know the name of the machine too. I'm just going to guess polosmb. Yeah, it's not completely guessed, because I have gone through these rooms. I'll be clear that I do remember some of this stuff. So I'm just going to run the enum directly for this and see what I get. So without any switches, because we do have a couple of switches about: get user list, get machine list, get name list, dump, share list, password policy. So we can use a lot of these switches. I could have done -a for all of the above, so I should have done that actually. All right, so that's still running. Let's see what information we can sort of pull. So we are looking for a version number for the OS.
And I did see seven point something, point something back in Nmap, so I might scroll up if I don't get anything. And I keep forgetting to tee this stuff into another file so I can search through it. Okay, up here, we did see the host discovery, so we might just try 4.7, see if that's right. I would think that's right. But that could be wrong. And I might have to run another scan with -a this time. Let's just take our time. I always do this. I just do a scan, I just keep scrolling up and down. Sort of terrible. So let's slow it down. So we've got our target. We've got some few usernames that we could use... to maintain none. So I'm not an expert with enum4linux. I don't know if this is like, when it says known, I don't know if that means it tested it and it got a correct. I'm not sure, but we definitely have this being our machine. It's massive. I find doing these scans like a little overwhelming, because you get like so much; sometimes it's a bit hard to know where to really start and go. I'm not seeing a version. Probably scrolled past it. We do have a minimum password length. What sticks out as something that we might want to investigate? That is a very good question. So there is a share. Okay, there we go. Yeah. I knew I was going past it. OS version. Good lesson we're all learning. Good lesson. Take your time. Slow down. Take your time. So our domain name is our workgroup, but we do have a list of these, the shares. Browse. This is just a bit of a guess. I don't think that's it. I don't know if we're looking for a share to enumerate. There's got to be some sort of share on here. Okay, here we go. Share names. So remember that this is all about sharing files and that. So we're trying to enumerate one of these. So out of our shares that we've got, we've got netlogon, we've got profiles. So I'm going to guess profiles looks pretty interesting. Damn it. There we go. Awesome.
Okay, we found out a pretty good amount of information, and we're going to look at trying to connect to our profiles share. So let's go over to task four and let's see how we can exploit SMB. So while there are vulnerabilities such as CVE-2017-7494 that can allow remote code execution by exploiting SMB, you're more likely to encounter a situation where the best way into the system is due to misconfigurations in the system. In this case, we're going to exploit anonymous SMB share access, a common misconfig that can allow us to gain info that will lead to a shell. Cool. So that's basically saying there's an anonymous account, meaning we don't necessarily need an account. Now, enum4linux is still doing builtin. So I guess these are local groups. So it's still trying to find more stuff. And I canceled it when I copied, but yeah. Cool. Okay, so when you have a share location and interesting SMB shares, we use smbclient, the IP and then our share. So that's going to be our profiles. So let's go and use smbclient, which should be preinstalled in Linux if you're using that. Otherwise you'll have to look up how to download and install it. And we can follow with the username and then the port number, 139 or 445. Cool. So let's try and do this. Before we go any further, let's just... what would be the correct syntax to access an SMB share called secret as a user suit on a machine with the IP on the default port? Okay. We would run smbclient. Do we do our dashes first? No, we go IP, which would be... and then our share name, which in this case is secret. So that would go towards it. But then we need to, as the user suit, so we do uppercase -U, so uppercase U for suit, and then -p for the port, which I assume we do need to go -p. I think it was 139. Awesome. Cool. So this is just getting used to the syntax before we go do it for real. Great. Now you've got the hang of the syntax, let's go ahead and do that. So we've got some help here.
We're going to be using the anonymous. Will this share allow us to access it? Let's test it out. Something says yes, it will. Anonymous with a capital A. So let's go ahead and write this out. But in this case we want to go to... put in your IP address. So make sure you're getting your IP address, not mine. But we're going to be going to profiles. So just check that we're going to the right share, and then in this case the user is going to be anonymous. Let's go and type that in: anonymous. And then our port was also the same, 139, the default port. So yeah, let's run that, see what we get into. Workgroup, anonymous password. I'm just going to hit enter, see if we can get in. Look at that, we have got a shell, we've got a command line. So let's use the capital Y there for yes. Great. Have a look around for any interesting documents that could contain valuable information. So I always find this a bit hard. When we're in a shell, we're running Ubuntu. So commands like ls, print working directory, whoami. But since it's a different version of Ubuntu, not everything works the same, and we're using smbclient. So it's tricky to sort of get used to everything. So some commands like ls are working fine, but some commands like whoami aren't found. So it's just a case of getting used to the shell. So who can we assume this profile belongs to? So I can't see anything from whoami. They've left a working-from-home text file. So let's try and cat that out. Tab doesn't work. And I think if we typed it out with spaces we're not going to have any luck either, because cat doesn't work. So this is a good time that I go to help and we learn the commands in this SMB. So it's not all the same as just like any, because I guess we're not using bash, we're using SMB. I think, still learning from my memory from when I did this, I think we used more on the Working From Home Information file. I might have to look this up. No, that didn't work. Yeah, we definitely want to.
We can just look up "smbclient cat file doesn't work" or just how to cat a file. So we've got a few options. I just echo smbclient useful tips for clients. So we've got enable ls, and I get recurse; recurse multiple directories instead of files. allinfo. Bonus account, can't remember what it was, so we can get the file, put it on local, or info. Do we have allinfo? Do we have allinfo? Okay, can we just run this against working-from-tab? Worked fine. This is what I find tricky. I'm trying to remember live, so you can skip ahead if you already know it. I can't remember. I was going to pause and come back in a sec. Okay. After looking it up a couple of times, it was the more command. I think I used the more command. Didn't I use it? Yeah, I used it, but I just didn't add quotes. So, little annoying. But anyway, figured out. So we've got: to John Cactus. As you're well aware, due to the current pandemic, Polo Incorporated has insisted that wherever possible employees should work from home, so your account would be enabled with SSH to access the main server. So if there's any problems, contact that. So that's from James. But we have, this is to John and it's on his machine. So we can assume that in this case this is going to be John Cactus's account. What service has been configured to allow him to work from home? So we found out SSH. Okay, now we know what directory on the share should we look in? Something. So let's hit q and let's list out everything that's in here. So we have .ssh, but we need to actually put the dot in. So this directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which key is most useful to us? So can we change directories into .ssh? And then we can list out everything in here. So we have got id_rsa.pub. So I think that's public, and I think that this is private; could be dead wrong. I'm learning about SSH and encryption, and RSA was something that was used in encryption.
So yeah, this is super important to us. These are, I think, public and private. Don't hold that against me. But we're going to go id_rsa. So that's going to be... so download this to... I'm going to have to look this up, man. I cannot remember, because I think it's get. I think mget, there's something here. How do I find out more information? I'm probably going to pause again and look this up. But yeah, we just need to get this. So I'll be right back again. I'm using mget and it's saying do you want to get this? So I think that this is right. I don't know if exit does that. Yeah, I'll be back again. Okay, so I was super close. Found a helpful article. So we were using get, but I just wasn't specifying the output file. So yeah, I did already get it. So we can use get in .ssh and get the id_rsa. So that's what we want to get. But we just want to specify what that is going to be on our local machine. So then we can run exit and we can list out what we've got. And now we actually got our id_rsa, which was right there. Cool. So we can cat this out and we can see that this is a private key. So I've started doing a little bit of cracking. So we need to download this file to your local machine, change permissions using chmod 600. So I need to learn a bit more about... we can do that. And now use the information you have already gathered to work out the username of the account, then use the service and key to log in to the server. So this means we want to use SSH to log in, because that was activated. Now we have a couple of ideas of the username. We've got John Cactus. So we could try john. We could try cactus. We could try johncactus. Off memory, I think it was cactus. And how do we SSH with a private key? Because we want to pass through that private key. So let's go over here and go -i and run that id_rsa, which should be right there, and permanently added. And if that is right, we should be in.
So the only reason I knew it was cactus was from like, last time I did that; that was off memory. But that would probably be the thing that would get pretty annoying, trying to figure that out. But hey, we got the last flag in the end. So it took a little bit more digging. I didn't remember everything since the last time I thought through this, so it was fun to do it again. Sort of stretched me a little bit, trying to remember everything. smbclient in particular is something I should probably do a bit more research on personally. So I hope you've enjoyed this first part. So I'm going to terminate the machine and we'll go through the next part in the next video. So subscribe if you'd like to check that out for when that goes live. If you've got any questions or anything, reach out. If you've got any pointers, things that I might have not done exactly 100%, or just any feedback or anything, please let me know. Always willing to learn. So that's what I'm trying to do, is put this out. Hopefully I can help someone else and hopefully someone else can help me and we can all learn. So if you enjoyed this video, let me know; if you didn't, also let me know. And yeah, thanks for checking out. I'll see you in the next one.
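The finding in the walkthrough above is an unencrypted id_rsa sitting in an anonymously readable profiles share. The defender-side check for that is an audit of the share contents, which this added Python example does; it is not code from the video or the TryHackMe room. It assumes a local copy or mount point of the share, and the sample share layout and placeholder key bodies are constructed here, not real keys.

```python
"""Audit a local copy of an SMB share for exposed SSH private keys.

Added example (not from the video or the TryHackMe room): walk the share,
find files that look like SSH private keys, and report whether each one is
passphrase protected and whether its mode is 0600 or stricter.
"""
import os
import stat
import tempfile

# Header lines that mark PEM / OpenSSH private key files.
PRIVATE_KEY_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
# PEM keys carry this header when they are passphrase protected.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED",)

def classify_key_text(text):
    """Return (is_private_key, is_encrypted) for the start of a file."""
    is_key = any(m in text for m in PRIVATE_KEY_MARKERS)
    return is_key, is_key and any(m in text for m in ENCRYPTED_MARKERS)

def audit_share(root):
    """Walk root and return one finding dict per private key found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(4096)  # headers sit at the top of the file
            except OSError:
                continue
            is_key, encrypted = classify_key_text(head)
            if not is_key:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "encrypted": encrypted,
                "mode_ok": (mode & 0o077) == 0,  # no group/other bits: 0600 or tighter
            })
    return sorted(findings, key=lambda f: f["path"])

def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def build_sample_share():
    """Constructed stand-in for the 'profiles' share from the walkthrough."""
    root = tempfile.mkdtemp(prefix="profiles_share_")
    _write(os.path.join(root, "Working From Home Information.txt"),
           "John, your account has been enabled for SSH access. - James\n", 0o644)
    # Unencrypted key readable by everyone: the finding that matters.
    _write(os.path.join(root, ".ssh", "id_rsa"),
           "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
           "-----END RSA PRIVATE KEY-----\n", 0o644)
    # Passphrase-protected key with correct permissions: reported, but low risk.
    _write(os.path.join(root, ".ssh", "backup_key"),
           "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
           "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n", 0o600)
    return root
```

Running audit_share(build_sample_share()) flags both keys, with only id_rsa marked as unencrypted and with loose permissions.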
Info
Channel: Mr Ash Co
Views: 20,738
Keywords: TryHackMe, network services, hacking
Id: DwPuDptnc2w
Length: 30min 57sec (1857 seconds)
Published: Fri Mar 18 2022