Hey, welcome to another TryHackMe walkthrough room. We're going to be going over Network Services: learn about, then enumerate and exploit, a variety of network services and misconfigurations. Cool. So we're going to do this in three parts. Part one will just cover tasks one to four, then part two will be tasks five to seven, and part three tasks eight to eleven. All links will be down below when they're all live. And if you want a written write-up of this, you can check out my blog, which will also be linked below. So let's go ahead and make sure you are connected via the VPN to the TryHackMe network, and then we can go ahead and get started. So we've got TryHackMe on the left and then a terminal on the right running Kali, the rolling release, on VirtualBox. So that's pretty much everything. Let's get into it. Task one, get connected.
Hello, welcome. This room will explore common network service vulnerabilities and misconfigurations. In order to do that, we'll need to do a few things first. So we're going to need the basics of Linux. If you haven't done that, you'll probably see a card come up for my walkthrough of that; otherwise just go through that room, it's really good. And we need to be connected, which is cool. There's also a little note here about Wi-Fi hacking. I've seen this in a couple of the network service rooms, and this probably was a big question, like "Where's Wi-Fi hacking?", so they put that in there. Cool. As you may have noticed, I'm not reading everything exactly word for word; I'm sort of just going through. So if you want to pause it and read in more detail, by all means go for it.

So task two, understanding SMB. SMB stands for Server Message Block protocol. It's a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. Cool. So we have a little bit of a diagram explaining how it works and what it runs on. So we've got Windows operating systems since Windows 95, fun fact, and also Samba, an open source server that supports the SMB protocol, which was released for Unix systems. I don't know why I've always found that kind of fascinating, because I just always, I don't know, Microsoft and Unix should be opposites, but then sometimes they share things. Fascinating.

All right, let's go over the questions. So we've got: what does SMB stand for? We can copy that from up here: Server Message Block. What type of protocol is SMB? So let's go through, and we had up here "a communication protocol". That's interesting to me, because in my head, when I think of protocols, I don't group them by a communication type, but I should. That's not right; "used for sharing". So let's go back down here. Actually, we've got "response-request protocol". That was close. So yeah, I guess that's the type of protocol. I probably just need to do more research into types of protocols. But yeah, response-request protocol, also communication protocol. What do clients connect to servers using? This is a bit tricky, because this is also asking for what I would consider, like, the protocols that it uses. Some of these questions really tripped me up, but I know that this is looking for TCP/IP. That is the communication protocol that it's using. Is that right though? Is "communication protocols" the right term? I don't know. What systems does Samba run on? So this was Unix, which is also what Linux is built on. So yeah.

So cool, a good little understanding of SMB. So it's sending stuff. If you want to read up more, you can read the couple of RFCs. Good.
To be honest, I haven't. Okay, so we've got task three. I forgot to hit start machine, so if you've already gone ahead and done that, good on you; I totally forgot. So we have a little bit of enumeration to go, which just means finding stuff out about the machine from our box. So we will be doing a little bit of Nmap scanning, so I might pause or anything; just be aware of that. Okay, so let's go over to our box. We should see our IP soon. So let's read this. Before we begin, we need to enumerate to find out stuff, and we're going to be focusing on the SMB share drive on the server. So we're going to have a server that's sharing files or something over this SMB protocol. So first things first is running a port scan, and we've got a few different options. We will be using another tool for enumeration called enum4linux, and we'll sort of get into that. I'm only really familiar with that through this box, so I'm definitely no expert, but I've done a couple of things with Nmap, so yeah, a bit of an expert now because I've done a couple of rooms. Conduct an Nmap scan of your choosing. How many ports are open?

Cool. So I can guess that it's between zero and nine by looking at the one-digit answer. So I could just guess, but let's give it a go. I think I remember; I have gone through this room. Okay. I need to type. My dog is very needy. So let's run an Nmap scan against our box, so you can see a couple of options that I've done. So I'm trying to get in the habit of always running -vv, double verbose, so we see more information. We could do aggressive, but I'm instead going to use -Pn, capital P lowercase n, which assumes that every host is up and skips host discovery. I'm not sure if that's a good idea, but I'm going to do it. And we want all the ports. Okay, so all the ports is -p-, and before we do that, I'm just going to go over to this other tab and see if we can actually see the box with just a ping. Cool. So ICMP packets, or ping packets, are enabled on our box, which is cool. I think this is a good place to start. I don't know if I have to use -Pn, but I've had good luck with it. I could increase the speed, but I'm feeling pretty good with that. So let's run that. So I've got three so far, which is pretty cool. We should get an update on how long this is going to take; if it's going to take really long, I will pause. I'm just going to try three, see what we get, see if that's right. Awesome.

So we know we've got 139, 445 and 22, but I can just cancel that with Ctrl-C. Something that I failed to do: I'm trying to get in the habit of piping any scans through tee and putting them in a file, and I forgot to do that. Please remind me on my next scan. So let's try enumerating a bit more. Sorry, my dog is being very distracting. Let's focus on 139 (one hand here), 445 and 22. And then this is something that I've been doing in these boxes just to, yeah, drill down on that a little bit more. In this case I'm going to actually do the upper-case -A for aggressive, see what we get here. So run that, and if it's only going to take like five minutes or something, I might just go for it. I just want to know a little bit more information about these three ports. So it's trying to detect... we've got traceroute, so I'll pause it there and come back in just a second.

All right, so the scan actually finished pretty much just after I paused it, which is cool. So let's scroll up so I can see lots of information. Completed scan report. From here, I sort of wish that there was just a nice little space between that, so it's just easier to find a little bit of feedback. So we have SSH running on 22, so we could maybe connect to that. OpenSSH running, Ubuntu. So lots of information: SSH host keys. I don't know how this helps us exactly; I don't know if we can use that, but we want to understand a little bit more about SMB. So what port is SMB running on? We're looking for SMB. So we've got host POLOSMB. I know Polomints is the creator, so if I see that, anyway, that's a good indication we're in the right place. So I didn't catch the port number, but I mean, it's either 445 or 139, right? So we've got here 139, NetBIOS. We've got some workgroups. 445. So it's running on both. Is this right? Oh my gosh. Okay. Max. Okay. Awesome. So it's running on both.
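The scan habit mentioned above, saving every scan to a file and then searching it instead of scrolling, can be scripted. The following is an added example and is not from the video or the room: it writes a constructed nmap report that mirrors what the video found (22, 139 and 445 open, Samba 4.7.6 on Ubuntu, workgroup WORKGROUP) and pulls the room's answers back out of the saved file with awk and grep. The target IP 10.10.10.10 and the exact banner text are assumptions.

```sh
#!/bin/sh
# Added example, not from the video: keep the scan in a file, then query it.
# The report below is CONSTRUCTED to mirror the video's findings.
SCAN_FILE="${TMPDIR:-/tmp}/thm_nmap_sample.txt"

cat > "$SCAN_FILE" <<'EOF'
Nmap scan report for 10.10.10.10
Host is up (0.030s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: POLOSMB; OS: Linux
EOF
# A real run that writes such a file (not executed here):
#   nmap -sV -vv -Pn -p- 10.10.10.10 -oN "$SCAN_FILE"

# Port numbers of every line whose STATE column is "open".
open_ports() {
  awk '$2 == "open" { split($1, p, "/"); print p[1] }' "$SCAN_FILE"
}

# How many ports are open (the room's first question).
count_open() {
  open_ports | wc -l | tr -d ' '
}

# Ports carrying SMB: the netbios-ssn / microsoft-ds services or a Samba banner.
smb_ports() {
  awk '$2 == "open" && ($3 == "netbios-ssn" || $3 == "microsoft-ds" || $0 ~ /Samba/) {
         split($1, p, "/"); printf "%s ", p[1]
       }' "$SCAN_FILE" | sed 's/ $//'
}

# Dotted Samba version from the service banner, e.g. 4.7.6 (the "3.X - 4.X"
# guess on port 139 has no full dotted version, so it is skipped).
samba_version() {
  grep -o 'Samba smbd [0-9]*\.[0-9]*\.[0-9]*' "$SCAN_FILE" | head -n 1 | awk '{ print $3 }'
}

# Workgroup name reported in the SMB banner.
workgroup() {
  grep -o 'workgroup: [A-Za-z0-9_-]*' "$SCAN_FILE" | head -n 1 | awk '{ print $2 }'
}

echo "open ports: $(count_open) ($(open_ports | tr '\n' ' '))"
echo "smb on: $(smb_ports); samba $(samba_version); workgroup $(workgroup)"
```

With the file saved, the later questions (workgroup name, OS version, which ports carry SMB) are one grep away rather than a scroll through the terminal.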
That's interesting. I don't know why, but that's cool. So let's get started with enum4linux. Conduct a full basic enumeration. To start, what is the workgroup name? Now I actually got this already from Nmap, so I can go ahead and just type that in. And what comes up as the name of the machine? So let's go back to our enum4linux. We've got a command there of what we can do: options and then the IP. So that was a pretty good scan. If I was a bit more experienced, there's probably more information in here that would be helpful, so yeah, there's a lot of it that I still don't understand. I think that these are possibly more scripts. We got an account used: guest, so we might be able to just log in as a guest to SMB. We also have the version, Samba 4.7.6 for Ubuntu. Yeah, Nmap using that -A is pretty good; it gives us a lot more. But the point is enum4linux. So let's go and use enum4linux, which is already installed, I think. I currently don't remember if I had to install it. I think I already know the name of the machine too; I'm just going to guess POLOSMB. Yeah, it's not completely guessed, because I have gone through these rooms. I'll be clear that I do remember some of this stuff. So I'm just going to run the enum directly for this and see what I get, without any switches, because we do have a couple of switches: get userlist, get machine list, get namelist dump, get sharelist, get password policy. So we can use a lot of these switches. I could have done -a for all of the above, so I should have done that actually. All right, so that's still running. Let's see what information we can sort of pull. So we are looking for a version number for the OS, and I did see seven point something point something back in Nmap, so I might scroll up if I don't get anything. And I keep forgetting to tee this stuff into another file so I can search through it. Okay, up here we did see the host discovery, so we might just try 4.7, see if that's right. I would think that's right, but that could be wrong, and I might have to run another scan with -a this time. Let's just take our time. I always do this; I just do a scan and then I just keep scrolling up and down. Sort of terrible. So let's slow it down. So we've got our target. We've got some few usernames that we could use to... maintain none. So I'm not an expert with enum4linux. I don't know if this is, like, when it says known, I don't know if that means it tested it and it got a correct. I'm not sure, but we definitely have this being our machine. It's massive. I find doing these scans a little overwhelming, because you get so much; sometimes it's a bit hard to know where to really start and go. I'm not seeing a version. Probably scrolled past it. We do have a minimum password length. What sticks out is something that we might want to investigate. That is a very good question. So there is a shared... Okay, there we go. Yeah. I knew I was going past it. OS version. Good lesson we're all learning. Good lesson. Take your time. Slow down. Take your time. So our domain name is our workgroup, but we do have a list of these, the shares, browse. This is just a bit of a guess. I don't think that's it. I don't know if we're looking for a share to enumerate. There's got to be some sort of share on here. Okay, here we go. Share names. So remember that this is all about sharing files and that. So we're trying to enumerate one of these. So out of the shares that we've got, we've got netlogon, we've got profiles. So I'm going to guess profiles looks pretty interesting. Damn it. There we go.
Awesome. Okay, we found out a pretty good amount of information, and we're going to look at trying to connect to our profiles share. So let's go over to task four and let's see how we can exploit SMB. So while there are vulnerabilities such as CVE 2017 74 and one all that can allow remote code execution by exploiting, you're more likely to encounter a situation where the best way into the system is due to misconfigurations in the system. In this case, we're going to exploit anonymous SMB share access, a common misconfiguration that can allow us to gain information that will lead to a shell. Cool.
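The anonymous share access the task describes comes from Samba's guest settings on the server side. As an added example, not from the video or the room, here is a constructed weak smb.conf beside a corrected one, plus a small shell audit that lists the shares a guest can read and reports the "map to guest" setting. The share names netlogon and profiles come from the room; the paths, the @staff group and the rest of the settings are assumptions.

```sh
#!/bin/sh
# Added example, not from the video: the Samba misconfiguration behind
# anonymous share access, and an audit that spots it. Both configs are
# CONSTRUCTED; paths and group names are placeholders.
WORK="${TMPDIR:-/tmp}/thm_smbconf_demo"
mkdir -p "$WORK"

# Weak: unknown users become the guest account, and "profiles" allows guests.
cat > "$WORK/smb.conf.weak" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[netlogon]
   path = /srv/samba/netlogon
   guest ok = no

[profiles]
   path = /srv/samba/profiles
   browseable = yes
   guest ok = yes
   read only = no
EOF

# Corrected: no guest mapping, guest access off, a real group required.
cat > "$WORK/smb.conf.fixed" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Never

[netlogon]
   path = /srv/samba/netlogon
   guest ok = no

[profiles]
   path = /srv/samba/profiles
   browseable = no
   guest ok = no
   valid users = @staff
   read only = yes
EOF

# Print each share section (other than [global]) where "guest ok = yes"
# or its synonym "public = yes" is set.
guest_shares() {
  awk '
    /^[[:space:]]*\[/ { sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, ""); share = $0; next }
    tolower($0) ~ /^[[:space:]]*(guest ok|public)[[:space:]]*=[[:space:]]*yes/ && share != "global" { print share }
  ' "$1"
}

# Print the value of "map to guest" (Never / Bad User / Bad Password / Bad Uid).
guest_mapping() {
  awk -F= 'tolower($1) ~ /^[[:space:]]*map to guest[[:space:]]*$/ { sub(/^[[:space:]]*/, "", $2); print $2 }' "$1"
}

for conf in "$WORK/smb.conf.weak" "$WORK/smb.conf.fixed"; do
  echo "$conf: map to guest = $(guest_mapping "$conf"); guest shares: $(guest_shares "$conf" | tr '\n' ' ')"
done
```

On a real server, "testparm -s" prints the effective configuration with defaults resolved, so the audit is best run on its output rather than on the raw file, and "smbclient -N -L //host" confirms from the outside whether a share still lists for an unauthenticated client.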
So that's basically saying there's an anonymous account, meaning we don't necessarily need an account. Note what enum4linux is still doing: built-in. So I guess these are local groups. So it's still trying to find more stuff, and I cancelled it when I copied, but yeah. Cool. Okay, so once you have a share location and interesting SMB shares, we use smbclient, the IP and then our share. So that's going to be our profiles. So let's go and use smbclient, which should be preinstalled in Linux if you're using that; otherwise you'll have to look up how to download and install it. And we can follow that with the username and then the port number, 139 or 445. Cool. So let's try and do this. Before we go any further, let's just... what would be the correct syntax to access an SMB share called "secret" as the user "suit" on a machine with that IP, on the default port? Okay. We would run smbclient. Do we do our dashes first? No, we go with the IP, and then our share name, which in this case is secret. So that would go towards it. But then we need to go as the user suit. So we do uppercase -U, uppercase U for suit, and then -p for the port, which I assume we do need to go -p. I think it was 139. Awesome. Cool. So this is just getting used to the syntax before we go do it for real. Great. Now you've got the hang of the syntax. Let's go ahead and do that. So we've got some help here. We're going to be using anonymous. Will this share allow us to access it? Let's test it out. Something says yes, it will: anonymous with a capital A. So let's go ahead and write this out. But in this case we want to put in your IP address, so make sure you're getting your IP address, not mine. We're going to be going to profiles, so just check that we're going to the right share, and then in this case the user is going to be anonymous. Let's go and type that in: anonymous. And then our port was also the same, 139, the default port. So yeah, let's run that, see what we get into. Workgroup, anonymous password; I'm just going to hit enter, see if we can get in. Look at that, we've got a shell, we've got a command line. So let's use the capital Y there for yes.
Have a look around for any interesting documents that could contain valuable information. So I always find this a bit hard. When we're in a shell, we're running Ubuntu, so commands like ls, pwd, whoami. But since it's a different version of Ubuntu, not everything works the same, and we're using smbclient, so it's tricky to get used to everything. Some commands like ls are working fine, but some commands like whoami aren't found. So it's just a case of getting used to the shell. So who can we assume this profile belongs to? I can't see anything from whoami. They've left a "Working From Home Information" text file, so let's try and cat that out. Tab doesn't work, and I think if we typed it out with spaces we're not going to have any luck either, because cat doesn't work. So this is a good time for me to go to help and learn the commands in this SMB shell. It's not all the same, because I guess we're not using bash, we're using smbclient. Still learning from my memory from when I did this, I think we used more on the Working From Home Information file. I might have to look this up. No, that didn't work. Yeah, we definitely want to. We can just look up "smbclient cat file doesn't work", or just how to cat a file. So we've got a few options. I just searched "smbclient useful tips". So we've got enable ls, and I get recurse: recurse into multiple directories instead of files. allinfo. Bonus... account, can't remember what it was. So we can get the file and put it on local, or info. Do we have allinfo? Do we have allinfo? Okay, can we just run this against Working From... tab worked fine. This is what I find tricky. I'm trying to remember live, so you can skip ahead if you already know it. I can't remember. I was going to pause and come back in a sec. Okay.

After looking it up a couple of times, it was the more command. I think I used the more command. Didn't I use it? Yeah, I used it, but I just didn't add quotes. So a little annoying, but anyway, figured it out. So we've got: "To John Cactus. As you're well aware, due to the current pandemic, Polo Incorporated has insisted that wherever possible employees should work from home, as such your account has been enabled with SSH to access the main server. If there's any problems, contact..." So that's from James. But this is to John and it's on his machine, so we can assume that in this case this is going to be John Cactus's account. What service has been configured to allow him to work from home? So we found out: SSH. Okay, now we know. What directory on the share should we look in? Something... So let's hit q and let's list out everything that's in here. So we have .ssh, but we need to actually put the dot in. This directory contains authentication keys that allow a user to authenticate themselves and then access a server. Which key is most useful to us? So can we change directories into .ssh? And then we can list out everything in here. So we have got id_rsa.pub. I think that's public, and I think that this one is private; could be dead wrong. I'm learning about SSH and encryption, and RSA was something that was used in encryption. So yeah, this is super important to us. These are, I think, public and private. Don't hold that against me. But we're going to go id_rsa. So that's going to be... so download this to... I'm going to have to look this up, man. I cannot remember, because I think it's get. I think mget, there's something here. How do I find out more information? I'm probably going to pause again and look this up. But yeah, we just need to get this. So I'll be right back again. I'm using mget and it's saying, do you want to get this? So I think that this is right. I don't know if exit does that. Yeah, I'll be back again. Okay, so I was super close. Found a helpful article. So we were using get, but I just wasn't specifying the output file. So yeah, I did already get it. So we can use get .ssh and get the id_rsa. That's what we want to get, but we just want to specify what that is going to be on our local machine. So then we can run exit and we can list out what we've got. And now we've actually got our id_rsa, which was right there. Cool. So we can cat this out and we can see that this is a private key. So I've started doing a little bit of cracking. So we need to download this file to your local machine and change permissions using chmod 600. So I need to learn a bit more about... we can do that. And now use the information you have already gathered to work out the username of the account, then use the service and key to log in to the server. So this means we want to use SSH to log in, because that was activated. Now we have a couple of ideas of the username. We've got John Cactus.
So we could try John. We could try Cactus. We could try John Cactus. Off memory, I think it was Cactus. And how do we SSH with a private key? Because we want to pass through that private key. So let's go over here and go -i and run that id_rsa, which should be right there, and "permanently added". And if that is right, we should be in.
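The chmod 600 step above is not cosmetic: OpenSSH refuses to use a private key that group or others can read, which is also the reason a key sitting on a readable share is such a bad sign. The following is an added example, not from the video or the room: it creates a constructed stand-in for the downloaded id_rsa (not a real key), shows the permission check OpenSSH applies, and wraps it in a small audit that lists private keys under a directory that are readable by anyone but their owner. The directory name, the placeholder key text and the username cactus in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the video: the chmod 600 step and a permission
# audit for private keys. The key file is a CONSTRUCTED placeholder.
WORK="${TMPDIR:-/tmp}/thm_key_demo"
mkdir -p "$WORK"

cat > "$WORK/id_rsa" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END OPENSSH PRIVATE KEY-----
EOF
chmod 644 "$WORK/id_rsa"   # typical permissions right after smbclient's "get"

# Group and other permission characters from "ls -l" (columns 5-10), e.g. "------".
group_other_bits() { ls -l "$1" | cut -c5-10; }

# Succeeds only when nobody but the owner can read or write the file,
# which is what OpenSSH demands before it will load a private key.
key_perms_ok() { [ "$(group_other_bits "$1")" = "------" ]; }

# Does the first line look like a PEM/OpenSSH private key header?
is_private_key() { head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; }

# List private keys directly under a directory that group/others can read.
exposed_keys() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    is_private_key "$f" && ! key_perms_ok "$f" && echo "$f"
  done
  return 0
}

# The fix from the task: owner read/write only, then confirm.
fix_key_perms() { chmod 600 "$1" && key_perms_ok "$1"; }

before=$(exposed_keys "$WORK" | wc -l | tr -d ' ')
fix_key_perms "$WORK/id_rsa"
after=$(exposed_keys "$WORK" | wc -l | tr -d ' ')
echo "exposed private keys before: $before, after: $after"
# Real usage once permissions are fixed (not executed here):
#   ssh -i "$WORK/id_rsa" cactus@<machine-ip>
```

The same exposed_keys walk, pointed at a mounted share or a home directory, is a quick way for a defender to find the situation this task exploits before someone else does.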
So the only reason I knew it was Cactus was from, like, last time I did that; that was off memory. But that would probably be the thing that would get pretty annoying trying to figure out. But hey, we got the last flag in the end. So it took a little bit more digging. I didn't remember everything since the last time I went through this, so it was fun to do it again. Sort of stretched me a little bit, trying to remember everything. smbclient in particular is something I should probably do a bit more research on personally. So I hope you've enjoyed this first part. I'm going to terminate the machine and we'll go through the next part in the next video. So subscribe if you'd like to check that out for when that goes live. If you've got any questions or anything, reach out. If you've got any pointers, things that I might not have done exactly 100%, or just any feedback or anything, please let me know. Always willing to learn. So that's what I'm trying to do by putting this out. Hopefully I can help someone else, and hopefully someone else can help me and we can all learn. So if you enjoyed this video, let me know; if you didn't, also let me know. And yeah, thanks for checking it out. I'll see you in the next one.