In this article, I have put together a write-up for the "Network Services 2" room on TryHackMe.


[Task 1] Get Connected

This room is a sequel to the first Network Services room. Similarly, it will explore a few more common network service vulnerabilities and misconfigurations that you're likely to find in CTFs and in some penetration testing scenarios.

#1 Ready? Let's get going!

ANSWER: No answer needed


[Task 2] Understanding NFS

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion, of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

#1 What does NFS stand for?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network.

Answer: Network File System

#2 What process allows an NFS client to interact with a remote directory as though it was a physical device?

By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by "mounting" all, or a portion, of a file system on a server.

Answer: Mounting

#3 What does NFS use to represent files and directories on the server?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  •  The file handle
  •  The name of the file to be accessed
  •  The user's user ID
  •  The user's group ID

ANSWER: file Handle

#4 What protocol does NFS use to communicate between the server and client?

The mount service will then act to connect to the relevant mount daemon using RPC.

ANSWER: RPC

#5 What two pieces of user information does the NFS server take as parameters for controlling user permissions?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  •  The file handle
  •  The name of the file to be accessed
  •  The user's user ID
  •  The user's group ID

ANSWER: user id / group id

#6 Can a Windows NFS server share files with a Linux client? (Y/N)

ANSWER: Y

#7 Can a Linux NFS server share files with a MacOS client? (Y/N)

Answer: Y

#8 What is the latest version of NFS?

You can find the answer on this website.

Answer: 4.2


[Task 3] Enumerating NFS

You can use this Nmap command:

nmap -p- -A -sC -Pn [IP Address]

(Nmap result, first screenshot)
(Nmap result, second screenshot)

#1 Conduct a thorough port scan of your choosing, how many ports are open?

Ports 22, 111, 2049, 37069, 39969, 41047 and 48707 are open.

Answer: 7

#2 Which port contains the service we're looking to enumerate?

You can see the answer in the second picture above.

ANSWER: 2049

#3 Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

ANSWER: /home

#4 Change directory to where you mounted the share- what is the name of the folder inside?

Time to mount the share to our local machine!

First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.

Then, use the mount command we broke down before to mount the NFS share to your local machine.

ANSWER: cappucino

#5 Have a look inside this directory, look at the files. Looks like we're inside a user's home directory…

ANSWER: No answer needed

#6 Which of these folders could contain keys that would give us remote access to the server?

Answer: .ssh

#7 Which of these keys is most useful to us?

Answer: id_rsa

#8 Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)

ANSWER: Y


[Task 4] Exploiting NFS

#1 First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.

ANSWER: No answer needed

#2 The copied bash shell must be owned by a root user, you can set this using "sudo chown root bash"

Answer: No answer needed

#3 What letter do we use to set the SUID bit using chmod?

Answer: s

#4 What does the permission set look like? Make sure that it ends with -sr-x.

ANSWER: -rwsr-sr-x

#5 The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.

ANSWER: No answer needed

#6 Great! If all's gone well you should have a shell as root! What's the root flag?

ANSWER: I'm sure you can find it in your own efforts 🙂
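The SUID-bash chain in this task only works because the server exports the share with no_root_squash, so a root-owned file planted from the client stays root-owned on the server. The script below is an added example, not part of the room or the write-up: it audits an /etc/exports-style file (a constructed sample is embedded) and flags no_root_squash, wildcard clients and the insecure option.

```python
# Added example (not from the write-up): audit /etc/exports for the settings
# that make the NFS -> root chain above possible. root_squash (the default)
# maps a client's uid 0 to nobody, so a root-owned SUID binary cannot be
# planted through the share; no_root_squash removes that protection.
# SAMPLE_EXPORTS is a constructed file; point audit_exports() at a real one.

SAMPLE_EXPORTS = """\
# constructed /etc/exports sample
/srv/data   10.0.0.0/24(rw,sync,root_squash)
/home       *(rw,sync,no_root_squash,no_subtree_check)
/backup     10.0.0.5(ro,insecure)
/scratch    (rw)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client entry of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]   # bare path: all hosts
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            yield path, client or "*", options         # "(rw)" alone means "*"


def audit_exports(text):
    """Return (path, client, issue) tuples for risky export entries."""
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash"))   # uid 0 kept
        if client == "*":
            findings.append((path, client, "wildcard_client"))  # any host mounts
        if "insecure" in options:
            findings.append((path, client, "insecure_ports"))   # ports > 1024 ok
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<10} {client:<14} {issue}")
```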


[Task 5] Understanding SMTP

#1 What does SMTP stand for?

SMTP stands for "Simple Mail Transfer Protocol".

ANSWER: Simple Mail Transfer Protocol

#2 What does SMTP handle the sending of?

Answer: emails

#3 What is the first step in the SMTP process?

The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain. This initiates the SMTP handshake.

Answer: SMTP handshake

#4 What is the default SMTP port?

This connection works over the SMTP port- which is usually 25.

Answer: 25

#5 Where does the SMTP server send the email if the recipient's server is not available?

If the recipient's server can't be accessed, or is not available, the email gets put into an SMTP queue.

Answer: smtp queue

#6 On what server does the email ultimately end up?

Answer: POP/IMAP

#7 Can a Linux machine run an SMTP server? (Y/N)

SMTP server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

Answer: Y

#8 Can a Windows machine run an SMTP server? (Y/N)

SMTP server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y


[Task 6] Enumerating SMTP

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to 5 minutes so be patient!

#1 First, let's run a port scan against the target machine, same as last time. What port is SMTP running on?

ANSWER: 25

#2 Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

Answer: msfconsole

#3 Let's search for the module "smtp_version", what's its full module name?

Answer: auxiliary/scanner/smtp/smtp_version

#4 Great, now- select the module and list the options. How do we do this?

Answer: options

#5 Have a look through the options, does everything seem correct? What is the option we need to set?

Answer: RHOSTS

#6 Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?

ANSWER: polosmtp.home

#7 What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

You can find the answer on this website.

Answer: Postfix

#8 Good! We've now got a good amount of information on the target system to move onto the next phase. Let's search for the module "smtp_enum", what's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_enum

#9 What option do we need to set to the wordlist's path?

Answer: USER_FILE

#10 Once we've set this option, what is the other essential parameter we need to set?

ANSWER: RHOSTS

#11 Now, set the THREADS parameter to 16 and run the exploit. This may take a few minutes, so grab a cup of tea, coffee or water. Keep yourself hydrated!

ANSWER: No answer needed

#12 Okay! Now that's finished, what username is returned?

Answer: administrator
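smtp_enum finds the username by sending VRFY for each word in the list and reading whether the server answers 252 (may exist) or 550 (unknown). The toy responder below is an added example, not part of the room, the write-up or Metasploit: it models those Postfix replies, and shows that with VRFY disabled (Postfix's disable_vrfy_command = yes; the exact 502 text is assumed) every name gets the same reply, so the probe learns nothing.

```python
# Added example (not from the write-up or Metasploit): a toy SMTP responder
# showing the reply difference the VRFY probe relies on and what disabling
# VRFY changes. Reply texts are modelled on Postfix; the 502 text for a
# disabled VRFY is assumed.


class ToySmtpServer:
    """Minimal SMTP responder that knows which local users exist."""

    def __init__(self, hostname, users, disable_vrfy=False):
        self.hostname = hostname
        self.users = set(users)
        self.disable_vrfy = disable_vrfy   # Postfix: disable_vrfy_command = yes

    def banner(self):
        return f"220 {self.hostname} ESMTP Postfix"

    def handle(self, line):
        """Return the server's reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "VRFY":
            if self.disable_vrfy:
                return "502 5.5.1 VRFY command is disabled"   # same for everyone
            if arg in self.users:
                return f"252 2.0.0 {arg}"                     # "may exist"
            return f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def vrfy_probe(server, candidates):
    """Replay the VRFY loop over a list; return (confirmed names, transcript)."""
    transcript = [("S", server.banner()), ("C", "EHLO probe")]
    transcript.append(("S", server.handle("EHLO probe")))
    confirmed = []
    for name in candidates:
        reply = server.handle(f"VRFY {name}")
        transcript += [("C", f"VRFY {name}"), ("S", reply)]
        if reply.startswith("252"):
            confirmed.append(name)
    transcript += [("C", "QUIT"), ("S", server.handle("QUIT"))]
    return confirmed, transcript


if __name__ == "__main__":
    for hardened in (False, True):
        srv = ToySmtpServer("polosmtp.home", ["administrator"], hardened)
        print(hardened, vrfy_probe(srv, ["administrator", "bob"])[0])
```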


[Task 7] Exploiting SMTP

#1 What is the password of the user we found during our enumeration stage?

You can use this command:

hydra -t 16 -l [USERNAME] -P [rockyou.txt location] -vV [Machine IP Address] ssh

Answer: alejandro

#2 Great! Now, let's SSH into the server as the user, what is the contents of smtp.txt?

You can use this command:

ssh administrator@[Machine IP Address]
Password: alejandro

ANSWER: I'm sure you can find it in your own efforts 🙂


[Task 8] Understanding MySQL

#1 What type of software is MySQL?

MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).

Answer: relational database management system

#2 What language is MySQL based on?

It uses a language, specifically the Structured Query Language (SQL).

Answer: SQL

#3 What communication model does MySQL use?

As we know, it uses a client-server model.

Answer: client-server

#4 What is a common application of MySQL?

Answer: back end database

#5 What major social network uses MySQL as their back-end database? This will require further research.

ANSWER: Facebook


[Task 9] Enumerating MySQL

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 What port is MySQL using?

ANSWER: 3306

#2 We can do this using the command "mysql -h [IP] -u [username] -p"

Answer: No answer needed

#3 Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch up Metasploit.

ANSWER: No answer needed

#4 Search for, select and list the options it needs. What three options do we need to set? (in descending order).

Answer: PASSWORD/RHOSTS/USERNAME

#5 Run the exploit. By default it will test with the "select module()" command, what result does this give you?

ANSWER: 5.7.29-0ubuntu0.18.04.1

#6 Change the "sql" option to "show databases". How many databases are returned?

Answer: 4


[Task 10] Exploiting MySQL

#1 First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_schemadump

#2 What's the name of the last table that gets dumped?

First, you must start the "mysql" service:

Then we should use msfconsole:

We have to set the parameters:

Then run this module:

Answer: x$waits_global_by_latency

#3 Search for and select the "mysql_hashdump" module. What's the module's full name?

Answer: auxiliary/scanner/mysql/mysql_hashdump

#4 Once again, I'll let you take it from here. Set up the relevant options, run the exploit. What non-default user stands out to you?

ANSWER: carl

#5 What is the user/hash combination string?

Answer: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

#6 Now, we need to crack the password! Let's try John the Ripper against it using "john hash.txt". What is the password of the user we found?

Answer: doggie

#7 What's the contents of MySQL.txt

Answer: I'm sure you can find it in your own efforts 🙂
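John cracks the carl hash in seconds because mysql_native_password stores an unsalted SHA1(SHA1(password)), so every guess costs two hash calls. The code below is an added example, not part of the room, the write-up, Metasploit or John: it rebuilds that hash format, parses the "user:*HASH" line shown above, and runs a defender-side audit that flags accounts whose hash matches a weak-password list (the extra dump line and the word list are constructed).

```python
# Added example (not from the write-up, Metasploit or John): how the dumped
# carl:*EA03... line is built and a weak-password audit over such a dump.
# mysql_native_password = "*" + hex(SHA1(SHA1(password))), upper case, no salt.
import hashlib
import hmac


def mysql_native_hash(password: str) -> str:
    """Return the mysql_native_password string for a clear-text password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_native(password: str, stored: str) -> bool:
    """Constant-time check of a candidate against a stored native hash."""
    return hmac.compare_digest(mysql_native_hash(password), stored.upper())


def parse_hashdump_line(line: str):
    """Split a 'user:*HASH' line (the mysql_hashdump format) into its parts."""
    user, sep, stored = line.strip().partition(":")
    if not sep or not stored.startswith("*") or len(stored) != 41:
        raise ValueError(f"not a mysql_native_password dump line: {line!r}")
    return user, stored


def audit_hashdump(lines, weak_words):
    """Return {user: weak_password} for accounts whose hash matches a weak word."""
    weak = {}
    for line in lines:
        user, stored = parse_hashdump_line(line)
        for word in weak_words:
            if verify_native(word, stored):
                weak[user] = word
                break
    return weak


if __name__ == "__main__":
    # Constructed dump: the page's carl line plus one account with a known
    # weak password, so the audit has something to report offline.
    dump = ["carl:*EA031893AA21444B170FC2162A56978B8CEECE18",
            "svc_backup:" + mysql_native_hash("password1")]
    print(audit_hashdump(dump, ["doggie", "password1", "letmein"]))
```

Accounts on the default caching_sha2_password plugin (salted, iterated SHA-256) are not exposed this way, so flagged accounts should get a new password and the plugin migrated rather than just a longer password.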


[Task 11] Further Learning

#1 Congratulations! You did it!

Answer: No answer needed


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.