In this article, I have prepared a write-up for the "Network Services 2" room on TryHackMe.


[Task 1] Get Connected

This room is a sequel to the first Network Services room. Similarly, it will explore a few more common network service vulnerabilities and misconfigurations that you're likely to find in CTFs and in some penetration test scenarios.

#1 Ready? Let's get going!

ANSWER: No answer needed


[Task 2] Understanding NFS

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion, of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

#1 What does NFS stand for?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network.

ANSWER: Network File System

#2 What process allows an NFS client to interact with a remote directory as though it was a physical device?

By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by "mounting" all, or a portion, of a file system on a server.

ANSWER: Mounting

#3 What does NFS use to represent files and directories on the server?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  • The file handle
  • The name of the file to be accessed
  • The user's user ID
  • The user's group ID

ANSWER: file handle

#4 What protocol does NFS use to communicate between the server and client?

The mount service will then act to connect to the relevant mount daemon using RPC.

ANSWER: RPC

#5 What two pieces of user data does the NFS server take as parameters for controlling user permissions?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  • The file handle
  • The name of the file to be accessed
  • The user's user ID
  • The user's group ID

ANSWER: user id / group id

#6 Can a Windows NFS server share files with a Linux client? (Y/N)

ANSWER: Y

#7 Can a Linux NFS server share files with a MacOS client? (Y/N)

ANSWER: Y

#8 What is the latest version of NFS?

You can find the answer on this website.

ANSWER: 4.2


[Task 3] Enumerating NFS

You can use this Nmap command:

nmap -p- -A -sC -Pn [IP Address]

[Nmap result, image 1]
[Nmap result, image 2]

#1 Conduct a thorough port scan of your choosing, how many ports are open?

Ports 22, 111, 2049, 37069, 39969, 41047 and 48707 are open.

ANSWER: 7

#2 Which port contains the service we're looking to enumerate?

You can see the answer in the second image above.

ANSWER: 2049

#3 Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

ANSWER: /home

#4 Change directory to where you mounted the share- what is the name of the folder inside?

Time to mount the share to our local machine!

First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.

Then, use the mount command we broke down earlier to mount the NFS share to your local machine.

ANSWER: cappucino

#5 Have a look inside this directory, look at the files. Looks like we're inside a user's home directory…

ANSWER: No answer needed

#6 Which of these folders could contain keys that would give us remote access to the server?

ANSWER: .ssh

#7 Which of these keys is most useful to us?

ANSWER: id_rsa

#8 Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)

ANSWER: Y


[Task 4] Exploiting NFS

#1 First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.

ANSWER: No answer needed

#2 The copied bash shell must be owned by a root user, you can set this using "sudo chown root bash"

ANSWER: No answer needed

#3 What letter do we use to set the SUID bit using chmod?

ANSWER: s

#4 What does the permission set look like? Make sure that it ends with -sr-x.

ANSWER: -rwsr-sr-x

#5 The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.

ANSWER: No answer needed

#6 Great! If all's gone well you should have a shell as root! What's the root flag?

ANSWER: I'm sure you can find it in your own efforts 🙂
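The root-owned SUID bash copied in this task only keeps its bits on the server because the share is exported without root squashing. As an added example (not from the write-up or the room), here is a small audit script for an /etc/exports file that flags the options a defender should look for; the exports content is a constructed sample.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file for the options that make the
# SUID-bash trick possible. EXPORTS_SAMPLE is constructed, not a real server.
EXPORTS_SAMPLE='# constructed sample exports file
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup  10.0.0.0/24(ro,sync,root_squash)
/srv/pub     *(rw,sync)'

# audit_exports reads exports text on stdin and prints one finding per line:
#   <path> <client> <reason>
audit_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {            # one client(options) entry per field
        entry = $i
        client = entry; opts = ""
        if (match(entry, /\(.*\)/)) {
          client = substr(entry, 1, RSTART - 1)
          opts   = substr(entry, RSTART + 1, RLENGTH - 2)
        }
        if (client == "*")                          print path, client, "exported-to-everyone"
        if (opts ~ /(^|,)no_root_squash(,|$)/)      print path, client, "no_root_squash"
        if (client == "*" && opts ~ /(^|,)rw(,|$)/) print path, client, "rw-to-everyone"
      }
    }'
}

# count_findings returns the number of findings for the sample (quick check)
count_findings() {
  printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports | wc -l | tr -d ' '
}

# Run with --run to print the findings for the constructed sample.
if [ "${1:-}" = "--run" ]; then
  printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
fi
```

The /home line mirrors the room's setup and produces three findings; the read-only, root-squashed backup export produces none.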


[Task 5] Understanding SMTP

#1 What does SMTP stand for?

SMTP stands for "Simple Mail Transfer Protocol".

ANSWER: Simple Mail Transfer Protocol

#2 What does SMTP handle the sending of?

ANSWER: emails

#3 What is the first step in the SMTP process?

The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain. This initiates the SMTP handshake.

ANSWER: SMTP handshake

#4 What is the default SMTP port?

This connection works over the SMTP port- which is usually 25.

ANSWER: 25

#5 Where does the SMTP server send the email if the recipient's server is not available?

If the recipient's server can't be accessed, or is not available– the email gets put into an SMTP queue.

ANSWER: smtp queue

#6 What server does the email ultimately end up on?

ANSWER: POP/IMAP

#7 Can a Linux machine run an SMTP server? (Y/N)

SMTP server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y

#8 Can a Windows machine run an SMTP server? (Y/N)

SMTP server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y


[Task 6] Enumerating SMTP

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 First, let's run a port scan against the target machine, same as last time. What port is SMTP running on?

ANSWER: 25

#2 Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

ANSWER: msfconsole

#3 Let's search for the module "smtp_version", what's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_version

#4 Great, now- select the module and list the options. How do we do this?

ANSWER: options

#5 Have a look through the options, does everything seem correct? What is the option we need to set?

ANSWER: RHOSTS

#6 Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?

ANSWER: polosmtp.home

#7 What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

You can find the answer on this website.

ANSWER: Postfix

#8 Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module "smtp_enum", what's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_enum

#9 What option do we need to set to the wordlist's path?

ANSWER: USER_FILE

#10 Once we've set this option, what is the other essential parameter we need to set?

ANSWER: RHOSTS

#11 Now, set the THREADS parameter to 16 and run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

ANSWER: No answer needed

#12 Okay! Now that's finished, what username is returned?

ANSWER: administrator


[Task 7] Exploiting SMTP

#1 What is the password of the user we found during our enumeration stage?

You can use this command:

hydra -t 16 -l [USERNAME] -P [rockyou.txt location] -vV [Machine IP Address] ssh

ANSWER: alejandro

#2 Great! Now, let's SSH into the server as the user, what is the contents of smtp.txt

You can use this command:

ssh administrator@[Machine IP Address]
Password: alejandro

ANSWER: I'm sure you can find it in your own efforts 🙂
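The two Metasploit modules used in Task 6 read the server banner (smtp_version) and rely on the VRFY command (smtp_enum), and the found username was then brute-forced over SSH. As an added example, not part of the write-up, this script audits a Postfix main.cf fragment for the two settings that control what those modules see; the config text is a constructed sample that only reuses the polosmtp.home name from the task.

```shell
#!/bin/sh
# Added example: check a Postfix main.cf for banner and VRFY exposure.
# MAIN_CF_SAMPLE is a constructed fragment, not the target's real config.
MAIN_CF_SAMPLE='# constructed Postfix main.cf fragment
myhostname = polosmtp.home
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
disable_vrfy_command = no'

# postfix_value KEY: print the effective value of KEY from main.cf on stdin
# (a later assignment overrides an earlier one, as postconf does); empty if unset
postfix_value() {
  awk -v key="$1" -F'=' '
    /^[[:space:]]*(#|$)/ { next }
    {
      k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); sub(/^[[:space:]]+/, "", v)
        val = v
      }
    }
    END { print val }'
}

# audit_smtp_config reads main.cf on stdin and prints one finding per line
audit_smtp_config() {
  cfg=$(cat)
  vrfy=$(printf '%s\n' "$cfg" | postfix_value disable_vrfy_command)
  banner=$(printf '%s\n' "$cfg" | postfix_value smtpd_banner)
  # smtp_enum works by asking VRFY for each candidate user; Postfix answers
  # unless disable_vrfy_command is set to yes (the default is no)
  [ "$vrfy" = "yes" ] || echo "VRFY enabled: set disable_vrfy_command = yes (user enumeration)"
  # smtp_version simply records the greeting; $mail_name/$mail_version expand
  # to the MTA name and version in the banner
  case "$banner" in
    *mail_name*|*mail_version*) echo "banner reveals MTA: smtpd_banner=$banner" ;;
  esac
}

# count_smtp_findings returns the number of findings for the sample (quick check)
count_smtp_findings() {
  printf '%s\n' "$MAIN_CF_SAMPLE" | audit_smtp_config | wc -l | tr -d ' '
}
```
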


[Task 8] Understanding MySQL

#1 What type of software is MySQL?

MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).

ANSWER: relational database management system

#2 What language is MySQL based on?

It uses a language, specifically the Structured Query Language (SQL).

ANSWER: SQL

#3 What communication model does MySQL use?

As we know, it uses a client-server model.

ANSWER: client-server

#4 What is a common application of MySQL?

ANSWER: back end database

#5 What major social network uses MySQL as their back-end database? This will require further research.

ANSWER: Facebook


[Task 9] Enumerating MySQL

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

#1 What port is MySQL using?

ANSWER: 3306

#2 We can do this using the command "mysql -h [IP] -u [username] -p"

ANSWER: No answer needed

#3 Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch up Metasploit.

ANSWER: No answer needed

#4 Search for, select and list the options it needs. What three options do we need to set? (in descending order).

ANSWER: PASSWORD/RHOSTS/USERNAME

#5 Run the exploit. By default it will test with the "select module()" command, what result does this give you?

ANSWER: 5.7.29-0ubuntu0.18.04.1

#6 Change the "sql" option to "show databases". how many databases are returned?

ANSWER: 4


[Task 10] Exploiting MySQL

#1 First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_schemadump

#2 What's the name of the last table that gets dumped?

First, you must start the "mysql" service:

Then we should use msfconsole:

We have to set the parameters:

Then run this payload:

ANSWER: x$waits_global_by_latency

#3 Search for and select the "mysql_hashdump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_hashdump

#4 Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

ANSWER: carl

#5 What is the user/hash combination string?

ANSWER: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

#6 Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?

ANSWER: doggie

#7 What's the contents of MySQL.txt

ANSWER: I'm sure you can find it in your own efforts 🙂


[Task 11] Further Learning

#1 Congratulations! You did it!

ANSWER: No answer needed


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.