In this article, I have tried to prepare a write-up for the "Network Services 2" room on TryHackMe.


[Task 1] Get Connected

This room is a sequel to the first Network Services room. Similarly, it will explore a few more common network service vulnerabilities and misconfigurations that you're likely to find in CTFs and in some penetration test scenarios.

#1 Ready? Let's get going!

ANSWER: No answer needed


[Task 2] Understanding NFS

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion, of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

#1 What does NFS stand for?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network.

ANSWER: Network File System

#2 What process allows an NFS client to interact with a remote directory as though it was a physical device?

By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by "mounting" all, or a portion, of a file system on a server.

ANSWER: Mounting

#3 What does NFS use to represent files and directories on the server?

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  • The file handle
  • The name of the file to be accessed
  • The user's user ID
  • The user's group ID

ANSWER: file handle

#4 What protocol does NFS use to communicate between the server and client?

The mount service will then act to connect to the relevant mount daemon using RPC.

ANSWER: RPC

#5 What two pieces of user data does the NFS server take as parameters for controlling user permissions?

The same RPC call to NFSD described in #3 carries the user's user ID and group ID, and the server uses these two values to decide which file permissions apply. Note that the client supplies them: with the default AUTH_SYS security flavour (no Kerberos), the server simply trusts the client's claim about who the user is.

ANSWER: user id / group id

#6 Can a Windows NFS server share files with a Linux client? (Y/N)

ANSWER: Y

#7 Can a Linux NFS server share files with a MacOS client? (Y/N)

ANSWER: Y

#8 What is the latest version of NFS?

You can find the answer on this website. NFS version 4.2 is specified in RFC 7862.

ANSWER: 4.2


[Task 3] Enumerating NFS

You can use this Nmap command:

nmap -p- -A -sC -Pn [IP Address]

(-A already turns on version detection, OS detection, script scanning and traceroute, so -sC is redundant here, but harmless.)

[Screenshot: Nmap result]
[Screenshot: Nmap result]

#1 Conduct a thorough port scan of your choosing. How many ports are open?

Ports 22, 111, 2049, 37069, 39969, 41047 and 48707 are open. Port 111 is rpcbind and 2049 is NFS itself; the high ports belong to the RPC helper services (typically mountd, statd and nlockmgr), which are assigned dynamically, so their numbers may differ on your instance. rpcinfo -p [IP] maps them to service names.

ANSWER: 7

#2 Which port contains the service we're looking to enumerate?

You can see the answer in the second picture above.

ANSWER: 2049

#3 Now, use /usr/sbin/showmount -e [IP] to list the NFS shares. What is the name of the visible share?

ANSWER: /home

#4 Change directory to where you mounted the share. What is the name of the folder inside?

Time to mount the share on our local machine!

First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory, so be aware that it will be removed on restart.

Then use the mount command the room broke down earlier (mount -t nfs) to mount the NFS share on your local machine.

ANSWER: cappucino

#5 Have a look inside this directory and look at the files. Looks like we're inside a user's home directory…

ANSWER: No answer needed

#6 Which of these folders could contain keys that would give us remote access to the server?

ANSWER: .ssh

#7 Which of these keys is most useful to us?

ANSWER: id_rsa

#8 Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)

Copy id_rsa to your own machine first and restrict its permissions (chmod 600), otherwise ssh refuses to use a private key that other users can read.

ANSWER: Y


[Task 4] Exploiting NFS

#1 First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user's home directory.

ANSWER: No answer needed

#2 The copied bash shell must be owned by the root user; you can set this using "sudo chown root bash"

This only works because the share is exported without root squashing: with the default root_squash option the server would map your root to the anonymous user and the file would not end up owned by root on the target. The bash binary you copy also has to run on the target (same architecture and a compatible libc).

ANSWER: No answer needed

#3 What letter do we use to set the SUID bit using chmod?

ANSWER: s

#4 What does the permission set look like? Make sure that it ends with -sr-x.

ANSWER: -rwsr-sr-x

#5 The -p flag preserves the effective user ID, so that the copy can run as root via SUID; without it, bash notices that its effective UID differs from the real UID and drops back to the real user.

ANSWER: No answer needed

#6 Great! If all's gone well you should have a shell as root! What's the root flag?

ANSWER: I'm sure you can find it in your own efforts 🙂
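The root-owned SUID bash in this task only lands on the server as root because of how /home is exported: with NFS's default root_squash, requests from uid 0 on the client are remapped to the anonymous user and the chown would not stick, so the share here must be exported with no_root_squash. The following is an added example, not part of the original write-up, the room or any NFS tool, that parses an /etc/exports file and flags the option combinations a pentester (or a defender reviewing the server) looks for: no_root_squash, exports to any host, and insecure. The sample exports text, the hardened line and the function names parse_exports and audit_exports are all constructed for this example and are not the target's real configuration.

```python
import re

# Constructed sample /etc/exports; not the room target's real file.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home       *(rw,sync,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
/srv/data   192.168.1.5(rw,sync,no_subtree_check) 192.168.1.6(rw,insecure)
"""

# Hardened equivalent of the /home line (constructed): keep root squashed,
# limit the client range, and leave exportfs's default "secure" in place.
HARDENED_HOME = "/home 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)\n"

# client spec is "host(opt,opt,...)"; both the host and the option list may be empty
CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) tuples from exports(5) text.

    Comments and blank lines are skipped; a line may list several clients,
    each with its own parenthesised option list. A client with no option
    list gets an empty list, which means exportfs defaults (root_squash,
    secure, ro) apply.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            if m is None:
                continue                       # malformed client spec, skip it
            host = m.group(1) or "*"           # an empty host means everyone
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export settings.

    Findings:
      no_root_squash - client root keeps uid 0 on the server, so a SUID-root
                       binary planted on the share runs as root there
      any_host       - exported to every host rather than a host or network list
      insecure       - requests from unprivileged source ports are accepted, so
                       any local user on an allowed client can mount without root
    """
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash"))
        if host == "*":
            findings.append((path, host, "any_host"))
        if "insecure" in opts:
            findings.append((path, host, "insecure"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {finding}")
    print("hardened /home line findings:", audit_exports(HARDENED_HOME))
```

To run it against a real server, replace SAMPLE_EXPORTS with the contents of /etc/exports once you have a shell there. showmount -e only lists paths and allowed hosts, not the option flags, so from the client side the quick test for root squashing is to create a file on the mounted share as root and check its owner with ls -l: if it shows up as nobody (or nfsnobody), root_squash is on and the SUID trick will not work.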


[Chore 5] Understanding SMTP

#one What does SMTP correspond?

SMTP stands for "Simple Mail Transfer Protocol".

ANSWER: Simple Mail Transfer Protocol

#2 What does SMTP handle the sending of?

Respond: emails

#3 What is the first footstep in the SMTP process?

The mail user agent, which is either your email client or an external program. connects to the SMTP server of your domain. This initiates the SMTP handshake.

ANSWER: SMTP handshake

#4 What is the default SMTP port?

This connection works over the SMTP port- which is usually 25.

Answer: 25

#five Where does the SMTP server send the electronic mail if the recipient's server is not bachelor?

 If the recipient's server can't be accessed, or is not available– the Email gets put into an SMTP queue.

ANSWER: smtp queue

#6 On what server does the Electronic mail ultimately end up on?

ANSWER: Pop/IMAP

#7 Can a Linux machine run an SMTP server? (Y/N)

SMTP Server software is readily bachelor on Windows server platforms, with many other variants of SMTP being available to run on Linux.

Reply: Y

#8 Can a Windows machine run an SMTP server? (Y/N)

SMTP Server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.

ANSWER: Y


[Task 6] Enumerating SMTP

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to 5 minutes, so be patient!

#1 First, let's run a port scan against the target machine, same as last time. What port is SMTP running on?

ANSWER: 25

#2 Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

ANSWER: msfconsole

#3 Let's search for the module "smtp_version". What's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_version

#4 Great, now select the module and list the options. How do we do this?

ANSWER: options

#5 Have a look through the options. Does everything seem correct? What is the option we need to set?

ANSWER: RHOSTS

#6 Set that to the correct value for your target machine, then run the module. What's the system mail name?

ANSWER: polosmtp.home

#7 What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

You can find the answer on this website. The 220 banner that smtp_version prints already gives it away: Postfix's default banner is "$myhostname ESMTP $mail_name", and mail_name defaults to "Postfix".

ANSWER: Postfix

#8 Good! We've now got a good amount of data on the target system to move onto the next stage. Let's search for the module "smtp_enum". What's its full module name?

ANSWER: auxiliary/scanner/smtp/smtp_enum

#9 What option do we need to set to the wordlist's path?

ANSWER: USER_FILE

#10 Once we've set this option, what is the other essential parameter we need to set?

ANSWER: RHOSTS

#11 Now, set the THREADS parameter to 16 and run the module. This may take a few minutes, so grab a cup of tea, coffee or water. Keep yourself hydrated!

ANSWER: No answer needed

#12 Okay! Now that's finished, what username is returned?

ANSWER: administrator
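smtp_enum finds "administrator" by asking the server about each name in the wordlist with the VRFY command (falling back to EXPN or RCPT TO) and sorting the replies by their three-digit code: 250 or 252 means the server accepted the address, 550 means unknown user, and 502 means the verb is disabled. The following is an added example, not code from this write-up, the room or Metasploit, that runs that exchange offline against a small stand-in for a Postfix-style server so both sides of the conversation are visible. The hostname mail.example.test, the client name attacker.test, the user list and the candidate names are constructed for the example; the reply codes and wording follow Postfix's behaviour.

```python
class FakeSmtpServer:
    """Minimal stand-in for a Postfix-style SMTP server (constructed, not the room's target)."""

    HOSTNAME = "mail.example.test"   # assumed hostname

    def __init__(self, local_users, vrfy_enabled=True):
        self.users = set(local_users)
        # Postfix turns VRFY off with "disable_vrfy_command = yes" in main.cf
        self.vrfy_enabled = vrfy_enabled

    def connect(self):
        return f"220 {self.HOSTNAME} ESMTP Postfix"

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.HOSTNAME}"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "502 5.5.1 VRFY command is disabled"
            if arg in self.users:
                return f"252 2.0.0 {arg}"
            return (f"550 5.1.1 <{arg}>: Recipient address rejected: "
                    "User unknown in local recipient table")
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def reply_code(reply):
    """Every SMTP reply starts with a three-digit status code."""
    return int(reply[:3])


def vrfy_enumerate(server, candidates, client_name="attacker.test"):
    """Probe each candidate user with VRFY and classify the reply.

    Returns (found_users, transcript). Stops early on 502, because once the
    server has said VRFY is disabled every further probe is wasted and the
    next thing to try is EXPN or RCPT TO.
    """
    transcript = [f"S: {server.connect()}",
                  f"C: HELO {client_name}",
                  f"S: {server.command('HELO ' + client_name)}"]
    found = []
    for user in candidates:
        reply = server.command(f"VRFY {user}")
        transcript += [f"C: VRFY {user}", f"S: {reply}"]
        code = reply_code(reply)
        if code == 502:
            break
        if code in (250, 252):
            found.append(user)
    transcript += ["C: QUIT", f"S: {server.command('QUIT')}"]
    return found, transcript


if __name__ == "__main__":
    # Constructed user list and candidate list; a real run uses a long wordlist.
    server = FakeSmtpServer(["root", "administrator"])
    found, transcript = vrfy_enumerate(server, ["admin", "administrator", "root", "bob"])
    print("\n".join(transcript))
    print("valid users:", found)
```

Against a live host the same probe can be typed by hand: connect with nc [IP] 25 and send VRFY administrator after the banner. On the defensive side, setting disable_vrfy_command = yes in Postfix's main.cf makes the server answer 502, which forces an attacker onto RCPT TO probing, a noisier technique that shows up as rejected recipients in the mail log.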


[Chore vii]  Exploiting SMTP

#1 What is the password of the user nosotros institute during our enumeration stage?

Yous tin can use this command:

hydra -t 16 -l [USERNAME] -P [rockyou.txt location] -vV [Motorcar IP Addres] ssh          

Reply: alejandro

#2 Bully! Now, let's SSH into the server every bit the user, what is contents of smtp.txt

You can utilize this command:

ssh administrator@[Motorcar IP Address] Password: alejandro          

ANSWER: I'grand sure you can find information technology in your own efforts 🙂


[Task 8] Understanding MySQL

#1 What type of software is MySQL?

MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).

ANSWER: relational database management system

#2 What language is MySQL based on?

It is queried using a dedicated language, the Structured Query Language (SQL).

ANSWER: SQL

#3 What communication model does MySQL use?

As we know, it uses a client-server model.

ANSWER: client-server

#4 What is a common application of MySQL?

ANSWER: back end database

#5 What major social network uses MySQL as their back-end database? This will require further research.

ANSWER: Facebook


[Task 9] Enumerating MySQL

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to 5 minutes, so be patient!

#1 What port is MySQL using?

ANSWER: 3306

#2 We can do this using the command "mysql -h [IP] -u [username] -p"

ANSWER: No answer needed

#3 Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch Metasploit.

ANSWER: No answer needed

#4 Search for, select and list the options it needs. What three options do we need to set? (in descending order)

The module in question is mysql_sql (auxiliary/admin/mysql/mysql_sql), which runs a single query with the credentials you give it.

ANSWER: PASSWORD/RHOSTS/USERNAME

#5 Run the module. By default it will test with the "select version()" query. What result does this give you?

ANSWER: 5.7.29-0ubuntu0.18.04.1

#6 Change the "sql" option to "show databases". How many databases are returned?

ANSWER: 4


[Task 10] Exploiting MySQL

#1 First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_schemadump

#2 What's the name of the last table that gets dumped?

The steps, shown in the screenshots: first start the "mysql" service, then open msfconsole, set the module's parameters (the same RHOSTS, USERNAME and PASSWORD as before), then run the module.

ANSWER: x$waits_global_by_latency

#3 Search for and select the "mysql_hashdump" module. What's the module's full name?

ANSWER: auxiliary/scanner/mysql/mysql_hashdump

#4 Again, I'll let you take it from here. Set the relevant options and run the module. What non-default user stands out to you?

ANSWER: carl

#5 What is the user/hash combination string?

ANSWER: carl:*EA031893AA21444B170FC2162A56978B8CEECE18

#6 Now, we need to crack the password! Let's try John the Ripper against it using "john hash.txt". What is the password of the user we found?

Put the user:hash line into hash.txt. John recognises the leading "*" followed by 40 hex digits as the mysql-sha1 format (you can force it with --format=mysql-sha1); it is an unsalted hash, so a wordlist run is fast.

ANSWER: doggie

#7 What's the contents of MySQL.txt?

ANSWER: I'm sure you can find it in your own efforts 🙂
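The hash cracked in #6 above is in mysql_native_password format: a "*" followed by the uppercase hex of SHA1(SHA1(password)), with no salt, which is why john finishes almost instantly. The following is an added example, not code from this write-up, the room or John the Ripper, that implements that hash, validates a mysql_hashdump line, and runs a tiny wordlist attack over it. The four-entry WORDLIST is constructed to stand in for rockyou.txt; PAGE_HASH_LINE is the line reported by mysql_hashdump on this page; the function names are my own.

```python
import hashlib

# Hash line as reported by mysql_hashdump in #5 above.
PAGE_HASH_LINE = "carl:*EA031893AA21444B170FC2162A56978B8CEECE18"

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "doggie", "letmein"]


def mysql_native_hash(password):
    """mysql_native_password (the old PASSWORD() function): '*' + HEX(SHA1(SHA1(pw))).

    There is no salt, so the same password always produces the same string
    and one cracked entry unlocks every account that reused that password.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # binary, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hashdump_line(line):
    """Split a 'user:hash' line and check the hash looks like mysql-sha1."""
    user, sep, digest = line.strip().partition(":")
    hex_part = digest[1:]
    if not (sep and digest.startswith("*") and len(hex_part) == 40
            and all(c in "0123456789ABCDEF" for c in hex_part)):
        raise ValueError(f"not a mysql_native_password hash: {line!r}")
    return user, digest


def crack(hash_line, wordlist):
    """Wordlist attack: return the entry whose hash matches the line, or None."""
    _user, target = parse_hashdump_line(hash_line)
    for candidate in wordlist:
        if mysql_native_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    user, _ = parse_hashdump_line(PAGE_HASH_LINE)
    print(user, "->", crack(PAGE_HASH_LINE, WORDLIST))
```

If the hash line on the page is transcribed correctly, crack() returns the same answer john did. The equivalent john invocation with an explicit wordlist is john --format=mysql-sha1 --wordlist=[rockyou.txt location] hash.txt. Note that MySQL 8 defaults to caching_sha2_password, a salted SHA-256 scheme, which neither this code nor the mysql-sha1 format handles; a hashdump from such a server looks different and needs a different john format.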


[Task 11] Further Learning

#1 Congratulations! You did it!

ANSWER: No answer needed


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.