Recently, I tried my hand at exploiting several misconfigured or otherwise vulnerable network services, namely SMB, Telnet, and FTP, on machines hosted on TryHackMe, in order to gain a better understanding of some common network vulnerabilities and misconfigurations. I used Kali Linux for my local machine, and connected via OpenVPN to several vulnerable boxes on TryHackMe. I’ll detail the steps I took to exploit each of these three services, and how each can be avoided with proper configuration.
Firstly, I targeted a machine running an SMB server that was misconfigured to allow anonymous access to shares. To start, I enumerated the machine using nmap, and determined that it was running an SMB server on port 139. Using enum4linux, I then enumerated the SMB shares on the server, and a share titled “profiles” caught my eye. Using smbclient, I was able to connect to the share anonymously, and retrieve poorly hidden RSA keys. From there, it was simply a matter of downloading the keys to my local machine, and using them to SSH into the server and retrieve a flag. Clearly, it is important to properly configure an SMB server so that anonymous access is not allowed.
Next up was a machine with a pre-existing Telnet backdoor. Once again, I enumerated the machine using nmap to find an open non-standard port. Using Telnet, I was able to connect to this port, and discovered it was a backdoor into the system. In order to ensure commands I entered were actually being run, I started a tcpdump listener for ICMP packets on my local machine, and pinged my local machine from the target machine. Sure enough, the packets were being delivered, so I then used msfvenom to generate and encode a netcat reverse shell payload. Finally, I started a netcat listener on my local machine, and ran the payload on the target machine via the Telnet connection to gain reverse shell access and retrieve the flag.
Lastly, I went up against another machine running a misconfigured FTP server, again allowing anonymous access. After enumerating the machine and discovering the FTP service running, I connected anonymously and found a file with a possible username. From here, I used the username and a password cracker called Hydra to brute force the weak password and connect to the FTP server as a more privileged user. This highlights both the importance of configuring an FTP server properly so as not to allow anonymous access (ideally also using a more secure alternative like SFTP), as well as the importance of strong passwords.
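As an added illustration of the configuration point made in the SMB and FTP sections (this is not code from the post or from TryHackMe), the script below audits constructed Samba and vsftpd configuration snippets for the anonymous-access settings involved, showing the weak setting beside its corrected form; the share name, paths and group are assumptions.

```python
import configparser
# Constructed sample configs (not from the post or any box): a Samba share open
# to guests, like the "profiles" share above, and vsftpd with anonymous logins.
WEAK_SMB_CONF = """
[global]
   map to guest = Bad User
[profiles]
   path = /srv/profiles
   guest ok = yes
"""
HARDENED_SMB_CONF = """
[global]
   map to guest = Never
[profiles]
   path = /srv/profiles
   guest ok = no
   valid users = @staff
"""
WEAK_VSFTPD_CONF = "listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n"
HARDENED_VSFTPD_CONF = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"

def audit_smb_conf(text):
    """Flag Samba settings that let unauthenticated clients reach shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip Samba's indentation so configparser does not read options as continuations.
    cp.read_string("\n".join(ln.strip() for ln in text.splitlines()))
    findings = []
    # 'map to guest = Bad User' turns failed logins into anonymous sessions.
    if cp.get("global", "map to guest", fallback="Never").strip().lower() != "never":
        findings.append("global: map to guest allows guest fallback")
    for share in cp.sections():
        # 'guest ok' (alias 'public') grants share access with no password at all.
        if share != "global" and (cp.getboolean(share, "guest ok", fallback=False)
                                  or cp.getboolean(share, "public", fallback=False)):
            findings.append(f"{share}: guest access enabled")
    return findings

def audit_vsftpd_conf(text):
    """Flag vsftpd settings that allow anonymous logins."""
    opts = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().upper()
    # vsftpd's built-in default for anonymous_enable is YES; a missing line counts too.
    if opts.get("anonymous_enable", "YES") == "YES":
        return ["anonymous_enable=YES: anonymous FTP logins allowed"]
    return []
```

Running both auditors over a real `/etc/samba/smb.conf` and `/etc/vsftpd.conf` gives a quick check that neither service would have let the anonymous connections described above succeed.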