Try Hack Me (1)
Nmap: An in depth look at scanning with Nmap, a powerful network scanning tool.
1. Task 12: Searching for scripts
a. Search for "smb" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?
answer: smb-os-discovery.nse
answer: smb-brute
Or you can also use cat /usr/share/nmap/scripts/smb-os-discovery.nse, but then you have to search through it yourself. On the other hand, using cat lets you see other information as well.
2. Task 14: Practical (me using THM's Attack Box)
a. Does the target IP respond to ICMP echo (ping) requests?
answer: No
The target IP doesn't return anything (0 received).
b. Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
answer: 999
c. There is a reason given for this -- what is it? Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help! (The hint says to use -vv.)
answer: no response
So the reason the results are open|filtered is that all 999 ports gave no response, but the host is up because it answered the ARP ping (?). You can see this when using -vv, where the output is more detailed than without the -vv switch.
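An added example (my own code, not from the THM room or this post) that reads nmap's normal output when run with -vv and --reason and tallies how many ports landed in each state and why. That is exactly how the "999 open|filtered, no response" answer above is read off the scan, and it also picks up the host-discovery reason (the ARP response). The sample output is constructed, not a real scan.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `nmap -sX -vv --reason` normal output (not real scan data).
SAMPLE = """\
Nmap scan report for 10.10.10.10
Host is up, received arp-response (0.00042s latency).
Not shown: 997 open|filtered tcp ports (no-response)
PORT     STATE         SERVICE     REASON
22/tcp   open|filtered ssh         no-response
139/tcp  closed        netbios-ssn reset ttl 64
8012/tcp filtered      unknown     admin-prohibited from 10.10.10.1
"""

# One listed port: "<port>/<proto> <state> <service> <reason ...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The collapsed line nmap prints for the ports it does not list individually.
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:tcp |udp )?ports(?: \((.+)\))?")
# Why nmap decided the host is up (e.g. arp-response, echo-reply).
HOST_RE = re.compile(r"^Host is up, received (\S+)")


def summarize(text):
    """Count port states and the reason nmap gives for each state."""
    states = Counter()
    reasons = defaultdict(Counter)
    host_reason = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host_reason = m.group(1)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            count, state, reason = int(m.group(1)), m.group(2), m.group(3) or "unknown"
            states[state] += count
            reasons[state][reason] += count
            continue
        m = PORT_RE.match(line)
        if m:
            # Keep only the reason keyword, dropping trailers like "ttl 64".
            state, reason = m.group(3), m.group(5).split()[0] if m.group(5) else "unknown"
            states[state] += 1
            reasons[state][reason] += 1
    return {"host_reason": host_reason, "states": dict(states),
            "reasons": {s: dict(c) for s, c in reasons.items()}}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Reading the scan this way makes the difference explicit: "no-response" ports are only open|filtered, while a "reset" is the one state a firewall-silenced Xmas scan can actually prove.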
d. Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
answer: 5
e. Open Wireshark (see Cryillic's Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on. Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
answer: y
For the Wireshark part, since I don't have Wireshark:
Network Services: Learn about, then enumerate and exploit a variety of network services and misconfigurations.
1. Task 3: Enumerating SMB
a. Conduct an nmap scan of your choosing. How many ports are open?
answer: 3
I used an Xmas scan here because it was the first thing that came to mind, and it can also get past the firewall. When I tried a normal scan it didn't respond with anything, so to see results right away I used the malformed-packet scan. Here the states are all open|filtered.
b. What ports is SMB running on?
answer: 139/445
This can be found as in question a, because SMB runs on the netbios-ssn and microsoft-ds services. To dig deeper and see the system version, do this:
But I'm also confused why the service on port 445 is netbios-ssn too, whereas without -sV (Probe open ports to determine service/version info) its service is microsoft-ds. Here:
c. Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
answer: WORKGROUP
(I don't know how to find this without Enum4Linux, because without it the output says no workgroup available.)
d. What comes up as the name of the machine?
answer: POLOSMB
e. What operating system version is running?
answer: 6.1
(It's in point f.)
f. What share sticks out as something we might want to investigate?
answer: profiles
Of all the share names, the interesting one is profiles, and we want to get in and look for people's information in those profiles.
2. Task 4: Exploiting SMB
(The target machine IP here is different from number 1 because I did it the next day, but the contents are the same --> you know, a machine's IP can change.)
a. Great! Now you've got the hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability. Let's see if our interesting share has been configured to allow anonymous access, i.e. it doesn't require authentication to view the files. We can do this easily by:
- using the username "Anonymous"
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access?
answer: Y
It allows anonymous login without a password.
b. Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
answer: John Cactus
c. What service has been configured to allow him to work from home?
answer: ssh
It's in "your account has now been enabled ssh".
d. Okay! Now we know this, what directory on the share should we look in?
answer: .ssh
Ofc, it's in there.
e. This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
answer: id_rsa
f. Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]". Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log in to the server. What is the smb.txt flag?
answer: THM{smb_is_fun_eh?}
from hostinger.co.id
With that login method, a password is required, right? But looking at someone's writeup, they looked for file information from the id_rsa earlier and were automatically logged in to the cactus account. After that, they looked at what folders or files were in the account. That's how the flag was found.
Here I tried logging in again but without the identity file option (-i), and I still had to enter a password. So maybe id_rsa contains the RSA of the password???
Oh, right.
a. How many ports are open on the target machine?
answer: 1
Earlier I scanned with Xmas and all the ports were closed (1000 of them). Then I looked at the hint: "nmap won't scan all ports by default". Since there seem to be a lot of ports, the next scan also used the command (what's it called again, I forget - - oh right ->> switch) that's complete, so everything gets scanned at once.
But it's so slow, 65535 ports. What strategy would make it faster? If split into chunks of 1000 ports, that's 65 runs. With binary search we don't know how many are open.
b. What port is this?
answer: 8012
c. This port is unassigned, but still lists the protocol it's using, what protocol is this?
answer: tcp
d. Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
answer: 0
This one was without the -p- tag from the start. The -p- tag is for scanning all ports, not just the default (1000). And also, telnet here isn't on a standard port (0-1000) but on port 8012.
e. Based on the title returned to us, what do we think this port could be used for?
answer: a backdoor
Since we didn't scan all the ports this time and already know port 8012 is active, we scan that port directly and this is what we find. Maybe with another switch the results would be neater. Let's look for another switch.
f. Who could it belong to? Gathering possible usernames is an important step in enumeration.
answer: skidy
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
4. Task 7: Exploiting Telnet
a. Great! It's an open telnet connection! What welcome message do we receive?
answer: SKIDY'S BACKDOOR
b. Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
answer: N
c. Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command. Start a tcpdump listener on your local machine.
If using your own machine with the OpenVPN connection, use:
sudo tcpdump ip proto \\icmp -i tun0
If using the AttackBox, use:
sudo tcpdump ip proto \\icmp -i ens5
This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on. Now, use the command "ping [local THM ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
answer:
Whoa, this needed a lot of extra steps on its own because I use WSL. It turns out WSL doesn't have systemd or direct access to the tun0 interface. So when I looked, the IPs captured in WSL were only local and eth0.
a. How many ports are open on the target machine?
answer: on my end it was 1, but the answer is 2, with port 80 :) port 80 on my instance was closed at first, using an XMAS scan.
b. What port is ftp running on?
answer: 21
c. What variant of FTP is running on it?
answer: vsftpd
Oh, if the scan uses a stealth scan (SYN scan), port 80 is detected. And the FTP version running is vsftpd (I want to try every kind of scan; the results are below).
Eh, same thing, I tried again with XMAS and now port 80 is open.
d. Great, now we know what type of FTP server we're dealing with, we can check to see if we are able to login anonymously to the FTP server. We can do this by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted. -> anonymous login works
What is the name of the file in the anonymous FTP directory?
answer: PUBLIC_NOTICE.txt
e. What do we think a possible username could be? Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...
answer: Mike
a. What is the password for the user "mike"?
answer: password
There were a lot of steps, helped by GPT because I had to locate rockyou.txt.
This uses hydra: download hydra, then download rockyou.txt from the repo GPT gave me, then move it to the path so it matches the example.
The rockyou repo address: wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt -O ~/rockyou.txt
b. Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted. What is ftp.txt?
answer: THM{y0u_g0t_th3_ftp_fl4g}