Room: Advent of Cyber
Difficulty: Beginner
“McSkiddy has been happy with the progress they’ve been making, but there’s still so much to do. One of their main servers has some integral services running, but they can’t access these services. Did the Christmas Monster lock them out?
Deploy the machine and start scanning the IP.
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question#1 What is the password inside the creds.txt file?
Let’s start off with some enumeration utilizing nmap. Open up your attacking machine (OpenVPN or THM Kali VM) and get to a command line.
sudo nmap -sV -O <target ip>
The -sV flag probes each open port for the service and version running on it, and -O attempts OS fingerprinting. OS detection needs raw packet access, so run it with sudo (or as root on the THM Kali VM); without it nmap will skip that step. Overall, nmap tells us which ports are open and what is listening on them so we can formulate a plan.
It looks like we have quite a few things open, but the hint for the question says “NFS”, so let’s try that first.
NFS stands for Network File System. This is basically a file sharing system where people can go to access files remotely. Click HERE to learn more.
Let’s use the following command:
showmount -e <target ip>
If you get a "command not found" error, showmount is part of the NFS client utilities, which are not always installed. Install them with:
sudo apt install nfs-common
Now try it again.
This export list shows which directories the server shares and which clients are allowed to mount them (a client list of "*" means any host can). Let's mount it so we can look through the directory that was shared. First we need to create a local directory to mount it on:
sudo mkdir /mnt/nfsfiles
Now mount the export (note there is no space after the colon; the share path is /opt/files and the mount point is the directory we just created):
sudo mount -t nfs <target ip>:/opt/files /mnt/nfsfiles
And now list the mount point to see the files available:
ls /mnt/nfsfiles
That is likely the file we need, let's read it:
cat /mnt/nfsfiles/creds.txt
If you get "Permission denied" instead, NFS applies the file's owner UID from the server to your local account, so check the numeric owner with ls -ln /mnt/nfsfiles and read the file as a local user with a matching UID (or as root, if the server does not squash root).
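Mounting by hand is fine for one share, but on a box with several exports it is easy to mistype the host:path pair. The script below is an added example, not part of the original walkthrough or the THM room: it reads showmount -e style output and turns each export into a ready-to-run mount command, and separately lists any export that is open to every client ("*"), which is the finding worth writing up. The export list in it is constructed sample data, and the host 10.10.10.10 and base directory /mnt are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): parse `showmount -e`
# output into mount commands and flag exports that any host may mount.

# Constructed sample of `showmount -e <target>` output; not captured from a real host.
SAMPLE_EXPORTS='Export list for 10.10.10.10:
/opt/files *
/home/backup 10.0.0.0/24'

# nfs_mount_commands HOST BASEDIR < showmount-output
# Prints one "sudo mount -t nfs HOST:/export BASEDIR/<name>" line per export,
# deriving the mount-point name from the export path (/opt/files -> opt_files).
nfs_mount_commands() {
    host="$1"; base="$2"
    grep -v '^Export list' | while read -r path clients; do
        [ -n "$path" ] || continue
        name=$(printf '%s' "$path" | sed 's|^/||; s|/|_|g')
        printf 'sudo mount -t nfs %s:%s %s/%s\n' "$host" "$path" "$base" "$name"
    done
}

# nfs_world_exports < showmount-output
# Prints the paths whose client list is exactly "*", i.e. mountable from anywhere.
# (Host wildcards such as "*.internal" are not "everyone" and are deliberately ignored.)
nfs_world_exports() {
    grep -v '^Export list' | awk '$2 == "*" { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
echo "# mount commands:"
printf '%s\n' "$SAMPLE_EXPORTS" | nfs_mount_commands 10.10.10.10 /mnt
echo "# exports open to any client:"
printf '%s\n' "$SAMPLE_EXPORTS" | nfs_world_exports
```

Pipe the real output in with `showmount -e <target ip> | nfs_mount_commands <target ip> /mnt`, create the mount points with `sudo mkdir -p`, and run the printed commands. After mounting, `ls -ln` on each mount point shows the numeric owner UIDs the server expects, which tells you whether you will need a matching local user to read the files.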
Good job! Let’s move on.
Question #2 What is the name of the file running on port 21?
The next question mentions port 21, which is traditionally the FTP port. FTP stands for File Transfer Protocol, which is another way to transfer files: someone uploads a file to an FTP server and someone else connects to grab it. FTP sends credentials and file contents in cleartext, but even worse, many servers allow "anonymous" login, where the username is anonymous and the password can be anything (conventionally an email address; anonymous works too). Let's try to connect using those credentials:
ftp <target ip>
Not good, McSkiddy. Not good.
Anyways, we’re in. Let’s try to grab that file. First though, do you see how it says that it is transferring files via binary mode? We have to switch to binary.
binary
Now, let’s see what files are on the system:
ls
We can retrieve the file we need by typing:
get <file name>
You now have your answer for question #2. But let's read what's in there. Type "exit" (or "bye") to close the FTP connection. The file was downloaded into the directory you ran ftp from, so:
cat <file name>
Hmmm, this looks like a way into the MySQL database?
Question #3 What is the password after enumerating the database?
The MySQL database is on port 3306 (it showed up in the nmap scan). To log in, let's use the following (no space between -u and the username or between -p and the password):
mysql -h <target ip> -u<username> -p<password>
Putting the password on the command line leaves it in your shell history and visible to other users via ps; passing -p on its own makes the client prompt for it instead, which is the better habit. If you get a "command not found" error, install a MySQL or MariaDB client and try again. The package names below are the versioned ones from the time of writing; on a current Kali or Ubuntu the unversioned mysql-client or mariadb-client packages do the same job:
sudo apt install mysql-client-core-5.7
sudo apt install mariadb-client-core-10.1
To show the available databases, type:
show databases;
We can navigate around the database from here to try and find what we need. Let's choose "data" first:
use data;
show tables;
Let's keep moving forward. Table names are case-sensitive on a Linux MySQL server, so type the name exactly as show tables printed it:
select * from USERS;
Exactly what we need! On a larger database, querying information_schema.columns for column names like '%pass%' is a faster way to find credential tables than walking through every table by hand.
MySQL is actually one of my weaker areas, so I appreciated the chance to mess around with it.
Happy Hacking! ❤