Meow

Introduction

Welcome to the first vulnerable machine we will exploit in Hack The Box. Before we start, we must know how to connect to the target’s network and find our way around the terminal. If you are not familiar with either, this “article” will guide you through setting up your own machine.


Let’s start our journey!


Internet Protocol

Internet protocols are sets of rules that govern how data is transferred and how communication takes place across a network. Simply put, a protocol is like a bus or car on the Internet: it carries data to the place it is addressed to. As we all know, there are many types of cars and buses! There are also countless Internet protocols, and they are catalogued by the Internet Assigned Numbers Authority (IANA), which is responsible for managing and maintaining the assignment of Internet protocol parameters, here: https://www.iana.org/protocols

Since there are many Internet protocols, let us take a couple of examples. The File Transfer Protocol (FTP) is responsible for transferring files between a client computer and a server in either direction. Another example is HTTP, the Hypertext Transfer Protocol, one of the most widely used Internet protocols. It enables the transfer of text, images, videos, and other multimedia content over the World Wide Web. When you open a website in your browser, it is usually HTTP that fetches the pages so the browser can display them.


Telnet

Telnet protocol, short for Teletype Network, is a terminal emulation program commonly used to access remote servers. It is a simple command-line tool that runs on a computer, allowing users to send commands remotely to a server and administer that specific server as if sitting in front of it. Telnet was developed in the early days of computing and provides a direct way to interact with servers.


However, it is essential to note that Telnet is not secure. When you use Telnet, your data is transmitted in plain text, which means malicious actors can intercept it. For this reason, it is generally not recommended for transmitting sensitive or confidential information. Instead, for secure remote connections, alternatives like SSH (Secure Shell) are preferred.


Telnet is used in a variety of scenarios. System administrators and network engineers often use it to configure and manage network devices such as routers and switches. It is also useful for checking whether a specific network port on a server is open or closed, a simple form of port scanning. By typing commands through Telnet, you can create folders, run programs, delete files, and transfer files between your local machine and the remote server.
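To make the “plain text” point concrete, here is an added example (not code from the original walkthrough) that parses the Telnet wire format: option negotiation is carried in IAC sequences, and everything else, including whatever the user types at the login and password prompts, crosses the wire as readable bytes. The capture below is constructed for the example and merges both directions of a login exchange into one stream.

```python
# Added example: minimal parser for the Telnet byte stream (RFC 854 framing).
# It separates negotiation commands from application data to show that the
# data, including typed credentials, is not encrypted in any way.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
CMD_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPT_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE"}


def parse_telnet(stream: bytes):
    """Return (negotiations, data) for a raw Telnet stream.

    negotiations: human-readable list such as "DO ECHO" or "SB TERMINAL-TYPE <hex>".
    data: the application bytes left once every IAC sequence is stripped.
    """
    negotiations, data, i = [], bytearray(), 0
    while i < len(stream):
        if stream[i] != IAC:          # ordinary data byte
            data.append(stream[i]); i += 1
            continue
        if i + 1 >= len(stream):      # truncated command at end of capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                # IAC IAC is an escaped literal 0xFF
            data.append(IAC); i += 2
        elif cmd in CMD_NAMES:        # three-byte option negotiation
            if i + 2 >= len(stream):
                break
            opt = stream[i + 2]
            negotiations.append(f"{CMD_NAMES[cmd]} {OPT_NAMES.get(opt, opt)}")
            i += 3
        elif cmd == SB:               # subnegotiation: IAC SB <opt> ... IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            opt = stream[i + 2]
            negotiations.append(f"SB {OPT_NAMES.get(opt, opt)} {stream[i + 3:end].hex()}")
            i = end + 2
        else:                         # two-byte command (NOP, GA, ...)
            negotiations.append(f"CMD {cmd}"); i += 2
    return negotiations, bytes(data)


# Constructed capture (not from the page): terminal-type negotiation, the server
# turning on ECHO so the client does not print the password locally, then the
# login exchange. Hiding the password on screen does nothing for the wire.
CAPTURE = (bytes([IAC, DO, 24]) + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])
           + bytes([IAC, WILL, 1, IAC, WILL, 3])
           + b"login: " + b"root\r\n" + b"Password: " + b"s3cret\r\n")

if __name__ == "__main__":
    negs, data = parse_telnet(CAPTURE)
    print("negotiation:", negs)
    print("data on the wire:", data)
```

Anyone who can see the packets (a passive tap on the same network segment, for example) sees exactly the `data` returned here, which is why the walkthrough recommends SSH for anything sensitive.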


Enumeration

The first step of the penetration testing process against any target is the enumeration step. It consists of documenting the current state of the target and collecting as much information about it as possible. Let us assume that we are on the same network as the target, so we can reach it directly like any other user. For example, if the target is a web server, we can browse to its IP address to find out what the page contains. If the target is a storage server, we can connect to the same IP address to retrieve the files stored on it, provided we have credentials. The main question, however, is how we find these services in the first place. Searching for them manually would take far too much time and effort.

All servers use ports to deliver data to clients. The first step in the enumeration phase is therefore to scan these ports, learn which ones are open on the target, and identify potential vulnerabilities in the services running behind them. To find open ports quickly, there is a tool called Nmap, which tells us which ports are open on a specific host. After identifying the open ports, we can try to access the services on them manually with the appropriate tools and see whether they can be exploited.

Note: Remember that what matters in the information-gathering stage is accuracy, not speed. If a critical resource on the target is missed during enumeration, you may lose a large and important attack vector, one that might have saved you a great deal of time on the target.


We must ping the target’s IP address to see whether our packets reach their destination. But first, we must know what the target’s IP address is; in our case it is 10.129.88.233.

We send the ping using the following command ping {Target_IP_Address}, and in our case, ping 10.129.88.233, as shown below.

After successful responses from the target, we conclude that the connection is stable. We can now begin the port scanning process and see what ports are open on this network using the Nmap tool, which will send a request to the target’s ports in the hope that it will respond.

We will use the following command nmap -sV {Target_IP_Address}. Note that we used the ‘-sV’ flag to perform service version detection, as identifying the specific service versions that operate on these open ports is valuable information for understanding the program and potential vulnerabilities in it, whether they are old or new.

We notice that port 23 is open, which corresponds to the Telnet protocol.
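Reading the scan by eye works for one host, but it is worth knowing how to pull the same conclusion out of the ‘nmap -sV’ output programmatically. The following is an added example, not code from the original walkthrough: it parses the port table of a constructed scan report modelled on this machine (the telnetd banner and the extra SSH line are made up for the example) and flags services that carry credentials in clear text, which is the risk the walkthrough goes on to exploit.

```python
# Added example: parse the port table printed by `nmap -sV` and flag services
# whose protocols transmit credentials in plain text (Telnet, FTP, HTTP).
import re

# One line per port: "23/tcp   open  telnet  Linux telnetd"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Cleartext protocols named in this walkthrough and their encrypted replacements.
CLEARTEXT = {"telnet": "SSH", "ftp": "SFTP or FTPS", "http": "HTTPS"}

# Constructed sample output (not a real capture from the page); the SSH entry is
# added only to show that an encrypted service is not flagged.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.88.233
Host is up (0.012s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH (version string constructed)
23/tcp open  telnet  Linux telnetd
"""


def parse_nmap(report: str):
    """Return a list of {port, proto, state, service, version} for each port line."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version})
    return ports


def cleartext_services(report: str):
    """Return (port, service, recommended replacement) for every open cleartext service."""
    return [(p["port"], p["service"], CLEARTEXT[p["service"]])
            for p in parse_nmap(report)
            if p["state"] == "open" and p["service"] in CLEARTEXT]


if __name__ == "__main__":
    for port, service, fix in cleartext_services(SAMPLE_SCAN):
        print(f"port {port}: {service} sends data in plain text; prefer {fix}")
```

Run against a real scan, `cleartext_services` gives a defender a short list of hosts where Telnet should be disabled in favour of SSH.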


Foothold

We now begin the next stage of the process, gaining a foothold. Having collected the required information about the target and found a potential weakness, in our case an open Telnet port, we try to log in using the command telnet {Target_IP_Address}.

Here comes the guessing stage! Sometimes, administrators leave important accounts with no password or a blank password for quick access. This is a significant security problem on some network devices and hosts, because it leaves them open to brute-force attacks, in which an attacker repeatedly tries to log in with a list of usernames, with or without a password.

Some typical accounts have self-explanatory names, such as:

  • admin
  • administrator
  • root

We tried the first two options, hoping that they would be correct and we would enter the server, and the result, as shown below, failed!

After the last attempt by entering root, we successfully logged in, as shown below, and accessed the server.

Now, after entering the server, we can send the ‘ls’ command to see what is inside the directory and search for what we want in the target server, which is the flag.

We can run the cat flag.txt command in order to see all the file contents, which is the required flag.

Congratulations. We got our flag from the target server over the Telnet protocol! Now we can submit the captured flag in the machine box.


Conclusion

In this walkthrough, we’ve learned how to connect to a target’s network, understand essential protocols, and access remote servers. We’ve explored the basics of enumeration and the significance of open ports, concluding with successful access to our target server.

