Understanding Telnet

Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server. All about telnet network services



The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.

 

 

 

Replacement

How does Telnet work?

The user connects to the server by using the Telnet protocol, which means entering "telnet" into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: "telnet [ip] [port]"



#1 What is Telnet?   

Ans :- Application Protocol



#2 What has slowly replaced Telnet?   

Ans :- SSH



#3 How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

Ans :- telnet 10.10.10.3 23



#4 The lack of what, means that all Telnet communication is in plaintext?

Ans :- encryption

Enumerating Telnet

Lets Get Started

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

Enumeration

Port Scanning

Exploiting Telnet

Types of Telnet Exploit

•     https://www.cvedetails.com/
•     https://cve.mitre.org/

•     - There is a poorly hidden telnet service running on this machine
•     - The service itself is marked "backdoor"
•     - We have possible username of "Skidy" implicated

 

 

What is a Reverse Shell?

• -p = payload
• lhost = our local host IP address
• lport = the port to listen on
• R = export the payload in raw format

There are 5 pieces of information here:

Frame 1 -- this is showing details from the physical layer of the OSI model (Network Interface layer of the TCP/IP model): the size of the packet received in terms of bytes)


Ethernet II -- this is showing details from the Data Link layer of the OSI model (Network Interface layer of the TCP/IP model): the transmission medium (in this case an Ethernet cable), as well as the source and destination MAC addresses of the request.



Internet Protocol Version 4 -- this is showing details from the Network layer of the OSI model (Internet Layer of the TCP/IP model): the source and destination IP addresses of the request.


Transmission Control Protocol -- this is showing details from the Transport layer of the OSI and TCP/IP models: in this case it's telling us that the protocol was TCP, along with a few other things that we're not covering here.


Hypertext Transfer Protocol -- this is showing details from the Application layer of the OSI and TCP/IP models: specifically, this is a HTTP GET request, which is requesting a web page from a remote server.


This is not a Wireshark room, so we're not going to go into any more depth than that. The important thing is that you understand how the theory you learnt earlier translated into a real life scenario.


With that in mind, click on the second captured packet (in the top window) and answer the following questions:



#1 What is the protocol specified in the section of the request that's linked to the Application layer of the OSI and TCP/IP Models?

Ans :- Domain name system



#2 Which layer of the OSI model does the section that shows the IP address "172.16.16.77" link to (Name of the layer)?

Ans :- Network



#3 In the section of the request that links to the Transport layer of the OSI and TCP/IP models, which protocol is specified?

Ans :- User Datagram Protocol



#4 Over what medium has this request been made (linked to the Data Link layer of the OSI model)?

Ans :- Etnernet II



#5 Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to?

Ans :- Physical



#6 [Research] Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model?

Ans :- MAC



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

We talked about domains in the previous task -- now lets talk about how they work.


Ever wondered how a URL gets converted into an IP address that your computer can understand? The answer is a TCP/IP protocol called DNS (Domain Name System). dig in Networking tools dig in Networking tools


At the most basic level, DNS allows us to ask a special server to give us the IP address of the website we're trying to access. For example, if we made a request to www.google.com, our computer would first send a request to a special DNS server (which your computer already knows how to find). The server would then go looking for the IP address for Google and send it back to us. Our computer could then send the request to the IP of the Google server.



Let's break this down a bit.


You make a request to a website. The first thing that your computer does is check its local cache to see if it's already got an IP address stored for the website; if it does, great. If not, it goes to the next stage of the process.


Assuming the address hasn't already been found, your computer will then send a request to what's known as a recursive DNS server. These will automatically be known to the router on your network. Many Internet Service Providers (ISPs) maintain their own recursive servers, but companies such as Google and OpenDNS also control recursive servers. This is how your computer automatically knows where to send the request for information: details for a recursive DNS server are stored in your router. This server will also maintain a cache of results for popular domains; however, if the website you've requested isn't stored in the cache, the recursive server will pass the request on to a root name server.


There are precisely 13 root name DNS servers in the world. The root name servers essentially keep track of the DNS servers in the next level down, choosing an appropriate one to redirect your request to. These lower level servers are called Top-Level Domain servers.


Top-Level Domain (TLD) servers are split up into extensions. So, for example, if you were searching for tryhackme.com your request would be redirected to a TLD server that handled .com domains. If you were searching for bbc.co.uk your request would be redirected to a TLD server that handles .co.uk domains. As with root name servers, TLD servers keep track of the next level down: Authoritative name servers. When a TLD server receives your request for information, the server passes it down to an appropriate Authoritative name server.




Authoritative name servers are used to store DNS records for domains directly. In other words, every domain in the world will have it's DNS records stored on an Authoritative name server somewhere or another; they are the source of the information. When your request reaches the authoritative name server for the domain you're querying, it will send the relevant information back to you, allowing your computer to connect to the IP address behind the domain you requested.


When you visit a website in your web browser this all happens automatically, but we can also do it manually with a tool called dig . Like ping and traceroute, dig should be installed automatically on Linux systems.


Dig allows us to manually query recursive DNS servers of our choice for information about domains:
dig <domain> @<dns-server-ip>

It is a very useful tool for network troubleshooting.












This is a lot of information. We're currently most interested in the ANSWER section for this room; however, taking the time to learn what the rest of this means is a very good idea. In summary, that information is telling us that we sent it one query and successfully (i.e. No Errors) received one full answer -- which, as expected, contains the IP address for the domain name that we queried.


Another interesting piece of information that dig gives us is the TTL (Time To Live) of the queried DNS record. As mentioned previously, when your computer queries a domain name, it stores the results in its local cache. The TTL of the record tells your computer when to stop considering the record as being valid -- i.e. when it should request the data again, rather than relying on the cached copy.


The TTL can be found in the second column of the answer section:







It's important to remember that TTL (in the context of DNS caching) is measured in seconds, so the record in the example will expire in two minutes and thirty-seven seconds.



Have a go at some questions about DNS and dig.


#1 What is DNS short for?

Ans :- Domain name system



#2 What is the first type of DNS server your computer would query when you search for a domain?

Ans :- Recursive



#3 What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc)? Use the long version of the name.

Ans :- Top-level Domain


#4 Where is the very first place your computer would look to find the IP address of a domain?

Ans :- Local Cache


#5 [Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?

Ans :- 8.8.4.4


#6 If a DNS query has a TTL of 24 hours, what number would the dig query show?

Ans :- 86400



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Domain Names -- the unsung saviours of the internet.


Can you imagine how it would feel to remember the IP address of every website you want to visit? Horrible thought.


Fortunately, we've got domains.


We'll talk a little bit more about how this works in the next task, but for now suffice to know that a domain translates into an IP address so that we don't need to remember it (e.g. you can type tryhackme.com, rather than the TryHackMe IP address). Domains are leased out by companies called Domain Registrars. If you want a domain, you go and register with a registrar, then lease the domain for a certain length of time.


Enter Whois.

Whois essentially allows you to query who a domain name is registered to. In Europe personal details are redacted; however, elsewhere you can potentially get a great deal of information from a whois search.


There is a web version of the whois tool if you're particularly adverse to the command line. Either way, let's get started!


(Note: You may need to install whois before using it. On Debian based systems this can be done with sudo apt update && sudo apt-get install whois)


Whois lookups are very easy to perform. Just use whois <domain> to get a list of available information about the domain registration:









This is comparatively a very small amount of information as can often be found. Notice that we've got the domain name, the company that registered the domain, the last renewal, and when it's next due, and a bunch of information about nameservers (which we'll look at in the next task). Networking in whois lookup




#1 Perform a whois search on facebook.com

Ans :-


#2 What is the registrant postal code for facebook.com?

Ans :- 94025


#3 When was the facebook.com domain first registered?

Ans :- 29/03/1997


#4 Perform a whois search on microsoft.com

Ans :- no answer needed


#5 Which city is the registrant based in?


Ans :- Redmond



#6 [OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?

Ans :- Bellevue Golf Course



#7 What is the registered Tech Email for microsoft.com?

Ans :- msnhst@microsoft.com



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

The TCP IP Model

The TCP/IP model is, in many ways, very similar to the OSI model. It's a few years older, and serves as the basis for real-world networking. The TCP/IP model consists of four layers: Application, Transport, Internet and Network Interface. Between them, these cover the same range of functions as the seven layers of the OSI Model. The TCP IP Model in Networking












You would be justified in asking why we bother with the OSI model if it's not actually used for anything in the real-world. The answer to that question is quite simply that the OSI model (due to being less condensed and more rigid than the TCP/IP model) tends to be easier for learning the initial theory of networking.










The two models match up something like this:


The processes of encapsulation and de-encapsulation work in exactly the same way with the TCP/IP model as they do with the OSI model. At each layer of the TCP/IP model a header is added during encapsulation, and removed during de-encapsulation.


Now let's get down to the practical side of things.


A layered model is great as a visual aid -- it shows us the general process of how data can be encapsulated and sent across a network, but how does it actually happen?





When we talk about TCP/IP, it's all well and good to think about a table with four layers in it, but we're actually talking about a suite of protocols -- sets of rules that define how an action is to be carried out. TCP/IP takes its name from the two most important of these: the Transmission Control Protocol (which we touched upon earlier in the OSI model) that controls the flow of data between two endpoints, and the Internet Protocol, which controls how packets are addressed and sent. There are many more protocols that make up the TCP/IP suite; we will cover some of these in later tasks. For now though, let's talk about TCP.


As mentioned earlier, TCP is a connection-based protocol. In other words, before you send any data via TCP, you must first form a stable connection between the two computers. The process of forming this connection is called the three-way handshake.


When you attempt to make a connection, your computer first sends a special request to the remote server indicating that it wants to initialise a connection. This request contains something called a SYN (short for synchronise) bit, which essentially makes first contact in starting the connection process. The server will then respond with a packet containing the SYN bit, as well as another "acknowledgement" bit, called ACK. Finally, your computer will send a packet that contains the ACK bit by itself, confirming that the connection has been setup successfully. With the three-way handshake successfully completed, data can be reliably transmitted between the two computers. Any data that is lost or corrupted on transmission is re-sent, thus leading to a connection which appears to be lossless.












(Credit Kieran Smith, Abertay University, TryHackMe)


We're not going to go into exactly how this works on a step-to-step level -- not in this room at any rate. It is sufficient to know that the three-way handshake must be carried out before a connection can be established using TCP.

History:

It's important to understand exactly why the TCP/IP and OSI models were originally created. To begin with there was no standardisation -- different manufacturers followed their own methodologies, and consequently systems made by different manufacturers were completely incompatible when it came to networking. The TCP/IP model was introduced by the American DoD in 1982 to provide a standard -- something for all of the different manufacturers to follow. This sorted out the inconsistency problems. Later the OSI model was also introduced by the International Organisation for Standardisation (ISO); however, it's mainly used as a more comprehensive guide for learning, as the TCP/IP model is still the standard upon which modern networking is based.




#1 Which model was introduced first, OSI or TCP/IP?

ans :- TCP/IP




#2 Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?

ANs :- transport



#3 Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?


Ans :- Application



#4 The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?

Ans :- Physical



#5 Which layer of the TCP/IP model handles the functionality of the OSI network layer?

Ans :- Internet



#6 What kind of protocol is TCP?

Ans :- Connection-based



#7 What is SYN short for?

Ans:- Synchronise



#8 What is the second step of the three way handshake?

Ans :- SYN/ACK



#9 What is the short name for the "Acknowledgement" segment in the three-way handshake?

Ans :-  ACK




I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Greeting there, it is time for another tryhackme CTF write-up. Today, we are going through the Rick and Morty inspired CTF room. This room is called pickle rickkkkkkkkkkkkkkkk. Interesting huh. This is one of the easiest  challenges on the site. Without further ado, let’s get into the challenge.TryHackMe Pickle Rick Walkthrough



We need to find the three secret ingredients in order to turn Rick back to his old self. Rick mentioned something on the webserver. Let’s enumerate the machine by using Nmap scanner.


nmap -A -Pn -sC -sV --script vuln 10.10.28.46







Visit TryHackMe IP Address



Look like a message from Rick. The three secret ingredients are inside Rick’s computer. I have to get it. Before that, let’s check with the source code for more information.






username :-



We have the username now. How about the password? Time to use the gobuster.


gobuster dir -u http://10.10.28.46 -w /usr/share/dirb/wordlists/common.txt







We got robots.txt file inside the webserver. Gonna check it out.




password :-




Let's use gobuster again via GUI based...






Yup, we just missed the portal.php files. Time to visit the portal site.










The portal site has been resolved into a login page. How about trying the login credential we found it earlier (user: R1ckRul3s, pass: Wubbalubbadubdub)?

After Login

[Task 1] Pickle Rick

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.



#1 Deploy the virtual machine on this task and explore the web application.

What is the first ingredient Rick needs?




ls -la

less Sup3rS3cretPickl3Ingred.txt

OR

http://10.10.28.46/Sup3rS3cretPickl3Ingred.txt








#2 Whats the second ingredient Rick needs?



ls -la /home

ls -la /home/rick

less '/home/rick/second ingredients'




There is another ingredient file hidden inside the file system. There might be another user inside the system.







The second ingredient is inside the rick’s directory.











#3 Whats the final ingredient Rick needs?




I guess the next ingredient locate at /root directory. Before we make a visit to the directory, let see what we can do for the sudo command.



sudo -l









Cool, we can do everything using the sudo command. Let see what is inside the /root directory.



sudo ls -la /root













Yes, the third ingredient is inside the root directory.


sudo less  /root/3rd.txt







We are now gathering all 3 ingredients. yupeeeee!!!!






Video Tutorial :-  soon otherwise search me on youtube kumar atul jaiswal

  

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)