Elf Applications

Exploiting Application Layer Services


Last updated 5 years ago


Attacking services always starts with enumeration, because we need to understand which services are running and where they are running before we can attack them. To do that we can use nmap. Some services run on well-known ports, which makes them easy to identify.

Once we have identified a service we can attack it in the most common ways:

  • Exploiting common misconfigurations

  • Using publicly available exploits

Sometimes we can find a service version that has a public exploit online, but that should be used as a last resort. Instead, we should first look for ways to exploit common misconfigurations.

  • FTP

  • NFS

  • MySQL

In this challenge we are expected to exploit misconfigurations in these three services.

First we need to identify them. To do that we run an nmap scan.

We managed to identify the three services on port 21 (FTP), port 2049 (NFS) and port 3306 (MySQL).

The first question has a hint that says "NFS", so we will start by exploiting NFS misconfigurations.

We know NFS is running by looking at the nmap scan, so the next step will be to see if any shares are available:

We can see /opt/files listed as an exported share, so now we can try to mount the share on our system and see its contents:

Inside the share we have creds.txt, which holds the answer to our first question. Now we just need to unmount it:

It's time to exploit FTP misconfigurations. With FTP we can try to log in anonymously, and once in we can download or upload files, as well as list the contents of the FTP share.

After logging in anonymously to the FTP server, we can see the file on port 21 that is the answer to the second question; it contains the credentials to log in to the MySQL database.

With the MySQL credentials we can try to connect to the database remotely and enumerate it to find the password.
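As an added audit helper (not part of the original walkthrough or the room), the script below parses constructed copies of `nmap -oG -` (grepable) and `showmount -e` output, reports which of the three services from this challenge are exposed, and flags NFS exports whose client list is `*`, i.e. shares that any host can mount, which is the misconfiguration used above. The host 10.10.10.10 and the second export are placeholders.

```shell
#!/bin/sh
# Constructed sample of nmap grepable output for one host (placeholder address).
# Field layout per port: port/state/protocol/owner/service/rpcinfo/version/
NMAP_GREPABLE='Host: 10.10.10.10 () Ports: 21/open/tcp//ftp///, 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///, 3306/open/tcp//mysql///'

# Constructed sample of `showmount -e 10.10.10.10` output (second export is made up).
SHOWMOUNT_OUT='Export list for 10.10.10.10:
/opt/files *
/srv/backup 10.10.10.0/24'

# open_services "<grepable host line>": print "port service" for every open TCP
# port that belongs to the three services this challenge targets (21, 2049, 3306).
open_services() {
    printf '%s\n' "$1" | awk -F'Ports: ' '{
        n = split($2, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[2] == "open" && f[3] == "tcp" &&
                (f[1] == 21 || f[1] == 2049 || f[1] == 3306))
                print f[1], f[5]
        }
    }'
}

# world_exports "<showmount -e output>": print export paths whose client list
# is "*", meaning the share is mountable from any host on the network.
world_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "*" { print $1 }'
}

echo "Exposed services (port service):"
open_services "$NMAP_GREPABLE"
echo "NFS exports mountable from any host:"
world_exports "$SHOWMOUNT_OUT"
```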