I ran into a problem with this on the second question: "What type of protocol is SMB?"

Now, the answer they are looking for is "response-request" but googling SMB will tell you that SMB is a client-server communication protocol. The explanation for SMB that the room lists calls it a client-server communication protocol as well. If you look up Samba Richard Sharpe protocol it says HE defines it as a response-request protocol. I used other writeups for the answer or I would have been stuck on this for a while.

Enumerating SMB is where the fun begins, you'll need to know how to nmap here as that will be the first thing you do. Otherwise they introduce Enum4linux here, which is a powerful tool for grabbing Samba and SMB information. The questions in this section all regard using Enum4linux and the information it gives you and the room gives you a good idea on what command lines you'll need to complete it. After this, I learned how to grab necessary information, as well as looking for important shares, like "profiles"

Now to the Exploitation section. In here you will connect to the SMB share, collect some information, then retrieve the flag. To do this, you anonymously connect to the share, where there is a saved .ssh and one readable document. You will need to download the id_rsa files from the .ssh directory and then install that key on your own attackbox to log in as the user with the flag. I found this section straight-forward until I got to the download and installing the RSA keys section. I've learned the commands for these are mget for downloading the files and ssh-add for installing the keys.

Important takeaways:

• Commands: enum4linux, mget, ssh-add

• Understanding what shares or folders can contain relevant information to further a successful exploit

Telnet Is a pretty simple protocol. It's setting up a remote connection to another computer to use the command line there, but it's unencrypted meaning a MitM attack would work best there. This section is about exploiting the actual telnet connection though.

Here is where we find that open port. Running the usual nmap setups won't see anything. That's because the telnet port has been remapped here. Time to run the long one, "nmap -sV -p-". One hour later I'm finally looking at the necessary information to continue this phase.

Now here is the section that broke me before, but I'm determined and ready this time. Here we are going to use msfvenom to create a payload for our target computer. I've learned through a lot of trial and error that this is a very finicky and easily breakable connection. So running into issues usually means terminating the boxes or the connections and somewhat starting over. This time, I actually got the netcat connection up, I could see the flag, but I typed in "more flag.txt". Nothing comes up, ls no longer shows the flag file. Okay, I tried to reconnect the netcat session. No longer able to get there. Tried another port, still nothing. Ended up terminating all the boxes and restarting with the msfvenom payload. Note: USE "HEAD" TO VIEW THE FLAG FILE.

Important takeaways:

• Running multiple terminals and monitoring updates on them.

• commands: msfvenom, netcat/nc

The last section was pretty fun. I even learned something new in the first part: there are 2 kinds of ftp connections. Active FTP is when a user will open the port on their computer and the server is forced to connect to it. Passive FTP is when the server has an open port that user will then target to connect.

This room had a simpler enumeration section, partially due to all the info from the earlier sections. Nmap uses the base -sV option here so it's a quick one. Connecting to the ftp port is simple, but I wasn't sure if I could read the file in that ftp section. I played it safe and downloaded the file to read, and got the user's name as well.

Exploiting FTP here is really just bruteforcing mike's VERY SECURE PASSWORD and accessing the flag there. He is the flag holder for this one. Very simple, straightforward, and if you get lost, not hard to google your way through this part.

Important takeaways:

• Password cracking

• commands: ftp, get

Networking Services 1 is a good room for beginners. It could use a tune up in some spots, or better hints. While I initially struggled with this room a year ago, I am happy to have finally made it through to further my knowledge. I am also pleasantly surprised to learn something new from such a simple room. Just goes to show that there is ALWAYS new information to learn out there.

Per aspera ad astra,

Connor J