Network Security — Introduction to Offensive Security-TryHackMe Walkthrough

11 min readOct 6, 2024

Learn about network security, understand attack methodology, and practice hacking into a target server.

Site Link: https://tryhackme.com/r/room/intronetworksecurity

Task 1 Introduction

A computer network is a group of computers and devices connected with each other. Network security focuses on protecting the security of these devices and the links connecting them. (In more precise terms, network security refers to the devices, technologies, and processes to protect the confidentiality, integrity, and availability of a computer network and the data on it.)

Network security consists of different hardware and software solutions to achieve the set security goals. Hardware solutions refer to the devices you set up in your network to protect your network security. They are hardware, so you can literally hold them. A hardware appliance might look something like the image below.

Examples of hardware appliances include:

Firewall appliance: The firewall allows and blocks connections based on a predefined set of rules. It restricts what can enter and what can leave a network.
Intrusion Detection System (IDS) appliance: An IDS detects system and network intrusions and intrusion attempts. It tries to detect attackers’ attempts to break into your network.
Intrusion Prevention System (IPS) appliance: An IPS blocks detected intrusions and intrusion attempts. It aims to prevent attackers from breaking into your network.
Virtual Private Network (VPN) concentrator appliance: A VPN ensures that the network traffic cannot be read nor altered by a third party. It protects the confidentiality (secrecy) and integrity of the sent data.

On the other hand, we have software security solutions. Common examples are:

Antivirus software: You install an antivirus on your computer or smartphone to detect malicious files and block them from executing.
Host firewall: Unlike the firewall appliance, a hardware device, a host firewall is a program that ships as part of your system, or it is a program that you install on your system. For instance, MS Windows includes Windows Defender Firewall, and Apple macOS includes an application firewall; both are host firewalls.

According to the Cost of a Data Breach Report 2021 by IBM Security, a data breach in 2021 cost a company $4.24 million per incident on average, in comparison with $3.86 million in 2020. The average cost changes with the sector and the country. For example, the average total cost for a data breach was $9.23 million for the healthcare sector, while $3.79 million for the education sector.

Answer the questions below

1 What type of firewall is Windows Defender Firewall?

Answer: Host Firewall

Task 2 Methodology

Every “operation” requires some form of planning to achieve success. If you are interested in wildlife photography, you cannot just grab a camera and head to the jungle unless you don’t care about the outcome. For a safe and successful wildlife photography tour, you would need to learn more about the animals you want to shoot with your camera. This includes the habits of the animals and the dangers to avoid. The same would apply to a military operation against a target or breaking into a target network.

Breaking into a target network usually includes a number of steps. According to Lockheed Martin, the Cyber Kill Chain has seven steps:

Recon: Recon, short for reconnaissance, refers to the step where the attacker tries to learn as much as possible about the target. Information such as the types of servers, operating system, IP addresses, names of users, and email addresses, can help the attack’s success.
Weaponization: This step refers to preparing a file with a malicious component, for example, to provide the attacker with remote access.
Delivery: Delivery means delivering the “weaponized” file to the target via any feasible method, such as email or USB flash memory.
Exploitation: When the user opens the malicious file, their system executes the malicious component.
Installation: The previous step should install the malware on the target system.
Command & Control (C2): The successful installation of the malware provides the attacker with a command and control ability over the target system.
Actions on Objectives: After gaining control over one target system, the attacker has achieved their objectives. One example objective is Data Exfiltration (stealing target’s data).

Another analogy would be a thief interested in a target house. The thief will spend some time learning about the target house, who lives there, when they leave, and when they return home. The thief will determine whether they have security cameras and alarm systems. Once enough information has been gathered, the thief will plan the best entrance strategy. Physical theft planning and execution resemble, in a way, the malicious attack that aims to break into a network and steal data.

In the next task, we will carry out a practical example of the Cyber Kill Chain.

Answer the questions below

2.1 During which step of the Cyber Kill Chain does the attacker gather information about the target?

Answer: Recon

Task 3 Practical Example of Network Security

We will try to hack into a target Linux system in this task. We assume that you have never used a Linux system before, and we will explain accordingly.

Start the AttackBox by clicking on the blue “Start AttackBox” button at the top right of the room. Start the attached machine by clicking on the green “Start Machine” button at the top right of this task. It usually takes a minute or two to load fully. Once they are both ready, you should use the AttackBox, which uses the right half of your screen by default.

On the AttackBox, start the terminal by clicking on the terminal icon shown in the image above. You will be writing all the commands you need on the terminal shown below.

The first step of our attack is Recon; we can speed up our reconnaissance activities using different tools that gather information about the various aspects related to the target. For simplicity, we will use a single tool in this task, Nmap, short for Network Mapper. Nmap is a network scanner that helps us discover running machines and any programs running on them that are visible to the outside world. The IP address of the target is MACHINE_IP. We can scan it by running nmap MACHINE_IP at the terminal prompt.

AttackBox Terminal

root@AttackBox# nmap MACHINE_IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-06 17:38 EEST
Nmap scan report for 10.20.30.130
Host is up (0.00024s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

We just discovered three services running:

FTP server: FTP stands for File Transfer Protocol and is used to transfer files between machines.
SSH server: SSH stands for Secure Shell and is used for secure remote login. In other words, it allows you to execute commands on a remote system securely.
HTTP server: HTTP stands for Hypertext Transfer Protocol and is used for the web. Whenever you are browsing the web, you are using HTTP or HTTPS. HTTPS is the secure (encrypted) version of HTTP.

You can also notice that Nmap reports on whether the host is up based on whether it receives any response from it. This is useful to know when no ports are open or accessible.

Let’s try to gather more information about the FTP server.

We will connect to the target FTP server by typing on the AttackBox’s terminal ftp MACHINE_IP.
Next, we will try to log in using the login anonymous to see if this FTP server supports anonymous logins. To our luck, it worked.
We try to see the files available using the command ls, short for list. We get a list of the filenames along with their details.
If you are curious about any file, you can download it using get filename. I wonder what the file secret.txt contains, so let’s download it using get secret.txt.
Once you download the files, type exit or bye to quit the FTP client.

The above interaction with the FTP server is shown in the terminal output below.

AttackBox Terminal

root@AttackBox# ftp MACHINE_IP
Connected to MACHINE_IP (MACHINE_IP).
220 (vsFTPd 3.0.3)
Name (MACHINE_IP:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,20,30,130,181,190).
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp        425351 Apr 06 11:22 2680-0.txt
-rw-r--r--    1 ftp      ftp           356 Apr 06 11:22 2680.epub
-rw-r--r--    1 ftp      ftp        251857 Apr 06 11:22 55317-0.txt
-rw-r--r--    1 ftp      ftp           358 Apr 06 11:22 55317.epub
-rwxr-xr-x    1 ftp      ftp           214 Apr 06 11:22 backup.sh
-rw-r--r--    1 ftp      ftp            23 Apr 06 11:22 secret.txt
226 Directory send OK.
ftp> get secret.txt 
local: secret.txt remote: secret.txt
227 Entering Passive Mode (10,20,30,130,159,46).
150 Opening BINARY mode data connection for secret.txt (23 bytes).
226 Transfer complete.
23 bytes received in 0.00107 secs (21.48 Kbytes/sec)
ftp> exit
221 Goodbye.

Looking at the files, we notice six files: three txt files, two epub files, and one sh file. The first two extensions are for text files and ebooks, while the sh extension indicates that the file is a shell script. A shell script usually contains a group of commands that needs to be performed repetitively.

After we downloaded the file secret.txt with the FTP command get secret.txt and exited the FTP client using exit, we returned to the terminal. Let’s display the contents of the file secret.txt using cat secret.txt.

AttackBox Terminal

root@AttackBox# cat secret.txt 
password: [redacted]

We have kept the password hidden so you can try it for yourself. Repeat the above steps till you can display the contents of secret.txt and use it to answer the first question in this task.

It must be the password of one of the accounts unintentionally copied to a public FTP server. Let’s try it to see if it works with the root account. The root account has full privileges on a Linux system, meaning that it can read and write any file and install and remove any program. At the terminal, we type ssh root@MACHINE_IP. We will be asked for the password, so let’s try the password we discovered in the FTP server.

AttackBox Terminal

root@AttackBox# ssh root@MACHINE_IP
root@MACHINE_IP's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-107-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage  System information as of Thu  7 Apr 08:16:42 UTC 2022  System load:  0.15              Processes:              225
  Usage of /:   64.6% of 6.53GB   Users logged in:        0
  Memory usage: 19%               IPv4 address for ens33: MACHINE_IP
  Swap usage:   0% * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.   https://ubuntu.com/blog/microk8s-memory-optimisation0 updates can be applied immediately.
Last login: Thu Apr  7 07:53:28 2022 from 10.10.10.1

Congratulations! You now have complete control over the target server. Let’s collect a couple of flags. After logging in as root, we used the following Linux commands:

pwd, short for print working directory, to see where we are in the system. We are in the /root directory.
ls to list the files. We notice a flag.txt.
Use cat flag.txt to answer the second question in this task.

AttackBox Terminal

root@AttackBox# pwd
/root
root@AttackBox# ls
flag.txt  snap
root@AttackBox# cat flag.txt 
[redacted]

Because we are logged in as root, we have full access to all files, including other users’ files. Let’s try this out. We executed the following Linux commands:

cd /home to go to the directory containing all the users’ home directories. cd is short for change directory.
We run ls while in /home. We notice librarian is one of the users on the system. However, we have system administrator (root) privileges to check the contents of his home folder.
cd librarian to go to the user’s directory.
pwd to confirm that we are at /home/librarian.
ls shows that librarian has a single file flag.txt.
We can print the text file contents using cat flag.txt. Use this to answer the third question in this task.

AttackBox Terminal

root@AttackBox# cd /home
root@AttackBox# ls
ftpsecure  librarian  strategos
root@AttackBox# cd librarian/
root@AttackBox# pwd
/home/librarian
root@AttackBox# ls
flag.txt
root@AttackBox# cat flag.txt 
[redacted]

Let’s summarize what we have done in this task to get root access on the target system of IP address MACHINE_IP:

We used nmap to learn about the running services.
We connected to the FTP server to learn more about its configuration.
We discovered a file containing the root password mistakenly copied to a public folder.
We used the password we found, allowing us to log in successfully.
We gained access to all the users’ files.

Answer the questions below

3.1 What is the password in the secret.txt file? (Question Hint

Open the terminal and Scan the Target with Nmap to find out what services are running on the target machine.

nmap MACHINE_IP

Nmap Scan shows:

Port 21 (FTP): The FTP service is running. This could allow file transfers, and you might want to check if anonymous login is enabled to explore its contents.

Port 22 (SSH): The SSH service is open, allowing secure remote login. You may use this later if you find valid credentials for logging into the machine.
Port 80 (HTTP): The HTTP service is running. This indicates that a web server is accessible, and you might want to explore it in your browser or use tools like Nikto to check for vulnerabilities.

Connecting to the FTP server and When asked for a name type anonymous and List the files on the server