Transcript
Christopher: Today we're gonna walk through the 10 steps needed to complete the TryHackMe Network Services challenge SMB portion, all mapped to the MITRE ATT&CK Matrix, and there will be no spoilers with this walkthrough that would rob you of any learning opportunities on the specific techniques.
So stay tuned to learn how to exploit SMB for the TryHackMe Network Services box and discover the 8 MITRE ATT&CK Matrix TTPs used in this box.
So when we're walking through the Network Services box on TryHackMe, the first thing that we're gonna tackle is SMB. Now there are some questions that the user has to answer, but we're mainly just gonna cover the actual hands-on-keyboard attack portion. So we're gonna start here. We're gonna see step one, the MITRE ATT&CK TTP is T1423. That is network service scanning. It's part of the discovery tactic. Okay, so as the attacker, what we're gonna do is we're gonna do step one. We're gonna start scanning the network. What we're gonna find is step two. That's gonna lead us to network share discovery. Okay? So T1135.
We're gonna scan the network. We're gonna scan for services. We're gonna, step two is gonna be network share discovery. So one thing about these walkthroughs is think of it like an escape room, right? You can get clues as to what you're supposed to do, but I'm not gonna tell you exactly how to do it.
So step three. Here we see that we are going to find SMB shares; that's T1021.002.
If you'll see that this T1021.002, it's actually highlighted red. For each of these walkthroughs, one MITRE TTP will be highlighted as essentially the root cause for this entire attack chain. If you want to learn how to stop a chain, if you could only address one thing, if you could only fix one thing, it's gonna be what's highlighted in red.
So we see that according, in my opinion, SMB shares, step three, is the root cause. So there will be a corresponding 60-second attack video for each of the highlighted red MITRE ATT&CK Matrix TTPs that are discovered, to talk about what they do, the mapping of NIST controls to them, and any tools that could be used to test the mitigations.
So anyway, step three, SMB shares, remote services. Step four is gonna be, okay, so we have the SMB shares. Now we're gonna collect data from that share. So that's data from local systems, collection, T1105.
That will lead us to step five, which is local accounts discovery, local account discovery, T1078.003. That's gonna lead us to step six, which is file and directory discovery. So we're gonna use the local accounts to continue to look further for things, which is gonna lead us to step seven, private keys, unsecured credentials, T1552.004.
So just walking through this phase again, we got local accounts, account discovery. We take a local account, we use that account to discover another file, and in that file we find an unsecured credential. That leads us to step eight, local accounts. So again, we're gonna take these credentials and maybe examine them a little bit further to get T 1 0 7 8 3 local account discovery.
Now we're gonna take that account that we just discovered. We're gonna use it in step nine, SSH, remote services. So we're continually evolving our level of access. It's not necessarily a privilege escalation, but we're continuing to evolve how we are able to access this host. So from step nine, we're gonna be able to SSH, we're gonna remote in, which will lead us to step 10, data from local systems, collection, T1005.
Step 10 is the user capturing the flag. So if you look through all 10 of these steps, again, we're gonna, it starts at network discovery. You scan. You discover a network share, you are able to do something with those shares. You can gather data from the share that's discovered. You know, you're gonna discover a local account.
Within that local account, you'll be able to go back and look for something else, which is an unsecured credential. You'll be able to take that unsecured credential, elevate your access, get a new account, SSH back in, and gather the. And that is the SMB portion of TryHackMe Network Services.
So thanks. If you found this walkthrough helpful, definitely hit the subscribe button and get notified whenever more walkthroughs like this come out and I will see you around. Thanks.