# list smb shares
nmap --script "safe or smb-enum-*" -p 139,445 $IP -oN recon/nmap.smb_enum
basic enumeration
enum4linux -avA $IP -u user -p pass > enumeration/enum_4_linux
Read shares
smbclient -N -L \\\\$IP
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        shares          Disk      VulnNet Business Shares
        IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP
Inside the shares share I found services.txt, data.txt and business-req.txt.
NFS
port grabbing
nc -vn $IP 2049
(UNKNOWN) [10.10.87.95] 2049 (nfs) open
mounting
show
showmount -e $IP
Export list for 10.10.87.95:
/opt/conf *
get files
sudo mount -t nfs -o vers=4 $IP:/opt/conf ./nfs
Find a password in ./nfs/redis/redis.conf -> B65Hx562F@ggAZ@F
Redis
banner grabbing
nc -vn $IP 6379
(UNKNOWN) [10.10.87.95] 6379 (redis) open
enumeration
nmap --script redis-info -sV -p 6379 $IP
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-06-05 07:18 CDT
Nmap scan report for 10.10.87.95
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 30.25 seconds
enumerate database
redis-cli -h $IP
10.10.87.95:6379> auth B65Hx562F@ggAZ@F #(password found after nfs port enumeration)
OK
10.10.87.95:6379> keys
(error) ERR wrong number of arguments for 'keys' command
10.10.87.95:6379> keys *
1) "marketlist"
2) "tmp"
3) "authlist"
4) "internal flag"
5) "int"
10.10.87.95:6379> get internal flag
(error) ERR wrong number of arguments for 'get' command
10.10.87.95:6379> get 'internal flag'
"THM{ff8e518addbbddb74531a724236a8221}"
10.10.87.95:6379> lrange 'authlist' 0 0
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
Rsync
enumeration
rsync --list-only rsync://$IP
files           Necessary home interaction
Analyse the data collected to identify potential attack vectors. Use this information to plan your penetration test, such as what tools and exploits to use.
After a lot of enumeration, I found a way to access the machine. First, I enumerated the Samba port where I found three text files, with services.txt being the first flag of this room.
The next port I enumerated was Redis, but it was a dead end because I needed credentials to authenticate to the database. So, I moved on to the NFS port.
Network File System (NFS) allows users to share mounted files in a network. This service uses TCP by default to transfer files, but you can also use UDP to improve connection speed (connectionless). After establishing the TCP socket, the NFS server checks the /etc/exports file to see if the user has permissions to access the files. I used the showmount command to search for any files that could be transferred to my local machine, and I found /etc/opt. I accessed this directory and searched for some information. I found an interesting file, ./nfs/redis/redis.conf, where I discovered the password for the Redis database.
Moving forward to the Redis port, I connected with the password and checked the available keys. I found the second flag of this room. I had some trouble with Redis because I hadn’t used it before, but after some research, I understood that these keys can be of different data types. So, to access the authlist key, I needed to use the lrange command (I included the documentation below).
Exploitation
I didn't need to use a specific vulnerability, run a PoC to get access to this machine, or develop a specific script. All I needed to do was enumeration, enumeration and enumeration. I got the password for the database, and from it I got the password for rsync. Using rsync I was able to see the contents of the sys-internal user's home directory. To get access I uploaded my public key into the .ssh directory, and now I can connect as the sys-internal user using my private key.
The first thing I did was search the / directory, where I found something interesting. It seems that I found a webserver that runs locally. I checked the connections for both ports 80 and 8111, and it looks like port 8111 is open.
Now the webserver should be running on port 8111 on your local machine.
Privilege Escalation
If you open the webserver you will see a login page. I tried some SQLi, but nothing; I checked methods, headers and cookies, but nothing. After a while I saw that I could log in as super user using a token. I searched for a token in the logs directory and found different tokens. I tried every one until I had success.
Now all I needed to do was exploit this webserver. I created a new project, and after this I created a new build configuration.
Here, in Build Steps, I created a new step using the command below. I set the SUID bit on /bin/bash, and now you can get root access after executing it in the SSH session.
get root privilege
Reporting
Document all discovered vulnerabilities, exploited systems, and recommended remediation strategies in a detailed report for the client. Give solutions for system hardening.
Vulnerabilities
Shared files through Samba service
NFS service
Rsync → see home directory of sys-internal, can upload files
TeamCity webserver
Fixes & system Hardening
The first two aspects mentioned above aren't actually vulnerabilities. However, when using these two services, it's crucial to pay attention to privileges and what you share on the network. Similarly, Rsync isn't a vulnerability, but caution must be exercised regarding the files being shared.
During a penetration test engagement, it's essential to thoroughly examine every service discovered and assess permissions. Ensure that the /TeamCity/logs directory is not accessible to unauthorized individuals, as it could potentially lead to obtaining superuser tokens.
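As an added example (not part of the original writeup), a small Python audit a defender could run on the NFS server side: it parses /etc/exports and flags shares exported to every host, writable shares and no_root_squash, then scans the exported tree for secret-bearing directives such as the requirepass line that was readable from the /opt/conf export above. The export lines and file contents below are constructed samples; in real use you would feed it the server's /etc/exports and the files under each export.

```python
import re
# Directives whose value is a secret; 'requirepass' is what leaked from the
# world-mountable export above. Findings report locations, never the values.
SECRET_DIRECTIVES = re.compile(r"^\s*(requirepass|masterauth|password|secret)\b", re.I)
# Constructed samples modelled on the showmount output and redis.conf seen above.
SAMPLE_EXPORTS = """\
/opt/conf *
/srv/backup 10.10.0.0/24(ro,sync,root_squash)
/srv/data *(rw,no_root_squash)
"""
SAMPLE_FILES = {  # {path relative to the mount point: file contents}
    "redis/redis.conf": "port 6379\n# requirepass is set below\nrequirepass <placeholder>\n",
    "README": "nothing sensitive here\n",
}

def parse_exports(text):
    """Parse /etc/exports lines into (path, [(client, [options])]) tuples."""
    exports = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        clients = []
        for spec in parts[1:]:  # host(opts); a bare '(opts)' means every host
            m = re.match(r"([^(]*)(?:\((.*)\))?", spec)
            clients.append((m.group(1) or "*", m.group(2).split(",") if m.group(2) else []))
        exports.append((parts[0], clients or [("*", [])]))
    return exports

def export_findings(text):
    """Flag exports open to any host, writable, or lacking root squashing."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*" or client.startswith("*."):
                findings.append(f"{path}: exported to every client ({client})")
            if "rw" in opts:
                findings.append(f"{path}: writable (rw) by {client}")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {client}")
    return findings

def secret_findings(files):
    """Return (path, line_no, directive) for secret-bearing lines in the mount."""
    hits = []
    for rel, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if m := SECRET_DIRECTIVES.match(line):
                hits.append((rel, n, m.group(1).lower()))
    return hits
```

Every hit from secret_findings is a file that should either not live under the export or should be restricted to the hosts that need it, and every export_findings line is a candidate for a narrower client list, ro, and root_squash.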