VulNet: Internal
Scanning
Let's run an nmap scan to find the open ports and the services running on them.
Enumeration
Let's check port 9090, which is running SMB.
Let's first look at what shares are on the system.
The Shares disk is interesting, so let's try to access it as an anonymous user.
We were able to access it. Let's cd into these directories and transfer all the files onto our machine.
Let's read the services.txt file.
Looks like we have the first flag.
Let's read the other files.
There is nothing interesting, so let's look at the other services running on the machine, starting with the RPC service running on port 111.
Looks like we have a directory, so let's mount it onto our machine. First let's create a directory called mount and then use the command to mount the directory.
Let's look for interesting files in the directory. There is an interesting file in the redis directory.
There is a lot of output when we cat it. Since this is a configuration file, let's search it for "pass" strings to get some information about the passwords.
Now that we have the password, let's try to access redis and look for the second flag.
We have the second flag. Now let's look at the auth key. We cannot GET the key, so let's look at its type.
Now that we know it's a list key type, let's read it.
We have a base64 string, so let's decode it.
Looks like we have the credentials for the rsync service running on the system. Let's look at it in more detail and see what interesting files we can find.
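A defender-side check for the exposure this section relies on: a Redis configuration file holding a cleartext password that other users (or an exported share) can read. This is an added example, not part of the original write-up; the function names and the sample configuration are constructed, while `requirepass`, `bind` and `protected-mode` are standard redis.conf directives.

```python
import shlex
import stat

LOOPBACK = {"127.0.0.1", "::1"}

def parse_directives(text):
    """Return {directive: [args, ...]} for each non-comment line of a redis.conf."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)      # honours quoted values
        except ValueError:                 # unbalanced quote: fall back to whitespace split
            parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def audit_redis_conf(text, file_mode):
    """Return a list of findings for the config text and the file's st_mode."""
    conf = parse_directives(text)
    findings = []
    # A password in a group/other-readable file leaks to anyone who can read that path.
    if "requirepass" in conf and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("requirepass is stored in a file readable by group/other")
    for args in conf.get("bind", []):
        exposed = [a for a in args if a.lstrip("-") not in LOOPBACK]
        if exposed:
            findings.append("bind exposes non-loopback address(es): " + ", ".join(exposed))
    # The last protected-mode line wins; report only an explicit "no".
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode is disabled")
    return findings

# Constructed sample, not the file from the room; the password is a placeholder.
SAMPLE = '''
# network
bind 127.0.0.1 ::1 0.0.0.0
protected-mode no
requirepass "EXAMPLE-PLACEHOLDER"
'''

if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE, 0o100644):
        print("[!]", finding)
```

On a real host, pass the file's contents together with `os.stat(path).st_mode`; the findings never include the password value itself.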
Exploitation
Now we can either get the files onto our machine or upload our SSH key and then log in to the machine over SSH.
First we have to create our SSH key and then upload it to the machine.
Now we can log in.
Let's read the user flag.
Privilege Escalation
Looking around, there is an interesting directory.
Let's look at this directory and read the readme file.
Let's look at the ports in use on the machine.
Something is running on port 8111. Let's set up port forwarding so that we can see what is running on this port.
Now let's go to localhost:8111 in the browser.
We have a TeamCity login page. Clicking on the Super User option, we need an authentication token to log in, so let's look for this on the machine.
We have tokens, so let's use one of them and log in. (None of them work except the last one.)
We are logged in.
Let's try to create a new project.
Let's create a new Build Configuration.
Now let's go to the homepage and click on the project name.
Let's go to Edit Configuration Settings, then go to Build Steps and select Python.
Let's add a reverse shell to the Custom Script command option that we can choose.
Let's now start a netcat listener on our machine.
Let's save the file and run it by clicking Run.
We have a shell as root, so let's read the root flag.