TryHackMe Vulnet Internal - Writeup
TryHackMe Vulnet Internal - Writeup¶
Vulnet is an easy/medium difficulty TryHackMe machine.
VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.
There are four flags that need to be submitted in order to complete the challenge:
- Service Flag
- Internal Flag
- User Flag
- Root Flag
Port 139 & 445 - SMB¶
Let’s enumarate with enum4linux
enum4linux - a 10.10.132.157 ========================================= | Share Enumeration on 10.10.132.157 | ========================================= Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers shares Disk VulnNet Business Shares IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu)) SMB1 disabled -- no workgroup available [+] Attempting to map shares on 10.10.132.157 //10.10.132.157/print$ Mapping: DENIED, Listing: N/A //10.10.132.157/shares Mapping: OK, Listing: OK //10.10.132.157/IPC$ [E] Can not understand response: ==================================================================== | Users on 10.10.132.157 via RID cycling (RIDS: 500-550,1000-1050) | ==================================================================== [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-21-1569020563-4280465252-527208056 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-5-21-1569020563-4280465252-527208056 and logon username '', password '' S-1-5-21-1569020563-4280465252-527208056-513 VULNNET-INTERNAL\None (Domain Group) [+] Enumerating users using SID S-1-5-32 and logon username '', password '' [+] Enumerating users using SID S-1-5-32 and logon username '', password '' S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\sys-internal (Local User)
Let’s access to
//10.10.132.157/shares with smbclient using a null session.
Inside /tmp we will get the services.txt flag
Port 2049 - nfs_acl¶
Port 2049 is open and noticed that there was a lot of output for port 111. I can see in the output for port 111, that the service NFS was present in the output. This indicates that I might be able to list and download (and maybe upload) files.
More about NFS:
Port 6379 - Redis¶
Port 6379 is open, and now we have a password.
More about Redis:
Port 873 - Rsync¶
In the “authlist” key, we found a base64 encoded value, when decoded gives us the credentials for the rsync service.
More about Rsync:
Let’s get a shell
I now have a SSH access to the target machine.
Root Privilege Escalation - TeamCity¶
More about TeamCity:
Taking a look into the server, inside
/TeamCity/logs there is a file called
catalina.out, there we can find the token to log in a super admin.
Created : Aug 8, 2021