This is VulnNet: Internal from THM. It's rated Easy/Medium, and the description says:
VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.
I guess that means this is my pentest report?
Ports
So. Many. Ports. I could dump all of the nmap output here but that’s not my jam. Let’s summarise: we have SSH, RPCBind, rsync, Redis, NFS and some other nonsense we don’t care about. Where to begin?
NFS
Mounting the share of course. Broadly it looked like this:
There was a bunch of configuration stuff in there, including for Redis, which was one of our services:
Redis
With our password we can do this:
Note that there was a flag there too, so get that if you want. authlist was a list, hence the lrange command. You can use redis-cli but you don’t need to. What is the base64?
Creds for rsync.
rsync
rsync is running on port 873, and we can't use our creds for SSH. When talking to the rsync daemon directly like this we need to know the 'module' name, so I use an nmap script:
Now we’ve got that, I do this:
And that copies everything in the files module to the what directory on my machine. files (and by extension what) appears to be the /home directory from the server. We have a user called sys-internal, who has a .ssh directory but no keys in it. I send my public key up via rsync and then we can log in. Note that in the below, my SSH public key was in the foo.txt file.
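The three misconfigurations that chain together on this box (an NFS export anyone can mount, a Redis config sitting in it, and a writable, unauthenticated rsync module) are all things a config audit can catch before a tester does. The following is an added example written for this post, not code from the original write-up or from the box; the config snippets are constructed and the values hypothetical.

```python
import re

# Constructed sample configs (hypothetical values, not copied from the box).
EXPORTS = "/opt/conf *(rw,sync,no_root_squash,no_subtree_check)\n"
REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nrequirepass EXAMPLE-PASSWORD\n"
RSYNCD_CONF = ("[files]\n  path = /home\n  read only = no\n  list = yes\n\n"
               "[backup]\n  path = /srv\n  read only = yes\n  auth users = ops\n")

def audit_exports(text):
    """NFS: flag exports open to every host or keeping remote root as uid 0."""
    findings = []
    for m in re.finditer(r"^(\S+)\s+(\S+)\((.*)\)$", text, re.M):
        path, host, opts = m.group(1), m.group(2), m.group(3).split(",")
        if host == "*":
            findings.append(f"nfs {path}: exported to every host")
        if "no_root_squash" in opts:
            findings.append(f"nfs {path}: no_root_squash")
    return findings

def audit_redis(text):
    """Redis: flag non-loopback bind, protected-mode off, missing password."""
    conf = dict(l.split(None, 1) for l in text.splitlines()
                if len(l.split(None, 1)) == 2 and not l.startswith("#"))
    findings = []
    bind = conf.get("bind", "127.0.0.1")
    if any(a not in ("127.0.0.1", "::1", "-::1") for a in bind.split()):
        findings.append(f"redis: bound to {bind}, reachable from the network")
    if conf.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("redis: no requirepass set")
    return findings

def audit_rsync(text):
    """rsync: flag modules that are anonymous (no auth users) or writable."""
    modules, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            modules[cur] = {}
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            modules[cur][key] = val
    findings = []
    for name, opts in modules.items():
        if "auth users" not in opts:
            findings.append(f"rsync [{name}]: anonymous module (no auth users)")
        if opts.get("read only", "yes").lower() in ("no", "false"):
            findings.append(f"rsync [{name}]: writable module")
    return findings

print(audit_exports(EXPORTS) + audit_redis(REDIS_CONF) + audit_rsync(RSYNCD_CONF))
```

Each finding here maps to one link in the chain described above; the backup module and the loopback-only Redis case are there to show what a clean result looks like.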
Privesc
This blog has no screenshots, and that’s quite deliberate because I want to be able to copy and paste stuff from here, which you obviously can’t do with a screenshot. So some of the privesc I’ll just have to describe.
Anyway, this did take me a little bit to figure out but here goes. Poking around logged in as sys-internal we can find /TeamCity and there is a whole bunch of stuff in there but nothing immediately stands out as useful. Linpeas won’t give us much, but it does show TeamCity running as root, e.g.
For some reason, linpeas won’t show us the open ports:
Crickets. Humph. Now I did go down a different path for a while (Apache XML-RPC) but that wasn’t it; it is TeamCity. Where do we find it? Ask JetBrains:
After installation, the TeamCity web UI can be accessed via a web browser. The default addresses are http://localhost/ for Windows distribution and http://localhost:8111/ for the tar.gz distribution.
I set up a port forward:
ssh -L 9999:127.0.0.1:8111 sys-internal@10.10.4.9
Note the different THM IP; that's because I did this in two sessions. Once I've got the port forward I can access the TeamCity GUI at localhost:9999. There, we can log in as the super user, but in order to do so we need a super user authentication token. It's supposed to be in a particular file; let's check:
D'oh! Maybe there is another place...?
We have a selection to choose from. Only one works; try and find out which!
Once we log in - now what? I’ve never seen this thing before and what the hell does it do? According to Wikipedia, it’s a:
build management and continuous integration server
Yeah cool. Can I get root or not? According to the documentation:
Using the Command Line build runner, you can run any script supported by the OS.
Wonderful. So the next part was all GUI, but it was basically: create a project, then add a Build Step of type Custom Script; in my case the script added a new user to /etc/passwd. The syntax was:
There are a few bits you have to fill in, and then a 'run' button will appear near the top of the page; click it and it completes. The project doesn't need to do anything else. It's not too hard to figure out.
Then in my shell:
Yeah baby, that's the stuff. Good box, TheCyb3rW0lf.