VulnNet: Internal Write-Up

VulnNet: Internal is a boot2root room on TryHackMe with Easy difficulty. After getting the Redis password from NFS, it was possible to get the password for Rsync. With that password it was possible to upload an authorized_keys file. After connecting to the machine over SSH, there was a TeamCity instance running behind the firewall. The TeamCity port was forwarded to the attacker machine, which allowed connecting to the instance. Login was possible with an authentication token, which could be obtained from the logs. After logging into TeamCity, a malicious build pipeline was created. This pipeline set the SUID bit on /bin/bash, which allowed escalating privileges to root.


After running the Nmap scan, a lot of open ports were discovered:

Nmap scan result


First of all, a connection to SMB was tried. Running showed was readable without authentication:

Output of smbmap

Connecting to the share showed two directories: temp and data.

Directories inside shares

The directories were further inspected. The “data” directory contains two text files called “data.txt” and “business-req.txt”. The “temp” directory contains a text file called “services.txt”.

Contents of data directory on shares
Contents of temp directory on shares

All three files were downloaded to the attacker machine and inspected further. “services.txt” contains the first flag:


Next, NFS was inspected. It allowed access to the directory /opt/conf:

Inspecting network file shares on target

Next, this directory was mounted on the attacker machine with the command . The directory structure is as follows:

Folder structure of network file share

Interestingly, the redis directory contained the redis.conf file:

redis.conf in network file share

With this file it was possible to recover the Redis password:

Password for Redis instance
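The finding above is a configuration-exposure problem: a clear-text `requirepass` in a file that anonymous NFS clients can read. The following is an added defender-side audit, not code from the write-up, that parses a redis.conf and flags that exposure together with the other settings that make an exposed Redis reachable; the sample config and its password value are constructed placeholders, not values from the room.

```python
import stat
from pathlib import Path

# Constructed sample redis.conf, modelled on the kind of file the write-up found on
# the exported NFS share. The password value is a placeholder, not the room's value.
SAMPLE_REDIS_CONF = """\
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
requirepass PLACEHOLDER_PASSWORD
"""

def parse_redis_conf(text):
    """Map each active directive to its value; comments and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit_redis_conf(text, readable_by_others=False):
    """Return the weaknesses that let an NFS client walk straight into Redis.
    readable_by_others is True when the file is world-readable or lives on an
    export/share that untrusted hosts can mount, as /opt/conf did here."""
    conf = parse_redis_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: Redis accepts unauthenticated commands")
    elif readable_by_others:
        findings.append("requirepass is stored in clear text in a file others can read")
    bind = conf.get("bind")
    if bind is None:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif bind.split()[0] not in ("127.0.0.1", "::1", "-::1"):
        findings.append("bind exposes Redis on a non-loopback interface")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    return findings

def audit_redis_conf_file(path):
    """Audit a real redis.conf, deriving readable_by_others from the mode bits."""
    p = Path(path)
    world_readable = bool(p.stat().st_mode & stat.S_IROTH)
    return audit_redis_conf(p.read_text(), readable_by_others=world_readable)
```

When the file sits on an NFS export or SMB share, pass `readable_by_others=True` explicitly, because the local mode bits do not capture who can mount the share.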

With that password it was possible to connect to the Redis instance.

Successful login to Redis

The next flag was inside the “internal flag” key. It was also possible to obtain the authentication credentials for the Rsync service.

Obtaining second flag
Obtaining base64 encoded authentication list
Decoding base64 with CyberChef


Next, the Rsync service was inspected. First of all, an Nmap scan with the script “rsync-list-modules” was run against port 873. This revealed an rsync module named “files”.

Nmap on port 873

It was possible to copy the files with . Inside the directory was the user flag.

Obtaining user flag and listing directory

Next, it was time to upload an authorized_keys file. First, an SSH key was generated:

Generating SSH key for access

Next, the public key was copied to . After uploading the .ssh directory with the previously obtained password and the command , it was possible to connect via SSH:

Connecting via SSH

Privilege Escalation

During enumeration, an interesting directory called “TeamCity” was found inside the root directory (“/”). TeamCity is a CI/CD server built by JetBrains. Such build servers often run as root, which makes them a good candidate for privilege escalation.

TeamCity directory in root directory

The README revealed that TeamCity is running on port 8111:

Readme of TeamCity

Next, it was checked whether anything was listening on port 8111, and indeed a service was listening.

Checking if something is listening on port 8111

Next, port 8111 was forwarded to the attacker machine with the command . This allowed the web app to be displayed in a browser.

Landing page of TeamCity

The attacker chose the “Log in as a Super user” option. The web app asked for an authentication token.

Asking for authentication token

The authentication token could be found inside the logs on the machine:

Finding authentication token inside logs

With this token, it was possible to log in to the web interface:

Landing page after authentication

Next, a new project was created with the name “test2”:

Creating a new project

After the project was saved, a new build configuration was created by clicking the button “Create build configuration”:

Creating a new build configuration

“test build” was chosen as the build configuration name:

Adding build configuration

Next, a build step was added by navigating to “Build Steps” and clicking on the button “Add build step”:

Adding build step

The build script contained the command . This adds the SUID bit to the binary, which was used to elevate privileges on the machine to root.

Creating the build step with malicious script

Finally the build pipeline was run:

Running pipeline

After the pipeline finished successfully, the SUID bit was set on . This gave root privileges, which were used to obtain the root flag at .

Successfully running build script
SUID bit was set on /bin/bash
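A SUID bit on a shell, as left behind by the build step above, is a persistent root backdoor that survives the CI job. The following is an added detection check, not code from the write-up, that audits (path, mode) pairs for SUID shells and interpreters; the `SAMPLE_ENTRIES` list is constructed to mirror the end state of the room, and `audit_filesystem` walks the real binary directories with the same logic.

```python
import os
import stat

# Programs that should never carry the SUID bit on a hardened host. Legitimate SUID
# binaries such as passwd or sudo are not in this set and are deliberately not flagged.
SHELLS_AND_INTERPRETERS = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl"}

def is_suspicious_suid(path, mode):
    """True if MODE has S_ISUID set and PATH's basename is a shell or interpreter."""
    if not mode & stat.S_ISUID:
        return False
    name = os.path.basename(path)
    # Strip a version suffix so python3.8 or perl5 match their base name.
    return name in SHELLS_AND_INTERPRETERS or name.rstrip("0123456789.") in SHELLS_AND_INTERPRETERS

def audit_entries(entries):
    """Audit (path, mode) pairs and return the suspicious paths, sorted."""
    return sorted(path for path, mode in entries if is_suspicious_suid(path, mode))

def audit_filesystem(roots=("/bin", "/usr/bin", "/usr/local/bin")):
    """Walk real binary directories and run audit_entries over what is found."""
    entries = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    entries.append((full, st.st_mode))
    return audit_entries(entries)

# Constructed sample modelled on the end state described in the write-up:
# bash with u+s next to binaries that are SUID by design.
SAMPLE_ENTRIES = [
    ("/bin/bash", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/python3.8", 0o100755),
    ("/bin/sh", 0o100755),
]

if __name__ == "__main__":
    print("constructed sample:", audit_entries(SAMPLE_ENTRIES))
    print("this host:", audit_filesystem())
```

Running the build agent as an unprivileged user, rather than root, is what stops a build step from being able to set the bit in the first place; this check only catches the aftermath.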


First of all, the SMB share should be protected by authentication, especially if it contains sensitive data and anonymous login is not needed. It is also recommended to protect the NFS export, since it contains configuration files with passwords.