VulnNet: Internal Write-Up

VulnNet: Internal is a boot2root room on TryHackMe rated Easy difficulty. The Redis password was recovered from a configuration file exposed over NFS, and the Redis instance in turn held the credentials for the Rsync service. With that password it was possible to upload an authorized_keys file. After connecting to the machine over SSH, a TeamCity instance was found running behind the firewall. The TeamCity port was forwarded to the attacker machine, which allowed connecting to the instance. Login was possible with an authentication token obtained from the logs. After logging into TeamCity, a malicious build pipeline was created that set the SUID bit on /bin/bash, which allowed elevating privileges to root.

Enumeration

Nmap scan result

SMB

Output of smbmap

Connecting to the share showed two directories: temp and data.

Directories inside shares

The directories were further inspected. The data directory contains two text files called “data.txt” and “business-req.txt”. The “temp” directory contains a text file called “services.txt”.

Contents of data directory on shares
Contents of temp directory on shares

All three files were downloaded to the attacker machine and inspected further. “services.txt” contains the first flag:

NFS

Inspecting network file shares on target

Next this directory was mounted to the attacker machine with the command sudo mount -t nfs 10.10.37.188:/opt/conf ./conf_mount. The directory structure is as follows:

Folder structure of network file share

Interestingly, the redis directory contained the redis.conf file:

redis.conf in network file share

With this file it was possible to recover the Redis password:

Password for Redis instance

With that password it was possible to connect to the Redis instance.

Successful login to Redis

The next flag was inside the “internal flag” key. It was also possible to obtain the authentication credentials for the Rsync service.

Obtaining second flag
Obtaining base64 encoded authentication list
Decoding base64 with CyberChef

Rsync

Nmap on port 873

It was possible to copy the files with rsync -av rsync://rsync-connect@10.10.37.188/files ./rsync_files. Inside the directory there was the user flag.

Obtaining user flag and listing directory

Next it was time to upload an authorized_keys file. First an SSH key was generated:

Generating SSH key for access

Next the public key was copied to sys-internal/.ssh/authorized_keys. After uploading the .ssh directory with the previously obtained password and the command rsync -av sys-internal/.ssh/ rsync://rsync-connect@10.10.37.188/files/sys-internal/.ssh, it was possible to connect via SSH:

Connecting via SSH

Privilege Escalation

TeamCity directory in root directory

The README revealed that TeamCity is running on port 8111:

Readme of TeamCity

Next it was checked whether anything was listening on port 8111, and indeed a service was listening there.

Checking if something is listening on port 8111

So next port 8111 was forwarded to the attacker machine with the command ssh -i vulnnet sys-internal@10.10.37.188 -L 8111:localhost:8111. This allowed the attacker to display the web app in a browser.

Landing page of TeamCity

The attacker chose the “Log in as a Super user” option. The web app asked for an authentication token.

Asking for authentication token

The authentication token could be found inside the logs on the machine:

Finding authentication token inside logs

With this token, it was possible to login to the web interface:

Landing page after authentication

Next a new project was created with the name “test2”:

Creating a new project

After the project was saved, a new build configuration was created by clicking the button “Create build configuration”:

Creating a new build configuration

“test build” was chosen as the build configuration name:

Adding build configuration

Next a build step was added by navigating to “Build Steps” and clicking on the button “Add build step”:

Adding build step

The build script contained the command chmod +s /bin/bash, which adds the SUID bit to the bash binary. Since the TeamCity build agent runs as root on this machine, this was used to elevate the current privileges to root.

Creating the build step with malicious script

Finally the build pipeline was run:

Running pipeline

After the pipeline finished successfully, the SUID bit was set on bash, which gave a root shell. The root privileges were used to obtain the root flag at /root/root.txt.

Successfully running build script
SUID bit was set on /bin/bash

Mitigation
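The privilege escalation above leaves a durable artifact: a setuid bit on /bin/bash that does not belong to a stock install. The following is an added detection example (not part of the original write-up or of TeamCity) that compares the setuid/setgid binaries found on a host against a known-good baseline and reports anything unexpected; the baseline set below is a constructed sample and should be replaced with one taken from a clean host.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed sample baseline of binaries that legitimately carry setuid on a
# typical Ubuntu host. A real baseline is recorded from a known-good system.
BASELINE_SETUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount",
}


def unexpected_setuid(entries: Iterable[Tuple[str, int]],
                      baseline: Iterable[str] = BASELINE_SETUID) -> List[Dict[str, str]]:
    """Return every (path, st_mode) entry that is a regular file carrying the
    setuid or setgid bit and is not in the baseline. Pure function, so it can be
    run over a live scan or over constructed data."""
    allowed = set(baseline)
    findings = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue  # setgid directories are normal; only regular files matter here
        bits = mode & (stat.S_ISUID | stat.S_ISGID)
        if bits and path not in allowed:
            labels = [name for flag, name in ((stat.S_ISUID, "setuid"),
                                              (stat.S_ISGID, "setgid")) if bits & flag]
            findings.append({"path": path,
                             "mode": oct(stat.S_IMODE(mode)),
                             "bits": "+".join(labels)})
    return findings


def scan_tree(root: str) -> List[Tuple[str, int]]:
    """Collect (path, st_mode) for every file under root. Paths are resolved so
    that /bin/bash and /usr/bin/bash on a merged-/usr system are counted once."""
    out, seen = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            real = os.path.realpath(os.path.join(dirpath, name))
            if real in seen:
                continue
            seen.add(real)
            try:
                out.append((real, os.lstat(real).st_mode))
            except OSError:
                pass  # file vanished or unreadable; skip rather than abort the scan
    return out


if __name__ == "__main__":
    for f in unexpected_setuid(scan_tree("/bin") + scan_tree("/usr/bin")):
        print(f"{f['mode']} {f['bits']:<13} {f['path']}")
```

Run it from cron or a configuration-management check and alert on any non-empty output; after the chmod +s step above it would report /bin/bash with mode 0o4755.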
