VulnNet: Internal Write-Up

VulnNet: Internal is a boot2root room on TryHackMe rated Easy. After recovering the Redis password from an NFS export, it was possible to obtain the password for Rsync. With that password it was possible to upload an authorized_keys file. After connecting to the machine over SSH, a TeamCity instance was found running behind the firewall. The TeamCity port was forwarded to the attacker machine, which allowed connecting to the instance. Login was possible with an authentication token that could be obtained from the logs. After logging into TeamCity, a malicious build pipeline was created. This pipeline set the SUID bit on /bin/bash, which allowed escalating privileges to root.

Enumeration

After running the Nmap scan sudo nmap 10.10.37.188 -p- -vv -oN nmap/all_ports, a lot of open ports were discovered:

Nmap scan result

SMB

First, a connection to SMB was attempted. Running smbmap -H 10.10.37.188 showed that the share “shares” was readable without authentication:

Output of smbmap

Connecting to the share showed two directories: temp and data.

Directories inside shares

The directories were further inspected. The data directory contains two text files called “data.txt” and “business-req.txt”. The “temp” directory contains a text file called “services.txt”.

Contents of data directory on shares
Contents of temp directory on shares

All three files were downloaded to the attacker machine and inspected further. “services.txt” contains the first flag:

NFS

Next, NFS was inspected. It allowed access to the exported directory /opt/conf:

Inspecting network file shares on target

Next this directory was mounted to the attacker machine with the command sudo mount -t nfs 10.10.37.188:/opt/conf ./conf_mount. The directory structure is as follows:

Folder structure of network file share

Interestingly, the redis directory contained the redis.conf file:

redis.conf in network file share

With this file it was possible to recover the Redis password:

Password for Redis instance

With that password it was possible to connect to the Redis instance.

Successful login to Redis

The next flag was inside the “internal flag” key. It was also possible to obtain the authentication credentials for the Rsync service.

Obtaining second flag
Obtaining base64 encoded authentication list
Decoding base64 with CyberChef

Rsync

Next, the Rsync service was inspected. First, an Nmap scan with the script “rsync-list-modules” was run against port 873. This revealed an rsync module named “files”.

Nmap on port 873

It was possible to copy the files with rsync -av rsync://rsync-connect@10.10.37.188/files ./rsync_files. Inside the directory there was the user flag.

Obtaining user flag and listing directory

Next it was time to upload an authorized_keys file. First an SSH key was generated:

Generating SSH key for access

Next the public key was copied to sys-internal/.ssh/authorized_keys. After uploading the .ssh directory with the previously obtained password and the command rsync -av sys-internal/.ssh/ rsync://rsync-connect@10.10.37.188/files/sys-internal/.ssh, it was possible to connect via SSH:

Connecting via SSH
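The three footholds above (an SMB share readable without authentication, a redis.conf sitting on an NFS export, and an rsync module that accepts writes into home directories) are all configuration problems an administrator can check for before anyone else does. The following script is an added example written for this write-up, not code from the original post or from the room: it parses constructed sample copies of /etc/exports, redis.conf, rsyncd.conf and smb.conf (every sample value, including the placeholder password, is invented) and reports the weak settings that made each step of the chain possible.

```python
"""Audit the service configurations this box exposed: an NFS export open to
any host, a redis.conf carrying requirepass on that export, a writable rsync
module over /home, and an SMB share that allows guest access. Added example,
not code from the original write-up; every sample config below is constructed."""

SAMPLE_EXPORTS = """\
/opt/conf *(rw,sync,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash)
"""
SAMPLE_REDIS_CONF = """\
bind 0.0.0.0
requirepass EXAMPLE_REDIS_PASSWORD
"""
SAMPLE_RSYNCD_CONF = """\
[files]
    path = /home
    read only = no
    auth users = rsync-connect
[logs]
    path = /var/log/rsync
    read only = yes
"""
SAMPLE_SMB_CONF = """\
[shares]
    path = /srv/shares
    guest ok = yes
"""

def _strip(line, comment_chars="#"):
    """Remove a trailing comment and surrounding whitespace from one config line."""
    for ch in comment_chars:
        line = line.split(ch, 1)[0]
    return line.strip()

def parse_ini(text):
    """rsyncd.conf and smb.conf share an ini-like '[section]' / 'key = value' layout."""
    sections = {}
    current = "global"
    for raw in text.splitlines():
        line = _strip(raw, "#;")
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def parse_redis(text):
    """redis.conf holds one 'directive arguments' pair per line."""
    conf = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def parse_exports(text):
    """Return (path, client, options) for every client entry in /etc/exports."""
    entries = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:  # a bare path is exported to everyone
            host, _, rest = client.partition("(")
            opts = {o.strip().lower() for o in rest.rstrip(")").split(",") if o.strip()}
            entries.append((path, host or "*", opts))
    return entries

def audit(exports, redis_conf, rsyncd_conf, smb_conf):
    """Return one human-readable finding per weak setting."""
    findings = []
    for path, host, opts in parse_exports(exports):
        if host == "*":
            findings.append(f"nfs: {path} is exported to any host; restrict it to known clients")
        if "no_root_squash" in opts:
            findings.append(f"nfs: {path} ({host}) sets no_root_squash")
    redis = parse_redis(redis_conf)
    if "requirepass" in redis:
        findings.append("redis: requirepass is in redis.conf; keep that file off exports and mode 0640")
    bind = redis.get("bind", "*")  # no bind directive means every interface
    if any(a not in ("127.0.0.1", "::1", "-::1") for a in bind.split()):
        findings.append(f"redis: listens on non-loopback address {bind}")
    for name, mod in parse_ini(rsyncd_conf).items():
        writable = mod.get("read only", "yes").lower() in ("no", "false", "0")
        if name != "global" and writable and mod.get("path", "").startswith("/home"):
            findings.append(f"rsync: module '{name}' is writable over home directories (covers ~/.ssh)")
        if name != "global" and "auth users" not in mod:
            findings.append(f"rsync: module '{name}' has no auth users")
    for name, share in parse_ini(smb_conf).items():
        if name != "global" and share.get("guest ok", "no").lower() == "yes":
            findings.append(f"smb: share '{name}' allows guest access")
    return findings
```

On a real host, call audit() with the contents of the four files read from disk and act on each line it returns. Missing keys are treated as the daemon's own defaults (rsync's read only defaults to yes, Samba's guest ok defaults to no), so a module or share is only flagged when its configuration actually opens it up.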

Privilege Escalation

During enumeration there was an interesting directory called “TeamCity” inside the root directory (“/”). TeamCity is a CI/CD server built by JetBrains. Build servers like this often run as root, so it is a good candidate for privilege escalation.

TeamCity directory in root directory

The README revealed that TeamCity is running on port 8111:

Readme of TeamCity

Next it was checked whether anything was listening on port 8111, and indeed there was a service listening.

Checking if something is listening on port 8111

So next port 8111 was forwarded to the attacker machine with the command ssh -i vulnnet sys-internal@10.10.37.188 -L 8111:localhost:8111. This allowed the attacker to display the web app in a browser.

Landing page of TeamCity

The attacker chose the “Log in as a Super user” option. The web app asked for an authentication token.

Asking for authentication token

The authentication token could be found inside the logs on the machine:

Finding authentication token inside logs

With this token, it was possible to log in to the web interface:

Landing page after authentication

Next a new project was created with the name “test2”:

Creating a new project

After the project was saved, a new build configuration was created by clicking the button “Create build configuration”:

Creating a new build configuration

“test build” was chosen as the build configuration name:

Adding build configuration

Next a build step was added by navigating to “Build Steps” and clicking on the button “Add build step”:

Adding build step

The build script contained the command chmod +s /bin/bash. This sets the SUID bit on the bash binary, which was used to elevate the current privileges on the machine to root.

Creating the build step with malicious script

Finally the build pipeline was run:

Running pipeline

After the pipeline finished successfully, the SUID bit was set on bash. This gave root privileges, which were used to obtain the root flag at /root/root.txt.

Successfully running build script
SUID bit was set on /bin/bash
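The build step turned /bin/bash into a SUID binary, and that only paid off because the build ran with root privileges. A periodic comparison of the set-id files on disk against a reviewed baseline catches exactly this kind of change. The script below is an added example, not part of the original write-up; the baseline set and the scratch directory tree built in demo() are constructed for illustration.

```python
"""Find set-user-ID / set-group-ID files that are not in a reviewed baseline.
Added example, not code from the original write-up; the baseline and the
scratch directory tree built in demo() are constructed for illustration."""
import os
import stat
import tempfile
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed baseline: set-id binaries an administrator has reviewed. A real
# one is captured from a clean image and stored off the host.
BASELINE: Set[str] = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}


def is_setid(mode: int) -> bool:
    """True for a regular file with the SUID or SGID bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def walk_modes(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path relative to root, mode) for every file under root.
    os.lstat is used so a symlink is reported as a link, never as its target."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:  # vanished or unreadable; skip rather than abort the scan
                continue
            yield "/" + os.path.relpath(full, root).replace(os.sep, "/"), mode


def unexpected_setid(entries: Iterable[Tuple[str, int]], baseline: Set[str]) -> List[str]:
    """Paths carrying a set-id bit that the baseline does not list, sorted for stable output."""
    return sorted(path for path, mode in entries if is_setid(mode) and path not in baseline)


def scan(root: str = "/", baseline: Set[str] = BASELINE) -> List[str]:
    """Walk root and return every set-id file not covered by the baseline."""
    return unexpected_setid(walk_modes(root), baseline)


def demo() -> List[str]:
    """Build a scratch tree with one approved and one unexpected SUID file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("usr/bin/sudo", 0o4755), ("bin/bash", 0o4755), ("bin/ls", 0o755)):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder content; only the mode matters here
            os.chmod(full, mode)
        return scan(root)  # → ['/bin/bash']


if __name__ == "__main__":
    print(demo())
```

scan() walks from / and returns the paths an alert should name; run it from cron or a monitoring agent and keep the baseline off the host so a compromised build cannot edit it. The check compares modes only, so pair it with a hash of each baseline file if a replaced binary should also be caught.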

Mitigation

First of all, the SMB share should be protected by authentication, especially since it contains sensitive data and anonymous login is not needed. It is also recommended to protect the NFS export, because it contains configuration files with passwords.

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!