Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-23 17:37 EDTNmap scan report for 10.10.98.192Host is up (0.20s latency).Not shown: 993 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)|256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)|_ 25682:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)111/tcp open rpcbind 2-4 (RPC #100000)| rpcinfo: | program version port/proto service|1000002,3,4111/tcp rpcbind|1000002,3,4111/udp rpcbind|1000003,4111/tcp6 rpcbind|1000003,4111/udp6 rpcbind|10000332049/udp nfs|10000332049/udp6 nfs|1000033,42049/tcp nfs|1000033,42049/tcp6 nfs|1000051,2,334713/tcp mountd|1000051,2,345887/tcp6 mountd|1000051,2,346635/udp6 mountd|1000051,2,355619/udp mountd|1000211,3,443989/tcp6 nlockmgr|1000211,3,446185/tcp nlockmgr|1000211,3,455225/udp nlockmgr|1000211,3,455609/udp6 nlockmgr|10022732049/tcp nfs_acl|10022732049/tcp6 nfs_acl|10022732049/udp nfs_acl|_ 10022732049/udp6 nfs_acl139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)873/tcp open rsync (protocol version 31)2049/tcp open nfs_acl 3 (RPC #100227)9090/tcp filtered zeus-adminService Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)| smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu)| Computer name: vulnnet-internal| NetBIOS computer name: VULNNET-INTERNAL\x00| Domain name: \x00| FQDN: vulnnet-internal|_ System time: 2021-09-23T23:38:16+02:00| smb-security-mode: | account_used: guest| authentication_level: user| challenge_response: supported|_ message_signing: disabled (dangerous, but default)| smb2-security-mode: |2.02: |_ Message signing enabled but not required| smb2-time: | date: 2021-09-23T21:38:16|_ start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 32.51 seconds
I then ran smbmap -H IP_Address, and got the following output:
[+] Guest session IP: 10.10.98.192:445 Name: 10.10.98.192 Disk Permissions Comment---------------------- print$ NO ACCESS Printer Drivers shares READ ONLY VulnNet Business Shares IPC$ NO ACCESS IPC Service (vulnnet-internal server (Samba, Ubuntu))
I then ran smbclient \\\\10.10.98.192\\shares, and got the following output:
Enter WORKGROUP\kali's password: Try "help" to get a list of possible commands.smb: \> ls . D 0 Tue Feb 2 04:20:09 2021 .. D 0 Tue Feb 2 04:28:11 2021 temp D 0 Sat Feb 6 06:45:10 2021 data D 0 Tue Feb 2 04:27:33 2021 11309648 blocks of size 1024. 3278156 blocks available
In the temp folder, there was the following file:
smb: \temp\> ls . D 0 Sat Feb 606:45:102021 .. D 0 Tue Feb 204:20:092021 services.txt N 38 Sat Feb 606:45:092021
In the data folder, there was the following file:
smb: \data\> ls . D 0 Tue Feb 204:27:332021 .. D 0 Tue Feb 204:20:092021 data.txt N 48 Tue Feb 204:21:182021 business-req.txt N 190 Tue Feb 204:27:332021
Looking through the files, I found the flag for the services.txt:
I then ran a metasploit module auxiliary/scanner/rsync/modules_list. This is what I got from the result from it:
I then read this write-up and realized that I did not use the showmount command. I then followed the write-up to run showmeant -e IP_Address. I then got the following:
I then mounted the system to my machine:
Viewing through the files I came across some sort of password in the redis.conf file:
I then followed the same write-up to understand my next step. This was to use redis-cli in order to connect to the database and see what is there using the pasword we found earlier. I ran redis-cli -h 10.10.98.192 -a <requirepass_from_earlier> in order to login to the database. I then was able to find the flag for internal:
When I ran LRANGE authlist 1 20, I got the following:
The three values were the exact same, and seemed to be base64 encoded. I decoded it online and got the following:
So now we have to connect to rsync with this password:
There is a sys-internal directory that I ave to find a way to get access into. I followed the aforementioned write-up and ran the following commands (tweaked to work for me):
This allowed me to download the folder to my local drive. In that directory, I found the user.txt file:
I got stuck here, so I had to view the write-up again. I was meant to create an SSH keypair and upload it using rsync. So I ran the following commands:
For the previous step, I ended up getting stuck, and found this write-up that actually clarified the situation for me. This same write-up led me to run ss-tulpn to find out what ports were open. I used the same write-up to figure out we have to do port forwarding. In order to do this, I ran the following command: