Try Hack Me: Internal Walkthrough

Yebberdog
7 min read · Sep 19, 2020


So I decided to do the Pen Testing Learning Path on Try Hack Me, and the Internal machine was in the list, so here we go:

Let's start with an Nmap scan to see which ports are open and what we are dealing with.

nmap -A -oN nmap-scan 10.10.1.54

So we have SSH running on port 22 and an Apache web server running on port 80. The web server is serving the default Apache 'It works' page. From the service banners we can also determine that the target is a Linux system running Ubuntu.

Port 80 Apache Web Server:

As per Nmap we have the default Apache landing page. Let's run Gobuster to see if there are any hidden files or directories.

gobuster dir -u http://internal.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60

Straight away we find some interesting directories: /blog, /wordpress and /phpmyadmin.

Navigating to /blog

From the /blog directory found by Gobuster we can conclude that this is a WordPress CMS. Using Wappalyzer for Firefox we can gain a lot of additional information:

So we are looking at WordPress version 5.4.2 on an Ubuntu system with an Apache 2.4.29 web server.

Let's run WPScan and see what we get:

wpscan --url http://internal.thm/blog -e

Using -e will

So we have a potential user 'admin'. Navigating to:

http://internal.thm/blog/wp-admin

By entering any password we can see that the login page effectively confirms the username 'admin': the error says the password is incorrect rather than that the user is unknown, which is a username-enumeration oracle.

Using WPScan, we can try to brute force the password with rockyou.txt.

wpscan --url http://internal.thm/blog -U 'admin' -P /usr/share/wordlists/rockyou.txt -t 25

WPScan finds a password for admin, meaning that we can log into the WordPress admin page:

Looking around the admin page we notice a ‘private’ post:

Navigating to this page shows some credentials:

Logging out of WordPress and trying the new credentials does not work, so I have to assume that this user is not registered on the WordPress site. I then tried to SSH in as the user, but again that did not work.

Reverse Shell:

Having admin access usually means we can plant a PHP reverse shell, either through a plugin such as 'Hello Dolly' or by modifying the code of one of the theme's template pages; I usually use the 404 page. My reverse shell of choice for WordPress is the one by Pentest Monkey; however, you could use msfvenom to create a Meterpreter reverse shell instead.

Edit the code and change the IP address and port to those of the attacking machine. In the WordPress admin section, navigate to 'Appearance' / 'Theme Editor' and choose the 404 Template from the Theme Files. Delete all the existing content and paste in the PHP reverse shell code.

Click Update File, then set up a listener on the attacking machine on the port you specified in the PHP reverse shell script. I am going to use pwncat as my listener.

Once the file has been updated, go back to the main site and navigate to a made-up page name. The resulting 404 executes the modified template and triggers the reverse shell.

We're in and have a low-privilege www-data shell. Let's explore further.

Navigating to the /home directory we see a user ‘aubreanna’ but we do not have sufficient privileges to access the directory.

Searching around all the directories, I came across an interesting file in /opt:

Interesting. Let's see if we can SSH in as aubreanna:

Yes, we are logged in as user 'aubreanna'; let's see if we can now access the home directory:

OK, so we have the user.txt file; we also notice that there is another file called 'jenkins.txt':

We can check this with netstat:

netstat -ano

So we have a Jenkins service listening on 172.17.0.2:8080. That is an address on the Docker bridge network, reachable only from the host itself, so we cannot hit it directly from our attacking machine. To get around this we can use an SSH tunnel, specifically local port forwarding with ssh -L, run from the attacking machine: it binds a port on our side and relays everything through the SSH session to 172.17.0.2:8080. Note that this needs no SSH server on the attacking machine; that is only required for a reverse tunnel (ssh -R) initiated from the target.

ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm

We can also see in the above screenshot that the login banner lists another IP address, 'IP address for docker0: 172.17.0.1', confirming that the target is the Docker bridge gateway and that 172.17.0.2 is a container running on it.
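The netstat-and-tunnel step above generalises: any LISTEN socket bound to loopback or to the Docker bridge range is a candidate for the same ssh -L trick. The script below is an added example, not part of the original walkthrough; it parses netstat-style output and prints one local-forward command per internal listener. The netstat lines are constructed to mirror the box (Jenkins on 172.17.0.2:8080, plus an assumed loopback-only MySQL), and the SSH user and host are taken from the walkthrough.

```shell
#!/usr/bin/env bash
# Added example: find listeners that are only reachable from the host and
# emit the matching "ssh -L" local port forward for each.

# Constructed "netstat -tln" style output (not captured from the box).
# Column 4 is the local address, column 6 the socket state.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.2:8080         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# internal_listeners: read netstat output on stdin, print "addr port" for
# LISTEN sockets bound to loopback (127.0.0.0/8) or to 172.16.0.0/12, which
# covers the Docker default bridge (172.17.0.0/16). Wildcard binds
# (0.0.0.0, ::) are already reachable from outside and are skipped.
internal_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            print addr, port
    }'
}

# suggest_forwards USER HOST: one "ssh -L" per internal listener, binding the
# same port number on the attacking machine's loopback interface.
suggest_forwards() {
    user="$1"; host="$2"
    internal_listeners | while read -r addr port; do
        printf 'ssh -L %s:%s:%s %s@%s\n' "$port" "$addr" "$port" "$user" "$host"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_forwards aubreanna internal.thm
```

On a live box you would feed it the real output (`netstat -tln | suggest_forwards aubreanna internal.thm`, or `ss -tln` reformatted to the same columns); each printed command opens a tunnel you can then browse on 127.0.0.1:PORT.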

From here we can open our browser and navigate to:

127.0.0.1:8080

According to a quick Google search the default Jenkins login is admin:admin. Unfortunately that does not work, but we can try brute-forcing the password with, for example, Hydra or ZAP. To start with, let's capture the login request and its headers. Again, you can use Burp or ZAP to do this.

To brute force the password I will use Hydra; I could have used the fuzzer in ZAP, but could not be bothered to check through the response times.

Using the captured request we can construct the brute force attack with Hydra's http-post-form module. OK, it is a long one:

hydra -l admin -P /usr/share/wordlists/rockyou2.txt -s 8080 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V -f

We have the password, so let's log into Jenkins, and we are in.

To exploit this we will run a Groovy script in the Jenkins Script Console, which can be accessed through the 'Manage Jenkins' menu.

Click on the ‘Script Console’

The Groovy Reverse Shell can be downloaded from:

Simply change the IP and port to those of the attacking machine, set up a Netcat listener and hit 'Run':

nc -lnvp [PORT]

We are logged in as user jenkins. Let's upgrade our shell for more functionality:

python -c 'import pty;pty.spawn("/bin/bash")'

Background the session with Ctrl-Z.

Enter:

stty raw -echo;fg

And press enter until you are back into a fully interactive TTY shell.

OK, we still need to escalate our privileges to root, so more enumeration. As with the last privesc, enumeration only involved searching through directories for readable notes; heading to /opt as last time, we again see a note:
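Both privilege escalations on this box (the wp-save.txt note in /opt found from the www-data shell, and the second note in /opt found from the jenkins shell) came from the same manual step: walk the interesting directories and read whatever looks like a credential note. The script below is an added example, not part of the original walkthrough, that turns that step into a repeatable function. The directory list and keyword pattern are assumptions, and the sample tree built by demo_hunt is constructed for illustration; the real note contents are not reproduced.

```shell
#!/usr/bin/env bash
# Added example: hunt for credential-looking lines in readable files.
# Requires GNU find (-readable) and GNU grep (-I), as found on Ubuntu.

# hunt_creds DIR... : print FILE:LINE:TEXT for every readable regular file
# under the given directories whose lines mention common credential words.
# Binaries are skipped (grep -I) and files over 1 MiB are ignored to keep
# the run fast on a shared box.
hunt_creds() {
    find "$@" -xdev -type f -readable -size -1024k 2>/dev/null |
    while IFS= read -r f; do
        grep -HIin -E 'passw(or)?d|credential|secret|api[_-]?key' "$f" 2>/dev/null || true
    done
}

# demo_hunt: build a throwaway tree that mimics the box layout, run the
# hunt over it and clean up. The file contents are constructed, not copied
# from the machine.
demo_hunt() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt" "$tmp/home/aubreanna"
    # Constructed stand-in for the kind of note that sat in /opt.
    printf 'Note for later: the ssh password for aubreanna is example-only\n' > "$tmp/opt/wp-save.txt"
    # Constructed stand-in for jenkins.txt: no credential keywords, so it is
    # not reported even though it is readable.
    printf 'Jenkins listens on 172.17.0.2:8080 inside docker\n' > "$tmp/home/aubreanna/jenkins.txt"
    printf 'nothing to see here\n' > "$tmp/opt/readme"
    hunt_creds "$tmp/opt" "$tmp/home"
    rm -rf "$tmp"
}

# Stand-alone run over the constructed tree.
demo_hunt
```

On a real target you would call it as `hunt_creds /opt /home /var/backups /tmp /var/www`; add `/etc` once you have a user with broader read access. Widening the keyword list (ssh, login, token) trades more hits for more noise.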

So we have root credentials. Initially I thought I could simply su root, but this did not work, so time to SSH in as root with the new credentials:

And we have the root.txt.

Again, I really enjoyed the diversity of this box. The Jenkins section was very similar to the Jenkins machine on HTB; however, I loved the SSH tunnelling method.
