Try Hack Me: Internal Walkthrough

So I decided to do the Pen Testing Learning Path with Try Hack Me and the Internal machine was in the list, so here we go:

Let’s start with an Nmap scan to see what port are open and what we are dealing with.

nmap -A -oN nmap-scan 10.10.1.54

So we have ssh running on port 22 and an Apache web server running on port 80. Looking at the above the web server is showing the standard Apache web page ‘It Works’. From the above we can also determine that we are working with a Linux system running Ubuntu.

Port 80 Apache Web Server:

As per Nmap we have the standard Apache landing page. Let’s run Gobuster to see if there are any hidden files or directories.

gobuster dir -u http://internal.thm -w usr/wordlist/dirbuster/directory-list-2.3-medium.txt -t 60

Straight away we find some interesting directories: /blog, /wordpress and /phpmyadmin.

Navigating to /blog

From the Gobuster site we can conclude that this is a CMS running wordpress. Using Wappalyzer for Firefox we can gain a lot of additional information:

So we can see that we are running Wordpress Version 5.4.2 on a Ubuntu system with an Apache 2.4.29 web server.

Let’s run a wpscan and see what we get:

wpscan --url http://internal.thm/blog -e

Using -e will

So we have a potential user ‘admin’, navigating to:

http://internal.thm/blog/wp-admin

We can see by entering any password that the login page basically confirms the username ‘admin’ and that the password is incorrect.

Using wpscan, we can see if we can brute force the password using the Rockyou.txt file.

wpscan --url http://internal.thm/blog -u 'admin' -P /usr/share/wordlist/rockyou.txt -t 25

Wpscan finds a password for admin, meaning that we can log into the Wordpress Admin page:

Looking around the admin page we notice a ‘private’ post:

Navigating to this page shows some credentials:

Logging out of Wordpress and trying the new credentials does not work, so I have to assume that this user is not registered on the Wordpress site. I then tried to ssh in as the user, but again that did not work.

Reverse Shell:

Having access to the admin usually means installing a php reverse shell, which can be done either through a Plugin such as ‘Hello Dolly’ or by modifying the code on one of the template pages, I usually use the 303 page. The reverse shell of choice for me with Wordpress is that one by Pentest Monkeys; however, you could use MSVENOM to create a Meterpreter Reverse Shell.

Edit the code and change the IP address and port to that of the attaking machine. In the Wordpress admin section, navigate to ‘Appearance’ / ‘Theme Editor’ and choose the 404 Template from the Theme Files. Delete all the information and copy and paste the php reverse shell code.

Update File and then setup a listener on the attacking machine on the port you specified in the php reverse shell script. I am going to use Pawncat as my listener.

Once the page has been updated, go back to the main site and navigate to a made up page name. This should activate the reverse shell due to a 404 error.

Were in and haven a low level www-date shell. Let’s explore further.

Navigating to the /home directory we see a user ‘aubreanna’ but we do not have sufficient privileges to access the directory.

Searching around all the directories, I came across an interesting file in /opt:

Interesting, let’s see if we can ssh in as aubreanna:

Yes, we are logged in as user ‘aubreanna’, let’s see if we can now access the /home directory:

OK, so we have the user.txt file, we also notice that there is another file called ‘jenkins.txt’:

We can check this with Netstat:

netstat -ano

So we have a Jenkins service running on 172.17.0.2:8080. As this is running on an internal port we cannot access it from our attacking machine. To get around this we can use a reverse ssh or ssh tunnel as it is also known. We can do this from the attacking machine using the ssh -L function; however, first make sure ssh is running on the attacking machine.

ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm

We can see in the above screen shot that we now have another IP address showing ‘IP address for docker0: 172.17.0.1’

From here we can open our browser and navigate to:

127.0.0.1:8080

The standard default login details according to Google for Jenkins are admin:admin, unfortunately this does not work but we can trying fuzzing the password using for example Hydra or Zap. To start with lets capture the request / header. Again you can use Burp or Zap to do this.

To brute force the password I will use Hydra; however, I could have used the fuzzer on Zap, but could not be bothered to check through the response times.

Using the above information, we can start to construct the brute force attack using the http-post-form on Hydra, OK it a long one:

hydra -l admin -P /usr/share/wordlists/rockyou2.txt -s 8080 127.0.0.1 http-post-form “/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password” -V -f

We have the password, so lets log into Jenkins, and we are in

To exploit this we will run a Groovy script using Jenkins Script Console that can be accessed through ‘Manage Jenkins’ menu.

Click on the ‘Script Console’

The Groovy Reverse Shell can be downloaded from:

Simply change the IP and Port to the attacking machine and setup a Netcat listener and hit ‘Run’

nc -lnvp [PORT]

We are logged in as user jenkins. Let upgrade our shell for more functionality:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Background the session using Ctrl Z

Enter:

stty raw -echo;fg

And press enter until you are back into a fully interactive TTY shell.

OK , we still need to escalate our privileges to Root, so more enumeration. Enumeration like the last privesc only involved searching through directories for information, so heading to the /opt as last time we again see a note:

So we have root credentials. Initially I thought I could simply su root, but this did not work, so time to ssh in as root with the new credentials:

And we have the root.txt.

Again, I really enjoyed the diversity of this box. The Jenkins section was very similar to the Jenkins machine on HTB; however, I loved the reverse ssh method.

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yebberdog

Yebberdog

More from Medium