TryHackMe Writeup: Internal Penetration Test

PwnPalace
7 min read · Jan 4, 2024


Challenge URL: https://tryhackme.com/room/internal

Testing started by associating the given IP address of 10.10.2.181 with the hostname internal.thm. This was done by editing the local machine's hosts file.

Next, I ran a port scan against the host. Two ports were reported as open: SSH and HTTP.

Ports 22 and 80 open

Since the nmap scan reported a web server, I visited the host with a browser and was presented with a generic Apache page. So I fuzzed directories with dirb to see if there were any live sites available. A WordPress blog was found. More interesting than that, though, was a wp-admin login page.

Blog found
wp-admin login found

Since I didn’t have any valid users, I started trying to brute force users by guessing the most common ones. Using “root” as the user, the error message “Unknown username. Check again or try your email address.” was returned. I then tried “admin” and got a different error stating “The password you entered for the username admin is incorrect”. This indicates that “admin” is a valid username. So a login request was captured and sent to Burp Intruder in an attempt to crack the password with the SecLists “rockyou.txt” file. When reviewing the results, one password resulted in a “302” redirect. That password was used and login as admin was successful.

Enumerating usernames
Password located with Burp Intruder
Admin dashboard
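The pattern described above (many POST /wp-login.php requests from one source that answer 200, then a single 302 once a password is accepted) is exactly what a defender can look for in the Apache access log. The following Python is an added example, not part of the original writeup; the log lines, IP addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the writeup).
# An Intruder-style run shows up as many POST /wp-login.php requests from one IP
# that answer 200 (login form re-rendered with an error) followed by one 302
# (redirect into wp-admin after the correct password was accepted).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215
10.0.0.5 - - [04/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215
10.0.0.5 - - [04/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4215
10.0.0.5 - - [04/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4215
10.0.0.5 - - [04/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [04/Jan/2024:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 60210
10.0.0.9 - - [04/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [04/Jan/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 60210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def analyse_wp_logins(log_text, threshold=3):
    """Return {ip: {"failed": n, "succeeded_after_failures": bool}} for every
    source IP whose failed wp-login.php POSTs reach `threshold`. A 302 that
    arrives after the threshold was hit means the guessing most likely worked."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        rec = stats[m["ip"]]
        if m["status"] == "200":        # form re-rendered: bad username or password
            rec["failed"] += 1
        elif m["status"] == "302":      # redirect to wp-admin: credentials accepted
            if rec["failed"] >= threshold:
                rec["succeeded_after_failures"] = True
    return {ip: rec for ip, rec in stats.items() if rec["failed"] >= threshold}


if __name__ == "__main__":
    for ip, rec in analyse_wp_logins(SAMPLE_LOG).items():
        print(ip, rec)
```

The 10.0.0.9 client logs in with one 302 and no failures, so it is not reported; only the guessing client is.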

While reviewing the admin dashboard, it was noted that there was a private post that was not revealed while visiting the blog page unauthenticated. The post had some interesting content. Namely, a set of credentials that could be used for later exploitation. <REDACTED>. Success!

Private post found
Credentials found in private post

Having noted that nmap had located an open SSH server earlier, I attempted to log into that with William’s creds. But no dice. I did however take that username and attempted to brute force SSH with Hydra. But that’ll take a while, so we will circle back. I continued exploring the wp-admin dashboard.

Attempting to log into SSH service
Setting up Hydra to run in the background

While perusing the site, it was determined that the server was running MySQL and PHP. Using that knowledge, I tried to find a spot to upload and execute a PHP webshell. First, using the media upload page, I tried to upload the shell. However, the file was rejected. I also discovered a “theme editor”. Within that editor, it was determined that I could add custom PHP code. However, the current theme didn’t allow for any changes. So I switched the active theme to the “twentyseventeen” theme, which gave me write access. I overwrote the code for the “404.php” file with the custom webshell from pentestmonkey and successfully saved it. I then opened a netcat listener, visited the theme page and VOILA!

Webshell rejected as media upload
Adding PHP webshell to theme “404” template
Spin up netcat to catch shell
Visiting theme 404 page to activate shell
Access granted
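The theme-editor step above leaves a clear trace on disk: a template file whose hash no longer matches the shipped theme and which suddenly calls socket and process functions. The following Python is an added example (not from the writeup) of a baseline-and-diff check for a theme directory; the theme layout, file contents and the list of suspicious PHP calls are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls a reverse shell or webshell needs; a theme's 404 template has no
# business calling any of them. The list is an assumption for this example.
SUSPICIOUS_RE = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval|base64_decode)\s*\("
)


def hash_tree(theme_dir):
    """Map each file path (relative to the theme) to its SHA-256 hex digest."""
    theme_dir = Path(theme_dir)
    return {
        str(p.relative_to(theme_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(theme_dir.rglob("*")) if p.is_file()
    }


def audit_theme(theme_dir, baseline):
    """Compare the live theme against a known-good baseline. Returns a list of
    (relative_path, reason, suspicious_calls) for added, modified or deleted
    files; suspicious_calls is only populated for added/modified .php files."""
    findings = []
    current = hash_tree(theme_dir)
    for rel, digest in current.items():
        if rel not in baseline:
            reason = "added"
        elif baseline[rel] != digest:
            reason = "modified"
        else:
            continue
        hits = []
        if rel.endswith(".php"):
            text = (Path(theme_dir) / rel).read_text(errors="replace")
            hits = sorted(set(SUSPICIOUS_RE.findall(text)))
        findings.append((rel, reason, hits))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "deleted", []))
    return findings


def demo():
    """Constructed scenario: baseline a clean theme, then overwrite 404.php the
    way the theme editor would, and audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "twentyseventeen"
        theme.mkdir()
        (theme / "404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        (theme / "style.css").write_text("/* Theme Name: Twenty Seventeen */\n")
        baseline = hash_tree(theme)
        # Inert stand-in for a tampered template (no working shell code here).
        (theme / "404.php").write_text("<?php fsockopen(); proc_open(); ?>\n")
        return audit_theme(theme, baseline)
```

Taking the baseline from a fresh copy of the theme and running the audit on a schedule turns this into a file-integrity alert; setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the theme and plugin editors altogether.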

The first thing I did was upgrade the current crappy shell to a fully interactive Python shell. Once I determined that Python was installed, I went ahead and executed a new pty shell.

Python version
Upgrading shell

Once in, I cat’d the contents of /etc/passwd to find other users. A user named aubreanna was the only one found. Interestingly, the user “William” we found earlier was not present. So we stopped the Hydra brute force that was running in the background, updated the username, and started the attack again. While this was running, we continued perusing the file system.

/etc/passwd contents
Hydra attack reset

I uploaded the LinPEAS Linux enumeration tool to the target machine and ran it. Several noteworthy pieces of information were found. This included WordPress DB creds!

WordPress DB creds

Can I use these creds to log into the phpMyAdmin page…

Do the creds work…
SUCCESS!

While interesting, the new database connection didn’t yield much useful information. However, the LinPEAS script that was run earlier found some unusual files. What happens if I cat them?

Unusual files found by LinPEAS
MORE CREDS!

Sweet. Maybe now I can SSH in with aubreanna’s creds.

SUCCESS!

Now let’s grab that first flag!

BOOM!

There was another interesting file in the directory with the flag. Could it be… Yes, another asset!

Jenkins located

I needed to pivot my traffic from my localhost into the internal machine in order to view this Jenkins server. So after setting up an SSH tunnel, I browsed to the asset. I was presented with a login screen. Now I need to brute force my way in.

SSH Dynamic tunnel
Jenkins server

With my SSH dynamic tunnel in place, I configured Burp Suite to use that tunnel so that I could capture the login request. Then, using the username “admin” and a fake password, I captured the request with Burp, sent it to Intruder, selected the password parameter, loaded rockyou as the wordlist, then launched the attack.

Burp Suite proxy settings
Captured request, with selected parameter to brute force

While fuzzing with Intruder, I noticed that one response was smaller than the rest. Assuming this was the password, I attempted to log into Jenkins.

Possible password?
VOILA! I’M IN!

Great, now that I’m in I need to peruse the site for anything useful. I found a script console that allows us to execute code on the server. Maybe we can find a reverse shell and get access to the server as a different user. Let’s give it a shot.

Groovy reverse shell code
Code inserted into console
Netcat listener to catch shell
Shell caught!

Great! I have a shell… But meh… It’s not interactive. So let’s fix that.

VOILA!

Now that I have a shell, let’s see if we can find any interesting text files. After searching the file system, one file stood out…

note.txt?

What’s in it?

Wait, what???? No way

Is this really the root password? Let’s SSH back in as aubreanna and give it a try.

YESSSSSSSSSSSSSS!!!!

Now all that was left was to read the flag and go have a beer!
