
TryHackMe Writeup: Internal Penetration Test

7 min read · Jan 4, 2024

Challenge URL: https://tryhackme.com/room/internal

Testing started by associating the given IP address, 10.10.2.181, with the hostname internal.thm. This was done by editing the local machine's hosts file.

Next, I ran a port scan against the host. Two ports were reported as open: SSH and HTTP.

[Image: Ports 22 and 80 open]

Since the nmap scan reported a web server, I visited the host with a browser and was presented with the default Apache page. So I fuzzed directories with dirb to see if any live sites were hosted there. A WordPress blog was found. More interesting than that, though, was a WP Admin login page.

[Image: Blog found]
[Image: wp-admin found]
[Image: Blog found]
[Image: wp-admin login found]

Since I didn't have any valid users, I started enumerating usernames by guessing the most common ones. Using "root" as the username returned the error message "Unknown username. Check again or try your email address." I then tried "admin" and got a different error: "The password you entered for the username admin is incorrect". This indicates that "admin" is a valid username. So a login request was captured and sent to Burp Intruder in an attempt to crack the password with the SecLists "rockyou.txt" wordlist. When reviewing the results, one password produced a "302" redirect instead of the usual "200" response. That password was used and login as admin was successful.

[Image: Enumerating usernames]
[Image: Password located with Burp Intruder]
[Image: Admin dashboard]
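From the defender's side, the username enumeration and Intruder run above leave a distinctive trace in the web server log: a burst of POSTs to wp-login.php that all return 200 (the form re-rendered with an error) and then a single 302 (the redirect to wp-admin on a correct password). The detector below is an added example, not part of the original writeup; the Apache log lines are constructed and the blog path `/blog/` is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields of an Apache "combined" access-log line that the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_wp_login_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs that POST to wp-login.php more than `threshold` times inside
    any `window_s`-second window. WordPress answers a bad password with a 200
    and a good one with a 302 to wp-admin, so a burst of 200s that ends in a
    302 is the signature of a guessed password, not just of an attempt."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                findings[ip] = {"attempts": end - start + 1,
                                "success": events[end][1] == 302}
    return findings

# Constructed sample: one client hammering the login form, one normal visitor.
SAMPLE_LOG = """\
10.10.14.7 - - [04/Jan/2024:10:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4531
10.10.14.7 - - [04/Jan/2024:10:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4531
10.10.14.7 - - [04/Jan/2024:10:00:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4531
10.10.14.7 - - [04/Jan/2024:10:00:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4531
10.10.14.7 - - [04/Jan/2024:10:00:05 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4531
10.10.14.7 - - [04/Jan/2024:10:00:06 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0
192.168.1.20 - - [04/Jan/2024:10:00:07 +0000] "GET /blog/ HTTP/1.1" 200 12044
""".splitlines()
```

Calling `detect_wp_login_bruteforce(SAMPLE_LOG)` flags the first client and marks the burst as successful because its last response was the 302.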

While reviewing the admin dashboard, it was noted that there was a private post that was not visible when visiting the blog unauthenticated. The post had some interesting content: namely, a set of credentials that could be used for later exploitation. <REDACTED>. Success!

[Image: Private post found]
[Image: Credentials found in private post]

Having noted that nmap had located an open SSH server earlier, I attempted to log into it with William's creds. But no dice. I did, however, take that username and attempt to brute force SSH with Hydra. That'll take a while, so we will circle back. Meanwhile, I continued exploring the wp-admin dashboard.

[Image: Attempting to log into SSH service]
[Image: Setting up Hydra to run in the background]

While perusing the site, it was determined that the server was running MySQL and PHP. Using that knowledge, I tried to find a spot to upload and execute a PHP web shell. First, using the media upload page, I tried to upload the shell. However, the file was rejected. I also discovered the "theme editor". Within that editor, it was possible to add custom PHP code. However, the current theme didn't allow any changes. So I switched the active theme to the "twentyseventeen" theme, which gave me write access. I overwrote the code of the "404.php" file with the pentestmonkey PHP reverse shell and successfully saved it. I then opened a netcat listener, visited the theme's 404 page and VOILA!

[Image: Webshell rejected as media upload]
[Image: Adding PHP webshell to theme "404" template]
[Image: Spin up netcat to catch shell]
[Image: Visiting theme 404 page to activate shell]
[Image: Access granted]
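The write path used above, editing a theme template from the dashboard, is something a site owner can both close and audit. The script below is an added example, not code from the writeup: it scans a themes directory for PHP files that reference shell-like functions (a 404 template has no reason to call `fsockopen` or `proc_open`) and checks whether wp-config.php sets `DISALLOW_FILE_EDIT`, which removes the theme and plugin editors entirely. The site layout it builds is a constructed fixture, and the function list is my own choice, not an exhaustive one.

```python
import os
import re
import tempfile

# Functions a PHP reverse/web shell typically needs; a theme template such as
# 404.php has no business calling any of them (list chosen for this example).
SUSPICIOUS = re.compile(r'\b(shell_exec|exec|system|passthru|proc_open|popen|'
                        r'fsockopen|eval|base64_decode)\s*\(', re.IGNORECASE)

def scan_theme_dir(themes_dir):
    """Walk every theme and return [(relative_path, [function names])]
    for PHP files that reference shell-like functions."""
    hits = []
    for root, _, files in os.walk(themes_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
            if found:
                hits.append((os.path.relpath(path, themes_dir).replace(os.sep, "/"), found))
    return sorted(hits)

def file_edit_disabled(wp_config_path):
    """True if wp-config.php turns the dashboard theme/plugin editor off,
    which is the hardening that blocks the edit-404.php route."""
    with open(wp_config_path, encoding="utf-8") as fh:
        return re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                         fh.read(), re.IGNORECASE) is not None

def build_sample_site():
    """Constructed fixture: one clean theme, one tampered 404.php, and a
    wp-config.php that still allows in-dashboard editing. Returns the site root."""
    base = tempfile.mkdtemp()
    themes = os.path.join(base, "wp-content", "themes")
    os.makedirs(os.path.join(themes, "twentyseventeen"))
    os.makedirs(os.path.join(themes, "twentytwenty"))
    with open(os.path.join(themes, "twentytwenty", "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?><h1>Not found</h1><?php get_footer(); ?>")
    with open(os.path.join(themes, "twentyseventeen", "404.php"), "w") as fh:
        fh.write("<?php $s = fsockopen($host, $port); $p = proc_open($cmd, $d, $pipes); ?>")
    with open(os.path.join(base, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_NAME', 'wordpress');\n")
    return base
```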

The first thing I did was upgrade the current crappy shell to a fully interactive one. Once I determined that Python was installed, I went ahead and spawned a new pty shell with it.

[Image: Python version]
[Image: Upgrading shell]

Once in, I cat'd the contents of /etc/passwd to find other users. A user named aubreanna was the only one found. Interestingly, the user "William" we found earlier was not present. So we stopped the Hydra brute force that was running in the background, updated the username, and started the attack again. While this was running, we continued perusing the file system.

[Image: /etc/passwd contents]
[Image: Hydra attack reset]

I uploaded the LinPEAS Linux enumeration script to the target machine and ran it. Several noteworthy pieces of information were found. This included WordPress DB creds!

[Image: WordPress DB creds]

Can I use these creds to log into the phpMyAdmin page? Do the creds work?

[Image: SUCCESS!]

While interesting, the new database connection didn't yield much useful information. However, the LinPEAS script that was run earlier had found some unusual files. What happens if I cat them?

[Image: Unusual files found by LinPEAS]
[Image: MORE CREDS!]

Sweet. Maybe now I can SSH in with aubreanna's creds.

[Image: SUCCESS!]

Now let's grab that first flag!

BOOM!

There was another interesting file in the same directory as the flag. Could it be… Yes, another asset!

[Image: Jenkins located]

I needed to pivot my traffic from my local host into the internal machine in order to view this Jenkins server. So after setting up an SSH dynamic tunnel, I browsed to the asset and was presented with a login screen. Now I needed to brute force my way in.

[Image: SSH dynamic tunnel]
[Image: Jenkins server]

With my SSH dynamic tunnel in place, I configured Burp Suite to proxy through that tunnel so that I could capture the login request. Then, using the username "admin" and a fake password, I captured the request with Burp, sent it to Intruder, selected the password parameter, loaded rockyou as the wordlist, and launched the attack.

[Image: Burp Suite proxy settings]
[Image: Captured request, with selected parameter to brute force]

While fuzzing with Intruder, I noticed that one response was smaller than the rest. Assuming this was the password, I attempted to log into Jenkins.

[Image: Possible password?]
[Image: VOILA! I'M IN!]

Great, now that I'm in I need to peruse the site for anything useful. I found a script console that allows us to execute Groovy code on the server. Maybe we can use it for a reverse shell and get access to the server as a different user. Let's give it a shot.

[Image: Groovy reverse shell code]
[Image: Code inserted into console]
[Image: Netcat listener to catch shell]
[Image: Shell caught!]

Great! I have a shell… But meh… It's not interactive, so let's fix that.

VOILA!

Now that I have a shell, let's see if we can find any interesting text files. Once we finished searching the file system, one file stood out…

[Image: note.txt?]

What's in it?

[Image: Wait, what???? No way]

Is this really the root password? Let's SSH back in as aubreanna and give it a try.

[Image: YESSSSSSSSSSSSSS!!!!]

Now all that was left was to read the flag and go have a beer!
