TryHackMe — Internal: a diary.

mrZud0k0rn
9 min read · Mar 7, 2021


Disclaimer: All my posts are intended as my personal notes; any methodologies, tools or approaches you can suggest are most welcome! :)

So now I've come to the last room under the Advanced Exploitation section of the 'Offensive Path' from TryHackMe.

The previous room, Relevant, was pretty exhausting for me, so I decided to do a much easier room called "Basic Pentesting", which I also enjoyed a lot. Then I started the inevitable: cracking Internal to root…

Reading the first part of the challenge, I needed to put the machine's IP in my /etc/hosts file, which I did.

I started by running AutoRecon by Tib3rius. This will take an hour or more, depending on the number of open ports, so it is at the top of my to-do list when doing a CTF or a pentest, if I may say so.

autorecon internal.thm

AutoRecon is a great tool; it always makes my life easy. It is a collection of the commands and scripts that you would usually run manually, and it is also configurable. I'll write about it when I have time to do so.

After that, I also ran masscan, just to discover all open ports from 1 to 65535.

masscan -e tun0 -p1-65535 --interactive internal.thm

Based on my experience running masscan, it is much faster than an nmap port scan; perhaps I should drop the nmap port scan now. Going back through my notes, I also remembered that I was using Threader3000 by The Mayor; I used it on my first write-up, Kioptrix Level 1. I think that I have my proper tools ready now, which are:

  1. AutoRecon by Tib3rius
  2. masscan
  3. nmap service/detailed scan
  4. Threader3000 by The Mayor

I think these four tools are enough to give me all available ports and help me get my initial low-level shell on some of my target machines. I'm excited to write about the combination of these four great hacking tools!

I also ran an nmap service scan against Internal; by then I had the result from masscan, while AutoRecon was still up and running.

ENUMERATION FOR INITIAL LOW LEVEL SHELL.

I expected that I would get a service shell, since the room is rated hard. (It is!)

So from my initial enumeration, I got the following:

  1. Port 80, which runs Apache httpd 2.4.29 ((Ubuntu))
  2. Port 22, which runs OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) — which is pretty secure for now.

I also read the results of AutoRecon and found out the following.

gobuster's hidden directories are:

result of gobuster, run from AutoRecon

nikto's result is:

nikto's result, run from AutoRecon

So right now I've got two login pages, phpadmin and wp-login.php. Based on my experience, I've had more success generating a reverse shell from inside the WordPress admin page. However, I need to thoroughly enumerate each page.

I tried default credentials on both pages, such as admin:admin, admin:password, admin: (empty password), root:root and root:password. However, I had no success.

I also tried an SQL bypass on both login pages. However, I got the same result.

I also noticed that the WordPress login page gives a hint about which users exist. When I tried admin with a wrong password, it returned that the password for admin is incorrect.

In comparison, when I used a non-existent user, like asdf:asdf, it returned that my credentials are unknown.
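The two different error messages above are a username oracle: the application tells the client whether the account exists before the password is even checked. As an added example (not code from the post or from WordPress), the Python below models a login handler in the leaky form and in a hardened form that returns one message and does the same hashing work whether or not the user exists, plus the audit check that distinguishes them. The user store, salt and messages are constructed for this example; the wording only imitates what the post describes.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2 hash). Example data only,
# not the room's credentials. 10_000 iterations keeps the example quick.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"example-salt-0123"
USERS = {"admin": (_SALT, _hash(_SALT, "correct horse battery staple"))}

# Dummy entry so unknown usernames cost the same hashing work as real ones
# (removes the timing side of the oracle as well as the message side).
_DUMMY = (_SALT, _hash(_SALT, "dummy-password-never-accepted"))


def login_verbose(username: str, password: str):
    """Leaky handler: the message reveals whether the username exists."""
    if username not in USERS:
        return False, "Unknown username. Check again or try your email address."
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(salt, password), stored):
        return True, "Welcome"
    return False, f"The password you entered for the username {username} is incorrect."


def login_uniform(username: str, password: str):
    """Hardened handler: identical message and identical work for unknown users
    and wrong passwords; the existence check is applied after the hash compare."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), stored) and username in USERS
    return ok, ("Welcome" if ok else "Invalid username or password.")


def leaks_username(handler) -> bool:
    """Audit: does a wrong password for a real account produce a different
    response than a login attempt for an account that does not exist?"""
    _, real_user_msg = handler("admin", "wrong-password")
    _, fake_user_msg = handler("asdf", "asdf")
    return real_user_msg != fake_user_msg


if __name__ == "__main__":
    print("verbose handler leaks usernames:", leaks_username(login_verbose))
    print("uniform handler leaks usernames:", leaks_username(login_uniform))
```

The audit function is the part worth keeping: it is the same comparison a tester makes by hand (real user + wrong password versus unknown user), so it can run in a test suite every time the login page changes.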

So we have admin as a username, but I need to look for a possible password. I started by running wpscan against my target.

wpscan --url http://internal.thm/blog --enumerate u

And it confirmed that admin is a valid username. I checked for comments on the blog and the admin page; however, I couldn't find a clue or combination that I could use as a password.

Right now I have no other choice but to try to brute force my way in, and hopefully I'll get lucky this time. So I ran a wpscan brute force.

wpscan --url http://internal.thm/blog/wp-login.php --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 10

The best feeling ever. I was lucky enough to find my way inside this vulnerable machine. So I immediately logged in, and my first thought was how to gain my initial low-level shell.
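From the defender's side, a wpscan password attack like the one above is very loud in the web server log: one source IP posting to wp-login.php many times per minute, each failure answered with a 200 (WordPress re-renders the form) and the eventual success with a 302 redirect. As an added example, not part of the post, the Python below parses Apache combined-log lines and flags a source that exceeds a failure threshold inside a sliding window, noting whether a success followed the burst. The log lines are constructed for this example; the threshold, window and the 200/302 heuristic are assumptions you would tune to your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample: a password attack from 10.0.0.5,
# one ordinary visitor (10.0.0.9) and one genuine typo (10.0.0.7).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2021:10:15:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.5 - - [07/Mar/2021:10:15:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.5 - - [07/Mar/2021:10:15:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.9 - - [07/Mar/2021:10:15:10 +0000] "GET /blog/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Mar/2021:10:15:12 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.7 - - [07/Mar/2021:10:15:20 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Mar/2021:10:15:31 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.5 - - [07/Mar/2021:10:15:45 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3.8.14 (https://wpscan.org/)"
10.0.0.5 - - [07/Mar/2021:10:16:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.14 (https://wpscan.org/)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict for a combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(log_text: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with >= threshold failed wp-login.php POSTs inside any
    `window`. Heuristic: 200 on POST = failed login (form re-rendered),
    302 on POST = successful login (redirect to wp-admin)."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        # Sliding window: largest number of failures within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,
                "success_seen": any(status == 302 for _, status in events),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The status-code heuristic is the caveat: plugins that customise the login flow, or a reverse proxy that rewrites redirects, change what failure and success look like, so confirm the pattern on your own site before alerting on it. Grouping by source IP alone also misses a distributed attack; a second pass keyed on the target username in the POST body (not present in the access log) would need the application's own log.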

I found an article online that gives a step-by-step approach to exploiting WordPress and getting a reverse shell.

So I started my listener and edited the 404.php page of my target's theme. Once I updated the file, I accessed the 404 page directly and, as expected, it gave me my initial reverse shell.

../wordpress/wp-content/themes/twentyseventeen/404.php

So, as expected, I was in a www-data shell. I tried a quick sudo -l but it failed. I immediately uploaded my three Linux enumeration scripts to the server:

LinEnum.sh, linpeas.sh and lse.sh…

Nothing stood out for me. I was looking for strings like username or pass/password, but it seems that would be a giveaway if it happened. I also checked for cron jobs… but nothing. I checked for SUID or SGID binaries, but it seems those were secured.

So I read through the script output thoroughly and noticed that there are three internal ports that didn't show up in my initial scans. I can use port forwarding and check those services from my Kali. Port 8080 is HTTP, port 3306 is the default for MySQL, and port 38139 is a port I am not familiar with that may or may not be useful.

I used SSH tunnelling to forward the services back to my Kali.

ssh -R <kali.Port>:localhost:<internalPort> root@<kali.IP>
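The three ports above were only visible from inside the box because they are bound to the loopback address, which is exactly the gap between an external port scan and what the host is really serving. As an added example (not code from the post or from any of the enumeration scripts), the Python below parses `ss -tlnp` style output, works out which ports are bound only to loopback addresses, and lists listeners that never appeared in the external scan. The `ss` output and the scanned-port set are constructed for this example; the column layout assumed is the standard one from iproute2, and `netstat -tlnp` output would need its own column mapping.

```python
import re

# Constructed `ss -tlnp` output. Includes the address forms ss actually prints:
# wildcard (0.0.0.0, *, [::]), IPv4 loopback, and a %interface suffix.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1000,fd=3))
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=500,fd=13))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1200,fd=30))
LISTEN  0       50      127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=1500,fd=5))
LISTEN  0       128     127.0.0.1:38139      0.0.0.0:*
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=900,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=1000,fd=4))
"""

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def split_addr_port(local: str):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); '[::]:22' -> ('[::]', 22);
    '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    addr, _, port = local.rpartition(":")
    addr = addr.split("%", 1)[0]  # drop the interface scope suffix
    return addr, int(port)


def is_loopback(addr: str) -> bool:
    return addr.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str):
    """Yield one dict per LISTEN row: bound address, port, owning process (if shown)."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_addr_port(cols[3])
        m = re.search(r'\(\("([^"]+)"', line)  # process name inside users:(("name",...
        listeners.append({"addr": addr, "port": port, "proc": m.group(1) if m else None})
    return listeners


def classify_ports(output: str) -> dict:
    """port -> {'loopback_only': bool, 'procs': set}. A port is loopback-only
    when every socket on it is bound to a loopback address."""
    by_port = {}
    for l in parse_ss(output):
        entry = by_port.setdefault(l["port"], {"loopback_only": True, "procs": set()})
        if not is_loopback(l["addr"]):
            entry["loopback_only"] = False
        if l["proc"]:
            entry["procs"].add(l["proc"])
    return by_port


def internal_only_ports(output: str) -> list:
    """Ports reachable from the host itself but not from the network."""
    return sorted(p for p, e in classify_ports(output).items() if e["loopback_only"])


def unscanned_listeners(output: str, scanned_ports) -> list:
    """Listening ports (on any address) that the external scan did not report."""
    return sorted(set(classify_ports(output)) - set(scanned_ports))


if __name__ == "__main__":
    print("loopback-only:", internal_only_ports(SAMPLE_SS))
    print("not in external scan:", unscanned_listeners(SAMPLE_SS, {22, 80}))
```

Run on a real host, `unscanned_listeners` is a quick audit of the difference between what the perimeter sees and what the box actually exposes; a port that is loopback-only and owned by an unexpected process (the 38139 row with no process shown here) is the kind of thing that deserves a closer look on either side of the engagement.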

I scanned them one by one to get an idea of what service I was dealing with. So, on port 8080, which I forwarded to port 8001:

I got a Jetty 9.4.30 v20200611 service; I noted this one…

For port 3306, which I forwarded to port 8888:

There was MySQL 5.7.31. I wonder if I can get some credentials here to use on port 8080?

Then port 38139, which I forwarded to port 9001:

???? Perhaps I can skip enumerating this one.

Enumerating internal port 8080.

I found Jenkins running here.

I tried to use the credentials I had found previously, but no go. I also tried an SQL bypass injection, but still a no.

I searched for the Jenkins version and found it in the /oops directory.

It was Jenkins 2.250.

I searched searchsploit and Google; however, I ended up with nothing.

It was time to enumerate my second port, which is MySQL. For this service, the most I can do is try to log in with the credentials I found and possibly default creds; however, still no go….

From here, I decided to take a break, and will re-enumerate starting from the credentials that I have.

  1. I can log in to the WordPress login page using the creds admin:my2boys.
  2. I can get a reverse shell from inside WordPress, which gives me a low-level service shell.
  3. From inside the server, I can set up an SSH tunnel to reach the internal ports — which is a dead end for me for now.

So I re-enumerated the machine starting from the WordPress application, and here I found an unpublished article.

Nice! Another set of credentials I can use on the internal ports. I continued to walk through the WordPress application but did not find any other interesting findings.

It’s time to enumerate the server…

I will try to re-enumerate my target server beyond what the scripts gave me, since I got nothing but the internal ports so far. My strategy here is to visit the most common directories and look for odd or interesting files…

Walking through the server, I found an interesting file inside the /opt directory.

Great! User credentials! I can now su to that user and run the scripts again.

I switched to the user and transferred my privesc scripts again.

After running the scripts, I got nothing again but the internal listening ports. So I decided to carefully check my privileges.

Since my user is in the 'adm' group, I could read the authentication logs. So I went to /var/log and read auth.log.

I noticed that the user had touched a file in the /etc/wordpress directory, so I decided to take a look at that file.

I found another set of credentials lying around.

Now that we have enough credentials, we can try using them against the Jenkins login page.

So what I was planning was this: I would try all the credentials on hand, and if none worked, I would try to brute force my way in using hydra.

I set up my SSH tunnel again and forwarded internal port 8080 to my Kali on port 8001.

I accessed Jenkins and set up Burp to intercept the login request.

I tried all the credentials I had found but was still empty-handed against this Jenkins!

So I had nothing left again but to perform brute forcing… I just wonder what others would do before resorting to brute force???

I set up my hydra: intercepted the request, copied the URL and the POST body. I also copied the error message it returns when the login fails.

So after some time, it hit the mark! I got in! Silly Mayor, who would have thought of this password… *laughing.inside*

I immediately logged in to the Docker container, and the first thing that came to mind was to search for .txt files, like what Mayor did on the target machine.

I found another interesting file, called note.txt, and opening it gave me the root credentials for the target machine.

I went back to my target machine and su'd to the root user.

And finally cracked the box!!!

Takeaways:

  1. Manual enumeration is important; don't rely on scripts, especially when information or credentials are hidden without cue words like user, username, pass or password.
  2. Know when to brute force and when to look for credentials. Brute forcing is like a blow at the moon ("suntok sa buwan"): it may or may not hit, and in a time-limited environment, with a large dictionary as your password list, it may eat up all your time.
  3. Be mindful of internal services; these are services that are not exposed to the outside. Most of the time you can find them by running a network command, or they are included in the output of the scripts.

I really had fun doing this box; credits to The Mayor and my colleague who nudged me onto the Relevant and Internal boxes.
