[THM] Internal

This room was created by The Mayor and is rated as hard. It was a fun room which has two ways to be solved. Let’s dive in.

Enumeration

Kick it off with an initial Nmap scan.

NMap Scan

Checking port 80 shows only the default Apache page, so I used GoBuster to brute-force directories.

GoBuster results

A little brute-force

Taking a look at the blog directory, it turns out to be a WordPress site. WPScan and CMSmap don't turn up anything interesting. There is one user visible on the blog, admin. Use WPScan to brute-force that user's password.

Successfully brute-forcing the admin user

Once the password is found, log in to the admin panel. Looking through the posts, there is a private one which contains a username and password.

Username and pass found

Trying to connect over SSH with those credentials fails. I wrote a simple bash script to create a wordlist of arnold followed by the numbers 1 to 999 and used it to brute-force SSH.

Bash script

I sent the output to a text file and tried logging in over SSH with it. No success.

Gaining initial access

After a little research it turned out that you can edit the theme's 404 file from the admin panel. To do that go to Appearance, Theme Editor and select the 404.php file on the right-hand side. Paste your PHP reverse shell into it and click Update File.

Editing the 404 file

To trigger the reverse shell and gain initial access, start a listener and navigate to: http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php.

Receiving the connection

Running LSE on the target system shows there is a service listening on port 8080.

Internal service

I ran pysoxy on the target machine to start a SOCKS5 server there, so that I could reach the service listening on port 8080.

Downloading and running pysoxy

I configured the FoxyProxy add-on for Firefox to go through that SOCKS server so I could reach the service on port 8080. The FoxyProxy configuration looks like this:

FoxyProxy configuration

Note: The IP is that of the target machine, which is running our SOCKS server; the port is 9050 by default, but you can change it if you want to.

Horizontal privilege escalation

Once the FoxyProxy settings are done, activate the proxy and browse to 127.0.0.1 (localhost) on port 8080. There is a Jenkins instance running there.

I tried the default username (admin) and a few common passwords with no success.

I configured proxychains so I could route my traffic through the SOCKS server and brute-force the login panel.

Proxychains configuration

Use hydra through proxychains to brute-force the login panel:

proxychains4 -q hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username and password" -t 16
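From the defender's side, the WPScan attack on the blog, the theme-editor edit of 404.php and the hydra attack on the Jenkins login all leave a recognisable trail in web server logs. This is an added example, not part of the original write-up: a small Python detector that reads combined-format access log lines, raises an alert when one client sends a burst of POSTs to a login endpoint, and flags any successful POST to the WordPress theme editor. The log lines are constructed for the example; the endpoint paths and the theme-editor path are assumptions and may differ by WordPress/Jenkins version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# Endpoints used in this box (assumed paths): WordPress login, Jenkins form login,
# and the WordPress theme editor that was used to modify 404.php.
LOGIN_PATHS = {"/blog/wp-login.php", "/j_acegi_security_check"}
EDITOR_PATH = "/blog/wp-admin/theme-editor.php"

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?")[0]  # drop query string
    return ev

def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return a list of (ip, message) alerts found in the given log lines."""
    alerts, fired = [], set()
    recent = defaultdict(list)  # ip -> timestamps of recent login POSTs
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] in LOGIN_PATHS:
            hits = recent[ev["ip"]]
            hits.append(ev["ts"])
            while hits and ev["ts"] - hits[0] > window:  # slide the window
                hits.pop(0)
            if len(hits) >= threshold and ev["ip"] not in fired:
                fired.add(ev["ip"])
                alerts.append((ev["ip"], f"login brute force against {ev['path']}"))
        elif ev["path"] == EDITOR_PATH and ev["status"] in (200, 302):
            alerts.append((ev["ip"], "theme file modified via wp-admin theme editor"))
    return alerts

# Constructed sample: 12 rapid login POSTs, one theme-editor save, one benign GET.
SAMPLE_LOG = [
    f'10.10.14.5 - - [20/Aug/2020:10:00:{i:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4312'
    for i in range(12)
] + [
    '10.10.14.5 - - [20/Aug/2020:10:05:30 +0000] "POST /blog/wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '192.168.1.20 - - [20/Aug/2020:10:06:00 +0000] "GET /blog/ HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    for ip, msg in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {msg}")
```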

Successful hydra attack

Log into the Jenkins instance and go to the script console. I used a reverse shell script from here (the Linux version).

Reverse shell

Configure the reverse shell with your IP and a port, start a listener on your machine and run the script.

Receiving the connection

Privilege escalation

I ran Linux Smart Enumeration (LSE) and it showed that the user was running inside a Docker container.

LSE output

I started to enumerate the system further. While searching for a number of file extensions that might help me, I came across a text file.

Finding the file

Viewing the content of the file reveals a username and password.

File content

Using those credentials you can gain access to the admin user (root).

Gaining root

You can now grab the root & user flags.

Note: I know there is another way in which you should find another text file which contains the second user, proxy the traffic using SSH to the Jenkins instance, get access to the third user and then find the other file to gain root. However this is how I solved the box since at first I didn't find the first text file :).

Hope you enjoyed the write-up and learned something new.