This room was created by The Mayor and is rated as hard. It was a fun room which has two ways to be solved. Let’s dive in.
Enumeration
Kick it off with an initial Nmap scan.

Upon checking port 80 there is only the default Apache page. I used Gobuster to brute-force the directories.

A little brute-force
Taking a look at the blog directory, it seems to be a WordPress website. WPScan and CMSMap don't point out anything interesting. There was a user that you could see on the blog and that was admin. Use WPScan to brute-force the user.

Once the password is found, log in to the admin panel. Taking a look through the posts, there is a private one which contains a username and password.

Trying to connect to SSH fails. I made a simple bash script to create a wordlist using arnold + numbers from 1 to 999 and brute-force SSH.

I sent the output to a text file and tried logging in SSH. No success.
Gaining initial access
After a little research it seemed that you can edit the 404 file of the theme. To do that, go to Appearance, Theme Editor and select the 404.php file on the right side. Copy and paste your PHP reverse shell and click on Update file.

To access the reverse shell and gain initial access create a listener and navigate to: http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php.
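
From the defender's side, both WordPress steps above (the login brute-force and the request for the edited 404.php) leave traces in the web server's access log. The following is an added example, not part of the original write-up: it assumes Apache's combined log format and a hypothetical burst threshold, and it runs on constructed log lines that use documentation IP addresses.

```python
import re
from collections import Counter

# Apache "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Theme templates are normally included by WordPress itself; a client
# requesting one by URL is unusual and worth reviewing.
THEME_PHP = re.compile(r'/wp-content/themes/[^/]+/[^?]*\.php(\?|$)')
LOGIN_PATHS = ('/wp-login.php', '/xmlrpc.php')
LOGIN_BURST = 5  # assumed threshold: login POSTs per client in one log

def make_line(ip, method, path, status):
    """Build one constructed combined-format line for the sample."""
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "sample-agent"')

# Constructed sample data (documentation IP ranges), not from the room.
SAMPLE = (
    [make_line('198.51.100.20', 'GET', '/blog/', 200),
     make_line('198.51.100.20', 'POST', '/blog/wp-login.php', 302)]
    + [make_line('203.0.113.7', 'POST', '/blog/wp-login.php', 200)] * 6
    + [make_line('203.0.113.7', 'GET',
                 '/blog/wp-content/themes/twentyseventeen/404.php', 200),
       'not a log line']
)

def analyse(lines, burst=LOGIN_BURST):
    """Return (direct theme-PHP requests, clients with login bursts)."""
    direct_hits, login_posts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not combined-format entries
        path = m['path']
        if THEME_PHP.search(path):
            direct_hits.append((m['ip'], path, m['status']))
        if m['method'] == 'POST' and path.split('?')[0].endswith(LOGIN_PATHS):
            login_posts[m['ip']] += 1
    noisy = {ip: n for ip, n in login_posts.items() if n >= burst}
    return direct_hits, noisy

if __name__ == '__main__':
    hits, noisy = analyse(SAMPLE)
    for ip, path, status in hits:
        print(f'direct theme PHP request: {ip} {path} -> {status}')
    for ip, count in noisy.items():
        print(f'login burst: {ip} sent {count} login POSTs')
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the Theme Editor that this step relies on.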

Running LSE on the target system shows us there is a service running on port 8080.

I used pysoxy on the target system to create a SOCKS5 server on the target machine and be able to reach out to the service running on port 8080.

I edited the FoxyProxy add-on for Firefox to be able to connect to the service running on port 8080. The FoxyProxy configuration looks like this:

Note: The IP is the IP of the target machine which is running our socks server and the port is 9050 by default but you can change the port if you want to.
Horizontal privilege escalation
Once the FoxyProxy settings are done, activate the proxy and connect to 127.0.0.1 (localhost) on port 8080. There is a Jenkins instance running.
I tried the default username (admin) and a few common passwords with no success.
I configured proxychains so I can route my traffic and be able to brute-force the login panel.

Use hydra to brute-force the login panel:

proxychains4 -q hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username and password" -t 16

Log into the Jenkins instance and go to the script console. I used a reverse shell from here (I used the Linux rev shell).

Configure the reverse shell by putting in your IP and a port, create a listener on your machine and run the script.

Privilege escalation
I ran Linux Smart Enumeration and it showed that the user was running in a Docker container.

I started to enumerate the system even further. I came across a text file (as I was searching for a bunch of extensions that might help me).

By viewing the content of the file there is a username and password.

By using the provided username and password you can gain access to the admin user (root).

You can now grab the root & user flags.
Note: I know there is another way in which you should find another text file which contains the second user, proxy the traffic using SSH to the Jenkins instance, get access to the third user and then find the other file to gain root. However, this is how I solved the box since at first I didn't find the first text file :).
Hope you enjoyed the write-up and learned something new.