TryHackMe-Internal

ZeusCybersec
6 min read · Jul 31, 2021

This is a Hard rated CTF on TryHackMe. The client requests an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).

First we need to add the IP of our target machine to /etc/hosts on Kali.

We begin with an nmap scan on all ports (-p-) and find 22 and 80 open.

On visiting port 80 in the browser, we find an Apache server running, so let's find all directories using dirsearch, which is much faster than DirBuster (you can install it from GitHub).

We find a phpMyAdmin page, but the default credentials don't work.

We find a login page for WordPress.

On using admin:admin as the username and password we get an error saying that the password entered for the username admin is incorrect. This means we have a valid username, “admin”, and we can brute-force the password.

But before brute-forcing, let's enumerate WordPress a bit more using wpscan.

The version is 5.4.2.

We found the version but nothing interesting… so let's proceed with brute-forcing. This can also be done with wpscan.

We finally find the password and can now log in as admin.

Now we need to get a shell. In WordPress this can be done by uploading a malicious plugin or by editing the code of a theme. We will go with the second option. Do read this guide, as we will be following the same process shown in that article.

We edit the default theme (twentyseventeen), and on the right side we see a file called 404.php, which we edit to contain the PHP reverse shell from pentestmonkey. Make sure to change the IP and port in the script.

After saving, we just have to start our netcat listener and visit the URL in our browser (replace the IP with your target's):

10.10.245.72/wordpress/wp-content/themes/twentyseventeen/404.php

And we finally get a shell. However, we need to make it stable, which can be done by running the command:

python -c 'import pty;pty.spawn("/bin/bash")'

After lots of digging, we find username:password info in the /opt directory. We can use these credentials to access SSH.

We found the first flag.

jenkins.txt seems interesting.

We also find in jenkins.txt that Jenkins is running on port 8080. Jenkins is a server used by developers for continuous development and building. This is where I was stuck, and I got a hint about SSH tunnelling on a Discord server. Moreover, the directory called “snap” hints that Docker is running.

Running the command ss -tulpn shows us all the hidden listening ports, and we find 8080 listening as well. This can be accessed by reverse SSH tunnelling. If you are new to this concept, do the room GameZone on TryHackMe, which explains it pretty well (however, it's a paid room).

We see port 8080 listening.

Now all we have to do is add the IP and port in /etc/hosts on our Kali machine.

This is the command we use for SSH tunnelling:

ssh -L 8080:localhost:8080 aubreanna@ipaddress

Once done, we type localhost:8080 in our browser and finally find the Jenkins login page.

Jenkins login page

We can try using dirsearch to find all directories but are unable to find anything interesting. Let's brute-force the login page with the username “admin” and rockyou.txt for the password. For this, let's fire up Burp.

Intercept the request > send to Intruder > highlight the password field > use the sniper attack. In the payloads we load the rockyou.txt list, which can be found at /usr/share/wordlists/rockyou.txt.

Click on Length.

And we finally find the password: spongebob. This does not take much time, as the password is within the first 100 words of rockyou.txt.
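Both brute-force steps above (wpscan against wp-login.php, and Burp Intruder against the Jenkins form) leave the same trace on the server: many login POSTs from one client in a short window, then one success. The following is an added detection example, not from the original post, run over Apache combined-format log lines for wp-login.php; the log lines and client IPs are constructed, and the `path` parameter adapts the same logic to another login endpoint.

```python
"""Added detection example (not from the walkthrough): find password brute-forcing of a login
endpoint in Apache combined-format logs. WordPress re-renders wp-login.php with a 200 on a failed
POST and answers a successful one with a 302, so a burst of 200s then a 302 is the signature."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path?query HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>[^?\s]+)\S*[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, path="/wordpress/wp-login.php", threshold=10, window=timedelta(minutes=1)):
    """Return alerts as (ip, kind, failed_count); kind is 'burst' or 'success_after_burst'."""
    failed = defaultdict(deque)  # ip -> timestamps of failed POSTs still inside the window
    alerted, alerts = set(), []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST" or rec["path"] != path:
            continue
        ip, ts, q = rec["ip"], rec["ts"], failed[rec["ip"]]
        while q and ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if rec["status"] == 200:  # failed login: the form is rendered again
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "burst", len(q)))
        elif rec["status"] == 302 and ip in alerted:  # redirect to wp-admin after a burst
            alerts.append((ip, "success_after_burst", len(q)))
    return alerts

def sample_log():
    """Constructed log: one benign visitor, then 12 failed admin logins and a success from one IP."""
    events = [("10.10.14.9", 0, "GET", 200), ("10.10.14.9", 1, "POST", 200)]
    events += [("10.10.14.5", 5 + 2 * i, "POST", 200) for i in range(12)] + [("10.10.14.5", 40, "POST", 302)]
    base = datetime(2021, 7, 31, 10, 0, tzinfo=timezone.utc)
    return [f'{ip} - - [{(base + timedelta(seconds=s)).strftime(TS_FMT)}] '
            f'"{m} /wordpress/wp-login.php HTTP/1.1" {st} 512 "-" "Mozilla/5.0"' for ip, s, m, st in events]
```

The threshold and window are tuning knobs; a 302 from a client that never tripped the burst alert is just a normal login and is deliberately not reported.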

ATTACKING JENKINS

Use admin:spongebob to log in to Jenkins.

Go to Manage Jenkins > Script Console.

Jenkins has a Script Console where you can run Groovy scripts (read the first line… it says “type in an arbitrary Groovy script”). Basically we have to put in a Groovy reverse shell and run it to get a shell.

You can refer to this article as a guide: https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6

The Groovy reverse shell can be found at: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#groovy

Once we have put in the code, don't forget to change your IP and port. The IP is that of your Kali machine (tun0). Also, a small change we have to make in the script is replacing cmd.exe with /bin/bash, as we are attacking a Linux target (I found this info on GitHub after using Google).

This is what my final script looks like:

And we finally get a shell, which we need to stabilize by running:

python -c 'import pty;pty.spawn("/bin/bash")'

In the /opt directory we find some credentials.

SSH to the root user using the password we found, and we are in!

And we finally find the root flag!

This was a fun CTF. Although it is rated hard, I found it a bit easy since I had worked with Jenkins and WordPress in previous CTFs. The only tricky part was finding out about SSH tunnelling, and this room sure was a bit lengthy. Shout out to Joe Helle (The Mayor) for developing this room, and I hope you learned from this walkthrough. -ZEUS


ZeusCybersec

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pentesting and developing security tools using Python. YouTube: ZeusCybersec