# Internal

## Nmap

```
sudo nmap 10.10.185.115 -p- -sS -sV

Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Running dirsearch against port 80 reveals some interesting directories.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-425bee506c533db6b551a004f1982414df043f51%2Fimage.png?alt=media)

The /phpmyadmin directory gives no way to log in with the root account; most likely only logins from localhost are permitted.

![http://10.10.185.115/phpmyadmin/index.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e931e918cea52dfddf6c5ef380adc3807194865f%2Fimage.png?alt=media)

Looking back at the dirsearch results, the /blog directory appears to be running WordPress, since the subdirectory /blog/wp-admin/ was discovered beneath it.

Further inspection of /blog/ confirms that it is indeed running WordPress.

![http://internal.thm/blog/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-010188ede2ff8e138758c2fc608b6a83756fa4fa%2Fimage.png?alt=media)

Running the following wpscan command shows there is a user called admin, whose password is then brute-forced using the rockyou.txt wordlist.

```
wpscan --url http://10.10.185.115/blog/ -t 40 -e at,ap,u1-3000,m1-2000 --passwords /usr/share/wordlists/rockyou.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-628e38a593d874b5aed672e9befa015059695976%2Fimage.png?alt=media)

Heading over to <http://internal.thm/blog/wp-admin/> we can then log in with the credentials `admin:my2boys`.

Going to Themes and then the Theme Editor lets us pick a theme file to edit. In this example I replaced the code in the 404.php file with that of a reverse shell.

![http://internal.thm/blog/wp-admin/theme-editor.php?file=404.php\&theme=twentyseventeen](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e8b1f15a79bae2ed4ee017434c202061e60f5c3e%2Fimage.png?alt=media)

At this point all we usually need to do is browse to the 404.php page to trigger a callback to `netcat`. This site is set up a bit differently: after clicking around and following some links, the directory structure for this site appears to be <http://internal.thm/blog/index.php/>.

I then browsed to <http://internal.thm/blog/index.php/0000/0/> to try to get a 404.php page redirect, which worked, and I was able to get a shell on the system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-40719dd9a4d9f461a9df63dc9d73db0e36ed03bd%2Fimage.png?alt=media)
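As an added detection-side example (not part of the original writeup), the script below reviews Apache access-log lines for the two WordPress steps above: the wpscan password brute force against wp-login.php, and a theme-editor.php edit followed by a request that makes the modified 404 template execute. The log lines, the client IPs and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Combined-format Apache access log line (the default on Ubuntu's Apache).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: one client hammers wp-login.php, writes a theme file via
# theme-editor.php and then requests a path that returns 404; a second client
# only browses the blog and is the noise the checks must ignore.
SUSPECT = "10.0.0.5"  # constructed address
SAMPLE_LOG = [
    f'{SUSPECT} - - [03/Sep/2020:10:00:{i:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512'
    for i in range(12)
] + [
    '10.0.0.9 - - [03/Sep/2020:10:01:00 +0000] "GET /blog/ HTTP/1.1" 200 9001',
    f'{SUSPECT} - - [03/Sep/2020:10:02:00 +0000] "POST /blog/wp-admin/theme-editor.php HTTP/1.1" 302 -',
    f'{SUSPECT} - - [03/Sep/2020:10:02:30 +0000] "GET /blog/index.php/0000/0/ HTTP/1.1" 404 1337',
    '10.0.0.9 - - [03/Sep/2020:10:03:00 +0000] "GET /blog/missing HTTP/1.1" 404 1337',
]

def parse(lines):
    """Yield one dict per parseable log line; lines in another format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def login_bruteforce(events, threshold=10):
    """Client IPs that POSTed to wp-login.php at least `threshold` times."""
    counts = Counter(
        e["ip"] for e in events
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php")
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}

def theme_edit_then_404(events):
    """(ip, path) pairs where a client that wrote through theme-editor.php later
    received a 404, i.e. the edited 404.php template has now run for that client."""
    editors, hits = set(), []
    for e in events:  # log order, so 'later' simply means 'after' in the list
        if e["method"] == "POST" and e["path"].endswith("/wp-admin/theme-editor.php"):
            editors.add(e["ip"])
        elif e["status"] == "404" and e["ip"] in editors:
            hits.append((e["ip"], e["path"]))
    return hits
```

Setting `DISALLOW_FILE_EDIT` in wp-config.php removes the theme editor entirely, at which point any POST to theme-editor.php is itself worth an alert.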

From here I found multiple potential credentials on the machine for databases and the like. None of these led me to any escalation until I stumbled upon the /opt/ directory, which contains wp-save.txt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2803e54af7d13bc5fc5d234de41881a1933e302b%2Fimage.png?alt=media)

With the credentials of `aubreanna:bubb13guM!@#123` we can switch to this user. Running cat on the jenkins.txt file reveals the following information:

```
Internal Jenkins service is running on 172.17.0.2:8080
```

From our attacking host we can run the following SSH command to forward port 8080 on that internal address back to 127.0.0.1 on our machine.

```
ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.185.115
```

We can then open <http://127.0.0.1:8080> in a web browser.

![http://127.0.0.1:8080](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c5a32438983a28742732074eb0d51da5c0784153%2Fimage.png?alt=media)

I tried known credentials against this and was unsuccessful in logging in. Brute-forcing with ZAP shows a different response size for the payload spongebob.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c669458fdbcde530e14b0aff0239427b3341a802%2Fimage.png?alt=media)

Following the Groovy script code linked here, change the cmd string to /bin/bash and the host to your attacking machine's VPN interface IP.

<https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ac73b138e0b19c0a3a7cc125837d988745141e1a%2Fimage.png?alt=media)

Checking our `netcat` shell after confirms we are connected as the Jenkins service.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f89567b625e425e36b5f7344cdba0962bfd31e8a%2Fimage.png?alt=media)

Again we have information in the /opt/ directory, this time SSH credentials for the root account.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-135a564460bcc61b006030e7788bea601ea754cc%2Fimage.png?alt=media)

These are confirmed working for an SSH connection.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-87a4fe90aca229c59247666acb2102056d9d689e%2Fimage.png?alt=media)
