notes.md

File metadata and controls

57 lines (43 loc) · 2.32 KB

Internal [internal.thm]

edit /etc/hosts to map the target IP to the hostname internal.thm
reference


recon

  • nmap scan

    • found 2 open ports > ssh@p22 & http@p80
  • default Apache2 landing page when visiting the IP directly

  • OS detected from scan > linux

  • gobuster scan (main ip)

    • found 2 interesting subdirectories > /blog & /wordpress
  • /blog looks like a WordPress-powered site

  • gobuster scan (/blog)

    • /wp-content
    • /wp-includes
    • /wp-admin
  • wpscan (/blog)

    • wp ver: 5.4.2
    • found username: admin

hacking

  • brute forced wp login w/ username admin & rockyou.txt

  • got login admin:my2boys for wp admin

  • edited 404.php after login via appearance > theme editor, replacing it w/ pentestmonkey's reverse shell script

  • set up listener (nc -lnvp 4444)

  • visited http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php & got reverse shell

  • current user: www-data

  • ran python3 -c 'import pty;pty.spawn("/bin/bash")' to get proper bash shell

  • found user /home/aubreanna

  • found credentials aubreanna:bubb13guM!@#123 @ /opt/wp-save.txt

  • got flag 1 > THM{int3rna1_fl4g_1} @ /home/aubreanna

  • found jenkins.txt @ /home/aubreanna which says Internal Jenkins service is running on 172.17.0.2:8080

  • it seems like a local service is running @ 172.17.0.2:8080

  • after checking running processes (ps aux), got aubrean+ 1524 0.0 0.0 1148 4 ? Ss 11:37 0:00 /sbin/tini -- /usr/local/bin/jenkins.sh

  • this confirms a jenkins service is running on the server (as aubreanna)

  • local port forward over ssh: ssh -L 9999:localhost:8080 aubreanna@10.10.43.21

  • nmap scan to confirm the port forward works (nmap -p 9999 localhost -A -sC -sV -o nmap_pf.log, results)

  • found jenkins login page on localhost:9999

  • brute forced jenkins login w/ hydra > admin:spongebob (hydra results - https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/)

  • got reverse shell from manage jenkins > script console > pasting java reverse shell (https://notchxor.github.io/oscp-notes/3-Exploiting/6-reverse-shells/)

  • found /opt/note.txt using find . -type f -name "*.txt"

  • found root credentials root:tr0ub13guM!@#123

  • found flag 2 > THM{d0ck3r_d3str0y3r} @ /root
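Detection-side check for the WordPress chain in the notes above (wp-login brute force, a theme-editor save, then a direct request for the edited theme 404.php). This is an added example, not part of the original notes: it runs over constructed Apache access-log lines, and the IPs, timestamps and the login threshold are assumed sample values.

```python
import re
from collections import defaultdict

# Apache combined/common log prefix: ip ident user [ts] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct hit on a PHP file inside a theme directory (normally only included, never requested)
THEME_PHP_RE = re.compile(r"/wp-content/themes/[^/]+/\w+\.php$")

# Constructed sample log: 25 login attempts, a theme-editor save, then the edited 404.php fetched.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:11:30:{i:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3122'
    for i in range(25)
] + [
    '10.0.0.5 - - [01/Jan/2024:11:36:10 +0000] "POST /blog/wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:11:36:40 +0000] "GET /blog/wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:11:40:00 +0000] "GET /blog/ HTTP/1.1" 200 5120',
]


def parse(lines):
    """Yield dicts for lines that match the access-log pattern; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, login_threshold=20):
    """Return (ip, finding) tuples for brute-force volume and theme-editor abuse."""
    login_posts = defaultdict(int)   # ip -> number of POSTs to wp-login.php
    editor_posts = set()             # ips that saved a file through theme-editor.php
    findings = []
    for e in parse(lines):
        path = e["path"].split("?")[0]
        if e["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[e["ip"]] += 1
        elif e["method"] == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            editor_posts.add(e["ip"])
        elif THEME_PHP_RE.search(path) and e["ip"] in editor_posts:
            findings.append((e["ip"], f"theme file saved via editor then requested directly: {path}"))
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.append((ip, f"{n} POSTs to wp-login.php (possible brute force)"))
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, finding)
```

Setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor entirely, so the second rule then only needs to catch direct theme-file requests.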