Today, I will walk you through the Internal challenge room. In this room, we role-play a black-box penetration test built around a real-life scenario.
This room has been labelled with a difficulty rating of HARD.
The following is the scenario of the room itself.
As usual, we will need to deploy the machine in order to play with it.
Now, we have to enumerate the machine to see what has been configured on it by running nmap -sC -sV <IP Address> -Pn
From the nmap output above, I notice that the open ports on the machine are:
- 22: OpenSSH 7.6p1
- 80: Apache 2.4.29
When I open the website in the normal way, we are directed to the default Apache2 page.
Let's run some enumeration on the website itself and see whether there is anything we can access by running the command dirb <IP Address>
From the output, I notice that /blog and /wordpress are installed on the machine. Let's dive deeper into the website interface.
The interface doesn't look attractive for a website used for blogging. However, I notice there is a link to Internal; let's click the link to see where it leads.
Once we click the link, the website shows a 404 page, which is odd for a site like this.
To make the error disappear, we have to add an entry for internal.thm to the hosts file at /etc/hosts
After we have modified the hosts file, let's access the website at internal.thm/blog to see if it works!
This website looks more like a WordPress theme, so let's run wpscan to guess the username and password. First, we need to retrieve the username before proceeding to crack the password.
The command we can use here is as follows:
wpscan --url internal.thm/wordpress/ -e u
You will see the result as shown below
We have successfully obtained the username for the WordPress login; finally, we can retrieve the password for the username "admin"
wpscan --url internal.thm/wordpress/ -U admin -P /usr/share/wordlists/rockyou.txt
We have obtained the username and password for WordPress. Let's log in to the Dashboard with the credentials we gained.
However, the Dashboard redirects to a different page when we key in the username and password. So, we have to strip the redirection from the login request using Burp Suite Community.
We need to remove the redirection code from the request payload so that it looks exactly like the screenshot above.
Once we click the Forward button, we are taken to the Dashboard page, as below:
We need to find a place to plant a reverse shell in order to gain access to the server. While roaming inside the WordPress Dashboard, I found a nice place to insert a PHP reverse shell: 404.php in the Theme Editor.
Before clicking the Update File button, we need to start an nc listener so that the shell connection can come back to us.
We can finally click the Update File button, and the reverse shell connection will come back to us.
So, let's roam again, but this time within the server. After a while, I had a feeling I should look in the /opt/ directory, where a strange file resides.
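A defender-side complement to the WordPress steps above, added here and not part of the original writeup: a small Python script that flags, in Apache access log lines, the traces those steps leave behind (author enumeration, the wpscan user agent, repeated wp-login.php POSTs and a Theme Editor save). The log lines are constructed for the example, and the four-attempt login threshold is an assumed cut-off.

```python
import re
from collections import Counter, defaultdict
# Constructed Apache combined-format log lines (not taken from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wordpress/wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3900 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3900 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3900 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.5 - - [01/Jan/2024:10:01:10 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Captures ip, method, path, status and user-agent from a combined-format line.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def analyse(log_text, login_threshold=4):
    """Return sorted (ip, finding) pairs; login_threshold is an assumed cut-off."""
    login_posts = Counter()
    tags = defaultdict(set)
    for raw in log_text.splitlines():
        e = parse(raw)
        if e is None:
            continue
        ip, path = e["ip"], e["path"]
        # wpscan -e u: walking author ids or querying the REST users endpoint
        if "author=" in path or "/wp-json/wp/v2/users" in path:
            tags[ip].add("user enumeration")
        if "wpscan" in e["ua"].lower():
            tags[ip].add("wpscan user-agent")
        # password attack: repeated POSTs to wp-login.php from one source
        if e["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[ip] += 1
        # Theme Editor save, the step used above to plant code in 404.php
        if e["method"] == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            tags[ip].add("theme file edited via Theme Editor")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            tags[ip].add(f"{n} login attempts (possible brute force)")
    return sorted((ip, t) for ip, ts in tags.items() for t in ts)
```

In a real deployment, a Theme Editor save by an account that just passed a burst of failed logins is the combination worth alerting on, rather than any single line.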
While doing this activity, my machine's IP expired and I forgot to take a screenshot of the wp-save.txt file, so I will start the machine with a new IP.
We get aubreanna and the password from wp-save.txt, so we can access the user via ssh.
ssh aubreanna@<IP Address>
Once we successfully log in to the server via ssh, let's check what is stored inside.
While I read the user.txt file, I notice another file that caught my attention more: jenkins.txt
The file contains a message saying “Internal Jenkins service is running on 172.17.0.2:8080”
To access the Jenkins website, we need to forward the port over ssh with the command below:
ssh aubreanna@<IP Address> -L <any port>:172.17.0.2:8080
Now, let's access the website by going to localhost:<any port>
We can assume that the username used here is admin but, sadly, we don't have the password.
Let's run hydra to crack the password
The result would be something like below:
As we have successfully retrieved the username and password, let's try logging in to Jenkins.
Wuhuu! We finally logged in to Jenkins. Now, let's find a way to insert a reverse shell into the website.
I found the Script Console, where we might be able to insert any code we like.
For this activity, we will run a Java reverse shell rather than our usual PHP reverse shell.
As usual, we need to start our nc listener before clicking the "Run" button.
We will get the shell connection back such as follows:
We will get a reverse connection without the bash $ prompt. To get a bash prompt, we can run bash -i as follows
Again, let's go on an adventure in this user's shell, where we find
We get the root password inside the /opt/note.txt file. Finally, we can obtain root access by entering the password.
Normally, the root flag is stored in the /root/ directory
We need to read what is written inside root.txt to finish this room, by executing cat root.txt
Happy Learning Guys!