We begin by scanning with the AutoRecon tool.

Nmap Result

_full_tcp_nmap.txt

As we can see, not many ports are open. SSH on port 22 is likely not exploitable without credentials, so we will begin with HTTP on port 80.

Apache default page

Initial Access

Our Nikto scan revealed the WordPress login page.

nikto

Next we run WPScan, which finds the username admin.

We then attempt to brute-force the password for the admin username we found previously.

wpscan bruteforce password

It succeeds, so we are now logged in to WordPress. We inject PHP code into 404.php here.

wordpress 404.php

And we got a shell!
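
The WordPress password guessing earlier in this section is visible in the web server's access log: by default a failed login re-renders the form with HTTP 200, while an accepted one redirects with 302. The following added example (not part of the original write-up) flags a burst of failed POSTs to /wp-login.php from one client and any accepted login from that client afterwards. The log lines are constructed and assume Apache's combined format and guesses sent to the login form; the threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, method, path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATH = "/wp-login.php"  # assumption: guesses were sent to the login form

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, kind, time) alerts; kind is 'burst' or 'success_after_burst'."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()              # ips that already produced a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != LOGIN_PATH:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[ip]
        while failures and when - failures[0] > window:
            failures.popleft()   # drop failures that fell out of the window
        if status == "200":      # failed login: WordPress re-renders the form
            failures.append(when)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", when))
        elif status == "302" and ip in flagged:  # accepted login after a burst
            alerts.append((ip, "success_after_burst", when))
    return alerts

def sample_log():
    """Constructed log lines: six failures, then a success, plus one normal user."""
    fmt = '{} - - [10/Jan/2024:12:00:{:02d} +0000] "POST /wp-login.php HTTP/1.1" {} 512'
    lines = [fmt.format("203.0.113.7", s, 200) for s in range(6)]
    lines.append(fmt.format("203.0.113.7", 7, 302))
    lines.append(fmt.format("198.51.100.4", 9, 302))  # ordinary login, no burst
    return lines

if __name__ == "__main__":
    for ip, kind, when in detect_guessing(sample_log()):
        print(when.isoformat(), ip, kind)
```

The "success_after_burst" alert is the one to escalate, since it marks the point at which a guessed password was accepted.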

Privilege Escalation

During our enumeration we found a user and were able to SSH in with the credentials below.

/opt/wp-save.txt

Then we found that another port, 8080, is open and running Jenkins.

netstat -tlpn

We then set up port forwarding so that we can access Jenkins locally.

At first, we try a few of the credentials we obtained previously, but none of them succeed in logging in.

Then we brute-force again, using Hydra with the username admin.

hydra http-post-form

Now that we are in Jenkins, we can easily execute code to get a shell.

During our enumeration, we again found a password under /opt/, but this time the user is root.

And now it is rooted
