This is the write-up for TryHackMe’s room named — Internal
This room can be found here:- https://tryhackme.com/room/internal
Task at hand is simple — Treat this as a Real Life PenTest and find out User.txt and Root.txt as proof of exploitation.
Ensure that you modify your hosts file to reflect internal.thm e.g. update /etc/hosts file with:
10.10.155.251 internal.thm
Enumeration
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.155.251
# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p22,80 10.10.155.251
So we have a Apache Web Server running on port 80 and SSH on port 22.Lets Brute Force directories of the Web Server to see if we can find anything. We will come back to SSH enumeration if needed.
Gobuster
A Simple gobuster scan reveals a WordPress site which we can enumerate further using WPScan.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.thm -t 40
WPScan
Let’s enumerate the WordPress site for all plugins and users using
wpscan --url http://internal.thm/wordpress/ --enumerate u,ap
