TryHackMe - Blog

Basic information
Room name: Blog
Description: Billy Joel made a WordPress blog!
Difficulty: Medium
Room link: tryhackme.com/room/blog​
Step 1 - Reconnaissance
Don't forget to add blog.thm to your /etc/hosts file!
Let's start off with a simple nmap scan.
~# nmap -sV -p- -T5 blog.thm
​
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
​
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel 
Seems like we have an SSH, HTTP,and 2 SMB ports open. Since it's a WordPress exploitation room, we can confidently skip Samba enumeration. (Note: This is not applicable to other rooms. This was intended to skip since all SMB ports here are just rabbit holes)
Let's browse to the HTTP Port and enumerate there.
Step 2 - WordPress Enumeration
As usual, we need to start with user enumeration.
wpscan --url blog.thm -e u
​
# --url = specify url
# -e = enumerate users (u)
After a quick scan we get exactly 2 valid usernames.
Note here: Even though Wpscan was able to identify 4 users, only 2 of them appear to be nicknames with some basic information and API reference.
Step 3 - WordPress Bruteforce
Now, as we have 2 valid usernames, we can start a simple wp-login bruteforce. Use the command below and give it about 2-3 minutes. After that stop it by pressing Ctrl+C and you'll be good to go.
wpscan --url blog.thm -U bjoel,kwheel -P /usr/share/wordlists/rockyou.txt --password-attack wp-login -t 64
Step 4 - User
Now, as we have some valid credentials, we can log in to the account. After a quick enumeration, we discover that the website is using WordPress version 5. A small research led me to CVE-2019-8943. It includes a path traversal and a local file inclusion vulnerability. Happily for us, a given vulnerability has a Metasploit module.
exploit/multi/http/wp_crop_rce
Read more: rapid7.com/db/modules/exploit/multi/http/wp_crop_rce​
Let's use our retrieved credentials to run the exploit. Your settings should look like so:
For ease of usage, run shell command and upgrade to a tty shell using:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Step 5 - Privilege escalation
Both user and root txt files are going to be available after getting root.
Let's look at the SUID files and find a possible privilege escalation vector. Run a simple SUID search using:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
The one that really stands out is /usr/sbin/checker. It's not a usual binary and it has stand-alone permissions.
Read more about SUID: blog.tryhackme.com/linux-privilege-escalation-suid/​
Download the executable using meterpreter's download function and put it to a decompiling tool (GHydra or Cutter). The main function looks like that:
This single function check if environment variable (getenv) admin is equal to 0 (null). Meaning that making it anything esle should give us root!
export admin=abc
./checker
Bingo! We got root. Now go find the user.txt file using a following command:
find / -name "user.txt" 2>/dev/null
That's all! Thanks for reading :)
Last modified 1yr ago