{THM} Blog
Last updated
Billy Joel made a blog on his home computer and has started working on it. It's going to be so awesome!
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole...
In order to get the blog to work with AWS, you'll need to add blog.thm to your /etc/hosts file.
Let's begin. As usual, for the first part we need to do some scanning.
nmap -sC -sV blog.thm
I forgot to put the IP in my hosts file. Never mind, I added it after scanning.
From the result we now know there are 4 open ports: ssh, http and 2 smb.
This is the landing page for blog.thm.
We notice this is WordPress 5.0:
<meta name="generator" content="WordPress 5.0" />
With further investigation, we find 2 users for this WordPress:
kwheel
bjoey
We find the authors of this WordPress to know the usernames.
Next, moving on to the login page.
We got a correct username but wrong password. Let's crack it using wpscan.
Using this command to brute-force the wp-admin login page:
wpscan --url http://blog.thm/ --usernames kwheel --passwords rockyou.txt
Kwheel : <redacted>
We in BOIS!!
After looking and playing around, we notice the media section has something interesting. Next we look for any exploit for this CMS version.
For this I run Metasploit.
msf6 exploit(multi/http/wp_crop_rce)
Next, configure the options needed.
After providing the options needed:
We're in as www-data and make the shell stable. We get another rabbit hole that asks us to TRYHARD more!
For privilege escalation, there are multiple ways:
Using wp-config, which contains credentials
Exploiting a SUID binary
For this writeup, I will share the SUID exploitation method.
find / -user root -perm /4000
We find one file that runs as root. Let's check what it is.
This file checks whether we are root or not. To check what the source does, we use ltrace.
So the program reads the value of the environment variable "admin". If the variable does not exist, getenv returns a null pointer. In this case the program outputs "Not an Admin" and exits.
However, if the environment variable "admin" is set to any value, the else clause is executed. The program sets the user id to 0 (root) and spawns a bash shell.
We're in. Let's find the root and user text files.
find / -name user.txt 2>/dev/null