Blog

Room Link: https://tryhackme.com/room/blog

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

TCP/80 - HTTP

Kali

TCP/445 - SMB

Kali

Kali

Kali

Kali

TCP/80 - HTTP

If you go to http://$VICTIM/wp-admin the page redirects to a new page so I add blog.thm into my hosts file and then it worked.

Kali

Hydra was taking too long but wpscan was able to find it quickly.

Kali

After logging in the user couldn't really do anything but I noticed wordpress is on version 5.0

Initial Shell

Kali

Victim

Victim

Tried brute forcing the hashes, we got the password for kwheel again but they aren't a user on the actual server. bjoel I wasn't able to bruteforce.

Kali

Found a pdf in bjoels home directory, after opening it up it looks like he was fired so his account is most likely locked anyways so there may be no point trying to break into it.

Kali(receiving)

Victim(sending)

Privilege Escalation

Victim

This script seems to just check if there is a admin environment variable is set, if it isn't it will exit.

Victim

I add the admin environment variable then right away I got root after running the script

Victim

PreviousWonderlandNextBiohazard

Last updated