TryHackMe Blog Room WriteUp — Beginner Room

Rajan Kshedal
5 min read · Nov 9, 2022


Today we are going to solve TryHackMe's Blog room. Its difficulty level is medium and the room is web based, so here we will practise the web enumeration skills from the previous blogs.

The first thing we have to do is add the machine IP and hostname to /etc/hosts.

sudo nano /etc/hosts

After this comes hacking 101, which is enumeration. Let's start our enumeration with nmap.

nmap -sC -sV 10.10.202.10

That's a lot of open ports, which is obviously a good thing for us. I don't think the SSH version is vulnerable. Then we see port 80, which is running an Apache web server on Ubuntu, and the results are pretty interesting too: the web server hosts the WordPress CMS (Content Management System), and its version is 5.0. Here we get two of our answers:

What version of the above CMS was being used? 5.0
What CMS was Billy using? wordpress

Now that we know port 80 is running WordPress, we can enumerate further using wpscan.

wpscan --url http://blog.thm --enumerate

While it's running, let's check another open port, SMB. Let's see which shares are available to a guest user using smbmap.

There are three SMB shares, but we only have access to the share called "BillySMB". Now let's recursively download everything in BillySMB with smbget.

smbget -R smb://10.10.202.10/BillySMB

We got three files: an mp4, a png and a jpg. Let's see if there is anything embedded in the jpg file using steghide.

And yes, there is a txt file embedded. We can extract it without a password; let's do that using steghide again.

steghide extract -sf Alice-White-Rabbit.jpg

Is this supposed to be funny? Let's check the png file. It's a QR code; let's see what is in it. I am using an online QR code decoder for that.

Let’s visit that link.

HAHA, funny. Nothing here either. Let's check our last file, which is a video, and that is useless too.

So, what now? Umm! Wait, we still have wpscan running. Let's check its results.

We got loads and loads of information, and most importantly we found out that WordPress version 5.0 is insecure. Let's see if there is a CVE for this version.

Yes sir, there is a CVE for this vulnerable version of WordPress. But in order to use this exploit we will need a WordPress username and password. For that we will again use wpscan, first to enumerate users and then to brute-force the password.

wpscan --url http://blog.thm --enumerate u

Time to do some brute-forcing, guys.

wpscan --url http://blog.thm --passwords /usr/share/wordlists/rockyou.txt --usernames kwheel,bjoel

We found a valid user and password. Now it's time to exploit. You can use the exploit from exploit-db, but I am using Metasploit. It's been a long time since I used that, haha.

And we got the connection. Let's search for user.txt now.

find / -type f -name user.txt

Funny. Let's leave the privilege escalation job to linpeas. After a while, in the SUID section, I found a custom SUID file called checker. It stood out because every other entry was coloured red or green and this one was not.

I tried to run /usr/sbin/checker directly from the shell but came across this error.

Let’s run ltrace.

The code looks for a value in the admin environment variable: it calls getenv to check whether an admin environment variable is declared. If admin is declared, it sets the UID to 0 and calls system to spawn a shell.

Let's export the admin variable and run the checker file again.

Okay, ladies and gentlemen, we are root now and we own that system, haha. Now let's search for our flags.
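The checker binary is a textbook example of why a SUID program must never base an authorisation decision on its environment: the unprivileged caller owns every variable in it. As an added example that is not the room's binary and not the author's code, the C program below shows a hardened shape for the same kind of helper. The flawed decision from the page (admin present in the environment means root) is kept as a one-line function only to make the contrast explicit; the hardened path wipes the environment, decides on the kernel-maintained real UID, verifies that privileges were really dropped when the caller is not allowed, and runs a fixed binary with execve instead of system(). The allow-list of UIDs and the /bin/id target are hypothetical choices for illustration.

```c
/* Added example, not the room's checker: a SUID helper that does not trust
 * its environment. Build with: gcc -D_GNU_SOURCE -o safe_checker safe_checker.c
 * (the _GNU_SOURCE define is for clearenv and setresuid on glibc). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The flawed decision the page describes for checker:
 * "if getenv("admin") returns anything, become root".
 * Kept only for contrast; any caller can satisfy it with export admin=1. */
int env_grants_admin(const char *admin_value)
{
    return admin_value != NULL;          /* any value, even "", passes */
}

/* Hardened decision: trust only the real UID of the caller, which the
 * kernel sets and the caller cannot forge. Hypothetical allow-list. */
int caller_is_admin(uid_t real_uid)
{
    static const uid_t allowed[] = { 0 }; /* only a real root caller qualifies */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (real_uid == allowed[i])
            return 1;
    return 0;
}

/* Irrevocably give up the SUID privilege. Returns 0 only if the drop is
 * confirmed; a silently failed drop followed by "privileged" work is a
 * classic bug, so the result is re-read rather than assumed. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    return 0;
}

int main(void)
{
    /* 1. The caller's environment is untrusted input (PATH, LD_*, or a
     *    magic "admin" variable): discard all of it before it matters. */
    if (clearenv() != 0)
        return 1;

    /* 2. Decide on the real UID, never on anything the caller supplies. */
    if (!caller_is_admin(getuid())) {
        if (drop_privileges() != 0)
            return 1;
        fprintf(stderr, "not authorised: real uid %u\n", (unsigned)getuid());
        return 1;
    }

    /* 3. Even for an authorised caller, avoid system(): it goes through the
     *    shell and PATH. Execute a fixed path with a fixed environment. */
    char *const argv[] = { "/bin/id", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve("/bin/id", argv, envp);
    perror("execve");                     /* only reached if exec failed */
    return 1;
}
```

When reviewing a SUID binary with ltrace as the page does, the three things to look for are exactly the ones this version removes: a getenv call feeding the decision, a setuid(0) with no check that the caller was already privileged, and a system() call.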

The root flag is located in the root directory, and we find the rest of our answers and the flag here.

And with that we have successfully completed another CTF. Damn, we are becoming hackers now, haha. I hope this blog was fun and you learned something from it. Make sure to share this and follow me. ❤



Rajan Kshedal

Cybersecurity enthusiast, noob programmer and, after joining Medium, probably a writer too HAHAHA