TryHackMe : BLOG

whokilleddb
5 min read · Jul 16, 2020

“Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!”

Five days ago TryHackMe introduced a new room, BLOG, and it’s a very innovative and fun one to do.

First things first, we add our Machine IP into our /etc/hosts file as blog.thm and then run our trusty old nmap scan.

The first things that catch our attention are the open SMB ports. Like I have said before, we enumerate for Samba shares using enum4linux.

enum4linux -a blog.thm

The BillySMB shares look intriguing. Let’s try to fetch those shares using smbclient.

smbclient \\\\blog.thm\\BillySMB\\

There are three files here: Alice-White-Rabbit.jpg, tswift.mp4 and check-this.png.

First we check out Alice-White-Rabbit.jpg.

Our first hunch should be to check for data steganographically embedded in the image, which we do with the help of steghide.

There’s a rabbit_hole.txt file embedded in the image which we can extract without any password. Let’s try to fetch this file and see its contents.

We appear to have fallen into a rabbit hole and there doesn’t seem to be a way ahead. Next we move on to check-this.png, which seems to be some sort of QR code.

Scanning the code brings us to Billy Joel’s music video of We Didn’t Start The Fire.

Last but not least we have tswift.mp4, which is a funny parody of Taylor Swift’s video, I Knew You Were Trouble. Do give it a watch xD.

Jokes apart, we have reached a dead end here. The Samba shares did not turn out to be useful. Now, we head over to port 80. There we find Billy Joel’s Blog.

It’s a very standard WordPress website. For enumeration we have a wonderful tool called wpscan, which allows us to enumerate usernames and then brute-force them.

wpscan --url blog.thm --enumerate u

This gives us the users for this WordPress blog. Next we try to brute-force our way in as the user kwheel using the same wpscan tool.

wpscan --url blog.thm -P /usr/share/wordlists/rockyou.txt -U "kwheel"

Cool! So we now have a valid username and password. We log in as kwheel with the help of the password we got.

Usually, our first approach would be to find a way to upload a PHP reverse shell somehow, but after fuzzing around a lot, I couldn’t find a way to do so. However, the media section looks interesting.

There seem to be some broken images in here. Is this a hint? A quick CVE search brings us to this page. As a bonus we also have a Metasploit module for this!

Fire up msfconsole and load up the exploit (exploit/multi/http/wp_crop_rce).

Once we have loaded up our exploit, type in show options and then set the options as required.

[Screenshots: module options, before and after]

Once we are armed and ready, we run our exploit and we get our meterpreter session!

Once we get our meterpreter session, we switch to a shell for our convenience.

Once in, spawn a TTY shell using Python.

python -c 'import pty; pty.spawn("/bin/sh")'

Once in, let’s identify the user we have broken in as.

So, we have broken in as www-data. Now, we can fetch the user.txt in the home directory of the user bjoel, but it won’t do us any good. Our next target should be privilege escalation. Our good old friend sudo -l won’t be of much use right now, so we move on to SUID. Get back to meterpreter and upload suid3num.py to our victim machine. Running the script gives us a very interesting SUID binary.

The checker binary looks interesting. Download the binary and analyze it using Ghidra.

A quick inspection reveals a very interesting piece of code.

This piece of code is crucial for us. Basically, the code looks for the value of the “admin” environment variable. If it’s empty we get a “Not an Admin” message; otherwise we get a shell with UID 0!

We export an environment variable named “admin” as follows and then run the checker binary, and boom, we get root!
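
The flaw described above, shown next to a hardened authorization check. This is an added example, not code from the room's checker binary or from the original write-up; the function names and the "sudo" group are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed check, as the write-up describes it: the invoking user owns the
 * environment, so any local account can make this return 1. */
static int allowed_by_env(void) {
    return getenv("admin") != NULL;
}

/* Hardened check: decide from the real UID, which the kernel sets and the
 * caller cannot change. Root passes; others must belong to `group`
 * (the group name is an assumption of this example). */
static int allowed_by_identity(uid_t real_uid, const char *group) {
    if (real_uid == 0) return 1;
    struct passwd *pw = getpwuid(real_uid);
    if (!pw) return 0;                        /* unknown account: deny */
    char name[256];
    snprintf(name, sizeof name, "%s", pw->pw_name);
    gid_t primary = pw->pw_gid;
    struct group *gr = getgrnam(group);
    if (!gr) return 0;                        /* group missing: deny */
    if (gr->gr_gid == primary) return 1;
    for (char **m = gr->gr_mem; m && *m; m++)
        if (strcmp(*m, name) == 0) return 1;
    return 0;
}

int main(void) {
    /* In a SUID-root binary, getuid() is still the invoking user. */
    uid_t who = getuid();
    printf("env check: %d, identity check: %d\n",
           allowed_by_env(), allowed_by_identity(who, "sudo"));
    if (!allowed_by_identity(who, "sudo")) {
        /* Drop the elevated effective UID before doing anything else. */
        if (setuid(who) != 0) return 1;
        puts("Not an Admin");
        return 1;
    }
    return 0;
}
```

The environment-based result flips as soon as the variable exists, while the identity-based result depends only on account data the caller cannot edit.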

Once root, getting the root flag is a piece of cake. Next we need to find our user flag. The find command reveals two such flags. Inspecting them reveals the user flag.

With this we successfully complete another box. The privilege escalation here was unique and fun and made the box incredibly interesting. Hope this write-up has been helpful!