Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objectives

Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole...


Reconnaissance

First, we perform a port scan using Nmap to identify open services on the target machine.

sudo nmap -Pn -sCV -F -T5 <ip_victim>

The result shows the following open ports:

  • 22 (SSH)

  • 80 (HTTP)

  • 139 (NetBIOS)

  • 445 (SMB)

When visiting port 80, we discover that the website is running WordPress. Upon clicking any link, we are redirected to blog.thm, which means we need to add it to our /etc/hosts file to continue.

User Enumeration:

We identify two potential users:

  • Karen Wheeler (username: kwheel)

  • Billy Joel (username: bjoel)

To confirm the existence of these users and look for any other potential accounts, we use wpscan:

wpscan --url http://blog.thm/ --enumerate u

This confirms that only the two users are present.


Gaining a Shell

Next, we attempt to gain access to the WordPress admin panel by brute-forcing the credentials of the users. We use wpscan with the rockyou.txt wordlist:

wpscan --url http://blog.thm/ --usernames kwheel,bjoel --passwords /usr/share/wordlists/rockyou.txt

After approximately 17 minutes, we successfully crack kwheel's password.

WordPress Exploit (Version 5.0):

Once inside the admin panel, we confirm that the WordPress version is 5.0. Searching Exploit-DB for this version, we find an exploit targeting the crop-image feature of WordPress 5.0, which an authenticated user with the right role can abuse to execute code on the server.

The Exploit-DB entry points to a Metasploit module, so we launch msfconsole:

msfconsole

We select the module, set the required options (RHOSTS, LHOST, RPORT, LPORT, PASSWORD and USERNAME, using kwheel's cracked credentials) and run it to obtain a shell.

Reverse Shell:

Once we have a shell on the system, we upgrade it to a fully interactive TTY with the following command:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Searching for user.txt:

We perform a search for the user.txt file:

find / -type f -name "user.txt" 2>/dev/null

At this point, we realize we need to escalate privileges to access this file.

We search for files with the SUID bit set:

find / -type f -perm -04000 -ls 2>/dev/null

We find a SUID binary named checker. When executed, it simply prints "Not an Admin". Tracing it with ltrace shows that it reads an environment variable called admin, which returns nil because the variable is not set, and that this value alone decides whether the caller is treated as an administrator.

Since the environment is under our control, we set the admin variable with export:

export admin="1"

This satisfies the check, and because the binary runs with root's effective UID we obtain a root shell.

Finding the Flags:

With root privileges, we search for user.txt again and find it in a different location from the one we expected. We then read root.txt, completing the machine.