THM: Blog Room Writeup

Here is the link of this great room: Blog by Nameless0ne.

Let's start guys..

Enumeration

First I ran the nmap scan:










1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress.
2. The blog contains a single post by a user named Karen Wheeler for Billy joel.

3. To enumerate the users on the blog I will be using WPscan.
        wpscan --url blog.thm -e u
This command will list all the users on the Blog, bjoel & kwheel.
4. Let's try to find out the password of these users using the same tool again. 
        wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm
5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name)
6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some kind of RCE!!
7. Lil bit enumeration showed us that the wordpress is using version 5.0 which is vulnerable to Remote code execution vulnerabilty via Crop-image functionality.
8. So let's get the exploit in our computer and start hacking.

But before that let's enumerate our SMB service too ;) ( I won't take long)
        smbclient -L blog.thm -U Anonymous

After that I used  smbclient \\\\blog.thm\billySMB -U Anonymous

I downloaded all these files to my machine, analyzed them using Steghide, binwalk and exiftool and you know what this is a rabbit hole!

9. Back to our exploit. Fire up Metasploit(don't forget, always keep them updated)

10. Fill up all the options, also set the username and password which you got from the previous WPscan attack.
11. This will give us a nice Meterpreter shell. Enter 'shell' in the Meterpreter command line and then start enumerating the machine.

Privilege Escalation

12. So our first flag user.txt is not at its usual location /home/bjoel/user.txt. Then I tried using the find command but no success.
13. After some enumeration I find out there is a unusual suid binary lying out there..

        find / -perm -4000 2>/dev/null

14. The binary which stands out is Checker.
15. So I downloaded the binary and reversed it using Radare.
    > r2 -AAAA checker
    > pdf @main

For simplicity I am adding the C source code which I got from Ghidra.


{
  char *pcVar1;
  
  pcVar1 = getenv("admin");
  if (pcVar1 == (char *)0x0) {
    puts("Not an Admin");
  }
  else {
    setuid(0);
    system("/bin/bash");
  }
  return 0;
}

So what this function is doing is that it is calling getenv( ) on admin and returning its value which is obviously null, because the environment variable named 'admin' does not exist.. right?
So if we add an environment variable and set its value to not null then we could execute our 'else' part of the code..which is calling the Bash as root.. simple.

        > export admin = '1'
This command creates a new variable with the value 1. And now we run the checker binary..
exploit binary
Getting Root

And you got the root.

Capturing Flags

1. Root flag is at its normal place.
2. For user flag

And this is it. :)
Thankyou for reading it.
                                                - DarkRider88

Comments

Post a Comment

Popular posts from this blog

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more