Nmap
Right off the bat we get some very useful information after running Nmap:-
- 4 ports are open: 22 (SSH), 80 (HTTP), 139 and 445 (SMB)
- The site on port 80 is running WordPress 5.0
Getting both flags
Before we go any further, we have to add an entry to /etc/hosts mapping the machine's IP address to blog.thm, since the site is served under that hostname.
After visiting blog.thm, we immediately find two usernames we can possibly use to log in to the WordPress panel.
- bjoel
- kwheel
In addition, the login page for WordPress is at "/wp-login.php".
At this point, it's wise to fire up wpscan and check out what we can find.
wpscan --url http://blog.thm/ --enumerate u
As you can see, wpscan also discovers the same usernames.
Again, using wpscan and the usernames we found, we can attempt to brute force the login page.
This can also be done with other tools but it's a matter of personal preference.
First, add the usernames we found to a file called "usernames":-
kwheel
bjoel
And then use wpscan to brute force:-
wpscan --url http://blog.thm/wp-login.php --usernames usernames --passwords /usr/share/wordlists/rockyou.txt
Give it some time to run, and you'll find the password for Karen Wheeler (kwheel):-
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - kwheel / cut******
After logging in as kwheel, there's nothing really interesting here: the account can't edit themes (so the usual theme-editor route to code execution is closed), and the drafted post has no valuable information.
However! It does reveal 2 important details:-
- The site runs off WordPress 5.0 (which we also discovered using Nmap)
- It's using the Twenty Twenty theme
So at a dead end like this one, the best bet is to look for known vulnerabilities in this exact WordPress version and theme.
Now you can use Google or searchsploit to find a vulnerability/exploit, but the ones I found did not work.
So I turned to Metasploit.
In msfconsole, search for WordPress 5.0 exploits, pick the first (0) module, and set the required options. This is an authenticated exploit (in Metasploit's current tree it is exploit/multi/http/wp_crop_rce, the WordPress 5.0 image-crop RCE), so besides the target host and URI you need to supply the kwheel credentials recovered above.
Run the exploit and you'll get a Meterpreter session; this will come in handy later on.
After digging around, we find what we presume to be the user flag in /home/bjoel/user.txt, but that's just a distraction as the actual user flag is somewhere else.
You may notice I downloaded a PDF from Billy's home folder. It has a hint, but it's not relevant, and you can solve this machine without reading it at all.
So after looking around a bit more, searching the filesystem with find for any other user.txt yields nothing that our low-privileged web shell can read, so it's time to look at privilege escalation vectors.
After dropping into a shell, use find to list files with the SUID bit set, and you'll notice an interesting one: checker.
Running checker says "Not an admin", so to find out what the program is actually doing we can use:-
ltrace checker
As you can see, the program decides whether the user running it is an admin by reading the environment variable admin with getenv("admin"). The environment is entirely under the control of whoever runs the binary, while the SUID bit means it executes as root, so the check is trivially satisfied.
So we set the variable admin in our environment by running:-
export admin=1
Then run checker again, and we're root!
That's it :) Running find again as root reveals the real user flag at /media/usb/user.txt, and the root flag is in its usual location, /root/root.txt.
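To make the privilege-escalation bug concrete, here is an added example that is not the room's checker binary (the writeup never shows its source): a C reconstruction of the pattern ltrace exposed, a setuid-root program that decides "is admin" from getenv("admin"), beside a version that bases the decision on the caller's real UID instead. The function names, the presence-only test, the "root shell" return string and the fixed environment are my assumptions. The SUID candidate itself is found with the usual enumeration, find / -perm -4000 -type f 2>/dev/null.

```c
/* Added example: reconstructs the getenv("admin") pattern seen via ltrace,
 * not the room's actual checker source (unknown). Names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* --- vulnerable pattern ------------------------------------------------ */

/* The environment is supplied by the unprivileged caller and execve() hands it
 * to a setuid binary unchanged, so `export admin=1` satisfies this check.
 * Assumption: only presence is tested, so any value (even empty) works. */
int env_says_admin(void)
{
    return getenv("admin") != NULL;
}

const char *checker_vuln(void)
{
    if (!env_says_admin())
        return "Not an admin";
    /* a real setuid-root binary would do setuid(0); system("/bin/bash") here */
    return "root shell";
}

/* --- hardened pattern -------------------------------------------------- */

/* Decide from the kernel-maintained real UID, which the caller cannot forge.
 * The UID is a parameter so the logic can be exercised without running as
 * root; a real binary would pass getuid(). */
int uid_says_admin(uid_t real_uid)
{
    return real_uid == 0;
}

const char *checker_fixed(uid_t real_uid)
{
    if (!uid_says_admin(real_uid))
        return "Not an admin";
    return "root shell";
}

/* If a privileged child must be spawned at all, give it a fixed minimal
 * environment rather than the caller's (PATH, LD_*, IFS... are all attacker
 * input). Returns a NULL-terminated envp suitable for execve(). */
char **privileged_envp(void)
{
    static char *envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    return envp;
}

int main(void)
{
    printf("nothing exported:  vuln=%s\n", checker_vuln());
    setenv("admin", "1", 1);               /* the `export admin=1` step */
    printf("export admin=1:    vuln=%s   fixed(uid=%u)=%s\n",
           checker_vuln(), (unsigned)getuid(), checker_fixed(getuid()));
    return 0;
}
```

Compile with gcc and run it as a normal user with and without export admin=1: the vulnerable path flips to "root shell" on the environment alone, the fixed path does not. glibc's secure_getenv() (which returns NULL whenever the process runs with AT_SECURE, i.e. setuid or setgid) is the library-level safety net for exactly this mistake, but the real fix is never to gate privilege on anything the caller hands you.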