Nmap
Right off the bat we get some very useful information after running Nmap:-
- Four ports are open: 22, 80, 139 and 445
- The site is running WordPress 5.0
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6555003cf5153b14e722c1dd_bl1.png)
Getting both flags
Before we go any further, we have to add an entry for blog.thm to the /etc/hosts file.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/655500fd7078335f6228c4ce_bl2.png)
After visiting blog.thm, we immediately find two usernames we can possibly use to log in to the WordPress panel:
- bjoel
- kwheel
![](https://assets-global.website-files.com/65253d038bc23c6041109654/655501a21fd0fb591032773a_bl3.png)
In addition, the login page for WordPress is at "/wp-login.php".
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65550226abd61293c3106710_bl4.png)
At this point, it's wise to fire up wpscan and check out what we can find:
```
wpscan --url http://blog.thm/ --enumerate u
```
As you can see, wpscan also discovers the same usernames.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/655502cd3a999003c2d6f953_bl5.png)
Using wpscan again with the usernames we found, we can attempt to brute force the login page.
This can also be done with other tools, but it's a matter of personal preference.
First, add the usernames we found to a file called "usernames":-
```
kwheel
bjoel
```
And then use wpscan to brute force:-
```
wpscan --url http://blog.thm/wp-login.php --usernames usernames --passwords /usr/share/wordlists/rockyou.txt
```
Give it some time to run, and you'll find the password for Karen Wheeler (kwheel):-
```
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - kwheel / cut******
```
After logging in, you'll see that there's nothing really interesting here: we can't mess around with themes, and the drafted post has no valuable information.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65550474f011d7e659d6efaa_bl6.png)
However! It does reveal two important details:-
- The site runs WordPress 5.0 (which we also discovered using Nmap)
- It's using the Twenty Twenty theme
At a dead end like this one, the best bet is to look for known vulnerabilities in the software versions we've identified.
Now you can use Google or searchsploit to find a vulnerability/exploit, but the ones I found did not work.
So I turned to Metasploit.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/655505eb17e332a702441d44_bl7.png)
Pick the first (0) module, and set the required options.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65553b84d2a712bf075c63f0_bl8.jpeg)
Run the exploit and you'll get a meterpreter shell, which will come in handy later on.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65553b9093ef9c4a5f70360f_bl9.jpeg)
After digging around, we find what we presume to be the user flag in /home/bjoel/user.txt, but that's just a distraction as the actual user flag is somewhere else.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6555148d315e0c4831ea0ec5_bl10.png)
You may notice I downloaded a PDF from Billy's home folder. It has a hint, but it's not relevant, and you can solve this machine without reading it at all.
After looking around a bit more, using find to search for any other user.txt files yields nothing, so it's time to look at privilege escalation vectors.
After dropping into a shell, use the find command and you'll notice an interesting file with the SUID bit set: checker.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6555196a905776a1496c4741_bl11.png)
Running checker prints "Not an admin", so to find out what the program is actually doing we can trace its library calls:-
```
ltrace checker
```
As you can see, the program decides whether the user running it is an admin by reading the environment variable admin with getenv("admin"), rather than consulting the real user ID.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/655521c1399744b3e2346d49_bl12.png)
So we set the environment variable admin to 1 by running:-
```
export admin=1
```
And we're root!
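To make the root cause concrete, here is an added example (not the room's checker binary, whose source is not shown) that reconstructs the flawed environment-based check beside a corrected one. It assumes the original compares the value of admin against "1"; the page only confirms that getenv("admin") is the deciding call.

```c
/* Added example: a reconstruction of the checker's flawed admin test,
 * next to a version that a set-uid binary should use instead.
 * Assumption: the real binary compares getenv("admin") against "1";
 * the page only shows that getenv("admin") drives the decision. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Flawed: trusts a caller-controlled environment variable.
 * Any local user can satisfy it with `export admin=1`.
 * Returns 1 if the check passes, 0 otherwise. */
int is_admin_from_env(const char *admin_value)
{
    return admin_value != NULL && strcmp(admin_value, "1") == 0;
}

/* Corrected: identity comes from the kernel via the real uid (getuid()).
 * In a set-uid root binary geteuid() is always 0, so it must not be used
 * for this decision; only the real uid says who actually ran the program. */
int is_admin_from_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/* Mirrors the observed behaviour: "Not an admin" unless the check passes.
 * Returns the process exit status (1 = refused, 0 = allowed). */
int run_checker(int admin)
{
    if (!admin) {
        puts("Not an admin");
        return 1;
    }
    puts("Admin check passed");
    return 0;
}

int main(void)
{
    /* The flawed check, as the room's binary behaves under ltrace. */
    int flawed = is_admin_from_env(getenv("admin"));
    /* The hardened check, which `export admin=1` cannot influence. */
    int hardened = is_admin_from_uid(getuid());
    printf("env-based check: %d, uid-based check: %d\n", flawed, hardened);
    return run_checker(hardened);
}
```

Compile it, run it once as a normal user and once with `export admin=1`, and the env-based result flips while the uid-based result stays 0. glibc's secure-execution mode strips a handful of well-known variables (LD_PRELOAD, LD_LIBRARY_PATH and similar) from set-uid processes, but an application-defined variable such as admin passes through untouched, which is why a set-uid program must never derive authorisation from its environment.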
That's it :) We can then use find again, which reveals the user flag at /media/usb/user.txt, and the root flag is at its usual location, /root/root.txt.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65553b9e6a9844a689676cf1_bl13.jpeg)