Blog write-up THM
Another week, another write-up
Blog is a medium-difficulty room created by Nameless0ne on tryhackme.com.
I'll try my best to explain all the tools and methodologies used along the way.
The goal of this room is to teach:-
- Wordpress Enumeration
- Gaining a shell using a unique vulnerability for a specific Wordpress version
- Getting root privileges using a very creative vulnerability
So let's get started.
So, after starting up the room, the first thing we always do is to run an nmap scan to see all the open ports and services running on the machine.
nmap -sC -sV <machine-IP> -oN nmapscan
-sC:- runs nmap's default script set against the open ports
-sV:- probes the open ports to identify the service and version running on each
-oN:- saves the output in nmap's normal (human-readable) format to the given file
And from the result we can see:-
PORT STATE SERVICE
22 open ssh
80 open http
139 open netbios-ssn
445 open netbios-ssn
OK, let's check out port 80.
The next step is usually a quick directory scan, which will reveal more information about the website.
For this I tried a tool called dirsearch; it's pretty fast and easy to use:
python dirsearch.py -u <URL> -e <extensions like php,txt,aspx etc.> -w <wordlist>
Well, after looking at the directory scan results it looks like we have a WordPress-based website on our hands.
The enumeration phase isn't complete though; we still have the SMB shares to look at for more information.
For this I'll use a tool called enum4linux.
It's a good tool for enumerating Windows and Linux (Samba) shares.
enum4linux <machine-IP>
Look at that juicy share, BillySMB.
Let's look into it and see if we can find anything good; for this we'll use smbclient.
It is an FTP-like client for accessing SMB resources and shares on a server.
smbclient //<machine-IP>/BillySMB
We have 3 media files named Alice-White-Rabbit.jpg, tswift.mp4 and check-this.png.
We'll use a tool called steghide; it is a steganography tool which can hide data in, and extract data from, various types of audio and image files.
To extract data we'll use the following command:-
steghide extract -sf <filename>
Steghide has 2 main options:-
- embed (to hide data in a file)
- extract (to take hidden data out of a file)
The -sf flag is used with the extract option to select the stego file, i.e. the file that carries the hidden data.
Looks like we found a rabbit hole.
After messing around with the other 2 files found in this SMB share, they just lead to a song by Billy Joel and a song by Taylor Swift.
So this whole SMB share shenanigan didn't lead us anywhere.
Now, back to our "WordPress-based website".
To enumerate WordPress we can use a tool called wpscan.
wpscan is a WordPress vulnerability scanner; it can enumerate versions, plugins, themes and users, and can also be used as a brute-force attack tool.
We'll use the following commands for scanning this website:-
wpscan --url http://<machine-IP>/
A simple wpscan shows that xmlrpc.php is enabled on the website; whenever this file is enabled on a WordPress site, it exposes an extra login endpoint that makes the site vulnerable to brute-force attacks.
To read about this vulnerability in detail, check out this website:-
We were also able to find out the WordPress version this site is using, which will become useful later on.
Now all we need to find is users against whom we can perform a brute-force attack.
wpscan --url http://<machine-IP>/ -e u
-e :- this flag tells wpscan what to enumerate; it requires an argument.
u :- the argument we feed to -e; it tells wpscan to enumerate user IDs (usernames).
The -e flag has many other options to gather all kinds of information, such as the version, plugins, database exports, themes, etc.
Looks like we were able to find some users.
Now on to the attack phase.
To perform brute-force with wpscan:-
wpscan --url http://<machine-IP>/ -U <usernames.txt> -P <password-list.txt>
For this attack I used the rockyou.txt password list, and I put the usernames found above in a .txt file.
We didn't find a password for any of the other users, only for kwheel, so let's log in with her credentials.
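The brute force described above, seen from the defender's side: an added example (not from the write-up) that flags clients hammering the WordPress login endpoints (xmlrpc.php and wp-login.php) in a web server access log. The log lines are constructed sample data, not from the room, and the per-minute threshold is a tunable assumption.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache/nginx combined format), not from the room:
# one client POSTing to xmlrpc.php/wp-login.php in a burst, one normal visitor.
SAMPLE_LOG = """\
10.10.14.7 - - [12/Mar/2021:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.7 - - [12/Mar/2021:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.7 - - [12/Mar/2021:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.7 - - [12/Mar/2021:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2981 "-" "WPScan v3.8.7 (https://wpscan.org/)"
192.168.1.20 - - [12/Mar/2021:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2021:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Both endpoints accept WordPress credentials; xmlrpc.php is the one wpscan flagged.
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")

def login_posts_per_minute(log_text):
    """Count POSTs to the WordPress login endpoints per (client IP, minute)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        if path in LOGIN_PATHS:
            minute = m["ts"][:17]                  # "12/Mar/2021:10:01" -> one bucket per minute
            counts[(m["ip"], minute)] += 1
    return counts

def flag_bruteforce(log_text, threshold=3):
    """Return {ip: highest POST count in any single minute} for clients at or above threshold."""
    worst = {}
    for (ip, _minute), n in login_posts_per_minute(log_text).items():
        if n >= threshold and n > worst.get(ip, 0):
            worst[ip] = n
    return worst

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs in one minute (xmlrpc.php/wp-login.php)")
```

Blocking or rate-limiting xmlrpc.php at the web server (if the site does not need it) removes the endpoint the brute force relies on; the log check above still catches attempts against wp-login.php.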
Nice, we have an authenticated account.
Now, where to go from here?
Let's go back to the WordPress version we found.
To find information and vulnerabilities for this particular version of WordPress, I used a tool called searchsploit, which was suggested by my friend mastardet.
searchsploit <service-name>
The searchsploit result shows a vulnerability that can be exploited using Metasploit.
So let's fire up msfconsole (the command that starts Metasploit) and jump to the next phase of our attack.
> use exploit/multi/http/wp_crop_rce
> set <option-name> <value>
> run
Yay!! We have a shell as www-data.
After getting a shell, we'll find ways to escalate our privileges.
find / -perm -4000 2>/dev/null
What this command does is find and list every file with the SUID bit set (-perm -4000) that www-data can reach; 2>/dev/null discards the "Permission denied" errors from directories it can't read.
There is a very interesting SUID binary, /usr/sbin/checker; let's check it out.
To reverse-engineer this I used a tool called ltrace, which traces the library calls a program makes.
This is the ltrace output:-
getenv("admin") = nil
puts("Not an Admin"
Not an Admin
) = 13
++ + exited(status 0) ++ +
What "checker" is doing is calling getenv() on the "admin" environment variable; it returns nil because "admin" is not set, so running "checker" prints "Not an Admin".
Since only the presence of the variable is checked, giving "admin" any value at all changes checker's behaviour and gets us root privileges.
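An added example (not from the write-up) for auditing this kind of flaw: it pulls the environment variables a binary consults out of an ltrace capture, which is exactly what the trace above revealed by hand, and models why a presence-only getenv() check is not an authorization check. The ltrace text is constructed to mirror the trace above, and the decision functions are a model of the behaviour, not checker's actual code.

```python
import os
import re

# Constructed ltrace capture mirroring the write-up's trace of /usr/sbin/checker,
# plus one set variable so the parser shows both outcomes.
SAMPLE_LTRACE = """\
getenv("PATH") = "/usr/bin:/bin"
getenv("admin") = nil
puts("Not an Admin") = 13
+++ exited (status 0) +++
"""

# ltrace prints getenv() as: getenv("NAME") = nil | 0x... | "value"
GETENV_RE = re.compile(
    r'^getenv\("(?P<name>[^"]+)"\)\s*=\s*(?P<value>nil|0x[0-9a-fA-F]+|"[^"]*")'
)

def env_vars_consulted(ltrace_text):
    """Return [(name, was_set)] for every getenv() call in an ltrace capture.
    A SUID binary reading caller-controlled variables is a finding to look at."""
    found = []
    for line in ltrace_text.splitlines():
        m = GETENV_RE.match(line.strip())
        if m:
            found.append((m["name"], m["value"] != "nil"))
    return found

def checker_decision(env):
    """Model of the flawed logic the trace suggests: the caller is treated as an
    admin whenever 'admin' exists in the environment, whatever its value."""
    return env.get("admin") is not None

def hardened_decision(real_uid):
    """What a SUID helper should do instead: decide on the real uid the kernel
    reports for the caller, never on the environment the caller controls."""
    return real_uid == 0

if __name__ == "__main__":
    print(env_vars_consulted(SAMPLE_LTRACE))
    print(checker_decision({}), checker_decision({"admin": ""}))   # False True
    print(hardened_decision(os.getuid()))
```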
Hence, this way we got root and cracked the box!!