THM's Blog

It looks like Billy Joel is in need of a career change and he is starting a blog. I will walk through this room and give some help to people in case you are struggling with it. This room took me a little bit of time to work through, enough with the chit chat let's start the walk through.
The first thing I always do with any room is use nmap to see what ports are open. The specific command is nmap -sV -sC -oA server/nmap IP_ADDRESS
. The output that I got from this room is seen below.

While nmap is running I like to run gobuster to see what other pages are available. gobuster dir -u http://SITE OR IP -w PATH_TO_WORDLIST
. This scan let me know that this is a wordpress site.
So, now it is time to visit the page and see what I can find. I confirm what gobuster tells me as this is a Wordpress site. You can find the version of the page through the nmap scan of the website, I don't want to give away to many answers. ;)

Since I know that this is a Wordpress site I will use wpscan to enumerate the site and see what other information that I can get from it. The first thing that I want to do is see what users can be enumerated with the tool. wpscan --url http://ADDRESS --enumerate u
. This will output two users that can be used to try and login to the admin panel of this site.
WPscan can be used to brute force passwords or you can use hydra to do the same. Hydra will be a faster solution and that is what I am going to use to try and get the password. hydra -l kwheel -P PATH_TO_WORDLIST blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username" -vV -f
Hydra will find the password provided the correct word list. When you have that password you can log onto the Wordpress website and take a look around. Once on the site you will notice the version of Wordpress that is running on it.
The next step is to try and figure out how to get onto the server. After some searching I found a vulnerability that can be used through Metasploit. Hint: search for something to do with image.

After running the exploit in metasploit I now have a shell on the box. Time to stabilize the shell. That is done with the following python script python3 -c 'import pty; pty.spawn("/bin/bash")'
. Now I can poke around to see what is available to us. I will now see if I can easily find the user.txt file. Using the find command find / -name user.txt 2>/dev/null
to search the whole system for a user.txt file.
I found one in Billy's home folder but it isn't that easy with this box. Time to do what the text file says and "try harder."

Since the easy way will not work here, I will do the next thing that I usually do and search for files with the setuid set. find / -perm -4000 2>/dev/null
and see what files are returned.

There is one file in that long list that looks interesting. I won't give that away but after taking a look at where it is and what it does I suspect that I can use it to elevate ourselves on this box.

Once you figure out how to run the correct program I can see the user.txt file that I have been searching for. The file is in the /media/usb/
folder and using the cat command I can see the flag in there. The root flag is in the typical folder where root level stuff is stored. Once you have all the flags you can submit them to the room and you now have completed the room.
If you have any feedback or questions please email me. As always have a great day and I hope that this was helpful for you.