WordPress Blog | TryHackMe WalkThrough
Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…
In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.
First we do nmap scan
as you can see, there are 4 ports open. Let’s try to discover samba port.
Download all file on BillySMB, looks we get three files.
there are images with jpg extension. There doesn’t seem to be anything interesting, but we try to look for hidden information there, we find the text file.
let’s try to download the text embedded in the image.
It looks like we don’t get anything in that file, just a rabbit hole.
switch to the website from the target IP, you can see there is a website with the content “a note from mom”
with this little information, let’s try to enumerate using gobuster. We get a few directories, the /admin directory is the one that caught my attention.
let’s try to access that directory, and it looks like the directory is successful to access.
because the cms used is wordpress, let’s try to re-enumerate it using wpscan. but I didn’t find any interesting information.
Look into REST end points. users can be listed with the route “/wp-json/wp/v2/users” and we can find two usernames.
let’s try to do brute force for both usernames to login to the admin directory.
We managed to do brute force with username kwheel.
Yes, we have entered, let’s try to find information, look at the version of Wordpress being used.
i tried to find a vulnerability that exists in this version of wordpress, and i found it in exploit database.
we try to do the same thing in msfconsole, and we find it, then use this payload.
do “show options” it looks like we need a username, password, rhost, and lhost. and we already have all that information :)
set the required options and run the exploit, and boom… we’re in.
let’s try to find more information.
log in using the shell.
Let’s try opening the wp-config.php file to find interesting information in it. and we find the database with the password.
We try to enter the MySQL database, with the password that we got.
we try to find interesting data, we find two username and password hashes, I try to crack it, but I can’t crack it.
let’s try the suid executable contained in it. kita menemukan checker.
let’s try to execute it. and i get root access :)
let’s try to find the flag we were looking for, and we found it.
we found another flag :)
Where was user.txt found?
Answer: /media/usb
What CMS was Billy using?
Answer: wordpress
What version of the above CMS was being used?
Answer: 5.0
D0N3! ; )
Happy Hacking… :)
You can follow me on social media:
