Blog TryHackMe Box Writeup

Cyb0rgBytes
3 min read · Oct 6, 2023


Every penetration test starts by examining the target, beginning with information gathering:

Let's start with nmap as our information gathering tool of choice.

Scan Results with Nmap.

We found a couple of open ports, with the services shown in the screenshot above.

Next, let's start enumerating our target with our tool of choice, gobuster:

Enumeration Results with GoBuster.
Found two users using an auxiliary module in Metasploit.

As we can see in the results above, we found two usernames: bjoel and khweel. Maybe we should try to brute-force the login page with those users in mind, with common passwords perhaps?

Moving along.

Next we run the wpscan tool to conduct a vulnerability test on the WordPress site; in this case we are looking for the password of the user khweel:

Running the wpscan tool against the user with the well-known wordlist “RockYou”.

BINGO!

The password for khweel is found, which is “XXXXX”.
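From the defender's side, a password-guessing run like the one above is loud: it shows up in the web server's access log as a burst of POST requests to the login page from one source. As an added example (not part of the original writeup, and not wpscan's code), here is a small Python detector that parses combined-format access-log lines and flags any source IP that fails the WordPress login at least ten times within a minute. The log lines, the IP addresses and the user-agent strings are constructed sample data; the threshold and window are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the common "combined" access-log format used by Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we care about from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that fail a POST to /wp-login.php at least `threshold` times inside
    any `window`-long interval. WordPress answers a failed login with 200 (the form is
    re-rendered) and a successful one with a 302 redirect, so 302s are not counted."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php"
                and rec["status"] != 302):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'

# Constructed sample log: one source hammering the login form, one normal user who logs in once.
SAMPLE_LOG = [
    _line("10.10.14.5", f"06/Oct/2023:12:00:{s:02d} +0000", "POST", "/wp-login.php", 200, "scanner/1.0")
    for s in range(0, 36, 3)                    # 12 failed attempts in 33 seconds
] + [
    _line("192.168.1.20", "06/Oct/2023:12:00:10 +0000", "GET", "/", 200, "Mozilla/5.0"),
    _line("192.168.1.20", "06/Oct/2023:12:00:40 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
    _line("192.168.1.20", "06/Oct/2023:12:00:41 +0000", "GET", "/wp-admin/", 200, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {n} failed logins within 60s")
```

Run it against a real access log with `find_bruteforce(open("/var/log/apache2/access.log"))`; the sliding window means a slow, spread-out run stays under the threshold, which is exactly the case where rate limiting or lockout on the login page helps more than log review.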


After some digging I found out that WordPress 5.0 is affected by multiple known vulnerabilities.

One of those vulnerabilities is: WordPress Crop-image Shell Upload.



This exploit is also available in Metasploit, and we can use it as follows:

Using the RCE to get a shell.
Exploit completed and gained an initial shell.

After gaining a foothold on the machine and looking for a possible privesc, I found some creds:

define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');

Let's keep these credentials for later; we might need them, and we might not!

We run this command to check for SUID files that www-data has access to:

find / -perm -4000 2>/dev/null

One interesting binary is /usr/sbin/checker; let's check it out:
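A custom setuid binary like /usr/sbin/checker is exactly the kind of thing a defender wants to catch before anyone else does. As an added example (not part of the original writeup), the Python below does what the `find / -perm -4000` command does, then diffs the result against a baseline of setuid binaries that are expected on the host, so anything new stands out. The baseline set and the skipped pseudo-filesystem directories are constructed assumptions; build a real baseline from a known-good image of the same distribution.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on this host. In practice, record it from
# a known-good image of the same distribution, never from a box you already suspect.
KNOWN_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, nothing to audit there

def is_suid_mode(mode):
    """True for a regular file with the setuid bit set. `find / -perm -4000` also lists
    non-regular entries with the bit set; only executables matter for this audit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def enumerate_suid(root="/"):
    """Walk `root` and return the set of setuid files, without following symlinks."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # unreadable or vanished mid-walk
                continue
            if is_suid_mode(st.st_mode):
                found.add(path)
    return found

def unexpected_suid(found, baseline=KNOWN_SUID):
    """Paths that carry the setuid bit but are not in the approved baseline."""
    return sorted(found - baseline)

if __name__ == "__main__":
    for path in unexpected_suid(enumerate_suid("/")):
        print("unexpected SUID binary:", path)
```

Running this on a schedule and alerting on a non-empty result turns a one-off privesc hunt into a standing control; file-integrity tools do the same job at scale, but the logic is no more than what is shown here.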

Checker executable in sbin (interesting privesc).
Reverse engineering it with ltrace.

And finally I managed to crack this open and get root!

Thanks for reading everyone, and see you in the next one!

Gained root on the box!


Written by Cyb0rgBytes

A passionate and defensive type of ethical hacker, booted and ready to secure the world.
