[Blog] – CTF Walkthrough – TryHackMe

Billy Joel made a blog? First, we need to follow the instructions and add blog.thm to our /etc/hosts file (Windows users, your hosts file is under system32, somewhere).

Right away, browsing to the blog, we can see WordPress, an author level user with the account kwheeler (Karen Wheeler), who is supposedly Billy Joel’s mom and 2 comments created. We make note of the default 2020 theme, as well as the WordPress 5.0 generator meta tag (it’s already vulnerable). We can also add bjoel as target WordPress users from the comments (as well, nmap detected this, so.. doubly exposed).

We’ll be wanting to WPScan this. We also have several SMB shares (samba, ubuntu), Apache 2.4.49, OpenSSH.. at this point, I go ahead and start a brute force on bjoel with the rockyou wordlist (might work), over SSH.

Copy to Clipboard

Choosing Bill Joel’s account instead of Karen didn’t come from nowhere. For starters, kwheeler is the WordPress administrator, we’ll likely get her credentials more easily. But, first and foremost, one of the Samba shares is “BillySMB”, so clearly he has a user level account on the system (or it’s extremely likely).

We notice our hydra bruteforce is bogging down the VM, so we cancel it for now. Lets go ahead and grab the files off of BillySMB.

Copy to Clipboard

While we’re fucking around, WPScan cracks kwheel’s wordpress user wide open, password is cutiepie1. We launch metasploit and run ‘search wordpress 5.0’ and we immediately find remote code execution. Rather than fiddle around outside of a pty, we try to ssh in with those credentials to no avail. So, metasploit it is. We shut down our scanners, brute forcers and all of that. The exploit wp_crop_rce works just fine, gives us www-data user access and we elevate privileges with sudo_baron_samedit. The box is rooted.