https://tryhackme.com/room/blog billy joel made a wordpress blog.
Notes
Billy Joel thinks he’s hot shit and made a blog. Our task is to enumerate the machine and find 2 flags. He also has some weird shit going on in his laptop and we need to watch for rabbit holes.
Start by nano /etc/hosts and adding the blog to our hosts file.
Also started an nmap scan and with smbclient we find some strange files, probably the rabbit hole, but save them for later regardless.
Going to start some gobuster scans.
gobuster dir -u http://blog.thm -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -x txt,php
nothing really here other than robots.txt.
running wpscan give us wordpress 5.0 which has a few exploits in searchsploit. one is a metasploit plugin WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit) php/remote/46662.rb running this looks like we need a username and password.
running hydra on bjoel seems to take a while maybe kwheel will return results.
hydra -l kwheel -P /usr/share/seclists/Passwords/rockyou.txt blog.thm http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+in&testcookie=1:The password you entered"
and we get a pass kwheel:cutiepie1 with these creds we can run the shell upload exploit in metasploit console and get a www-data shell.
sudo -l gives us nothing but find -perm -u=s 2>/dev/null gives us a file called checker. checking the operation of this file it seems to be a code to check if we are admin or not.
setting our admin enviroment variable to 1 export admin=1 will setiud(0) and spawn us a root shell.
we can then use find to see the user.txt is stored in /media/usb/, then cat /root/root.txt for the final flag.