THM - Billy Joel blog.
Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole….
This is another medium rated box.
nmap says we’ve got 22 (SSH), 80 (HTTP) plus 139 and 445 (SMB).
We can enumerate the shares with smbclient and then login to the BillySMB share, from where we can retrieve a PNG image of a QR code, an MP4 and a JPEG of the White Rabbit from Alice in Wonderland. The QR code leads to a Billy Joel YouTube video and the JPEG can be popped open with steghide to reveal a message advising it is a rabbit hole. The video is a Taylor Swift song interwoven with a goat bleating.
Let’s put aside the contents of the SMB share for now.
Firstly we add blog.thm to /etc/hosts. This may not be necessary but I usually do it anyway.
The website makes it pretty obvious it’s running WordPress, so we’ll run wpscan:
root@kali:/opt/tryhackme/blog# wpscan --url http://blog.thm -e -v
From this we get two usernames (bjoel and kwheel), and learn that XMLRPC is open. There is an authenticated RCE vulnerability in this version of Wordpress, but we’ll need some credentials so an XMLRPC password attack seems a reasonable course of action.
Wpscan can do the XMLRPC attack, but I used Burp Turbo Intruder. Doing we, so obtain the password cutiepie1 for user kwheel.
There is a metasploit module we can use to run the exploit, which is
msf5 exploit(multi/http/wp_crop_rce) >
Once I’m in I just drop into shell and spawn bash:
python3 -c 'import pty;pty.spawn("/bin/bash");'
We can find the database credentials in wp-config.php:
/ MySQL database username /
/ MySQL database password /
And then we can log into the database:
www-data@blog:/dev/shm$ mysql --host=127.0.0.1 --port 3306 -u wordpressuser -p
Enter password: LittleYellowLamp90!@
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 38102
Server version: 5.7.30-0ubuntu0.18.04.1 (Ubuntu)
Once we are in, we can get the hashed passwords:
mqsql> show databases;
mysql> use blog;
mysql> show tables;
mysql> select * from wp_users;
select * from wp_users;
and for kwheel:
Hashcat happily cracks cutiepie1 for kwheel, but won’t do the bjoel hash with rockyou and best64 rules, so presumably we need to look elsewhere.
With some enumeration (via linenum.sh or otherwise) we can find a slightly unusual binary: /usr/sbin/checker
Running this binary we get the message ‘Not an admin’. Curious. We can download the file and trivially dissamble it with Ghidra, which reveals the following:
Essentially if the environment variable ‘admin’ exists and is not zero, we will get a root shell.
So let’s do that then
It’s fairly simple:
And that’s it. Now run
And we get:
And we can retrieve the flags.