
Monday, July 20, 2020

THM :Blog (Billy Joel made a Wordpress blog!)

Hi all,

Today we are going to play with Billy Joel in the TryHackMe room "Blog". Let's start:

I started my enumeration by running nmap against the target:



So we have SSH, HTTP and Samba services on this server. Great, let's see what's on the web server:




Powered by WordPress. The first thing that came to mind is wpscan, to get some information about the version:



Yes, it's version 5.0, which suffers from an authenticated RCE if you have an author account, so we need an account. OK 😃, we also have a Samba service, so let's see whether it holds any information that can help (enum4linux result):


Hmm, a directory that can be listed:


Let's explore those files: nothing found. A dead end, not even a rabbit hole.

On the main page I noticed that there are two authors, bjoel and kwheel:



So I think I have to try a brute force, and one of them will give me access.

Result (rockyou password list): nothing found for bjoel, but a password found for kwheel. Now I have everything needed for the RCE.

I googled a lot of resources about the vulnerability. As a security noob I'm not going to build the exploit manually, so I'm going to use Metasploit:


Yes! I'm on the server. OK, let's look for the user flag:


Ha, OK Joel, nice message.

Since I can't find user.txt from this position, I'm thinking of enumerating to get root directly.

I used the LinEnum.sh script and found something new:


It's the first time I've seen a binary like that, so I decided to download it to my local machine to explore the file.



I have a little experience with binary exploitation. After disassembling:


So the binary calls the C function getenv, which returns the value of an environment variable (or NULL if the variable is not set). Great; in our case, which variable?


So it looks for an admin variable in the environment. As a first test I tried to create an environment variable 'admin' without any value. Result:





So which value do I have to give this admin variable? From analysis of the binary it seems 0:


After the call to getenv there is a comparison between 0 and a value on the stack, which decides the jump instruction (je). The value on the stack is the pointer getenv returned, so the comparison with 0 is a NULL check: the binary is only testing whether the admin variable exists in the environment at all, and it does not care what the value is. Setting admin=0 makes getenv return a non-NULL pointer, the je is not taken, and we go down the privileged path:


Yes, we did it:


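To make that decision reproducible off the box, here is an added stand-in for the SUID binary (example code written for this post, not the binary from the room; the function names, the file name envcheck and the printed strings are my assumptions). It implements exactly what the disassembly shows: getenv("admin"), save the pointer, compare with 0, branch. Because a SUID binary inherits its environment from the unprivileged caller, trusting that variable is the whole bug; the is_admin_safe function shows the check that does not depend on attacker-controlled input.

```c
/* Added example: a local stand-in for the checker binary found on the
 * target. Not the original binary; names and messages are assumptions.
 * Build and run:
 *   gcc -o envcheck envcheck.c
 *   ./envcheck            # "Not an Admin"
 *   admin=0 ./envcheck    # admin check passes, shell is spawned
 *   admin=  ./envcheck    # empty but exported: getenv is non-NULL, passes
 *   export admin; ./envcheck  # never assigned: not exported, fails
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The decision the disassembly describes: call getenv("admin"), store
 * the returned pointer on the stack, "cmp ..., 0" and "je". A NULL
 * pointer means the variable is absent from the environment; any
 * assigned value ("0", "", "x") makes it non-NULL and the branch is
 * not taken. The content of the variable is never inspected. */
int is_admin_env(void)
{
    const char *admin = getenv("admin");
    return admin != NULL;
}

/* The check a privileged binary should use instead: ask the kernel who
 * the real caller is. The environment is fully controlled by the
 * unprivileged user who executes a SUID program, so it can never be
 * evidence of authorisation. */
int is_admin_safe(void)
{
    return getuid() == 0;
}

/* What the target binary does with the decision. Without the SUID bit
 * setuid(0) fails and the shell runs as the current user, which is
 * enough to see the control flow locally. */
int fake_checker(void)
{
    if (!is_admin_env()) {
        puts("Not an Admin");
        return 1;
    }
    /* On the target this is root: the binary is SUID root and any local
     * user can reach this branch with "admin=0 ./checker". */
    if (setuid(0) != 0)
        perror("setuid (expected without the SUID bit)");
    return system("/bin/bash");
}

int main(void)
{
    return fake_checker();
}
```

The assumption-free part is the comparison itself: getenv returns NULL only when the variable is absent, so the first attempt in the post fails only if admin was never actually exported with a value, and any assignment (0 is just the shortest) takes the privileged branch.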
Now reading root.txt and user.txt is a piece of cake.

I hope you enjoyed reading; see you next time.


Kind regards

Abdel



