Blog
The room recommends mapping the machine's IP address to the hostname "blog.thm" in your /etc/hosts file. Without this entry the site's links will not resolve, so do it before anything else.
To begin, scan the machine's open ports with both rustscan and nmap: rustscan finds the open ports quickly, and nmap's service and version detection then tells you what is actually listening on them. Together they give a much clearer picture of the exposed services and where to look for weaknesses.
nmap
rustscan
Before visiting the website, I tried to gather information about SMB shares with the enum4linux tool.
I downloaded three files, but they didn't contain useful information. Now I'm moving on to the website to see if there's anything there that could help.
We had already found a user, so I used wpscan to brute-force that user's password. After minutes of waiting I got nothing, so I enumerated users instead and found another one -> kwheel
Found the password for the kwheel user.
The room description contains a crucial clue pointing to a specific CVE that we need to leverage; this is the key to moving forward in the challenge.
There are two ways to exploit it: a standalone script or the Metasploit framework.
I got access to the machine and, after a lot of enumeration, found a binary with the SUID bit set -> /usr/sbin/checker
Let's download the binary and use reverse-engineering tools to understand what it does.
Examining the decompiled code shows that the binary reads the environment variable "admin" and, when its check passes, gives the caller a root shell. The author sets admin to 0 before running /usr/sbin/checker, which is enough to elevate privileges. The root cause is that a SUID binary is making an authorization decision based on an environment variable, and the unprivileged caller fully controls the environment the binary starts with.
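The following C program is an added example, not the room's binary or the author's code. It re-implements the kind of decision logic the writeup describes, under the labelled assumption that the check only tests whether getenv("admin") returns a non-NULL pointer rather than comparing its value. Under that assumption any assigned value passes, including the author's admin=0 and even an empty string, which is exactly why an environment-based check is worthless in a SUID program. A hardened counterpart that decides on the kernel-reported real UID instead is shown alongside it; no shell is actually spawned.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable check, modelled on the writeup's description of
 * /usr/sbin/checker. ASSUMPTION (not shown on the page): the binary only
 * tests whether the variable exists. getenv() returns a non-NULL pointer
 * for any variable that is set, so "admin=0", "admin=1" and "admin=" all
 * satisfy it; only an unset variable fails. */
int admin_env_present(void)
{
    return getenv("admin") != NULL;
}

/* Set the variable to `value` (or unset it when value is NULL) in this
 * process and report what the vulnerable check would decide. This mirrors
 * what an attacker does with `export admin=0` before running the binary. */
int probe_with_admin(const char *value)
{
    if (value == NULL)
        unsetenv("admin");
    else
        setenv("admin", value, 1);
    return admin_env_present();
}

/* Hardened counterpart: a SUID program must never derive authorization
 * from the environment, which the unprivileged caller controls. The only
 * trustworthy input here is the real UID the kernel supplies. */
int hardened_is_admin(uid_t real_uid)
{
    return real_uid == 0;
}

int main(void)
{
    /* Constructed test values, including the edge cases "0" and "". */
    const char *values[] = { "0", "1", "" };
    size_t n = sizeof values / sizeof values[0];

    printf("admin unset   -> %s\n",
           probe_with_admin(NULL) ? "root shell" : "Not an Admin");
    for (size_t i = 0; i < n; i++)
        printf("admin=\"%s\"%*s -> %s\n", values[i], 8 - (int)strlen(values[i]), "",
               probe_with_admin(values[i]) ? "root shell" : "Not an Admin");

    printf("hardened check for real uid %u -> %s\n", (unsigned)getuid(),
           hardened_is_admin(getuid()) ? "admin" : "Not an Admin");
    return 0;
}
```

The takeaway for the room is that the value assigned to admin is irrelevant under this logic; what matters is that the caller can set it at all. The same lesson applies to PATH, LD_PRELOAD and every other variable a SUID binary might consult: authorization has to come from the kernel (real UID, groups) or from a file the caller cannot write, never from the process environment.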