TryHackMe: Blog Room Write-Up

Introduction

In this write-up, I will walk through the steps I took to solve the "Blog" room on TryHackMe. The challenge involved reconnaissance, WordPress enumeration, and privilege escalation through a binary whose authorization check relies on an environment variable.

Machine Details

  • Room URL: TryHackMe Blog
  • Target IP: 10.10.180.14
  • /etc/hosts File Update: 10.10.180.14 blog.thm


Enumeration

Nmap Scan

First, I performed an aggressive full port scan to discover open services:

nmap -Pn -p- -sVC -T4 10.10.180.14

Nmap Findings:

  • Port 22 - SSH
  • Port 80 - HTTP (Web Server)
  • Ports 139, 445 - SMB (Samba)


WordPress Enumeration

Using wpscan, I scanned the WordPress instance for vulnerabilities and user enumeration:

wpscan --url blog.thm -e

Findings:

  • WordPress Version: 5.0
  • Active Theme: TwentyTwenty
  • Discovered Users: kwheel, bjoel

To brute-force the login form with the two discovered usernames (the site is served over plain HTTP on port 80):

wpscan --url http://blog.thm/wp-login.php -U kwheel,bjoel -P /usr/share/wordlists/rockyou.txt

Successful credentials:

  • Username: kwheel
  • Password: cutiepie1


Initial Access

Using the discovered credentials, I logged into the WordPress admin panel and, from there, obtained a shell on the box as www-data.


Privilege Escalation

To escalate privileges, I ran linpeas.sh (LinPEAS), an automated local enumeration script, to identify potential privilege escalation vectors.

Exploiting checker

One interesting finding was the presence of a binary named checker. Running ltrace on it revealed that it looks up an environment variable named admin.

Tools and Techniques Used:

  1. LinPEAS - A script that automates local enumeration and helps find privilege escalation paths.
  2. ltrace - A tool that traces the dynamic library calls a program makes, which reveals how a binary behaves without reading its source.
  3. Environment Variable Manipulation - Abusing an authorization check that trusts an environment variable the caller controls.

Steps to Exploit:

which ltrace
ltrace checker

Output:

getenv("admin") = nil
puts("Not an Admin")

This output shows that the program looks up an environment variable named admin and, finding it unset, prints "Not an Admin". If it is set, the program might grant higher privileges. Because the environment is under the caller's control, we export the admin variable and rerun the binary:

export admin=1
checker

With the variable set, the binary grants us elevated privileges, which gives access to the following flags:

  • User Flag: /media/usb/user.txt
  • Root Flag: /root/root.txt

The flag files can be located with find (replace <file_name> with user.txt or root.txt):

find / -name '<file_name>' 2>/dev/null
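The write-up does not show checker's source, so the C below is an added reconstruction (an assumption, not the room's binary) of the decision the ltrace output implies, set beside a check that derives authority from the caller's real uid instead; the sample environments and the function names weak_is_admin and strong_is_admin are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

/* Constructed sample environments (not from the target) used by main() below. */
char *const ENV_PLAIN[] = {"PATH=/usr/bin", "HOME=/home/kwheel", NULL};
char *const ENV_ADMIN_SET[] = {"PATH=/usr/bin", "admin=1", NULL};
char *const ENV_LOOKALIKE[] = {"administrator=1", "xadmin=1", NULL};

/* Mimics getenv() over an explicit environment array so the decision can be
 * exercised on constructed input: returns the text after "name=" or NULL. */
static const char *env_lookup(char *const envp[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Reconstruction (an assumption, not the room's source) of what the ltrace
 * output implies: the caller counts as admin whenever the variable exists.
 * The environment is supplied by whoever runs the binary, so this check
 * authorizes anyone who sets the variable before executing it. */
int weak_is_admin(char *const envp[]) {
    return env_lookup(envp, "admin") != NULL;
}

/* Hardened decision: derive authority from the real uid the kernel recorded
 * for the caller. In a setuid helper the effective uid may be 0, but getuid()
 * still reports who invoked it, and that value cannot be set from the shell. */
int strong_is_admin(uid_t real_uid) {
    return real_uid == 0;
}

int main(void) {
    printf("env check, plain env:   %s\n", weak_is_admin(ENV_PLAIN) ? "Admin" : "Not an Admin");
    printf("env check, admin set:   %s\n", weak_is_admin(ENV_ADMIN_SET) ? "Admin" : "Not an Admin");
    printf("env check, this shell:  %s\n", weak_is_admin(environ) ? "Admin" : "Not an Admin");
    printf("uid check, real uid %u: %s\n", (unsigned)getuid(),
           strong_is_admin(getuid()) ? "Admin" : "Not an Admin");
    return 0;
}
```

Running it once normally and once after `export admin=1` reproduces the behaviour seen through ltrace, while the uid-based result stays the same regardless of the environment.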

Conclusion

This room demonstrated key aspects of web application penetration testing, including:

  • WordPress Enumeration
  • Credential Brute Force
  • Privilege Escalation via Environment Variables

MD MAMUN MIA

eJPT Certified || RED Teamer || Penetration Tester || OSINT || CTF Player || TryHackMe Top 2% Worldwide

3 weeks

Insightful

Md Mosabbir Hossain

CEH Practical || eJPT || Top 2% TryHackMe || Red Teamer || Cyber-Security Enthusiast || BugHunter (Part-Time)

3 weeks

Insightful

More articles by Sondip Roy
