Hacking Bill Joel Blog — TryHackMe

The intermediate level machine to hack into the Bil Joel Blog.

The goal of this room was :-

>Wordpress Enumeration
>Gaining a shell using a unique vulnerability for a specific Wordpress version
>Getting root privileges using a very creative vulnerability

Initially I scanned for reconnaissance for open ports and services.

I found the webpage running, after enumeration it was Wordpress site. Brute forcing the directories showed up the admin page.

I used WPSCAN to enumerate all the users available were kwheel, bjoey.

Great, now we got usernames and now I brute forced the webpage and got the credentials of user kwheel. Since it’s version was 5.0, so after some googling, I imported the exploit module and was able to gain access successfully using meterpreter.

I than ran the command find / -perm -4000 2</dev/null. From all the files the interesting one came out was /usr/sbin/checker. It was first unreadable.

After reverse engineering by ltrace

This was the ltrace output:-

getenv(“admin”) = nil
puts(“Not an Admin”
Not an Admin
) = 13
++ + exited(status 0) ++ +

What this “checker” is doing is calling a getenv() on “admin” variable and returning its value i.e. “nil”, because the “admin” environment variable does not exist, so on running “checker” it’s giving the output “Not an admin”

We can give admin variable any value to exploit the vulnerability of “checker” and get root privileges. I gave my name ;-)

And we are root!!!. During enumeration user.txt flag was found at /media/usb.

That’s all for now!!

Until Next Time,

For any doubts feel free to ping me:-

LinkedIn :-https://www.linkedin.com/in/user-neeleshpatel/

“i missed the event for the hack also”

— — — — — — — — — — — — —