Hacking Bill Joel Blog — TryHackMe

An intermediate-level machine: hacking into the Bill Joel Blog.

The goals of this room were:

> WordPress enumeration
> Gaining a shell using a unique vulnerability for a specific WordPress version
> Getting root privileges using a very creative vulnerability

Initially, for reconnaissance, I scanned for open ports and services.

I found a web page running; after enumeration it turned out to be a WordPress site. Brute forcing the directories revealed the admin page.

I used WPScan to enumerate the users; the available ones were kwheel and bjoey.

Great, now that we had usernames, I brute forced the login page and got the credentials of user kwheel. Since the WordPress version was 5.0, after some googling I imported the exploit module and was able to gain access successfully using meterpreter.

I then ran the command find / -perm -4000 2>/dev/null to list the SUID files. Of all the files, the interesting one was /usr/sbin/checker. It was unreadable at first.

After reverse engineering it with ltrace, this was the output:

getenv("admin") = nil
puts("Not an Admin"
Not an Admin
) = 13
+++ exited (status 0) +++

What “checker” does is call getenv() on the “admin” variable. The call returns “nil” because the “admin” environment variable does not exist, so running “checker” prints “Not an Admin”.

We can give the admin variable any value to exploit the vulnerability of “checker” and get root privileges. I gave my name ;-)

And we are root!!! During enumeration, the user.txt flag was found at /media/usb.
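The flaw in “checker”, shown beside a hardened form, as an added example that is not code from the room or from this write-up. The vulnerable function is an assumption reconstructed from the ltrace output; the group IDs, `admin_gid` and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample group list for the demo (hypothetical GIDs). */
const gid_t SAMPLE_GROUPS[] = {1000, 27};

/* Assumed logic of "checker", inferred from the ltrace output: the mere
 * presence of the caller-controlled "admin" variable is the whole check. */
int is_admin_vulnerable(void) {
    return getenv("admin") != NULL;
}

/* Hardened decision: rely on identity the kernel maintains (real UID and
 * group list), which the invoking user cannot set like an environment
 * variable. admin_gid is a hypothetical group chosen by the system owner. */
int is_admin_hardened(uid_t ruid, const gid_t *groups, int ngroups, gid_t admin_gid) {
    if (ruid == 0)
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == admin_gid)
            return 1;
    return 0;
}

/* Apply the hardened check to the calling process; fail closed on error. */
int caller_is_admin(gid_t admin_gid) {
    gid_t groups[256];
    int n = getgroups(256, groups);
    if (n < 0)
        return 0;
    if (getgid() == admin_gid)
        return 1;
    return is_admin_hardened(getuid(), groups, n, admin_gid);
}

/* Demo helper: set (value != NULL) or clear the "admin" variable. */
int set_admin_env(const char *value) {
    return value ? setenv("admin", value, 1) : unsetenv("admin");
}

int main(void) {
    set_admin_env("anything");
    printf("env-based check with admin set: %d\n", is_admin_vulnerable());
    printf("hardened, uid 1000, admin_gid 4: %d\n",
           is_admin_hardened(1000, SAMPLE_GROUPS, 2, 4));
    printf("hardened, this process, admin_gid 27: %d\n", caller_is_admin(27));
    return 0;
}
```

A SUID program should also drop its elevated privileges as soon as the check fails, instead of continuing to run as root.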

That’s all for now!!

Until Next Time,

For any doubts, feel free to ping me:

LinkedIn: https://www.linkedin.com/in/user-neeleshpatel/

“i missed the event for the hack also”

Neelesh Patel
