A medium level TryHackMe room that exploits image cropping to privesc. The vulnerability is documented in CVE-2019-8943.
First and foremost, add blog.thm to your /etc/hosts file as the room says:
In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.
Let’s first do some scanning to see where we can get a foothold.
Checking out the website, everything looks normal. I usually check whether robots.txt exists on the website.
Navigating to it just shows a normal WordPress login. Let's check out the Samba shares on port 139. I used enum4linux to enumerate the Samba service and I got some interesting shares.
Let's connect to the shares and check out their contents.
After checking all of them, they turned out to be rabbit holes and a waste of time. I did a scan on the website using wpscan and got some interesting results.
Which one do we choose? Well, we know the user kwheel refers to Karen Wheeler, who is Billy Joel's mother. Judging by her post, I assume she is not very IT literate and probably has a weak password.
Let's try brute-forcing the login page using her username. If you are not sure how to brute force POST-form logins, I recommend you check out this write-up.
Great, now we have the password. If you remember our Nmap scan, the WordPress version is 5.0, which is vulnerable to CVE-2019-8943. If you don't know it, you can search for "WordPress 5.0 exploit" and there will be entries for it. Let's use Metasploit for this.
So we can use kwheel as the USERNAME and [REDACTED] as the PASSWORD. Next, set RHOSTS and we can run our exploit.
Get a shell from meterpreter by running the shell command. Now we can navigate to bjoel's home directory.
Apparently it’s a fake flag. Let’s run this command to find some SUID binaries.
find / -perm -u=s -type f 2>/dev/null
One SUID binary caught my attention:
/usr/sbin/checker
Checking GTFOBins, checker doesn't look like a standard binary, so it must be a custom one. Let's use ltrace to check it out:
getenv("admin") = nil
puts("Not an Admin") = 13
Not an Admin
+++ exited (status 0) +++
Hm, looks like it fetches the "admin" environment variable and prints whether the caller is an admin or not. Let's try setting "admin" to something:
$ export admin=1
And suddenly we are root. Let’s grab the root flag at /root
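The root cause is a setuid binary taking an authorization decision from an environment variable the unprivileged caller controls. The following added example (not the room's checker source, which is not on the page; the vulnerable logic is reconstructed from the ltrace output above) puts that decision beside the hardened form, which tests the real uid the kernel recorded and scrubs the inherited environment before doing anything privileged:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable decision, reconstructed from the ltrace trace: authorization
 * hinges on whether a variable named "admin" exists in the environment.
 * The caller owns the environment of a setuid binary (the dynamic loader
 * scrubs LD_* and a few others, never a custom name), so this effectively
 * asks the user to vouch for themselves. */
int admin_from_env(const char *admin_value)
{
    return admin_value != NULL;          /* "export admin=1" is enough */
}

/* Hardened decision: the only caller identity a setuid program can trust is
 * the real uid. geteuid() is useless here because the setuid bit makes it 0
 * for every caller; getuid() is the value to test. */
int admin_from_real_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/* Before a privileged program spawns anything, discard the inherited
 * environment so variables like "admin" (or a tampered PATH) cannot follow
 * it. clearenv() is glibc-specific. Returns 0 on success. */
int sanitize_environment(void)
{
    if (clearenv() != 0)
        return -1;
    return setenv("PATH", "/usr/bin:/bin", 1);
}

int main(void)
{
    const char *env = getenv("admin");   /* whatever the caller exported */
    uid_t ruid = getuid();
    printf("checker as written : %s\n",
           admin_from_env(env) ? "root shell" : "Not an Admin");
    printf("checker hardened   : %s\n",
           admin_from_real_uid(ruid) ? "root shell" : "Not an Admin");
    return 0;
}
```

Run it as a normal user with and without admin exported: the first line flips, the second never does.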
And let’s find the real user.txt flag
$ find / 2>/dev/null | grep user.txt
After a while, we find that user.txt is located in /media/usb.
For the last few questions the answers are already there.