CTF Walkthrough | TryHackMe | Freshly
Can you root this WordPress-style, SQL-injection-vulnerable machine? This CTF is about SQL injection and WordPress hacking. Developers, watch out for the website!! TryHackMe has this amazing box here: https://tryhackme.com/room/freshly. You can always log in to TryHackMe and go to Rooms → freshly.
Information Gathering:
Nmap helps me gather information on the open ports. Ports 80, 8080 and 443 are open on this machine. Let’s enumerate each port to find out more about it.
Port 80: After the nmap results, I went for port 80 in the hope of a flag or a clue. Not fruitful at all.
Port 8080: I ran a gobuster scan against port 8080 using the big.txt wordlist and found /wordpress. Clicking the hyperlink confirmed that /wordpress hosts a WordPress site, probably a vulnerable one.
Once you get the hang of WordPress pentesting, you will know that the default configuration puts the login page at wp-login.php.
I used that information to get to the login page; the next step is to find the credentials.
I started a gobuster scan on the <IP Address> using the wordlist big.txt and found /phpmyadmin. I ran Burp Suite and captured the request, but it wasn’t useful at all. The website wasn’t vulnerable to anything.
This is where pentesting gets rough on you; it digs deep at your patience. I couldn’t find anything more with gobuster, so it was time to switch to nikto, a tool that is not often the first choice because of the time it takes, but it enumerates and gives details that no other tool provides. In this case nikto took almost 2 hours, but I finally found my /login.php.
Brute Forcing:
I just started playing around with the website and found that the username and password fields are vulnerable to SQL injection.
I captured the request with Burp Suite and inspected the POST request, which gave me the names of the fields the form submits.
Now is the time to introduce a great Kali Linux tool, sqlmap. sqlmap is not allowed in the OSCP exam, but for now I’m willing to use it for pwning. One strong reason to choose it was that I did not know what type of SQL injection the vulnerable page was susceptible to.
sqlmap -u "http://<IP address>/<vulnerable webpage>" --data="user=test&password=test&s=submit" --risk 3 --level 3 --dbs
This machine is vulnerable to time-based blind SQL injection. sqlmap identified a working payload and also listed the available databases.
In the previous scan, I found the following databases:
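From a defender’s side, the time-based blind injection that sqlmap found leaves a distinctive trace: a burst of POST requests to one login endpoint from a single source whose response times cluster around the injected delay, often with the scanner’s own User-Agent. The following Python script is an added example (not part of the original walkthrough) that scans access-log lines for that pattern. It assumes an nginx-style combined log format with the request duration ($request_time) appended as the last field, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nginx "combined" format with $request_time appended (assumption: the server
# is configured to log request duration as the final field).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)'
)

# Constructed sample: one source hammering /login.php with responses that
# repeatedly take ~5 s, mixed with ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.021
10.0.0.9 - - [12/Mar/2021:10:05:10 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)" 0.019
10.0.0.9 - - [12/Mar/2021:10:05:11 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)" 5.013
10.0.0.9 - - [12/Mar/2021:10:05:17 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)" 5.009
10.0.0.9 - - [12/Mar/2021:10:05:23 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)" 0.020
10.0.0.9 - - [12/Mar/2021:10:05:24 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)" 5.011
10.0.0.7 - - [12/Mar/2021:10:07:00 +0000] "GET /wordpress/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0" 0.030
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["rt"] = float(rec["rt"])
    return rec


def find_blind_sqli(log_text, slow_threshold=3.0, min_slow=2, window_seconds=60):
    """Flag (ip, path) pairs whose POSTs show repeated slow responses inside a
    short window, or whose User-Agent names a known injection scanner."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            by_source[(rec["ip"], rec["path"])].append(rec)

    alerts = []
    for (ip, path), recs in by_source.items():
        slow = sorted(r["ts"] for r in recs if r["rt"] >= slow_threshold)
        # Largest number of slow responses that fall inside any window_seconds span.
        best = 0
        for i, start in enumerate(slow):
            j = i
            while j < len(slow) and (slow[j] - start).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        scanner_ua = any("sqlmap" in r["ua"].lower() for r in recs)
        if best >= min_slow or scanner_ua:
            alerts.append({"ip": ip, "path": path, "requests": len(recs),
                           "slow_in_window": best, "scanner_ua": scanner_ua})
    return alerts


if __name__ == "__main__":
    for alert in find_blind_sqli(SAMPLE_LOG):
        print(alert)
```

The duration check is the one that matters: a scanner can change its User-Agent, but a time-based blind probe cannot avoid making the server wait, so repeated multi-second responses to a login form from one client are worth an alert on their own.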
information_schema
login
mysql
performance_schema
phpmyadmin
users
wordpress8080
wordpress8080, does that remind you of something, guys??
Oh yes, now is the time to dump all the information from the wordpress8080 database and hopefully get some credentials to log in to the WordPress site.
Username: admin
Password: SuperSecretPassword
Brute forcing done right!!
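The injection and the plaintext password in the dump point at the two fixes a developer would make to a login handler like the one on this box: pass user input to the database as query parameters instead of splicing it into the SQL string, and store a salted password hash rather than the password itself. The Python snippet below is an added example, not the box’s PHP code, built on an in-memory SQLite database: login_vulnerable assembles the query by string formatting and accepts a trivial tautology, while login_hardened does not. The table names, user and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; the stored form of a password should never be the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory SQLite stand-in for the box's login database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # users_plain mirrors what the dump showed: the password stored in clear.
    conn.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    # users_hashed is the hardened layout: per-user salt plus PBKDF2 hash.
    conn.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("admin", "SuperSecretPassword")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (name, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The bug class sqlmap found on this box: input spliced into the SQL text."""
    query = ("SELECT name FROM users_plain WHERE name = '%s' AND password = '%s'"
             % (user, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, user, password):
    """Parameterised lookup plus constant-time comparison of a salted hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE name = ?",
                       (user,)).fetchone()
    if row is None:
        return False
    salt, expected = row
    return hmac.compare_digest(hash_password(password, salt), expected)


# Constructed tautology input: in the vulnerable handler it turns the WHERE
# clause into "... AND password = '' OR '1'='1'", which is always true.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds:", login_vulnerable(db, "admin", "SuperSecretPassword"))
    print("vulnerable, tautology :", login_vulnerable(db, "admin", TAUTOLOGY))
    print("hardened, tautology   :", login_hardened(db, "admin", TAUTOLOGY))
    print("hardened, real creds  :", login_hardened(db, "admin", "SuperSecretPassword"))
```

With parameters the database driver never interprets the input as SQL, so there is nothing for a time-based or any other injection to latch onto; and because users_hashed holds only a salt and a PBKDF2 digest, a dump of that table would not have handed over SuperSecretPassword the way the dump of wordpress8080 did here.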
Privilege Escalation:
When I say wordpress hacking, you say php reverse shell!!
Of course, that’s a thing 😂
Alright, heading to the Appearance section, I went to the Editor and decided to edit the theme files. I would use this editor to drop in a PHP reverse shell. You can find the reverse shell here: https://github.com/pentestmonkey/php-reverse-shell
The file was successfully updated, meaning we can pwn a root shell. Let’s start the netcat listener on port 4444.
Again, once you get the hang of WordPress pentesting, you will know where the theme files live on disk. I knew the path was wp-content/themes/twentythirteen/archive.php
The wait is over, I got my shell. The user was daemon, but I do have the admin credentials from the SQL injection part. Before using them we need to upgrade the shell to a proper bash shell with python.
I used the username and password found in the SQL injection step and elevated my privileges. I am root!!
After searching for quite some time, I did not find the flag. So I went back to my question screen and saw what was precisely asked in the question. They were asking for a secret, not a flag.😭
I knew the passwd file has the secret saved for all the users of the machine. I cat’ed the contents of the file, and here we go!!
Smash the like button and follow my blog for intriguing information security topics. See you in the next one, peace✌🏽