# THM - Minion

## 0. Setup

[Link to room](https://tryhackme.com/room/minion)

Add minion.thm to /etc/hosts:

```bash
sudo nano /etc/hosts
```

Put `<TARGETIP> minion.thm` as a new line in the file

![](/files/oDlCa3bZA7vsN7RDmmbb)

Optional setup:

I like to save the target IP as a variable called TGT which can be used in commands and saves having to type it out each time. It also makes copying commands from my notes a lot easier.

![](/files/p7W35nIjWkz4wPm03AST)

## 1. Recon and Enumeration

### 1.1 nmap

Use the nmap tool to start building up a picture of what is running on the machine. Note: $TGT is the target machine IP as described in the setup section.

```bash
sudo nmap -A -T4 -p- $TGT
```

Options explained: -A runs version detection as well as the default set of scripts, -T4 is the timing template to use (0: slowest, 5: quickest), -p- scans all ports.

**Nmap results:**

<figure><img src="/files/x8w1umQXh9JasGqfQZXL" alt=""><figcaption><p>nmap results</p></figcaption></figure>

Points of interest from nmap results:

* Web service running on port 80: Apache 2.4.41
* There is a robots.txt file
* WordPress V 6.0.2
* /wp-admin/ (WordPress admin area)

### 1.2 View website

We can navigate to the website in browser either using the target IP `http://<TGTIP>` or by using the hostname we saved in /etc/hosts `http://minion.thm`

Loading up the website we are shown our first flag

<figure><img src="/files/0HOBYFzwwMKSaRih5y6r" alt=""><figcaption></figcaption></figure>

From here I generally browse the website as a user would (alongside viewing page sources and keeping our nmap scan results in mind) to get an idea of the website's functionality and purpose before using enumeration tools.

Following the link to the Flag 1 post there is a mention of the **author "minion"**

<figure><img src="/files/mAajfW7w4mGRJCV9zXUm" alt=""><figcaption></figcaption></figure>

There is also a comment section at the bottom of the page. I made a note of this in case it could be used in the exploitation phase for possible XSS. (<http://minion.thm/2022/09/18/flag1/>)

I did not find any more pages of notable importance browsing through the site so I chose to move on at this point.

Our nmap results showed from the **robots.txt** file that /wp-login/ is to be ignored by web crawlers. This is sometimes a clue to where sensitive information can be found on websites, so it is worth taking note of, especially as WordPress sites commonly use this path as an admin area.

robots.txt can be viewed in the browser or using commands such as curl and is often worth checking out.

![](/files/FHgDKfKQPB4jvBlLVakd)

From viewing robots.txt we can see the site appears to be running PHP, and it also gives us a link to a sitemap. Browsing to the sitemap and following the users link we can see another mention of the user "minion" if we had missed it before.

![](/files/DGYjT8dfrqpu4AL1jJ3h)

We can view the disallowed page by navigating to it directly in the browser where we find we get redirected to a **login page**.

<figure><img src="/files/bY4ALNfbclApVsOsWlbW" alt=""><figcaption><p>login page</p></figcaption></figure>

## 2. Exploitation

My first approach was to try and use XSS in the comments section; however, comments require admin approval before they will be displayed properly.

### 2.1 Login page

To see how the page responds to input we can try credentials we do not think will work, e.g. test:test

![](/files/x1BEsI8ZYARmjYAbDbBS)

The error shows no username "test" is registered. This is a **useful error message** compared to the typical "user and/or password incorrect" seen on most sites, as we can identify whether a username is valid without knowing the password.

We can try common usernames (root, admin) and also 'minion' (the author of the flag post).

Entering **minion** gives a different error message that the password is incorrect but confirms the username exists.

![](/files/C2J8HyHI40qaEGZDw16p)

Brute forcing the login can be achieved with a number of tools. I used Burp Suite at first, but with the delayed response time from the site I changed over to WPScan.

#### WPScan

Using the valid username "minion" we found, we can try to brute force the login. At first I set max-threads to 40 but it was timing out; I eventually got the command to work at 5, which is the default if the option is not used.

Command:

```bash
wpscan --url http://minion.thm/wp-login.php --usernames minion --passwords /usr/share/wordlists/rockyou.txt --max-threads 5
```

![](/files/fWoNe0U4lQrdMi5NFNbJ)

The password was successfully found, so we now have **valid login credentials**: minion : yellow
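From the defender's side, the WPScan run above leaves a very recognisable trace in the web server's access log: a burst of POST requests to wp-login.php from one source. The following detector is an added example (not part of the original writeup) that counts such POSTs per source IP in a sliding time window over constructed Apache combined-format log lines; the threshold, window and sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(  # Apache "combined" format; referer and user-agent are captured but unused
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_login_bruteforce(lines, threshold=20, window=timedelta(minutes=1)):
    """Flag source IPs that POST to wp-login.php at least `threshold` times inside any
    `window`. A 302 on that POST is WordPress's normal redirect after a successful
    login (a failed attempt re-renders the form with 200), so 302s count as probable successes."""
    attempts, successes = defaultdict(list), defaultdict(int)
    for line in lines:
        d = parse(line)
        if not d or d["method"] != "POST" or not d["path"].startswith("/wp-login.php"):
            continue
        attempts[d["ip"]].append(d["ts"])
        if d["status"] == "302":
            successes[d["ip"]] += 1
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(times), "successes": successes[ip]}
                break
    return flagged

# Constructed sample log: 25 guesses from one host in 25 seconds, the last one
# succeeding (302), plus a single legitimate login from another host.
def _line(ip, second, status, ua="constructed-scanner-ua"):
    return (f'{ip} - - [18/Sep/2022:10:00:{second:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 3210 "http://minion.thm/wp-login.php" "{ua}"')

SAMPLE_LOG = [_line("10.10.14.5", s, 200) for s in range(24)] + [_line("10.10.14.5", 24, 302)]
SAMPLE_LOG.append(_line("192.168.1.20", 40, 302, ua="Mozilla/5.0 (constructed)"))
```

A flagged IP whose `successes` count is non-zero is the case that needs an immediate password reset and session invalidation for the targeted account, not just a block.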

## 3. Post Compromise Enumeration

### 3.1 WordPress User Compromise

Once we log on we can see comments awaiting approval, if any were made.

![](/files/ywFmovMxtaZjy2lMxfp9)

Approving the comments and going back to the post page shows the XSS to be working, but I did not explore this route any further.

![](/files/nViSnIAgSVgUrDvWBLRn)

### 3.2 PHP Reverse Shell

As we know the site runs PHP (WordPress sites almost always run PHP and robots.txt lists a .php file), my focus turned to finding somewhere that a PHP shell could be uploaded to.

Originally I tried the upload media section, but .php extensions are not allowed and file signatures are checked, as renaming the extension was still found to be invalid.

From previous experience I have known there to be .php files in the theme files, so I looked in here. The theme in use contained .html files; however, other themes were available and browsing to the **TWENTY TWENTY-ONE theme** found the desired .php extension files.

![](/files/RcXvW6fG66SF2KXkmL5g)

![](/files/tM81Zi4R3muONkp66PfN)

I decided to use the 404.php file as it can reliably be called upon by browsing to a page that doesn't exist.

I inserted the well known **PHP shell** from pentestmonkey, which can be found at <https://github.com/pentestmonkey/php-reverse-shell>, making sure to change the IP and port number to match my workstation and the netcat listener I set up.

```bash
nc -nvlp 4444
```

![](/files/Tap4p20Lr96wmJibMY6O)

![](/files/EAdauDYjjsN8YSdVnPjb)

Once the PHP is pasted in and the port and IP values are set appropriately, click the update file button underneath to save the changes.

![](/files/LVTiSsuL9FaORF084EHR)

Now that the PHP shell code exists in the TWENTY TWENTY-ONE theme, the theme needs to be activated, which can be done through the dashboard.

![](/files/LiUdCSV1AVYR0mrbbYKc)

![](/files/P4Rp04kwmDJVQA7j2nzm)

Browsing to a URL that doesn't exist (e.g. <http://minion.thm/NotAPagelllasdbbb>) will return the desired 404 response code, leading to the theme's 404.php being loaded.

If the payload is executed properly this will cause the page to "hang", as we now have a **web shell established** as www-data.

![](/files/wPsnWNhezmqGlpaq9OUx)
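The theme-editor route above only works because the web server can write to its own theme files and nothing checks them afterwards. As an added example (not code from the writeup or from WordPress), the snippet below builds a SHA-256 manifest of a theme tree and reports which files changed; the directory, file names and contents are constructed in a temporary folder so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file under `root` (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Return files modified, added or removed relative to the baseline manifest."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def demo():
    """Replay the writeup's theme edit in a throwaway directory tree (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content/themes/twentytwentyone"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n")   # stand-in theme files
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        baseline = hash_tree(tmp)          # taken from a known-good state, e.g. right after install
        # Any edit through the theme editor changes the digest, whatever the new content is.
        (theme / "404.php").write_text("<?php /* constructed replacement body */ ?>\n")
        (theme / "dropped.php").write_text("<?php /* constructed new file */ ?>\n")
        return diff_manifest(baseline, hash_tree(tmp))
```

Run from cron against the live theme directory, a non-empty `modified` or `added` list is the signal to inspect; setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the in-dashboard editor so this edit path is not available to a compromised admin account in the first place.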

### 3.3 Enumeration with established shell

It is not necessary, but it makes life a lot easier if you stabilise your shell. I used a common Python technique demonstrated here: [Python Shell Stabilisation](https://tldr-writeups.gitbook.io/tutorials), which I recommend using.

With the web shell stabilised I started to gather information:

`cat /etc/passwd`

<figure><img src="/files/ukH48TYRmATwfrNbIvxV" alt=""><figcaption><p>etc/passwd</p></figcaption></figure>

`ls /home`

![](/files/3Tuui2dZSTTvLwsayKaM)

This shows two users of interest: **Gru** and **Minion**.

Looking back at the THM room we are in search of flags so I ran a find command to check for accessible flags:

```bash
find / -type f -name "flag*" 2>/dev/null
```

which didn't return any useful results, so I used -iname to make the search **case insensitive**, picking up the next challenge flag:

```bash
find / -type f -iname "flag*" 2>/dev/null
```

The available flag is in /srv/www/wordpress alongside other files from the minion.thm site.

Looking into the files gives database information in wp-config.php. One line that stands out is `define( 'DB_PASSWORD', 'SuperDuperStrongPasswordThatIsLong' );`

It is worth noting that a tool such as [linpeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) could be used to find this information as well.

<figure><img src="/files/VmLMaiq3RJzFqn790h4N" alt=""><figcaption><p>wp-config.php</p></figcaption></figure>

## 4. Priv esc

After not finding any SUID files or cron jobs in /etc/crontab to use for privilege escalation, I decided to try and move across to the minion user, hoping that the password we found on the WordPress site had been reused. Command:

```bash
su minion
Password: yellow
```

![](/files/PWxuKrAOMjD3izxbjSBb)

**SUCCESS**: as well as access to **flag 3**, there is also a file called "notes".

![](/files/Bw2Elk34rDszYW9E47V1)

I checked if minion had any sudo rights, but no luck here.

![](/files/DpzVZaknyv4m6q1CgfEq)

So, using the info from "notes", it follows to move across to the other user, Gru. Trying the database password from wp-config.php:

```bash
su gru
Password: SuperDuperStrongPasswordThatIsLong
```

![](/files/i0WaqLml89HxfrCP93Od)

gives the next challenge **flag 4** in Gru's home folder. Checking for sudo rights this time returns the ability to run **gawk** as sudo.

![](/files/QXu1mEUrqBiKijIzEj9I)

Checking GTFOBins (<https://gtfobins.github.io/gtfobins/gawk/#sudo>) shows us a command that can be used to elevate to privileged access:

```bash
sudo gawk 'BEGIN {system("/bin/sh")}'
```

![](/files/8MlxahAvbd7q3y3y4S3Z)

Now that we have a root shell we can find the room's final flag in the /root folder.

Thanks for reading my writeup of the Minion room.

## TLDR

* Scan machine and discover website
* Flag 1 found on webpage
* Brute force login for user "minion"
* Edit 404.php theme page (2021) to create reverse shell
* Flag 2 found in /srv/www/wordpress
* Switch user to minion using password reuse to find flag 3
* Switch to Gru using DB password to find flag 4
* Elevate to root shell using sudo gawk from GTFOBins
* Final flag in /root

