Daily Bugle - TryHackMe Room
The link for this lab is located here: https://tryhackme.com/room/dailybugle
In this room, we will compromise a Joomla CMS account via SQL Injection, practice cracking hashes and escalate your privileges by taking advantage of yum with sudo privileges.
First, we perform an all ports scan to determine what ports are open. To do this, we use the following syntax:
nmap -Pn -p- 10.10.251.179 -oN portscan
This reveals a few ports are open - SSH, HTTP amd MySQL. Knowing these ports are open, we can perform a more detailed scan on these three ports only - saving a lot of time!
This gives much more information including an SSH version, an Apache version, the entries in a robot.txt file indicating that maybe Joomla is being used and that MariaDB is used for the database.
Our first step should be to check out the website running. Navigating there reveals what looks like a blog of some kind. There is also a login form on the right side that we could possible attack.
A good habit to get into is to check the source code - it can reveal hidden directories or even credentials. Unfortunately, for this one, there is nothing interesting.
Next, we can use a directory busting tool like Gobuster with a wordlist to find any directories. After a short while, this reveals a ton of directories but the most interesting one is the /administrator page.
Another thing we can do is use a possible tool to test a Joomla site. Unfortunately, I had no experience in attacking Joomla sites. However, a quick Google search revealed a possible tool we could use - JoomScan.
You can find it here.
Reading the GitHub page, I ran it with the default simple options at first. It returned some valuable information including the Joomla version running. It also found the same administrator page as before.
Researching this specific version revealed a potential SQL injection exploit on GitHub (found here) called Joomblah.
To run it, we simply type python3 joomblah.py http://10.10.251.179/
However, this will produce an error. To fix this, we can simply try running it with Python2 instead. This fixes the problem.
As you can see, the SQLi found a table and extracted the users from that tables. It also found a “Super User” called jonah with his email and what looks like a password hash.
Looking at the hashcat documentation for every type of hash and comparing the first couple of characters of the hash we found identifies it as using bcrypt.
We can try cracking it by first extracting it to a file called “hash” and using John the Ripper and the rockyou.txt wordlist.
After a couple of minutes, John the Ripper successfully cracks the password hash revealing the password.
If you remember on the main page, there was a login panel on the right side. With the possible username and now cracked password hash, we can try logging in.
It works! We are now logged in as the “Super User”. Again, due to my lack of knowledge on Joomla, I did a bit of Googling and found an article explaining how to get a reverse shell through Joomla.
First, navigate to the Extensions —> Templates section.
Inside the Templates, we should see the Beez3 template. Click this template.
Once in, there should be an option for New File. Let’s click this.
This should reveal a possible upload page where we can create a new file. I named my file “revshell” with the extension of .php and hit “Create”.
Next, i copied the PentestMonkey reverse shell code into the new box and changed the IP and port number.
Before executing, we have to start a netcat listener on our machine on the same port we specified in the code.
Then, to execute the PHP shell, navigate to the /templates/beez3/revshell.php URL and it should execute.
Looking back at our netcat session, we should have a shell.
With this shell, we can try navigating to the /home directory which we can. However, trying to enter the jjameson folder, we get a permission denied error.
This means we are not running as a normal use. There are a number of ways to escalate privileges. For this room, I decided to use the LinPEAS script to automate the process. To get it on the target, i first hosted the script using a Python server on port 80.
Then, on the target, first navigate to a world-writable directory (/tmp is usually safe). Then, use the “wget” command followed by your IP address and the script name to download it. Once downloaded, make sure to add executable permissions to the script.
Simply run it via “./linpeas.sh” command and leave it for a couple of minutes to run all its tests.
Looking through the results, in a file located at /var/www/html/configuration.php, there seems to be a password that could possibly be used somewhere.
Looking at this file in more detail, it looks like there is a root user with a password in plaintext. This could be valid credentials.
The file also includes a $db variable which could indicate these credentials are used for the database running on the target. To test this, we can try connecting to the MySQL service using the username and the password we just found.
Unfortunately, this does not work. We can also try connecting via SSH as the root user - high hopes but it may work!
Again, this fails. However, if you remember we found a home directory caled “jjameson". We can try using SSH as this user instead.
And it works. We are able to connect using SSH. With this new shell, we can navigate to the home directory and grab the user.txt flag.
The first thing we can do now is check the sudo permissions for this user since we know the password. The permissions state that we can run /usr/bin/yum as root with NO password.
Using GTFOBins and looking at the sudo exploitation for yum, we can spawn an interactive root shell by loading a custom plugin.
We can simply copy this code into our target machine and run the final command - sudo yum -c $TF/x —enableplugin=y
This pops us into a shell running as root. With this, we can simply spawn a full BASH shell as root on the target.
Finally, we can simply cat out the final root.txt flag to own this machine.
Alternative Way - SQLMap
Another way is by using SQLMap. Researching the same version of Joomla, you would come across another exploit for SQL Injection. Reading the exploit, it does appear that this version of Joomla is affected by a blind SQL injection in the “list(fullordering)” parameter.
Looking at it, it tells us the exact SQLMap command to use.
Knowing this, we can imply run this command using the target machine IP.
After a while, it will return the available databases. In this case, there are 5.
Once identified, we can now select the database to use (Joomla) and try to dump the tables.
After a while, we get a long list of tables inside the Joomla database. The most interesting of which is the “#__users“ table.
Knowing this, we can now specify the table to use as well as the database and try to dump the columns.
Again, after a while, we see the columns inside the database - id, name, username, email and password.
Now, we simply specify to grab the username from the database and dump all usernames.
Finally, we can also grab the password field and dump all possible password hashes - in this case, there is only one for the jonah user.
We get the same password we did with the Joomblah script but in a different way. It is always good to learn multiple methods and tools.
And that’s it! I hope this writeup helped you learn something new and you had fun.