Daily Bugle - TryHackMe Room

TryHackMeAdvanced Exploitation
Written By FightTheWest
 
spiderman.jpg
 

The link for this lab is located here: https://tryhackme.com/room/dailybugle

In this room, we will compromise a Joomla CMS account via SQL Injection, practice cracking hashes and escalate your privileges by taking advantage of yum with sudo privileges.

First, we perform an all ports scan to determine what ports are open. To do this, we use the following syntax:

nmap -Pn -p- 10.10.251.179 -oN portscan

This reveals a few ports are open - SSH, HTTP amd MySQL. Knowing these ports are open, we can perform a more detailed scan on these three ports only - saving a lot of time!

servicescan.png

This gives much more information including an SSH version, an Apache version, the entries in a robot.txt file indicating that maybe Joomla is being used and that MariaDB is used for the database.

Our first step should be to check out the website running. Navigating there reveals what looks like a blog of some kind. There is also a login form on the right side that we could possible attack.

site.png

A good habit to get into is to check the source code - it can reveal hidden directories or even credentials. Unfortunately, for this one, there is nothing interesting.

code.png

Next, we can use a directory busting tool like Gobuster with a wordlist to find any directories. After a short while, this reveals a ton of directories but the most interesting one is the /administrator page.

go.png

Another thing we can do is use a possible tool to test a Joomla site. Unfortunately, I had no experience in attacking Joomla sites. However, a quick Google search revealed a possible tool we could use - JoomScan.

You can find it here.

Reading the GitHub page, I ran it with the default simple options at first. It returned some valuable information including the Joomla version running. It also found the same administrator page as before.

scan.png

Researching this specific version revealed a potential SQL injection exploit on GitHub (found here) called Joomblah.

py.png

To run it, we simply type python3 joomblah.py http://10.10.251.179/

error.png

However, this will produce an error. To fix this, we can simply try running it with Python2 instead. This fixes the problem.

py2.png

As you can see, the SQLi found a table and extracted the users from that tables. It also found a “Super User” called jonah with his email and what looks like a password hash.

bcrypt.png

Looking at the hashcat documentation for every type of hash and comparing the first couple of characters of the hash we found identifies it as using bcrypt.

We can try cracking it by first extracting it to a file called “hash” and using John the Ripper and the rockyou.txt wordlist.

crack.png

After a couple of minutes, John the Ripper successfully cracks the password hash revealing the password.

spman.png

If you remember on the main page, there was a login panel on the right side. With the possible username and now cracked password hash, we can try logging in.

in.png

It works! We are now logged in as the “Super User”. Again, due to my lack of knowledge on Joomla, I did a bit of Googling and found an article explaining how to get a reverse shell through Joomla.

rev.png

First, navigate to the Extensions —> Templates section.

templates.png

Inside the Templates, we should see the Beez3 template. Click this template.

click.png

Once in, there should be an option for New File. Let’s click this.

new.png

This should reveal a possible upload page where we can create a new file. I named my file “revshell” with the extension of .php and hit “Create”.

revshell.png

Next, i copied the PentestMonkey reverse shell code into the new box and changed the IP and port number.

php.png

Before executing, we have to start a netcat listener on our machine on the same port we specified in the code.

nc.png

Then, to execute the PHP shell, navigate to the /templates/beez3/revshell.php URL and it should execute.

url.png

Looking back at our netcat session, we should have a shell.

shell.png

With this shell, we can try navigating to the /home directory which we can. However, trying to enter the jjameson folder, we get a permission denied error.

perm.png

This means we are not running as a normal use. There are a number of ways to escalate privileges. For this room, I decided to use the LinPEAS script to automate the process. To get it on the target, i first hosted the script using a Python server on port 80.

host.png

Then, on the target, first navigate to a world-writable directory (/tmp is usually safe). Then, use the “wget” command followed by your IP address and the script name to download it. Once downloaded, make sure to add executable permissions to the script.

chmod.png

Simply run it via “./linpeas.sh” command and leave it for a couple of minutes to run all its tests.

ran.png

Looking through the results, in a file located at /var/www/html/configuration.php, there seems to be a password that could possibly be used somewhere.

nv.png

Looking at this file in more detail, it looks like there is a root user with a password in plaintext. This could be valid credentials.

creds.png

The file also includes a $db variable which could indicate these credentials are used for the database running on the target. To test this, we can try connecting to the MySQL service using the username and the password we just found.

mysql.png

Unfortunately, this does not work. We can also try connecting via SSH as the root user - high hopes but it may work!

fail.png

Again, this fails. However, if you remember we found a home directory caled “jjameson". We can try using SSH as this user instead.

jj.png

And it works. We are able to connect using SSH. With this new shell, we can navigate to the home directory and grab the user.txt flag.

The first thing we can do now is check the sudo permissions for this user since we know the password. The permissions state that we can run /usr/bin/yum as root with NO password.

yum.png

Using GTFOBins and looking at the sudo exploitation for yum, we can spawn an interactive root shell by loading a custom plugin.

sudo.png

We can simply copy this code into our target machine and run the final command - sudo yum -c $TF/x —enableplugin=y

sh.png

This pops us into a shell running as root. With this, we can simply spawn a full BASH shell as root on the target.

bash.png

Finally, we can simply cat out the final root.txt flag to own this machine.

roottxt.png

Alternative Way - SQLMap

Another way is by using SQLMap. Researching the same version of Joomla, you would come across another exploit for SQL Injection. Reading the exploit, it does appear that this version of Joomla is affected by a blind SQL injection in the “list(fullordering)” parameter.

sqli.png

Looking at it, it tells us the exact SQLMap command to use.

sqlmap.png

Knowing this, we can imply run this command using the target machine IP.

running.png

After a while, it will return the available databases. In this case, there are 5.

results.png

Once identified, we can now select the database to use (Joomla) and try to dump the tables.

tables.png

After a while, we get a long list of tables inside the Joomla database. The most interesting of which is the “#__users“ table.

users.png

Knowing this, we can now specify the table to use as well as the database and try to dump the columns.

sql2.png

Again, after a while, we see the columns inside the database - id, name, username, email and password.

cols.png

Now, we simply specify to grab the username from the database and dump all usernames.

jonah.png

Finally, we can also grab the password field and dump all possible password hashes - in this case, there is only one for the jonah user.

We get the same password we did with the Joomblah script but in a different way. It is always good to learn multiple methods and tools.

And that’s it! I hope this writeup helped you learn something new and you had fun.

FightTheWest
Previous

Relevant - TryHackMe Room
Next

Skynet - TryHackMe Room Writeup