Daily Bugle : TryHackMe Writeup
Daily Bugle is a quite challenging and fun room where we are going to learn how to compromise a Joomla CMS account via SQLi, practice cracking hashes and escalate our privileges by exploiting misconfigured sudo rights.
Setup
Enumeration
Port Scanning
We have 3 open ports : 80, 22 and 3306.
Let’s enumerate each of these services.
Service Enumeration
HTTP
First and foremost, let’s take a quick look at the website using our web browser :
1°) Access the web server, who robbed the bank ?
Once done, let’s browse the /robots.txt file before performing a directory/file enumeration with Gobuster.
Robots.txt
Several websites included the /administrator have the disallow command. This tells to web spiders or web crawlers (e.g : Googlebot, Bingbot) not to access the webpage or set of webpages that come after the command.
With that said, let’s take a quick look at the /administrator webpage.
This is the administrator’s login page. One attack vector that we can use is a dictionary attack. Nevertheless, this could be too noisy.
Therefore, prior performing this attack, let’s first try to look for the default credentials and check if the administrator changed them.
For that, we can simply make a google request :
Unfortunately, Joomla does not use a default password. Indeed, this is set by the administrator during the installation phase.
However, we didn’t say our last word.
Now, let’s check if the version being used by Joomla is vulnerable.
One way to find the version will consist of using joomscan which is Joomla vulnerability scanner. It is installed by default on your Kali machine :
joomscan -u http://dailybugle.thm
Another way to find the version would have consisted to browse the /administrator/manifests/files/joomla.xml webpage :
What is the Joomla version?
Now that we know the version being used by the CMS, we can search for possible exploits related to that version using searchsploit as follows :
searchsploit -s joomla <version>
-s performs a strict search, so input values must exist.
To find more information regarding an exploit, you can use the -p flag followed by the EDB-ID (ExploitDB ID).
Let’s download the exploit using the following command :
searchsploit -m <EDB-ID>
Once done, let’s take a look at how the exploit works.
The downloaded exploit shows us how to exploit the SQL injection vulnerability using an automated tool called SQLMap.
However, we are required to use a python script instead of SQLMap.
To do that, we can use the following google advanced search :
Joomla <version> exploit site:github.com intext:.py
After that, we should normally find the right exploit.
Exploitation
After finding the right repository, let’s clone it, then take a look at its content prior its execution :
According to the help menu of the exploit, we only need to specify the base URL of the Joomla website.
Also, we need to set the execution permission for the exploit, then you can execute the exploit as follows :
As you can see, we successfully exploited the SQL injection vulnerability. This can be confirmed by the extraction of the users from the table: fb9j5_users. Furthermore, we found Jonah user’s hash ($2y$…)
*Instead of using SQLMap, why not use a python script!*
What is Jonah’s cracked password?
First of all, let’s try to find the type of hash using a tool called hashid :
The little issue with hashid is that it returns sometimes a list of possible type of hashes. Therefore, we need to find another way to guest the type of hash being used. In my case, I used Google :
Therefore, we can finally confirm that our hash is a bcrypt hash.
Great! Now, we need to crack the hash and for that we can use a tool such as John the Ripper :
Now that we cracked the hash, we can try to connect to Jonah’s account using ssh :
For an unknown reason, the SSH login attempt failed though I specified the right password. This can either be explained by the fact that Jonah’s Joomla password is different from his system account password or because he has no system account.
However, let’s try to login to the administrator page using the credentials we found :
The login attempt succeeded \0/
Nevertheless, we still don’t have a shell to the target system.
One way to do that will consist of uploading a web shell on the target system, then access to it in order to obtain a shell.
Before that, we need to firstly find the programming language used by the server in backend. According to Wappalyzer (see image above), the target is running PHP. Therefore, we are going to generate a php web shell.
In our case, we will use weevely which is a well-known post-exploitation tool that can be used to generate php web shells.
The web shell will be upload in “Extensions > Templates > Templates” :
Here is how to generate a web shell using weevely :
Once the web shell is generated, we must replace the content of a php file on the web server by the web shell content. In my case, I decided to edit the error.php file :
Note 📝 : You can either edit the error.php script available in “protostar” or “beez3” template. The choice is yours.
Once done, you need to “Save” the file by clicking the green button at the top of the page.
Then, you must access the edited script by browsing http://dailybugle.thm/templates/protostar/error.php using weevely :
Note 📝 : If you used the “beez3” template, you need to browse http://dailybugle.thm/templates/beez3/error.php instead.
Woohoo, it works !
Let’s now try to find the user flag.
For that, we can change our directory to /home , then we can list all the users :
Here we found a user called jjameson on the system. However, we can’t access his personal directory see that we don’t have the necessary permissions.
An important directory to always check after compromising a web server is the web root directory. In GNU/Linux, this is generally located at /var/html/www . This is directory where the websites’ files are stored.
One file that caught my eye was the configuration.php file. As its name suggests, it allows a user to configure settings like the site settings, debug settings, database settings, email settings and so on.
After taking a look at it, I came across an interesting piece of information regarding the database password :
Normally, this password should only work for the MySQL database. Nevertheless, the administrators sometimes reuse their old passwords for other accounts. As a matter of fact, we can try check if the password has been reused for root as well jjameson users.
Here I faced an issue with the TTY. Indeed, weevely does not have a TTY feature. Therefore, commands like su or sudo does not work. To solve that, it’s recommended to use a backdoor module like :backdoor_reversetcp or :backdoor_tcp and then run python -c "import pty; pty.spawn('/bin/bash')" to spawn the pty.
First of all, let’s setup our netcat listener :
Then connect to the listening port using the :backdoor_reversetcp module :
Finally, we get the reverse shell :
After getting the reverse shell, we need to stabilize it. For that, we can use the pty python module :
Let’s now try to login to the root account using the password we earlier found :
Unfortunately, we got an authentication failure which means that the password specified is not the right one for the root user.
Let’s attempt to connect to jjameson account with the password found :
Fantastic! We’ve been able to successfully login to his account using the password we found.
Let’s move to his personal home directory and see what we can find :
Here, we found the user.txt flag.
What is the user flag?
We need now to retrieve the root flag. However, to find that we need to find a way to escalate our privileges. To do that, we can use automated scripts such as LinPEAS or try some manual privilege escalation techniques.
Privilege Escalation
It is always better to perform some manual privilege escalation techniques prior running a tool like LinPEAS at first time.
Some GNU/Linux privilege escalation techniques are :
- Checking the binaries that have the suid and sgid set.
- Checking the configured cron jobs
- Checking the allowed and forbidden commands for a given user
Let’s first take a look at the allowed and forbidden commands for our user jjameson. For that, we need to run the sudo -l command :
As you can see, jjameson can run the /usr/bin/yum command with root privileges without the need of specifying a password.
Let’s check if we can take advantage of that to get a shell with root privileges. To do that, we are going to use this website :
As you can see, we first need to install fpm on our attacker machine. To do that, we must proceed as follows :
1- git clone https://github.com/jordansissel/fpm
2- cd fpm
3- gem install fpm
4- apt-get update
5- apt-get install rpm -yOnce done, let’s create our script :
FYI, the script above is a bash reverse shell.
After that, let’s create our malicious RPM package using fpm :
Once done, let’s upload that to the target system :
Then, we can use wget to download the RPM package as follows :
After all of that, we need to launch our netcat listener, then install the package using the yum command prefixed by sudo :
After the installation, we must normally get a reverse shell with root privileges :
Now, we can retrieve the root flag in its personal directory :
Wrapping Up
To sum up, I found this room really interesting as I went through various techniques and tools like joomscan and joomblah to compromise the target machine, then escalate my privileges.
With that said, I hope you enjoyed the writeup.
If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.
References
https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website
https://www.joomlashack.com/blog/joomla/guided-tour-your-joomla-configurationphp-file/
https://github.com/epinna/weevely3/issues/116
https://gtfobins.github.io/gtfobins
https://github.com/OWASP/joomscan
https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2
Contact
LinkedIn : https://www.linkedin.com/in/konateolivier/
GitHub : https://github.com/0liverFlow
