dailybugle
General
This is a writeup of the room https://tryhackme.com/room/dailybugle.
Writeup
First, an nmap scan; the output of the vuln scripts was useful, e.g. it provided the Joomla version and a relevant CVE.
nmap -sV -oN nmap.out --script=vuln <ip>
The output reports, among other things, an Apache httpd 2.4.6 ((CentOS) PHP/5.6.40) web server on port 80 and ssh on port 22. Accessing the website immediately reveals the answer to the first question, "Access the web server, who robbed the bank?".
Next up is the question "What is the Joomla version?", which can be answered by looking through the nmap output.
For the next question, "What is Jonah's cracked password?", the task hints at a python script; I ended up using this one: https://github.com/stefanlucas/Exploit-Joomla.
python joomblah.py http://<ip>
...
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc...', '', '']
- Extracting sessions from fb9j5_session
From the above output, jonah seemed to be an appropriate guess for a username, and the hash to crack is $2y$10$0veO/JSFh4389Lluc... (truncated). The hash was cracked with john, using rockyou.txt as the wordlist, which provides the answer to the question.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
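The prefix of the dumped hash already tells a defender the algorithm and work factor before any cracking happens: $2y$ is bcrypt and 10 is the cost. The script below is an added example (not part of the room, the exploit script or any Joomla tooling) that classifies rows from a Joomla users table by hash format and flags legacy MD5 hashes or bcrypt costs below an audit threshold. The sample rows are constructed, and the threshold of 10 is an assumption of this audit; the truncated hash quoted above would be reported as unrecognised. Note that the cost only slows a dictionary attack down, it cannot save a password that is in rockyou.txt.

```python
"""Classify Joomla password hashes by format and bcrypt work factor.
Added example for this writeup; sample rows are constructed, not real credentials."""
import re

# Modular crypt format used by bcrypt: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]{53})$")
# Joomla 1.x/2.5 legacy format: <32 hex md5>:<salt>
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}:.+$")
PLAIN_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

MIN_BCRYPT_COST = 10  # assumption: audit threshold, equal to the cost seen in the dump


def classify_hash(stored):
    """Return (algorithm, cost, finding); finding is None when there is nothing to report."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group("cost"))
        finding = None if cost >= MIN_BCRYPT_COST else f"bcrypt cost {cost} below {MIN_BCRYPT_COST}"
        return "bcrypt", cost, finding
    if LEGACY_MD5_RE.match(stored):
        return "md5-salted", None, "legacy salted MD5; rehash with bcrypt on next login"
    if PLAIN_MD5_RE.match(stored):
        return "md5", None, "unsalted MD5"
    return "unknown", None, "unrecognised or truncated hash format"


def audit_users(rows):
    """rows: iterable of (username, stored_hash). Returns (username, algorithm, finding)
    for every row that needs attention."""
    report = []
    for user, stored in rows:
        algo, _cost, finding = classify_hash(stored)
        if finding:
            report.append((user, algo, finding))
    return report


# Constructed sample rows with syntactically valid hashes (not real credentials).
SAMPLE_ROWS = [
    ("jonah", "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("editor", "$2y$04$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("legacy", "0123456789abcdef0123456789abcdef:Yz3Mq"),
]

if __name__ == "__main__":
    for user, algo, finding in audit_users(SAMPLE_ROWS):
        print(f"{user:8} {algo:12} {finding}")
```

Run it against a dump of the users table (username and password columns) to find accounts whose hashes were never upgraded after a Joomla migration; bcrypt rows with an acceptable cost produce no output.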
With credentials, logging in on the website served at the ip address is now possible, but that did not give me much, so I continued to enumerate.
gobuster dir -u http://<ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
...
/templates (Status: 301) [Size: 236] [--> http://10.10.7.36/templates/]
...
/administrator (Status: 301) [Size: 240] [--> http://10.10.7.36/administrator/]
...
http://<ip>/administrator seems interesting, and the credentials work on the login page there as well, giving access to the Joomla administrator dashboard.
After looking extensively through the administrator dashboard, it appears one can create php files under Extensions -> Templates -> Templates. Either looking under Extensions -> Styles or at the source code of the webpage shown at <ip> reveals that the template in use is Protostar.
I created a shell.php file and copied in the contents of https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php, adjusting the ip address and port accordingly.
Next is setting up a listener.
nc -lvnp <port>
Remember that a http://<ip>/templates directory was found as well, hence accessing http://<ip>/templates/protostar/shell.php gives us a reverse shell. Note that this obviously depends on where the shell.php file was created.
Anyway, we initially get a reverse shell as the apache user. Running cat /etc/passwd yields the following lines of interest.
root:x:0:0:root:/root:/bin/bash
...
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
...
So, a user jjameson exists and has the home folder /home/jjameson, but the credentials found so far do not work with su jjameson.
During enumeration of /var/www/html a configuration.php file is found, and it contains credentials. The password for the above-mentioned user can be found in there, which lets us answer the question "What is the user flag?".
Moreover, we can now ssh in as jjameson and get a stable shell.
It is often a good idea to see which commands a user can run with sudo, as this might be a free ticket to root. In this case:
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
Having a look at https://gtfobins.github.io/gtfobins/yum/#sudo suggests a method to obtain root by loading a custom plugin.
At this point, privilege escalation and finding the answer to "What is the root flag?" is pretty straightforward.
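The rule above is the kind of entry a sudoers review should catch before an attacker does: a package manager that can load plugins, run as any user, with no password prompt. The script below is an added example (not from the room or any project) that parses the text sudo -l prints, separates the Defaults block from the rules, and flags NOPASSWD, blanket ALL, and root execution of binaries that can run arbitrary code. The sample outputs are constructed (the first reproduces the writeup's rule) and the watch list of binaries is illustrative, not exhaustive.

```python
"""Flag sudo rules worth a second look, from the text `sudo -l` prints.
Added example for this writeup, not the room's or any project's code."""
import os
import re
from dataclasses import dataclass, field

# Constructed sample: the writeup's own `sudo -l` output (Defaults block shortened).
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
"""

# Constructed sample of a narrowly scoped rule that needs no follow-up.
SAMPLE_BENIGN = """\
User deploy may run the following commands on web01:
    (root) /usr/bin/systemctl restart httpd
"""

# Illustrative watch list: package managers that load plugins, plus interpreters and
# pagers/editors with shell escapes. Granting these as root is granting root.
CODE_EXEC_BINARIES = {"yum", "dnf", "rpm", "apt", "apt-get", "pip", "python", "python3",
                      "perl", "bash", "sh", "vi", "vim", "less", "find"}

# (runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    runas: str
    tags: list
    commands: list
    findings: list = field(default_factory=list)


def parse_sudo_l(text):
    """Return the rules listed after the 'may run the following commands' marker."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " may run the following commands on " in line:
            in_rules = True          # everything before this is the Defaults block
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(SudoRule(m.group("runas"), tags, cmds))
    return rules


def audit(rules):
    """Attach findings to each rule; return only the rules that have any."""
    for r in rules:
        as_root = r.runas.split(":")[0].strip() in ("ALL", "root")
        if "NOPASSWD" in r.tags:
            r.findings.append("NOPASSWD: no password prompt, any shell as this user suffices")
        for cmd in r.commands:
            if cmd.startswith("!"):  # explicit deny entry, nothing to flag
                continue
            if cmd == "ALL":
                r.findings.append("ALL: any command allowed")
            elif as_root and os.path.basename(cmd.split()[0]) in CODE_EXEC_BINARIES:
                r.findings.append(f"{cmd} as root can load plugins or an interpreter (root-equivalent)")
    return [r for r in rules if r.findings]


if __name__ == "__main__":
    for rule in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({rule.runas}) {' '.join(rule.tags)} {', '.join(rule.commands)}")
        for f in rule.findings:
            print("  -", f)
```

Pipe the output of sudo -l for each account into parse_sudo_l during an access review; the fix for the case above is to drop NOPASSWD and restrict the rule to the specific yum subcommands and arguments the user actually needs.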