I’ve started hacking machines on TryHackMe in preparation for the OSCP exam during these quarantine times, and decided to write walkthroughs of the machines I hacked successfully. This post is the walkthrough for the Daily Bugle machine.
Let’s Begin :) Note that enumeration is always key :)
As usual, we will start with an nmap scan to get information about open ports. Use the following command to find the available ports.
nmap -sV -sC -T4 <your-machine-ip>
Result of nmap scanning
The nmap scan shows just three open ports:
- SSH on port 22 (OpenSSH 7.4)
- A web server on port 80 (Apache 2.4.6, also Joomla CMS)
- MySQL on port 3306 (MariaDB)
At this point we don’t have any important information yet, so we can start by looking at the web server. When we go to the URL (http://your-ip), we see a blog site running on the Joomla engine. To get more information about the website, we can search its directories with GoBuster or JoomScan. I preferred to use JoomScan, with the following command.
joomscan -u http://<your-ip>/
Result of joomscan
We see the Joomla version and the Joomla administrator URL. Searching for exploits with searchsploit using the Joomla version number (3.7.0) shows that 3.7.0 is vulnerable to SQL injection.
After a short search I found an exploit for Joomla 3.7.0 (CVE-2017-8917) on GitHub and ran the Python script.
Result of Joomblah
After running the script, we have the following user credentials.
- User name: jonah
- Password hash: [REDACTED]
- User role: super user
The hashed password starts with $2y$, which means it is a bcrypt hash. We can use the john tool, which comes preinstalled in Kali, to crack the password with the rockyou wordlist. The following command gives us his password. It takes a few minutes.
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt password_hash
Now we have credentials for the Joomla administrator login page (the one joomscan found). First, I quickly tried to connect to the machine via SSH (people often reuse the same credentials everywhere), but the username and password were not valid. So I logged in to the administrator page and investigated the panel. After nearly half an hour, I discovered that we can edit and run PHP code in the protostar template under the Extensions -> Templates menu.
After learning this trick, I added PentestMonkey’s PHP reverse shell code to the index.php file and successfully got a reverse shell via nc.
Digging around the machine, I came across the configuration.php file in /var/html/www and found the current username in the home directory.
Now we have a second set of credentials, which can be tried anywhere.
- User Name: jjameson
- Password: [REDACTED]
The first question is: what is the user flag? (for jjameson)
I tried the username and password for an SSH connection via the following command.
User flag is in user.txt file in /home/jjameson
After capturing the user flag, I examined the following things for privilege escalation on the system.
- SUID files
- sudo -l command
The jjameson user can use sudo to run Yum, the primary tool for getting, installing, deleting, querying, and managing Red Hat Enterprise Linux RPM software packages. After a quick search, I found the code to become root by running yum at GTFOBins; the two key lines of that snippet (the plugin import and the sudo invocation) are:
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
sudo yum -c $TF/x --enableplugin=y
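As an added example (not part of the original walkthrough), here is a small Python audit that parses sudo -l output and flags rules granting binaries that GTFOBins lists as shell escapes, such as yum. The sample output, the hostname and the binary list are constructed assumptions for this example.

```python
import re

# Binaries that GTFOBins documents as able to spawn a shell when run via sudo.
# Constructed, non-exhaustive sample list for this example.
SHELL_ESCAPE_BINARIES = {"yum", "vim", "less", "python", "perl", "find", "awk", "env"}

# Matches the privilege lines sudo -l prints, e.g. "(ALL) NOPASSWD: /usr/bin/yum"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Return a list of (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Matching Defaults entries ..." are skipped
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((m.group("runas").strip(), nopasswd, cmd))
    return rules


def risky_rules(output: str):
    """Return the rules whose command is ALL or whose binary is a known shell escape."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        name = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the granted binary
        if cmd == "ALL" or name in SHELL_ESCAPE_BINARIES:
            findings.append((runas, nopasswd, cmd))
    return findings


# Constructed sample, modelled on what sudo -l prints for a user like jjameson
SAMPLE = """Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, env_reset
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    for runas, nopasswd, cmd in risky_rules(SAMPLE):
        print(f"RISK: runas={runas} nopasswd={nopasswd} cmd={cmd}")
```

Running it against the sample flags only the yum rule, which is exactly the rule the walkthrough abuses; the systemctl rule is reported as safe by this check.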
The second question is: what is the root flag? (for root)
If we run the above code, we get a root shell. The root flag is in the root.txt file in /root/.
That’s all. It is a pretty machine. See you in the next blog post :)