TryHackMe: Daily Bugle (OSCP approved tools)
This Hard-rated TryHackMe room hosts a Joomla Content Management System. The Joomla instance is vulnerable to a public exploit. We then crack the hash we obtain using John the Ripper and escalate our privileges with the help of LinPEAS.
- Public Python Script
- John the Ripper
First, we start with a basic nmap scan, which shows that the SSH, HTTP, and SQL ports are open.
- -vv flag: very verbose. Useful for seeing status and progress while the scan runs.
- -Pn flag: tells nmap to skip host discovery. We already know the server is up, and it may not respond to pings.
nmap -vv -Pn 10.10.52.102
Next, we look at the web server running on port 80 by navigating to
http://10.10.52.201 in a web browser. Some enumeration indicates the site is using the Joomla CMS. To determine which version is running, we can navigate to the following path.
Now that we know we are working with Joomla version 3.7.0, we can research publicly available exploits for this version and discover that it is vulnerable to SQL injection (CVE-2017-8917). Instead of using SQLMap (not allowed on the OSCP), I decided to use a Python script named joomblah.py.
This script is easy to use: all you have to provide is the URL. (Note: ensure you run it with Python 2, or you will receive errors.)
python2 joomblah.py http://10.10.52.102
Now that we have a hash, we need to crack it using John the Ripper. First, to confirm that we are dealing with a bcrypt hash, we need to do some research on the hash format.
john jonahHash --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt
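Recognising the hash format before reaching for a cracker is mostly a matter of reading the modular-crypt prefix. The following is an added example of mine, not code from the room or the writeup: it classifies a stored password hash by its encoding alone, extracts the bcrypt cost factor, and flags what a defender auditing a Joomla users table would want to rotate. The sample strings are constructed and are not hashes of any real account.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Modular-crypt layout of a bcrypt string, e.g. the $2y$ variant PHP's
# password_hash() emits for Joomla 3.x:  $<ident>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class HashInfo:
    scheme: str                 # "bcrypt", "md5", "sha1", "sha256" or "unknown"
    john_format: Optional[str]  # value for John's --format switch, if known
    cost: Optional[int] = None  # bcrypt work factor (2**cost rounds)
    weak: bool = False          # True when a defender should rehash the password


def identify_hash(value: str, min_cost: int = 10) -> HashInfo:
    """Classify a stored password hash by its encoding alone (no cracking).
    Bcrypt strings also get their cost factor extracted and rated against min_cost."""
    value = value.strip()
    m = BCRYPT_RE.match(value)
    if m:
        cost = int(m.group("cost"))
        return HashInfo("bcrypt", "bcrypt", cost, weak=cost < min_cost)
    if HEX_RE.match(value):
        # Unsalted hex digests are weak by construction; the length tells the algorithm.
        by_len = {32: ("md5", "raw-md5"), 40: ("sha1", "raw-sha1"), 64: ("sha256", "raw-sha256")}
        if len(value) in by_len:
            scheme, fmt = by_len[len(value)]
            return HashInfo(scheme, fmt, weak=True)
    return HashInfo("unknown", None)


# Constructed sample in bcrypt layout (not a real hash of any account): cost 10,
# 22-character salt, 31-character digest, 60 characters in total.
SAMPLE_BCRYPT = "$2y$10$abcdefghijklmnopqrstuv0123456789012345678901234567890"

if __name__ == "__main__":
    for h in (SAMPLE_BCRYPT, "0123456789abcdef0123456789abcdef", "not-a-hash"):
        print(h[:20], "->", identify_hash(h))
```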
A few minutes later, John cracked the password. Now we need to find what to do with it. Trying the username and password over SSH did not work (testing for password reuse), so we pivot to logging into the Joomla CMS admin panel, since the creds came from the Joomla database.
http://10.10.52.102/administrator/ shows an admin panel that we can use to log in. Using Jonah's creds, we can log in. After looking around, we can see that the templates functionality lets us edit PHP templates.
I took this template, copy-pasted Pen Test Monkey's PHP reverse shell into it, then saved the file: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php (Note: ensure you change the IP and port to match yours when you upload.)
Once you have saved the shell into the template, open a netcat listener with nc -nlvp 1234 and navigate to the index.php page within the Joomla CMS. You will get a callback to your listener running as the apache user.
Now that we have our initial shell, we need to laterally move to another user, jjameson. This other user can be found by searching the home directory with
First, we will get linpeas.sh onto the system using wget. Host a Python simple HTTP server within the directory that holds the linpeas.sh script on your local machine (python3 -m http.server).
Since we are running as the apache user, we most likely have read, write, and execute permissions on the /var/www/html directory, so we will save the linpeas.sh script there.
chmod 777 linpeas.sh
Now we can run this script using the command ./linpeas.sh. After some output, we can see some interesting things. Most importantly, we see a password within a PHP config file.
We try to use this new password to SSH into the system with username jjameson and we are able to login and read the
Now we need to escalate to root. We will run the LinPEAS.sh script again as the jjameson user and provide LinPEAS.sh the password. We can use the same LinPEAS.sh script from before in /var/www/html/linpeas.sh. A new thing jumps out: jjameson can run yum with sudo.
Now, using GTFOBins, we can see the commands for escalating with yum.
Copying and pasting these commands gives us root.
Now we can cat the root.txt flag and the room is complete!