THM — Daily-Bugle Walkthrough

Eslam Omar
Published in System Weakness
4 min read · Feb 15, 2024

Hello friends, I want to share a new write-up about how I solved the Daily-Bugle room on TryHackMe.

Let’s start

Enumeration:

nmap -sV -sC -oA result IP_Machine

Upon reviewing the scan results, we have discovered that the website is running the Joomla CMS, with two ports open for the SSH and HTTP services. Let us proceed to test the website.

HTTP Service Enumeration:

I’ll use ‘Gobuster’ to search for any hidden directories.

gobuster dir --url "http://10.10.151.162/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

After finding the robots file and attempting to locate hidden directories on the website, we need to determine the version of the Joomla CMS. To do that, you can use this command.

curl http://10.10.151.162/administrator/manifests/files/joomla.xml | grep version | cut -d ">" -f 2 | cut -d "<" -f 1

This request fetches the Joomla manifest file from that endpoint and extracts the version string from it. Let’s use Google to search for the version using the keywords “Joomla 3.7.0 exploit”.

Awesome! We have found an SQL injection vulnerability. Let’s exploit it.

Exploitation:

To start using this, you need to clone the repository on your local machine.

git clone https://github.com/stefanlucas/Exploit-Joomla.git
cd Exploit-Joomla/
python3 joomblah.py http://10.10.151.162/

Now we have obtained these credentials, but the password is hashed. We need to crack the password to log in via the SSH service. Let's use John to crack this password. Before cracking this hash, we need to analyze it and determine its format. To do that, you need to visit this website and search with the keywords “$2*”.

Great, the hash name is bcrypt.

sudo john pass.txt --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt

I attempted to log in using SSH service, but it didn’t work.

We need to log in to the dashboard website instead.

For guidance on how to take a reverse shell, refer to this write-up for detailed instructions.

We have successfully established a reverse shell connection.

After searching in configuration.php you will find the password.

I tried logging in with these credentials via SSH, but it didn’t work. However, when I tried to log in using the ‘jjameson’ username, it was successful.

Privilege Escalation:

sudo -l

It appears that we can run the "/usr/bin/yum" binary as the root user without being prompted for a password. Let's explore this further by visiting a website.

I searched the website for information about how to run this binary as the root user, and now I’m root.
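Seen from the defender's side, the finding above is a sudoers rule that lets a user run a package manager as root without a password. The following is an added example, not part of the original write-up: a Python check that parses `sudo -l` output and flags such rules. The `RISKY_BINARIES` list, the function name, and the sample listing (including its hostname) are assumptions constructed for illustration.

```python
import re

# Assumption: illustrative, non-exhaustive list of tools that run package scripts or plugins.
RISKY_BINARIES = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg", "pip", "pip3"}

# A privilege line from `sudo -l`, e.g. "    (ALL) NOPASSWD: /usr/bin/yum"
RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def audit_sudo_listing(text):
    """Return findings for rules that allow a risky binary to run as root."""
    findings = []
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue
        # Runas spec is "user[:group]"; only root-equivalent targets matter.
        users = {u.strip() for u in rule.group("runas").split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue
        nopasswd = False  # tags carry over to later commands on the line
        for item in rule.group("rest").split(","):
            item = item.strip()
            tag = TAG_RE.match(item)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
                tag = TAG_RE.match(item)
            path = (item.split() or [""])[0]
            if path.rsplit("/", 1)[-1] in RISKY_BINARIES:
                findings.append({"command": path, "nopasswd": nopasswd})
    return findings


# Constructed sample in the format `sudo -l` prints (hostname is made up).
SAMPLE = """\
Matching Defaults entries for jjameson on examplehost:
    !visiblepw, always_set_home

User jjameson may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/yum
    (backup) NOPASSWD: /usr/bin/rsync
    (root) /usr/bin/systemctl status httpd, /usr/bin/dnf
"""

if __name__ == "__main__":
    print(audit_sudo_listing(SAMPLE))
```

Rules flagged with `nopasswd` set to true are the ones to review first, since they need no further credential once the account is compromised.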

Thanks for reading.
