TryHackMe DailyBugle Writeup – Exploiting Joomla Version 3.7.0

I’m working on the Offensive Pentesting Learning Path on TryHackMe, and I’ve already reached the 3rd level by exploiting 7 machines on my way. Yesterday I was working on a machine called “DailyBugle” – a Joomla CMS based machine with an exploit related to Joomla version 3.7.0. Here is my writeup and my way of exploiting the machine. I hope you enjoy reading it.

The DailyBugle machine is fairly straightforward. One needs a basic knowledge of CMS exploitation and a fairly basic knowledge of cracking hashes to get the password. As this machine is part of the TryHackMe OSCP learning path, one is not allowed to use sqlmap; apart from that, this is a medium-hard machine.


Enumeration

As usual, I’m going to perform an initial Nmap scan to find open ports and running services, get more information on the OS version and, if possible, find the applications running.

The Nmap port scan shows SSH on port 22, a web server running on the default port 80 and MySQL on its default port 3306.

I found out that a website, “Dailybugle”, is running on the Apache web server. Upon going through the website, we noticed “Spider-Man” has robbed a bank 🙂

Enumerating Hidden Directories

After finding the website, I proceeded to enumerate the directories. I used GoBuster and found the following hidden directories, along with an interesting /administrator/.

Administrator Login Page

Sweet, when I see this login page I know there is a vulnerability associated with it. Joomla can easily be at the top of the list of CMSs with the most vulnerabilities found.

Finding Joomla Version and Exploits

In fact, it doesn’t take much time to find exploits related to Joomla; however, each exploit works on a particular version of a CMS or any application, so I need to find the Joomla version first.

There is a very nice and frequently updated tool on GitHub that every pen tester uses at least once while testing and finding web application versions, called “CMSeeK” by Tuhinshubhra. I used it and the tool got me the information I was looking for. Joomla version 3.7.0 is running on this machine.

Finding The Exploit For Joomla 3.7.0

As per the tasks in TryHackMe, we could use SQL injection to find the user and the password; however, they recommended using a Python script. I know a script which I recently used in one of the assignments, which is called “JoomBLAH”.

Finding The User

I copied the Python script to my Dailybugle working directory and have the user “Jonah” and her hashed password. The interesting part is that user Jonah seems to be a Super User, which is going to be more fun.

Cracking The Hash

The hashed password can’t be used to log in to the CMS, so I’m going to use both John and Hashcat with the all-time favorite RockYou; let’s see which one cracks faster.

John took around 0:29:54 minutes to crack the password.

Whereas Hashcat took just 0:07:00 minutes.

As I have a valid credential, let us log in to the CMS.

Joomla Administrator Portal

Reverse Shelling The Box

I tried to use the credential to SSH into the box, but it didn’t work, so plan B was to get a reverse shell on the machine. There are a couple of reverse shells that I could use; I chose PenTestMonkey’s PHP reverse shell, which always works. I’ve used it extensively on different machines of HackTheBox.

The usage is always the same: find a template, edit the source and amend it with our reverse shell script, run a listener on the local machine, run the script and boom, there you have the reverse shell. It is as simple as it sounds.

I opened the default template and proceeded to customize it. I used the index.php page of the default template. On the other hand, I started my listener running on port 9999.

And update it to this:

Once the amendment is done, I open the page by running it, my listener is activated and I have a reverse shell as Apache.
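From the defender's side, the template edit described above is detectable on disk. The following is an added example, not code from the original post: it scans Joomla template PHP files for code that both opens a socket and starts a process. The indicator lists, function names and sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic indicators (assumed, not exhaustive). Template files render HTML;
# one that opens a socket AND starts a process is behaving like a shell.
NETWORK = re.compile(
    r"\b(fsockopen|pfsockopen|stream_socket_client|socket_create)\s*\(", re.I)
PROCESS = re.compile(
    r"\b(proc_open|popen|shell_exec|passthru|system|exec)\s*\(", re.I)

def classify(php_source):
    """Return (level, calls): 'high' when both groups hit, 'review' for one."""
    net = sorted({m.group(1).lower() for m in NETWORK.finditer(php_source)})
    proc = sorted({m.group(1).lower() for m in PROCESS.finditer(php_source)})
    if net and proc:
        level = "high"
    elif net or proc:
        level = "review"
    else:
        level = "clean"
    return level, net + proc

def scan_templates(joomla_root):
    """Return {relative path: (level, calls)} for flagged template PHP files."""
    root = Path(joomla_root)
    hits = {}
    for tpl_dir in (root / "templates", root / "administrator" / "templates"):
        if not tpl_dir.is_dir():
            continue
        for path in sorted(tpl_dir.rglob("*.php")):
            level, calls = classify(path.read_text(errors="replace"))
            if level != "clean":
                hits[str(path.relative_to(root))] = (level, calls)
    return hits

# Constructed samples: an untouched template and a tampered one (fragment only).
CLEAN_TEMPLATE = ('<?php defined("_JEXEC") or die; ?>\n'
                  '<html><jdoc:include type="component" /></html>\n')
TAMPERED_TEMPLATE = ('<?php $s = fsockopen($host, $port); '
                     '$p = proc_open($cmd, $spec, $pipes); ?>\n')

if __name__ == "__main__":
    print(classify(CLEAN_TEMPLATE))
    print(classify(TAMPERED_TEMPLATE))
```

Pairing a scan like this with a file-integrity baseline of the template directories also catches edits that avoid these function names.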

Upon enumerating further I found the user JJameson; however, I wasn’t able to go to his home directory as the Apache user doesn’t have permission.

As I’m not able to do anything unless I have the right password or the right user, I started to enumerate further. I know that as the Apache user I will be able to read files within www, so I proceeded to do so. While reading the contents of the www folder I noticed some credentials in /var/www/html/configuration.php.

At that moment, I knew that it was the password of user JJameson and that I would be able to SSH into the box using it. I did so and I’m logged in to the box as user JJameson.

Privilege Escalation

As usual, post exploitation I run sudo -l to see if the user is able to run anything as root. Luckily, yes, he’s able to run /usr/bin/yum as root. So the user has root privileges on yum, which as well allows a root setUID executable. This privesc is the route for escalating user JJameson to root.

I used the exploit as mentioned in the article.

I ran my custom plugin exploit, got the root shell and found root.txt in the /root/ home folder.
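The sudo rule that made this escalation possible is the kind of entry a host audit should flag. The following is an added example, not part of the original writeup: it parses `sudo -l` style output and reports root-capable rules for binaries that can run caller-supplied code. The binary list, user name, host name and sample output are constructed assumptions.

```python
import re

# Binaries that can load plugins/hooks or spawn commands when run through
# sudo. Short illustrative list (assumed), not exhaustive.
RISKY = {"yum", "dnf", "apt", "apt-get", "rpm", "dpkg", "pip", "vim", "find", "tar"}

# Constructed sample of `sudo -l` output; user and host names are made up.
SAMPLE = """\
User webadmin may run the following commands on host01:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl status httpd, /usr/bin/tar
    (ALL : ALL) ALL
"""

# One rule line: (run-as spec) [TAG: ...] command[, command...]
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return [(command, reason, nopasswd)] for rules that can lead to root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or unrelated line
        run_as_user = m.group("runas").split(":")[0].strip()
        if run_as_user not in ("ALL", "root"):
            continue  # rule does not grant root
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commas escaped inside arguments are not handled.
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0]
            if binary == "ALL":
                findings.append((cmd, "unrestricted", nopasswd))
            elif binary.rsplit("/", 1)[-1] in RISKY:
                findings.append((cmd, "runs caller-supplied code", nopasswd))
    return findings

if __name__ == "__main__":
    for command, reason, nopasswd in audit_sudo_l(SAMPLE):
        print(f"{command}: {reason} (NOPASSWD={nopasswd})")
```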


That’s all, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
