https://tryhackme.com/room/dailybugle

Daily Bugle is a machine running a Joomla web application that is vulnerable to SQL injection. The challenge requires us to obtain the Joomla CMS username and hashed password, and then crack the hash.

Once we have valid Joomla credentials, we need to gain initial access to the machine and then escalate our privileges to root.


Connect via VPN

You can connect to the TryHackMe network via your VPN by using the following command. Your VPN config file can be downloaded once you are logged into your account, under the access panel in the left-hand menu bar:

openvpn YourFile.ovpn

Deploying Daily Bugle VM

Once we are connected via our VPN file, we need to deploy the VM. This can be done by clicking the "Deploy" button.

It might take 3-5 minutes for the VM to be deployed. Once done, you will be able to see its IP address.

Note down this IP address, as it will be used throughout the following phases.


Enumeration - Nmap Scan

Once we have the IP address, we need to perform an Nmap scan to find which ports are open. This can be done by issuing the following command.

nmap -sC -sV -T4 -A 10.10.40.252

We can see that two ports are open, HTTP and SSH, and Nmap's scripts have also found some Joomla directories. Note down the /joomla/administrator/ and /administrator/ directories.


Enumeration - Joomscan

Once we have enough information from the Nmap scan, the next step is to scan the web application with joomscan, since the application is based on Joomla. It can be done with the following command.

joomscan -u "http://10.10.40.252:80"

By doing so, we can find the Joomla version of the current instance.


Port 80 - HTTP

On opening the IP (10.10.40.252) in the browser, we can see that a web application is up and running and here we can find the answer to our first question.


SQL Injection

As we already know that this web application is vulnerable to SQL injection, a quick Google search reveals links to multiple exploits, one of which is on Exploit-DB.

https://www.exploit-db.com/exploits/42033

The exploit page gives us the vulnerable path; all we need to do is replace localhost with the IP address of the application, which gives the URL below.

http://10.10.40.252/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

On opening this URL in the browser, we can see that it is indeed vulnerable to SQL Injection.
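On the defensive side, the same request pattern is easy to spot in web server logs. The following Python script is an added example, not part of the original room or the Exploit-DB entry: it parses constructed Apache combined-format log lines and flags requests to com_fields whose list[fullordering] value is not a plain column-plus-direction ordering, separating values that contain SQL function names or quote characters from merely unexpected ones. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Enough of the combined log format for this check: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# What a legitimate Joomla ordering value looks like, e.g. "a.ordering ASC".
SAFE_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)
# Tokens that have no business inside an ordering value.
SQL_MARKERS = re.compile(
    r"(updatexml|extractvalue|union\s+select|sleep\s*\(|benchmark\s*\(|['\"#;]|--)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the parsed fields of one log line plus its decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    query = urlsplit(entry['path']).query
    # parse_qs percent-decodes values, so updatexml%27 becomes updatexml'
    entry['params'] = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return entry


def classify(entry):
    """Return an alert dict for a suspicious com_fields ordering value, or None."""
    params = entry['params']
    if params.get('option') != 'com_fields' or 'list[fullordering]' not in params:
        return None
    value = params['list[fullordering]']
    if SAFE_ORDERING.match(value):
        return None
    reason = 'sql-marker' if SQL_MARKERS.search(value) else 'unexpected-ordering-value'
    return {'ip': entry['ip'], 'ts': entry['ts'], 'status': entry['status'],
            'value': value, 'reason': reason}


def scan(log_text):
    """Run every line through the parser and classifier; return the list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['reason']}: list[fullordering]={alert['value']!r}")
```

The allow-list approach (accept only values that look like "column DIRECTION") is deliberate: it catches tampering that does not use any well-known SQL function name, while the marker check gives the analyst a higher-severity reason when one is present.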


SQLMap

Once we have the vulnerable URL and the parameter, we can exploit it via SQLMap. It can be done by issuing the following command.

sqlmap -u "http://10.10.40.252:80/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml*" --dbs

SQLMap can take a while to find the databases, so we might need to wait patiently.

Once done, we can see the retrieved database names.

From here we know that we are looking for Joomla credentials, so we need to find all the tables from the joomla schema.

We can see that there are a number of tables, but the most prominent one is the "user" table. So, now we can move forward and look for all the columns in it.

We can see that this table indeed has the columns we are looking for.

So, we simply move onward and dump everything in this table.

Finally, we have found the username and the hashed password.


Cracking The Hash

Once we have the hash, we need to crack it. It can be done with John the Ripper.

Now we have the plain text password.


Exploitation

Now we have the username and the password for the Joomla login portal. Log into the Joomla Administrator Panel using the credentials.

http://10.10.40.252/administrator/

Once logged in, click on Templates.

Once opened, edit any of the templates as we will be replacing the contents of index.php.

From here we need to create a PHP Reverse Shell. Copy the PHP Reverse Shell to your current location.

cp /usr/share/webshells/php/php-reverse-shell.php .

Note down your own IP address. In this case it is the address of tun0 and can be checked via the ip addr command. Once noted down, replace the IP address in the PHP reverse shell with our machine's IP address and change the port to 4444.

Now, we need to replace the contents of index.php with the contents of this reverse shell.

Once done save the template.

As this is a reverse shell, we need to start a netcat listener on port 4444 before triggering it.

Once netcat is listening, click on Template View. As soon as this is clicked, you will get the reverse connection.
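What happened here, from the defender's side, is that a file under the site's templates directory was rewritten through the administrator panel. The following Python script is an added example, not code from the room or from Joomla: it records a SHA-256 baseline of every file under a template root, reports files that were modified, added or removed since the baseline, and lists PHP process- and socket-spawning calls found in the changed files. The directory layout, the template name "protostar" and the file contents are constructed in a temporary directory; the "overwritten" index.php only contains call names, not a working payload.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls that have no place in a Joomla template's index.php.
SUSPICIOUS_CALLS = re.compile(
    r'\b(fsockopen|proc_open|shell_exec|passthru|popen|exec|system|eval)\s*\('
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every file under root (as a path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def diff_baseline(root: Path, base: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = baseline(root)
    return {
        'modified': sorted(p for p in base if p in current and current[p] != base[p]),
        'added': sorted(p for p in current if p not in base),
        'removed': sorted(p for p in base if p not in current),
    }


def suspicious_calls(path: Path) -> list:
    """Return the distinct suspicious PHP call names found in a file."""
    text = path.read_text(errors='replace')
    return sorted(set(SUSPICIOUS_CALLS.findall(text)))


def build_demo() -> dict:
    """Constructed scenario: baseline a clean template, then overwrite index.php and add a file."""
    root = Path(tempfile.mkdtemp())
    tpl = root / 'templates' / 'protostar'   # assumed template name
    tpl.mkdir(parents=True)
    (tpl / 'index.php').write_text("<?php\ndefined('_JEXEC') or die;\necho 'site';\n")
    (tpl / 'templateDetails.xml').write_text('<extension type="template"/>\n')
    base = baseline(root)

    # Constructed change: index.php replaced with content that spawns a process
    # and opens a socket (call names only, not a working payload), plus a new file.
    (tpl / 'index.php').write_text(
        "<?php\nproc_open('placeholder', [], $pipes);\nfsockopen('placeholder', 0);\n"
    )
    (tpl / 'error.php').write_text("<?php\necho 'new file';\n")

    report = diff_baseline(root, base)
    report['suspicious'] = {p: suspicious_calls(root / p)
                            for p in report['modified'] + report['added']}
    return report


if __name__ == '__main__':
    result = build_demo()
    for key in ('modified', 'added', 'removed'):
        print(f"{key}: {result[key]}")
    for path, calls in result['suspicious'].items():
        print(f"{path}: {calls or 'no suspicious calls'}")
```

In a real deployment the baseline would be written after each legitimate template change and the comparison run from cron or a file-integrity tool; a template edit that was not accompanied by a change ticket, or that introduces any of the listed calls, is the event to alert on.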

From here we need to enumerate. We can find the SSH user in /home directory.

Since we are the apache user, we list the contents of /var/www/html, where we can find various configuration files.

We know that these files contain usernames and passwords. From here, we read the configuration file and note down the password for SSH.

We can find two passwords. Now we have the username as well as the passwords for SSH.


SSH

Using these credentials we can log in over SSH.

Once we are into the system, we can find the user flag.


Privilege Escalation

The room has already told us which privesc technique to use, in this case yum.

GTFOBins covers it, at the link below.

https://gtfobins.github.io/gtfobins/yum/

Utilise the second technique for escalation of privileges.

We can now see that we are root and we can also read the root flag.


The Other Way Out

SQLMap takes a lot of time during exploitation, so there is another method to grab the user credentials and speed up the process.

It can be done with one of the automated scripts available online; I used the following one.

https://github.com/XiphosResearch/exploits/blob/master/Joomblah/joomblah.py

Simply running it against the URL grabs the username and the hashed password.

Once we have the hashed password, we follow the same steps as before, starting from cracking the hash.


I hope that you followed along and first tried it on your own, and that you have learned some new techniques by completing this room.

TryHackMe