###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`

# Daily Bugle

:::info
In this room we will compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate our privileges by taking advantage of yum
:::

## Obtain user and root

Via the reconnaissance we see that there is a web server running.

![](https://i.imgur.com/wzkCp91.png)

Let's enumerate the directories using **GoBuster**

![](https://i.imgur.com/UeZU22p.png)

We can see the presence of a `Readme.txt` file. Interesting, let's look at it.

![](https://i.imgur.com/kW42JDe.png)

Inside the file we can see that a **Joomla CMS** is running in its version **3.7.0**. Let's check whether there is any vulnerability associated with this version of Joomla.

![](https://i.imgur.com/ejLtc8C.png)

:::success
This version of Joomla is vulnerable!
:::

Let's analyse the exploit we downloaded. The exploit shows us that there is a vulnerable URL and that we can use **sqlmap** to inject **SQL** with the following command:

- `sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]`

The result of the command shows us the presence of 5 databases. A very interesting one is the **joomla database**, which can store the admin credentials.

![](https://i.imgur.com/M8H5m4N.png)

![](https://i.imgur.com/0hsMEaP.png)

Now that we have the username and the hashed password, we can crack the password with JTR.

![](https://i.imgur.com/TOabeVn.png)

:::success
Password = spiderman123
:::

## Gaining first access

![](https://i.imgur.com/VsUfEqi.png)

After entering the administrator page, I inspected the site and found a place where I could insert malicious PHP code.

![](https://i.imgur.com/hp0mR7d.png)

![](https://i.imgur.com/HSgHFwh.png)

![](https://i.imgur.com/JjsyeNd.png)

![](https://i.imgur.com/d0VfbFQ.png)

I downloaded a reverse shell from [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell) and pasted it into the `index.php` file. I then opened a handler with netcat and triggered the reverse shell by browsing to the URL `http://10.10.242.174/templates/beez3/index.php`

![](https://i.imgur.com/9m8262Q.png)

I wanted to go to the user directory, but I did not have the permissions.

![](https://i.imgur.com/VYNdpEw.png)

## Privilege escalation

I inspected the different directories and went to `/var/www/html`. There I found a file called `configuration.php`

![](https://i.imgur.com/may7dIp.png)

We can see a password in clear text. At this point I remembered seeing that SSH was enabled when I did the scan with nmap.

![](https://i.imgur.com/O5TKAuc.png)

I used the password to log in as the `jjameson` user.

![](https://i.imgur.com/kCw7Sul.png)

We notice that the user jjameson can run the command `/usr/bin/yum`

![](https://i.imgur.com/e3Lv1Zx.png)

After searching for the yum binary on [GTFOBins](https://gtfobins.github.io/gtfobins/yum/) we found a way to escalate our privileges.

![](https://i.imgur.com/NnOrRp9.png)

:::success
I AM THE ROOT USER
:::
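
The `com_fields` request used in the sqlmap step, seen from the defender's side (an added example, not part of the original write-up): this scans web access logs for `com_fields` requests whose `list[fullordering]` value is not a plain sort expression. The log lines are constructed, and the rule that a legitimate value looks like `<column> ASC|DESC` is an assumption to adjust for your site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate sort value is "<column> <direction>", e.g. "a.title ASC".
SAFE_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)
PARAM = "list[fullordering]"


def suspicious_ordering(target):
    """Return the offending list[fullordering] value, or None if the request is fine."""
    # parse_qs percent-decodes names and values, so list%5Bfullordering%5D is caught too.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_fields":
        return None
    for value in query.get(PARAM, []):
        if not SAFE_ORDERING.match(value.strip()):
            return value
    return None


def scan(lines):
    """Return (client_ip, value) for each log line carrying a suspicious sort value."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we understand
        value = suspicious_ordering(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (documentation IP range), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.title+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8342 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent unexpected {PARAM} value: {value!r}")
```

Access logs only record the query string, so a value sent in a POST body needs the same check at a WAF or in application logging.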