TryHackMe – Daily Bugle Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a blind SQL injection vulnerability in Joomla to gain initial access, using exposed database credentials to gain user access, and abusing Sudo permissions on the Yum package manager to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

Based on the results of the scan, the next step would be to start enumerating HTTP.

Enumerating HTTP

The following page is displayed when accessing the web server through a browser:

Judging by the login form and the layout of the page, the site appears to be running Joomla. This can also be confirmed by inspecting the page source.

After a bit of research, I stumbled across this article, which mentions how to identify the Joomla version the site is running:

Accessing the joomla.xml file reveals that the version is 3.7.0:

Using the SearchSploit tool to identify known vulnerabilities in this version of Joomla:

Mirroring the exploit:

It appears that this version of Joomla is affected by a blind SQL injection in the “list[fullordering]” parameter:

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

Running the payload provided by SQLMap to confirm that the endpoint is vulnerable:

http://10.10.191.219/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

The site waited for 5 minutes before the page was loaded, meaning the sleep query was successfully executed.
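As an added example that is not part of the original walkthrough, the following Python script shows the defender's side of this finding: it scans Apache access-log lines for list[fullordering] values that do not look like a legitimate Joomla sort key. The log lines are constructed and embed the payloads sqlmap reported above; the pattern for legitimate values (alias.column ASC|DESC) is an assumption about how Joomla populates that parameter.

```python
# Added example, not from the original walkthrough: flag requests whose
# list[fullordering] value does not look like a legitimate Joomla sort key.
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values have the form "<alias>.<column> ASC|DESC",
# e.g. "a.title ASC"; anything else is treated as suspicious.
LEGIT_ORDERING = re.compile(r"^[a-z]\.[a-z_]+ (ASC|DESC)$", re.IGNORECASE)
# Secondary signal: SQL keywords that never belong in a sort key.
SQL_MARKERS = re.compile(r"\b(SELECT|SLEEP|CASE|UNION|FROM|UPDATEXML)\b", re.IGNORECASE)
# Apache combined log format; only client IP, request path and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed log lines; the payloads are the ones sqlmap reported above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000
"""

def classify(value):
    """Return None for a legitimate sort key, otherwise a short reason."""
    if LEGIT_ORDERING.match(value):
        return None
    m = SQL_MARKERS.search(value)
    return f"sql keyword {m.group(1).upper()}" if m else "unexpected format"

def scan_log(text):
    """Return (ip, status, decoded value, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes keys and values, so encoded brackets and
        # encoded payloads are seen the way the application saw them.
        params = parse_qs(urlsplit(m["path"]).query)
        for value in params.get("list[fullordering]", []):
            reason = classify(value)
            if reason:
                hits.append((m["ip"], int(m["status"]), value, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The 500 status on the updatexml%27 probe is the kind of corroborating signal worth correlating with the flagged parameter value.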

Exploiting SQL Injection

Running SQLMap using the arguments specified in the exploit:

sqlmap -u "http://10.10.191.219/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

The SQL injection was successful, and SQLMap has started retrieving the database tables:

The users table may contain credentials to access the Joomla administration section:

Looking up the table structure in the Joomla documentation to find the columns to extract, without having to wait for SQLMap to enumerate them:

Issuing the following SQLMap command to dump the username and password columns from the users table:

sqlmap -u "http://10.10.191.219/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T "#__users" -C username,password -p list[fullordering] --dump

It looks like a “jonah” user is present, and a password hash is stored in the database. Adding the hash to a text file:

Using John the Ripper with the following flags to crack the previously found hash:

  • --wordlist to specify the wordlist to use, in this case rockyou
  • the text file containing the hashes, one per line

The hash was cracked successfully and the password was “spiderman123”. Authenticating into Joomla as Jonah:

Gaining a Foothold

One way to gain remote code execution on Joomla is to use its template editor and modify one of the PHP files so that it executes malicious code when it is navigated to.

Navigating to Extensions -> Templates -> Templates:

Selecting the Protostar theme, which is the one currently in use:

Selecting the index.php page:

In the meantime, copying the Laudanum PHP reverse shell to the current working directory and changing the IP and port:

Pasting the content of the PHP reverse shell to the beginning of the index.php file:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the index.php page:

A callback has been received on the listener, granting a shell as the “apache” user:

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Pressing CTRL+Z to background the process and return to the local host
  • Running stty raw -echo on the local host
  • Typing fg and pressing ENTER to return to the reverse shell
  • Running export TERM=xterm in the reverse shell

Privilege Escalation

When viewing the contents of the configuration.php file, which normally contains database credentials for Joomla, a password is revealed:

The database password found in configuration.php was also being used as the credential for the “jjameson” user:

When running the sudo -l command as jjameson, it appears the user is allowed to run Yum as root.

Yum is a free and open-source command-line package-management utility for Linux-based operating systems that use the RPM Package Manager.

After consulting GTFOBins, it appears that Yum can be used to escalate privileges by crafting a malicious RPM package and installing it on the victim machine:

Following the steps mentioned in GTFOBins to create an RPM package that will execute the id command when installed, in order to confirm root-level command execution:

Using the Python Simple HTTP Server and Wget to transfer the RPM package to the victim machine:

Installing the RPM package; as shown below, the id command was executed as root:

Creating another RPM package, which this time will create a SUID copy of the /bin/bash binary:

Using the Python Simple HTTP Server and Wget to transfer the RPM package to the victim machine:

After installing the RPM package, the SUID Bash binary has been created successfully:

Executing the new SUID Bash binary with the -p flag, which keeps the effective user ID of the binary's owner instead of dropping it, grants root access to the host:
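The sudo rule that made this escalation possible is exactly what a sudoers audit should catch. As an added example that is not part of the original walkthrough, this Python script parses a constructed sudoers fragment and flags rules that let a non-root user run a package manager (or ALL) as root; the exact jjameson rule and the list of risky binaries are assumptions, since the walkthrough only shows that sudo -l allowed Yum.

```python
# Added example, not from the original walkthrough: audit sudoers user specifications
# for rules that let a non-root user run a package manager (or anything) as root.
import re

# Assumption: binaries that install arbitrary files or run install scriptlets as root;
# the GTFOBins Yum technique used above is one instance.
RISKY_COMMANDS = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg", "pip"}
# user  host=(runas) [TAG:] cmd[, cmd...]
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

# Constructed sudoers fragment; the jjameson line mirrors what sudo -l showed above.
SAMPLE_SUDOERS = """\
root        ALL=(ALL)   ALL
jjameson    ALL=(ALL)   NOPASSWD: /usr/bin/yum
backup      ALL=(root)  /usr/bin/rsync -a /srv/ /mnt/backup/   # nightly job
deploy      ALL=(ALL)   NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/rpm -i *
%wheel      ALL=(ALL)   ALL
"""

def parse_rules(text):
    """Return (user, runas, command) triples from the user-specification lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m["runas"] or "root"  # an omitted runas list means root
        for cmd in m["cmds"].split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: etc.
            rules.append((m["user"], runas, cmd))
    return rules

def risky_rules(text):
    """Flag rules where ALL or a package manager may run as root."""
    findings = []
    for user, runas, cmd in parse_rules(text):
        if user == "root" or not ("ALL" in runas or "root" in runas):
            continue
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in RISKY_COMMANDS:
            findings.append((user, cmd, f"{binary} installs files and scripts as root"))
    return findings

if __name__ == "__main__":
    print(risky_rules(SAMPLE_SUDOERS))
```

Run it against the output of visudo -c -f or a copy of /etc/sudoers.d/* to review every rule, not just the one a given user sees with sudo -l.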

Conclusion

This box was pretty fun and I definitely learned something new, as Joomla isn’t that common nowadays, especially in capture the flag challenges. The Yum privilege escalation vector wasn’t new to me but is still a very interesting way to escalate to root.