Daily Bugle - THM

|Write-up|

Bat_09
Oct 25, 2021

Hey guys!! This is a walk-through of Daily Bugle, a SQLi-based vulnerable machine. Let's perform basic enumeration using nmap and gobuster.

sudo nmap -A <ip>

The scan results show there are three ports open, and we can see Joomla on port 80. Visiting the website shows there is a login option and a story about Spider-Man.

sudo gobuster dir -u http://ip/ -w /usr/share/wordlists/dirb/common.txt

From the results we can head to robots.txt, and there are many directories that aren't accessible.

In task 2, let's find out the Joomla version. There are many ways to find it, and here is the simple one. There's an exploit for this version of Joomla in exploit-db.

The hint says to use a Python script instead of sqlmap; here we can use this. With it we learned about the user Jonah and the password, which is stored as a hash. Let's crack it using John the Ripper.

Log in with the credentials at http://ip/administrator/. Now we need to find a way to get a reverse shell. In the templates directory we have the edit option for index.php; edit it and place the reverse shell there (you can use the pentest-monkey one).

Remember to change the IP and port to the ones on your machine, and start a netcat listener in your terminal.

sudo nc -lvnp 4444

Refresh the home page and you will get the reverse shell. We can see a user named jjameson, which we can't access. There's no privilege to run sudo -l, and crontab was also a no-go. Then the configuration.php file seemed interesting: it had a password, so let's log in with it.

We got into the jjameson account and were able to get the user flag.

Now we need to find a way to escalate our privileges to almighty root. sudo -l gave us yum; yum is a suid that can be executed by all users. We can find it in gtfobins, and spawn the shell using method 'b' mentioned there.
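From the defender's side, the sudo rule for yum is the misconfiguration that made this escalation possible. The following is an added example, not part of the original write-up: a Python check that parses `sudo -l` output and flags rules granting binaries that can run arbitrary code. The binary list (a small subset of what GTFOBins documents) and the sample output are constructed assumptions.

```python
import os
import re

# Constructed subset of binaries that GTFOBins documents under "sudo";
# a real audit would load the full list.
SHELL_ESCAPE_CAPABLE = {"yum", "dnf", "rpm", "vim", "find", "less", "awk", "tar", "env"}

# Rule lines in `sudo -l` output look like: "    (ALL) NOPASSWD: /usr/bin/yum"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample output, not taken from the room.
SAMPLE = """\
User jjameson may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/uptime, /usr/bin/less /var/log/messages
"""


def audit_sudo_listing(text):
    """Return one finding per sudo rule that grants a shell-escape-capable command."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults line, or blank
        runas_user = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            name = os.path.basename(cmd.split()[0])
            if name != "ALL" and name not in SHELL_ESCAPE_CAPABLE:
                continue
            as_root = runas_user in ("ALL", "root")
            findings.append({
                "command": cmd,
                "runas": runas_user,
                "nopasswd": nopasswd,
                "severity": "high" if as_root and nopasswd else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"[{f['severity']}] {f['command']} as {f['runas']} "
              f"(NOPASSWD={f['nopasswd']})")
```

Any "high" finding means an unprivileged account can become root without a password; remove the rule or replace it with a narrowly scoped wrapper.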

Finally we were root, and got the root flag!!

Thank You!!

H@ppy H@cking!!🦇
