Daily Bugle
This is my first write-up for the box Daily-Bugle on tryhackme.com/room/dailybugle
NMAP
Running an nmap scan on the machine reveals the following:
Gobuster
Upon running gobuster we find that there is a couple of interesting directories.
Joomla
Taking a closer look at /administrator we see a login panel for joomla. Now we know that the server is running joomla on the box. Taking a look at README.txt we can see that it indicates that the joomla version might be 3.7.0. Looking around on the interwebs I stumbled upon this very interesting script on github called joomblah.py. https://github.com/XiphosResearch/exploits/tree/master/Joomblah Running this script immediately returns the hashed password for jonah.
Using john to crack the password can take a while. Took me around 20 mins, so be patient while johntheripper does its magic. Eventually we get the password.
Using the username and the password we can then log into the joomlah cms. After doing some more research I stumbled upon this article https://www.hackingarticles.in/joomla-reverse-shell/ that explains how we can gain a reverse shell, on the machine. Following the article we gain an initial shell on the box by heading to the following link.
Privilege Escalation
After looking around for a bit we can see that there is a configuration.php file in the /var/www/html directory. After taking a look at the contents we see mysql db credentials.
Using these credentials we can log into the database, but also these credentials are used by the user in the home directory so by using su jjameson we get a shell as jjameson. We can now go ahead and grab the user flag. From there after using sudo -l we can see that jjameson has the following sudo permissions.
Using gtfo bins and basically just copy pasting the commands we get a shell as root and can grab the root flag.
Thank you for reading my write-up.