Daily Bugle (TryHackMe) write up

4 min read · Sep 3, 2024

The first step is to check which ports are open on the target IP address.

The scan shows the open ports, one of which is the HTTP port, so open the IP address in a browser.

When accessing the web server, you will find the answer to the question ‘Who robbed the bank?’

The next step is to use gobuster to brute-force and find any hidden paths.

Here are some interesting paths you might come across, like /robots.txt and /administrator.

The /robots.txt file tells web crawlers which parts of the site they are asked not to visit, while /administrator leads to the admin panel, where backend management happens.

When you access the /robots.txt path, you can see which parts of the website have been disallowed. These sections are specified in the file using the Disallow directive. The file is advisory only and enforces no access control, so it also shows any visitor which paths the site owner wanted kept out of search results.

After that, accessing the /administrator path reveals that the web server is running Joomla.

The next step is to use the joomscan command, which is a tool for scanning security vulnerabilities on websites that use the Joomla content management system.

You will find that the web server is running Joomla version 3.7.0. Searching the exploit database shows that this version has an SQL injection vulnerability, which permits the insertion of malicious commands.

The following step involves using the joomblah command to scan for and evaluate vulnerabilities in Joomla-based websites.

The user is a superuser. Both the username and a hashed password are visible; the hash must be cracked with John the Ripper.

Return to the /administrator page and input the retrieved username and password.

Next, go to Extensions > Templates > Templates and select Beez3.

Select the index.php page to modify its content and replace it with a PHP reverse shell.

Afterward, initiate nc (Netcat), save the index.php page, and then select “Template view.”

Once the reverse shell is established, use the whoami command to identify the current user.

Use the command ls -l to display a list of files and directories in the current directory along with additional details such as access permissions, file size, last modification date and time, and file owner.

Go to the directory /var/www/html. This is where website data and files necessary for serving the website are stored.

You will see a file named configuration.php. Use the command cat configuration.php to view the file’s content, and you will find the password for the user jjameson.

Log in using the retrieved password for the user jjameson.

By using the command ‘ls -l’, you can see the file user.txt. To reveal the flag, use the command cat user.txt.

The command sudo -l lists all commands that a user can execute with sudo privileges, including the actions the user is permitted to perform and which commands can be run without requiring a password.

If you want to gain more access or control, you might be able to exploit the yum command by following the techniques described on the GTFOBins website.
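The sudo rule described above is what an administrator would want to catch before an attacker does. The following is an added example, not part of the original write-up: it audits `sudo -l` output for rules that grant root access to binaries able to run arbitrary commands. The binary list is an illustrative subset (an assumption), and the sample output, including the host name, paths and extra rules, is constructed.

```python
import os
import re

# Assumption: illustrative subset of binaries that GTFOBins lists as able to
# run arbitrary commands under sudo. yum is the one this write-up relies on.
ESCAPE_CAPABLE = {"yum", "rpm", "vim", "less", "find", "awk", "tar"}

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd[, cmd]"
TAG = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, PASSWD:, SETENV: ...


def audit_sudo_l(output):
    """Return one finding per sudo rule that hands out a root-capable escape."""
    findings = []
    for line in output.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header, "Matching Defaults entries", blank lines
        runas_users = rule.group(1).split(":")[0]
        as_root = any(u.strip() in ("ALL", "root") for u in runas_users.split(","))
        nopasswd = False
        # Commas separate commands; a literal comma in arguments is escaped.
        for cmd in re.split(r"(?<!\\),", rule.group(2)):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):
                # Tags persist for later commands until overridden.
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if not cmd or not as_root:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in ESCAPE_CAPABLE:
                findings.append({"command": cmd, "nopasswd": nopasswd,
                                 "pinned_args": len(cmd.split()) > 1})
    return findings


# Constructed sample of `sudo -l` output (host name and paths are made up).
SAMPLE = """\
User jjameson may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl status httpd, NOPASSWD: /usr/bin/less /var/log/messages
    (backup) NOPASSWD: /usr/bin/tar
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

A finding with `nopasswd` set is the highest priority, since anyone who obtains that account's shell needs no further credential; `pinned_args` only reports that arguments were fixed in the rule, which does not by itself remove the escape.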

Next, use the command whoami to check which user you are now running as.

Change the directory to /root and use the command cat root.txt to reveal the flag.

Written by GrimTheRipper
