Daily Bugle: A Spiderman Themed Try Hack Me CTF 🕸️

christine - Jun 12 '22 - - Dev Community

If you had to choose between Marvel and DC, who would you choose? I think we all have a favorite, but we cannot deny the fact that we all like Spiderman. This is not a fact, but an opinion so don't hold me to this bold statement! 😅

Today we are going to hack the Daily Bugle, are you ready? 🕵️‍♀️

Daily Bugle CTF


Access the web server, who robbed the bank?

Once your machine is loaded, let's open up the IP address in our browser. We won't have to scroll far before we see who robbed the bank: Spiderman!
Daily Bugle CTF
Daily Bugle CTF


What is the Joomla version?

Okay, now that we've launched our machine and had a look around our main page, we can start enumerating. Open up your terminal and start up a nmap scan to see which services are running.
nmap -sV -Pn <your machine IP>
Daily Bugle CTF

We can see that ssh, http and mysql are running. Let's continue with running a gobuster scan to see which hidden directories we can find.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://<your machine IP> -t 50
Daily Bugle CTF

When we head over to <ip>/administrator, we see that it opens up a Joomla! login page. Okay, now we need to find the version that is running. We can do this with joomscan.
joomscan -u http://<your machine IP>/administrator/
Daily Bugle CTF
Daily Bugle CTF

Tada! We've found our Joomla version.
Daily Bugle CTF


What is Jonah's cracked password?

Okay so we can do this via finding a python exploit, or by running SQLMap (which takes forever). I'll show you the python script way since the lab instructions encourage us to try it.

Let's see if there is a valid exploit with searchsploit.
searchsploit joomla 3.7.0
Daily Bugle CTF

We can see that there is a valid SQL Injection exploit available for us to use. Now you can go over to Exploit-DB and download this exploit if you are doing the SMLmap method, but we won't be able to use this. Instead we need a python conversion of this exploit. Luckily, I got you!

Download the python exploit from here.
Daily Bugle CTF

I renamed this file as exploit.py and saved it in my /Downloads directory. Now, go back into your terminal and cd into the directory of the downloaded exploit. If you read the instructions from the GitHub page above, you will see that we need to install two packages, so let's do that. While we're at it, let's also turn our exploit.py into an executable.

  1. pip install art
  2. pip install beautifulsoup4
  3. chmod +x exploit.py

Daily Bugle CTF

Once you've done all of the above, we can run our exploit.
python3 exploit.py
Daily Bugle CTF

After a bit, you will se the user's password. Let's copy it and create a new file called pass.txt (I just did it in my /Downloads directory). Paste this value into this new file.
Daily Bugle CTF
Daily Bugle CTF

Now, to crack this password. We can use John The Ripper for this. Run the following command in your terminal:
john pass.txt --wordlist="/usr/share/wordlists/rockyou.txt"
Daily Bugle CTF

Thus we now know that Jonah's password is spiderman123.
Daily Bugle CTF


What is the user flag?

Okay, now that we have our username and password (Jonah:spiderman123), we can attempt to log into our Joomla site.
Daily Bugle CTF

Once in, you will be met with a control panel for Jonah. Since our site is built with PHP, we can create a reverse shell to gain access to the ssh service found above.
Daily Bugle CTF

You can download the reverse shell from Pentestmonkey's website or via the following command:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Daily Bugle CTF

Let's get that netcat listener out of the way. We can keep our port as 1234, it doesn't really matter unless you feel finicky about it.
sudo nc -nlvp 1234
Daily Bugle CTF

Head over to your Joomla dashboard and navigate to the Template Customizer. Now, grab that reverse shell file that you just downloaded (it will be in your Downloads directory, and you'll have to extract it), and paste it into your /index.php (or error.php) file. Remember to change the IP address of your reverse shell to the IP of your attacking machine (OPENVPN) and save.
Daily Bugle CTF

Click on "Preview Template" and check on your netcat listener, we now have a shell! If the preview template shell doesn't work, just navigate back to index.php in your browser and that should work.
Daily Bugle CTF
Daily Bugle CTF
Daily Bugle CTF

Let's run the cat /etc/passwd command so that we can view the list of the system's accounts. We can identify a user named jjameson (we will use this for our ssh login later).
Daily Bugle CTF

Next, let's cd into our /var/www/html directory, which is the base directory for our site and it will list all the root files. One file of interest is the configuration.php file (you can read each file as this is all trial and error to find a file that has valuable information).
Daily Bugle CTF

Reading the contents of this configuration.php file, we see a password for our jjameson user.
Daily Bugle CTF

Let's log into ssh using these credentials (jjameson: nv5uz9r3ZEDzVjNu). We can see our user.txt file listed immediately.
ssh jjameson@<your machine IP>
Daily Bugle CTF

Read the contents of user.txt, and voila, you have your flag!
Daily Bugle CTF
Daily Bugle CTF


What is the root flag?

Okay, so we are in the final stretch of completing this CTF. Let's see what sudo privileges we have via the sudo -l command. I apologize for the poor screenshot I took. What is important is that we can run the yum command.
Daily Bugle CTF

Let's head over to GTFObins and see how we can use yum. If the yum binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Daily Bugle CTF

Follow this section of our yum page to get to root:
Daily Bugle CTF
Daily Bugle CTF

Now we can view our root.txt file that is found in /cat/root.txt. We have our flag!

Daily Bugle CTF
Daily Bugle CTF


Conclusion

You just hacked the Daily Bugle, congratulations! I hope that this was easy enough for you to follow, and until next time, happy hacking! 😁

See more on my GitHub.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .