June 16, 2026
THM: Daily Bugle
Abhay Ingale
I know, I know… it has been quite a while since my last walkthrough! Apologies for the long break, but I'm excited to be back and share more machines with you.
Hello everyone!! 👋 Back again with another walkthrough 🎉😄
In this writeup, we'll be tackling a Linux-based machine focused on web exploitation. We'll start with enumeration, discover vulnerabilities, gain access, and work our way to privilege escalation.
1. Initial Enumeration:
First, we add the target machine's IP address to the /etc/hosts file, which saves time later on.
sudo vi /etc/hosts
Remember this whenever you hear the word "enumeration": in pentesting, the more you enumerate, the closer you get to the target without being noticed.
So, like a ritual, we run an nmap scan on our target.
nmap -sC -sV dailybugle.thm
After the nmap scan, I discovered several interesting results: ports 22, 80, and 3306 are open. The server appears to be running MariaDB, and the web server is potentially hosting Joomla, including an /administrator/ login page.
2. Web Enumeration:
To identify possible vulnerabilities, I examined the attack surface by accessing the HTTP service on port 80.
When we visited the web server on port 80 by going to http://IP, this was the homepage we saw.
At this point, I started checking the different buttons and sections on the page. There was a login form and a settings button with options to print the post or send it by email. I also tried testing the login form for SQL injection vulnerabilities to see if I could gain unauthorized access, but nothing worked. It seemed like those forms and buttons were just rabbit holes meant to distract us.
From the earlier Nmap scan, we already knew there was an /administrator/ page, which hinted that Joomla might be running on the server. So instead of wasting more time on the homepage, I decided to visit that directory next.
Also, if you are still stuck on the first TryHackMe question, the answer is actually shown right on the homepage. The post literally says, "Spider-Man robbed the bank," so the answer is simply:
Spiderman
The /administrator/ directory revealed the Joomla admin login page. I tested the login form for SQL injection but could not gain access.
Next, I attempted to identify the Joomla version to check for known vulnerabilities. I inspected the page source, analyzed JavaScript files through intercepted network traffic, and performed directory enumeration with dirsearch. The goal was to discover hidden files or directories that could expand the attack surface, as previous checks with whatweb and /robots.txt had not revealed any useful information.
Now that we know which version of Joomla the web server is running, we can investigate potential vulnerabilities and available exploits associated with it.
3. Exploiting Joomla SQL Injection:
A quick search reveals a known vulnerability called "Joomla! 3.7.0 - 'com_fields' SQL Injection" with the CVE identifier CVE-2017-8917. To simplify and speed up the process, I looked for publicly available exploits on GitHub and found Stefan Lucas's Exploit-Joomla repository, which contains a Python script for exploiting this vulnerability. After downloading the script, I executed it with the appropriate parameters and was able to retrieve critical database information from the server.
GitHub - stefanlucas/Exploit-Joomla: CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0
We found the fb9j5_users table and were able to dump a user record from it.
The extracted data contained some useful information, including a username, email address, and a hashed password.
To crack the password, I copied the hash value into a file called hash and used the website hashes.com.
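From the defender's side, the request pattern that this exploit sends is easy to spot in the web server's access log. The script below is an added example written for this walkthrough, not code from the post or from the Exploit-Joomla repository: it parses Apache combined-format lines and flags requests to option=com_fields whose list[fullordering] value does not look like the "column ASC|DESC" ordering Joomla generates itself (the vulnerable parameter is taken from the public CVE-2017-8917 description). The log lines are constructed, not captured from the machine.

```python
"""Flag CVE-2017-8917 (Joomla 3.7.0 com_fields SQL injection) attempts in Apache access logs.

Added example for this walkthrough; not code from the post or from the Exploit-Joomla
repository. The vulnerable parameter, list[fullordering] on option=com_fields, comes from the
public CVE description; the log lines below are constructed, not captured from a real server.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A legitimate Joomla list ordering is "<column> ASC" or "<column> DESC", e.g. "a.name ASC".
# Parentheses, quotes, commas or SQL functions never appear in values the application itself
# generates, so an allow-list catches the injection without needing a payload signature.
SAFE_ORDERING = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$", re.IGNORECASE)


def is_cve_2017_8917_attempt(request_path: str) -> bool:
    """True when a com_fields request carries an ordering value outside the allow-listed shape."""
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    if params.get("option") != ["com_fields"]:
        return False
    for value in params.get("list[fullordering]", []):
        # parse_qs already decoded once; decode again so double-encoded values are inspected too
        cleaned = unquote(value).strip()
        if cleaned and not SAFE_ORDERING.match(cleaned):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, timestamp, status, path) for each line that looks like an attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2017_8917_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), m.group("path")))
    return hits


# Constructed sample: a benign com_fields request, an unrelated page view, and one attempt.
SAMPLE_LOG = [
    '10.0.0.7 - - [16/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.name+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Jun/2026:10:01:03 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Jun/2026:10:02:41 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.name+ASC%2C(select+1) HTTP/1.1" 500 312 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, ts, status, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} possible CVE-2017-8917 attempt: {path}")
```

Pointing scan_log at a real /var/log/httpd/access_log turns this into a quick retro-hunt; the allow-list approach also survives payload obfuscation, which a keyword blacklist would not. The real fix is the patch (Joomla 3.7.1), and the log check tells you whether anyone probed the host before it was applied.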
4. Gaining Initial Access:
I first tested the recovered password for SSH access, but it failed. I then used the same credentials on the website and Joomla admin panel, successfully gaining access to the Joomla Control Panel. With admin access, we can now explore options to upload or execute a payload and obtain a reverse shell.
After successfully logging into the Joomla Control Panel via the /administrator/ directory, I attempted to add PHP code through articles, but Joomla rendered it as plain text rather than executing it.
To execute PHP code, I needed to edit an actual PHP file like index.php. Exploring the admin panel, I found the Templates section under Configuration, which contained two templates: Beez3 and Protostar. Since Protostar was the default template used across the website, any necessary modifications had to be made through it.
After checking further, I found that you can see the web application's listed directories by going to Extensions > Templates > Templates in the top menu. You can also get there by clicking Templates in the left sidebar (we were previously in the Styles section).
Here, we choose "Protostar Details and Files", since, as we learned, Protostar is the template running on the server.
After clicking the button, we land on a page with the template's directories listed in the left sidebar, which is exactly what we wanted!
The index.php file originally contained normal PHP code, which I replaced with PentestMonkey's PHP Reverse Shell after modifying the necessary parameters, including the IP address and port (1234). After saving the changes, the modified index.php was ready to execute when accessed.
I then started a Netcat listener on port 1234 and sent a GET request to the web server by visiting the page in a browser (or using curl). The request triggered the PHP code, resulting in a successful reverse shell connection.
5. User Enumeration and Lateral Movement:
We now have access as the apache user. Let's identify the users present on the system by examining the /etc/passwd file.
We identified two users on the system: root and jjameson. Our objective was to access the jjameson account and use SSH for further privilege escalation.
The find command was unavailable, so I recalled that earlier dirsearch enumeration had revealed a Configuration.php file. Since we had shell access as the apache user, we inspected the web root at /var/www/html, where configuration and PHP files often contain sensitive information such as credentials.
After navigating to /var/www/html, we used ls -la to list all files, including hidden files, and check their permissions.
We can see that Configuration.php exists in the /var/www/html directory. We examine its contents using the cat command and look closely for any credentials or sensitive information.
And there we go, we got a password! Let's try it for the jjameson user over SSH.
It worked! We successfully gained access as the jjameson user. At this point, we can retrieve the user flag.
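The lateral move above works because a database password sits in the web root in a file the apache user can read, and the same password was reused for a shell account. The audit script below is an added example for this walkthrough, not code from the post: it walks a constructed web-root tree in a temporary directory, picks out common configuration files, and reports the ones that both contain a password assignment (Joomla's JConfig class stores it as `public $password = '...'`) and are readable by users other than the owner.

```python
"""Audit a web root for configuration files that hold credentials and are readable by others.

Added example for this walkthrough, not code from the post or from Joomla. The directory
tree, the configuration.php contents and its mode bits are constructed in a temp directory.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# File names that commonly carry database credentials for PHP applications.
CONFIG_NAMES = {"configuration.php", "config.php", "wp-config.php", ".env"}

# Matches `$password = '...'` (Joomla's JConfig), `$db_pass = "..."`, and `DB_PASSWORD=...` in .env files.
CRED_RE = re.compile(r"\$?\b(?:password|db_?pass(?:word)?|passwd)\b\s*=\s*\S+", re.IGNORECASE)


def audit_webroot(root: Path) -> list:
    """Return one finding per config file that stores a credential, with its permission exposure."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name not in CONFIG_NAMES:
            continue
        if not CRED_RE.search(path.read_text(errors="replace")):
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": str(path.relative_to(root)),
            "mode": oct(stat.S_IMODE(mode)),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return findings


def demo() -> list:
    """Create a constructed /var/www/html-style tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "configuration.php"
        cfg.write_text(
            "<?php\nclass JConfig {\n\tpublic $user = 'root';\n"
            "\tpublic $password = 'constructed-db-password';\n}\n"
        )
        os.chmod(cfg, 0o644)  # the permissive default this check is meant to flag
        (root / "index.php").write_text("<?php // no credentials here\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A world-readable configuration.php is the default on many installs, so the finding by itself is not unusual; what the walkthrough shows is the combination that matters: the web process can read it, and the value in it also opens a shell account. Owner-only permissions (0600, owned by the web server user) limit the first half, and a dedicated database password that is never reused as a login password removes the second.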
6. Privilege Escalation:
Now, our next objective is to escalate our privileges to the root user. During privilege escalation, common enumeration steps include checking listening services, sudo permissions, scheduled tasks, and using tools such as linpeas. However, in this case, the solution is much simpler.
First, run sudo -l to check whether there are any commands that the current user can execute with sudo privileges, which may provide a path to gaining root access.
We can see that the jjameson user is allowed to run /usr/bin/yum with sudo privileges on the system. The next step is to research yum on GTFOBins to look for possible privilege escalation methods.
In the Sudo section of the GTFOBins page, we find a technique that allows us to spawn an interactive root shell by loading a custom plugin.
Let's copy the entire code, paste it into the shell we have, and press Enter until all of it has been submitted to complete the privilege escalation.
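The same check an attacker runs with sudo -l can be run by an administrator against /etc/sudoers before anyone else does. The script below is an added example for this walkthrough, not code from the post or from GTFOBins: it parses sudoers-style rules (a constructed sample modelled on the sudo -l output described above; the machine's real sudoers file is not reproduced) and flags rules that grant ALL commands or a binary whose GTFOBins page has a Sudo section. The GTFOBINS_SUDO set is a small subset I know to be listed there, not the full catalogue.

```python
"""Audit sudoers rules for unrestricted commands and GTFOBins-listed binaries.

Added example for this walkthrough; not code from the post or from GTFOBins. The sample rules
are constructed, and GTFOBINS_SUDO is a hand-picked subset of the GTFOBins "Sudo" entries.
"""
import re

# Subset of binaries whose GTFOBins page documents a sudo shell escape (yum loads plugins,
# editors and pagers spawn shells, interpreters run arbitrary code, and so on).
GTFOBINS_SUDO = {
    "yum", "dnf", "rpm", "apt", "apt-get", "pip", "git", "vim", "vi", "nano", "less", "more",
    "man", "find", "awk", "python", "python3", "perl", "bash", "sh", "env", "tar", "zip", "nmap",
}

# user_or_group  host = (runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<opts>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str):
    """Yield one record per command granted by each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            yield {
                "who": m.group("who"),
                "runas": m.group("runas") or "root",
                "nopasswd": "NOPASSWD" in m.group("opts"),
                "command": cmd,
                "binary": cmd.split()[0].rsplit("/", 1)[-1],  # "ALL" or the basename
            }


def risky_rules(text: str) -> list:
    """Return the parsed rules that hand out a root shell, each annotated with the reason."""
    out = []
    for rule in parse_sudoers(text):
        if rule["binary"] == "ALL":
            rule["reason"] = "unrestricted command set"
        elif rule["binary"] in GTFOBINS_SUDO:
            rule["reason"] = "GTFOBins-listed binary with a documented sudo shell escape"
        else:
            continue
        out.append(rule)
    return out


# Constructed sample modelled on the sudo -l result described in the walkthrough.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
backup      ALL=(root) /usr/bin/rsync
jjameson    ALL=(ALL) NOPASSWD: /usr/bin/yum
"""

if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if rule["nopasswd"] else ""
        print(f"{rule['who']}: {flag}{rule['command']} -> {rule['reason']}")
```

The root and %wheel hits are expected administrative grants; the jjameson line is the misconfiguration. Narrowing it to specific yum subcommands does not help, because the plugin-loading behaviour GTFOBins describes is reachable from ordinary invocations, so the fix is to drop the rule or route the update task through a fixed wrapper script that takes no arguments.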
7. Capture the Root Flag:
Run the exploit and you've got your root shell. Now all you need to do is grab the flag:
Conclusion:
- First, we performed thorough enumeration using Nmap and identified open services, including a Joomla web application running on the target.
- Through web enumeration and version identification, we discovered that the server was vulnerable to the Joomla 3.7.0 com_fields SQL Injection vulnerability (CVE-2017-8917).
- By exploiting the SQL injection vulnerability, we extracted user information from the database and cracked the obtained password hash.
- The recovered credentials provided access to the Joomla administrator panel, where we modified the active template's index.php file to upload a PHP reverse shell and gain initial access as the apache user.
- During post-exploitation enumeration, we discovered sensitive credentials stored inside the configuration.php file, which allowed us to move laterally to the jjameson user via SSH.
- Finally, by checking sudo permissions, we found that jjameson could execute yum with elevated privileges. Using a GTFOBins technique, we exploited this misconfiguration to obtain a root shell and gain complete control over the machine.
That's it for this walkthrough, see you in the next one!