DC: 3.2


Download the machine:

https://www.vulnhub.com/entry/dc-32,312/


Overview

  • Enumeration will lead to a Joomla! CMS installation
  • Use joomscan for enumeration
  • The Joomla! version will lead to a SQL injection exploit on searchsploit
  • Read the searchsploit file and use the sqlmap command it gives to get a hash
  • Use john to crack the hash
  • Enter the administrator section of the Joomla! site and add a PHP reverse shell
  • Use Google to find an exploit for the outdated kernel

Enumeration

Run an nmap scan to find open ports.

Run a gobuster scan to find hidden directories.

Port 80

After enumerating the other pages I couldn’t find anything useful. From the nmap scan we know the machine runs a Joomla! CMS. I used the JoomScan tool to find the exact version of the system.

It runs Joomla! version 3.7.0.

I searched searchsploit for this version and found a potential exploit.

Reading the exploit, the author gives us a sqlmap command to use.

sqlmap -u "http://192.168.18.9/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

This found some MySQL databases.

I ran the scan again, but this time dumped the entire database.

sqlmap -u "http://192.168.18.9/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dump

That was taking too long, so I edited the command to pull only the user table.

sqlmap -u "http://192.168.18.9/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -p list[fullordering] -D joomladb -T '#__users' -C id,username,password --dump

Found a hash for the admin user.
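From the defender's side, the three sqlmap commands above all ride on one request parameter, list[fullordering], so that parameter is the natural place to look when reviewing web server logs. The following is an added example (not part of the write-up, not a Joomla! or sqlmap tool) that parses combined-format access log lines and flags requests whose list[fullordering] value is anything other than the column-plus-direction form Joomla! expects. The log lines are constructed; 192.168.18.9 is the target from the commands above and 192.168.18.5 is an assumed client address.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# What list[fullordering] legitimately carries: a column name and a sort
# direction, e.g. "a.name ASC". Anything else is worth a look.
ORDERING_OK = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)
# The MySQL function the sqlmap command in the write-up places in that parameter.
ERROR_FUNC = re.compile(r'updatexml', re.IGNORECASE)

# Constructed sample log (not captured from the machine). Lines 3 and 4 mirror the
# parameter used by the sqlmap commands, once URL-encoded and once raw; line 4 has
# a browser User-Agent, which is what sqlmap's --random-agent produces, so UA
# matching alone would miss it.
SAMPLE_LOG = """\
192.168.18.5 - - [10/Mar/2020:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.18.5 - - [10/Mar/2020:10:01:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.name+ASC HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
192.168.18.5 - - [10/Mar/2020:10:01:07 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1012 "-" "sqlmap/1.4"
192.168.18.5 - - [10/Mar/2020:10:01:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 1012 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.168.18.5 - - [10/Mar/2020:10:01:20 +0000] "GET /administrator/index.php HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""


def classify_request(path):
    """Return a reason string if the request abuses list[fullordering], else None."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() != "list[fullordering]":
            continue
        for value in values:
            if ERROR_FUNC.search(value):
                return f"MySQL updatexml() in list[fullordering]: {value!r}"
            if not ORDERING_OK.match(value.strip()):
                return f"unexpected list[fullordering] value: {value!r}"
    return None


def scan_log(text):
    """Parse combined-format lines and collect the requests worth investigating."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reason = classify_request(m["path"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "ua": m["ua"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['ua']!r}: {hit['reason']}")
```

The allowlist check is the durable part: it flags the injection regardless of which MySQL function or encoding is used, while the User-Agent field is only a bonus signal because, as the commands above show, the scanner was run with --random-agent.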

Use john to crack the hash.

Let’s use this password to login to the admin account in the administrator page.

Head to the template customisation section and replace the contents of the component.php file with a PHP reverse shell.

Navigate to the page /template/protostar/component.php
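The step above works because the administrator template editor writes straight to PHP files the web server will execute. The usual mitigation is to keep the templates directory read-only for the web server user outside planned changes and to check its contents against a known-good baseline. The following is an added example (not part of the write-up, not Joomla! code) that hashes a templates tree, stores the baseline, and reports files that were added, removed or modified; the tree it builds is constructed in a temporary directory and follows Joomla!'s standard templates/protostar layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(digests, path):
    """Persist the digest map; in practice store it off the web host."""
    Path(path).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in baseline.keys() & current.keys() if baseline[f] != current[f]
        ),
    }


def demo():
    """Constructed scenario: baseline a templates tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "templates"
        component = templates / "protostar" / "component.php"
        component.parent.mkdir(parents=True)
        # Constructed stand-ins for the stock template files.
        component.write_text("<?php\ndefined('_JEXEC') or die;\n// constructed stock template\n")
        (templates / "protostar" / "index.php").write_text("<?php\ndefined('_JEXEC') or die;\n")

        baseline_file = Path(tmp) / "templates.baseline.json"
        save_baseline(hash_tree(templates), baseline_file)  # taken at deploy time

        # Simulated tampering via the template editor: one file edited in place,
        # one new file dropped beside it. The edit is a placeholder comment, not code.
        component.write_text(component.read_text() + "// constructed change standing in for injected code\n")
        (templates / "protostar" / "error2.php").write_text("<?php\n// constructed new file\n")

        return diff_baseline(load_baseline(baseline_file), hash_tree(templates))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run hash_tree once after a clean deployment, keep the JSON somewhere the web server cannot write, and re-run the comparison on a schedule; any entry under "added" or "modified" in templates/ that does not match a change ticket is a file the server will happily execute.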


Foothold

A reverse shell is obtained.

After some time enumerating, I used linpeas to look for more clues.

The kernel looks exploitable.

After searching for exploits on Google I came across a potential one.

https://www.exploit-db.com/exploits/39772

The exploit requires us to download a zip file.

I downloaded it to my local machine and transferred it to the box using a Python HTTP server.

Unzip the file and run the compile bash script in one of the folders. The exploit binary will be generated.


Privilege escalation

Run the exploit and a root shell will be gained.

Found the flag.
