Difficulty level: Hard
Info : Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
Task 1 : Deploy
Access the web server, who robbed the bank?
We can visit the web server.
The answer to the question is shown on this page.
Task 2 : Obtain user and root
What is the Joomla version?
After an nmap scan of all ports, we can see a robots.txt file.
We can see Joomla! Let's try to find out which version it is.
We can use joomscan to find the version.
joomscan -u <target ip>
We find it.
*Instead of using SQLMap, why not use a python script!*
What is Jonah’s cracked password?
For this script, we can use GitHub.
CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0
We can see the username and the password hash.
Cracking the password:
We can use hashcat.
We can find out the type of hash with hashid.
That's how we can find out the hash's type.
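The structural check that identifies a stored hash as bcrypt, together with the cost factor that decides how expensive each guess is, as an added example (not code from the original write-up or from hashid). The sample hashes, user names and the minimum cost of 12 are constructed assumptions.

```python
import re

# Modular-crypt bcrypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
B64 = r"[./A-Za-z0-9]"
BCRYPT_RE = re.compile(rf"\$(2[abxy]?)\$(\d{{2}})\$({B64}{{22}})({B64}{{31}})")

# Simplified structural patterns for other common stored-hash formats.
OTHER_FORMATS = [
    ("phpass", re.compile(rf"\$[PH]\${B64}{{31}}")),
    ("md5:salt", re.compile(r"[0-9a-fA-F]{32}:.+")),
    ("raw-md5", re.compile(r"[0-9a-fA-F]{32}")),
    ("raw-sha1", re.compile(r"[0-9a-fA-F]{40}")),
]

def parse_bcrypt(value):
    """Return the fields of a bcrypt hash, or None if the structure is wrong."""
    m = BCRYPT_RE.fullmatch(value.strip())
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return None
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest": digest}

def identify(value):
    """Name the hash format from its structure alone."""
    if parse_bcrypt(value):
        return "bcrypt"
    for name, rx in OTHER_FORMATS:
        if rx.fullmatch(value.strip()):
            return name
    return "unknown"

def audit(rows, min_cost=12):  # min_cost is an assumed policy value
    """rows: (user, stored_hash) pairs. Returns (user, finding) for weak entries."""
    findings = []
    for user, stored in rows:
        kind = identify(stored)
        if kind != "bcrypt":
            findings.append((user, f"not bcrypt ({kind})"))
        elif parse_bcrypt(stored)["cost"] < min_cost:
            cost = parse_bcrypt(stored)["cost"]
            findings.append((user, f"bcrypt cost {cost} below policy minimum {min_cost}"))
    return findings

# Constructed sample rows, not taken from the target machine.
SAMPLE_ROWS = [("user_a", "$2y$10$" + "a" * 22 + "B" * 31),
               ("user_b", "$2y$12$" + "c" * 22 + "D" * 31),
               ("user_c", "0" * 32)]
```

A bcrypt hash only slows guessing; a password that appears in a common wordlist is still recovered regardless of the cost factor.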
john --format=bcrypt hash --wordlist=/usr/share/wordlist/rockyou.txt
I used John to find the hash code.
We logged in as admin.
What is the user flag?
Here, we need to use a PHP reverse shell.
We have to change this part.
After saving the PHP code that we added, we try to visit the site.
We are inside the machine.
We are not allowed access.
I found the configuration file in the var/www/html file.
There's the root user and a password.
I wanted to connect remotely to ssh, but the root password didn’t work, so I’ll try it on jjameson.
We were able to log in with the jjameson user.
We found it.
What is the root flag?
We see the yum detail.
We're trying a plugin.
We found root.txt.
So I completed it all.
This box was really fun! I love the ones that have a story/theme that goes along with them.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!