Daily Bugle
. . .

Introduction

This is another Windows machine. Its difficulty rating is Hard. Let’s get started.

. . .

Scanning & Enumeration

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-21 14:43 IST
Nmap scan report for 10.10.51.228
Host is up (0.40s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open  mysql   MariaDB (unauthorized)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/21%OT=22%CT=1%CU=40508%PV=Y%DS=4%DC=T%G=Y%TM=5F3F909
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%II=I%TS=A)SEQ(SP=1
OS:07%GCD=1%ISR=10C%TI=Z%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT1
OS:1NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68
OS:DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=
OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 4 hops
TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   152.38 ms 10.4.0.1
2   ... 3
4   412.01 ms 10.10.51.228
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.79 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Service Version Enumeration Table

MariaDB Enum

MariaDB is an open-source fork of MySQL, and although the two differ in places, the syntax we will be using is nearly identical.
Nmap reported the service as (unauthorized). Let’s try to connect anyway.

Connection to db failed

The database refuses remote connections; maybe we can use it once we have local access. Let’s look at the web page.

HTTP Enum

Landing Page

In our Nmap scan we saw 15 disallowed entries in ‘/robots.txt’.

Contents of robots.txt

We have ‘/administrator’, which shows a login panel. I tried to SQL inject past it; it didn’t work.

I noticed we have Joomla, so let’s try to enumerate that. We don’t really have anything up our sleeve for Joomla yet, but a quick Google search reveals: https://github.com/rezasp/joomscan

Let’s use joomscan!

Joomla Scan Output

We see that the target is running Joomla 3.7.0.
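Joomla publishes its exact version in a manifest file, which is how scanners like joomscan fingerprint it, and the version is what ties the install to CVE-2017-8917 (the SQL injection used later in this writeup, present in 3.7.0 and fixed in 3.7.1). The following Python is an added example, not code from the writeup or from joomscan: it parses a constructed copy of the manifest and reports whether the version is the affected one. The manifest contents, the `assess_manifest` name and the verdict wording are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Joomla's administrator/manifests/files/joomla.xml;
# the values here are made up for the demo, not copied from a real target.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <creationDate>April 2017</creationDate>
    <version>3.7.0</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""


def parse_joomla_version(manifest_xml):
    """Return the <version> text from a Joomla file manifest, or None if it is absent."""
    root = ET.fromstring(manifest_xml)
    node = root.find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def version_key(version):
    """Turn '3.7.0' into (3, 7, 0) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_by_cve_2017_8917(version):
    """CVE-2017-8917 is present in Joomla 3.7.0 and fixed in 3.7.1, so only 3.7.0 is affected."""
    key = version_key(version)
    return (3, 7, 0) <= key < (3, 7, 1)


def assess_manifest(manifest_xml):
    """Combine parsing and the version check into one verdict dict for a report (assumed helper)."""
    version = parse_joomla_version(manifest_xml)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no <version> element in manifest"}
    vulnerable = affected_by_cve_2017_8917(version)
    note = ("CVE-2017-8917 applies to 3.7.0; upgrade to 3.7.1 or later"
            if vulnerable else "not the CVE-2017-8917 version")
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```

The numeric comparison matters: a string comparison would sort "3.10.2" before "3.7.0", and a checker built that way would misreport patched installs.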

. . .

Vulnerability Analysis

Let’s see if this has any public exploits.

Searchsploit Results

We see that there is a SQL injection vulnerability.

Reading the details of the exploit

We could use sqlmap here and be done with it. But then again, this is OSCP prep, so let’s see if we can find anything else online, preferably on GitHub.

Found an exploit on Github

Let’s set this up and execute it!

Found password hash

We get a hash. We can now try it with hashcat: set the mode to 3200 (bcrypt) and run a dictionary attack.

hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt

This might take a while, let’s grab some coffee :P

Coffee

We finally get the password.

Password Cracked!

Upon logging in with the cracked password and the username ‘Jonah’, we see the Joomla control panel.

Joomla Dashboard

Since this is a control panel for a CMS, we should have an option to add pages.

. . .

Exploitation

Now that we have found a way to upload and edit files, let’s try to get a reverse shell.

We copy the php-reverse-shell from Pentest Monkey. Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Create a shell.php

Uploaded Reverse Shell on the server

We can access our shell.php at the following path. Note: the IP might be different in your case :)

http://10.10.162.147/templates/protostar/shell.php

Shell with User Privileges
. . .

Privesc

Once we have our initial foothold, let’s start enumerating the machine.

The contents of ‘/etc/passwd’ reveal a user jjameson on the machine. Let’s see if we can get the user flag :P

Couldn't get the user flag

No luck!

Now we can check the Joomla root folder for anything useful. But we don’t know where it is! Let’s look at an installation guide to figure that out.

Joomla Installation Guide

Notice the path ‘/var/www/html/joomla’.

Found these files in /var/www/html

Inside configuration.php we see a password field and a secret. These are potential passwords for other accounts on the box.

Contents of configuration.php

We use these to try to log in to the server over SSH.
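The weakness here is that a Joomla configuration.php holds the database password and the site secret in clear text, and the same password was reused for a system account. The Python below is an added example, not part of the writeup and not Joomla's own code: it parses a constructed configuration.php of the same shape and produces the findings an auditor would want (root database account, world-readable file, clear-text secrets that must not be shared with other logins). The sample values are placeholders and the `audit_joomla_config` helper and its messages are my own assumptions.

```python
import re
import stat

# Constructed sample in the shape of Joomla's configuration.php; every value is a placeholder.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'The Daily Bugle';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'PLACEHOLDER-DB-PASSWORD';
    public $db = 'joomla';
    public $secret = 'PLACEHOLDER-SECRET';
    public $log_path = '/var/www/html/logs';
}
"""

# Matches lines such as:  public $user = 'root';  (single or double quotes)
PROP_RE = re.compile(r"""public\s+\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")

# JConfig properties that hold credentials or key material.
SENSITIVE_KEYS = ("password", "secret", "smtppass", "ftp_pass")


def parse_joomla_config(php_source):
    """Extract the scalar public properties of class JConfig into a dict."""
    return {name: value for name, _quote, value in PROP_RE.findall(php_source)}


def audit_joomla_config(config, file_mode):
    """Return a list of findings for a parsed config and the file's permission bits (assumed helper)."""
    findings = []
    if config.get("user") == "root":
        findings.append("database user is root: use a dedicated, least-privilege DB account")
    if file_mode & stat.S_IROTH:
        findings.append("configuration.php is world-readable (mode %o): restrict it to the web server user"
                        % (file_mode & 0o777))
    for key in SENSITIVE_KEYS:
        if config.get(key):
            findings.append("%s is stored in clear text: make sure it is not reused for SSH or other accounts" % key)
    return findings


if __name__ == "__main__":
    cfg = parse_joomla_config(SAMPLE_CONFIG)
    for finding in audit_joomla_config(cfg, 0o644):
        print("-", finding)
```

On a live system the mode would come from `os.stat("configuration.php").st_mode`; it is passed in here so the check runs offline. Any one of the three findings is enough to turn a web-application compromise into a system login, which is exactly the path this box follows.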

Successfully logged in

And we successfully logged in.

Running sudo -l shows that we can run yum as root without a password.

Checking it on GTFOBins gives us a way to get a root shell.
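The root cause of the escalation is a sudo rule that lets an unprivileged user run a GTFOBins-listed binary, here yum without even a password. The Python below is an added example, not from the writeup or from GTFOBins: it parses constructed `sudo -l` output of the shape the page describes and flags rules that grant ALL or one of a small set of binaries GTFOBins documents as sudo escalation paths, rating NOPASSWD rules higher. The sample output, the binary subset and the `audit_sudo_rules` helper are my own assumptions.

```python
import os
import re

# Constructed `sudo -l` output matching what the page describes (jjameson, yum without a password),
# plus a second rule to show a password-protected, still risky entry.
SAMPLE_SUDO_L = """Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME"

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/less /var/log/messages, /bin/systemctl status httpd
"""

# Subset of binaries for which GTFOBins documents a sudo escalation path (assumed, not exhaustive).
GTFOBINS_SUDO = {"yum", "vim", "vi", "find", "less", "more", "awk", "python", "perl", "bash", "sh"}

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(output):
    """Parse the rule lines of `sudo -l` into dicts with runas, nopasswd flag and command."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules or not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas, tags, commands = match.groups()
        for cmd in commands.split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD:" in tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Flag rules granting ALL or a GTFOBins binary; NOPASSWD makes the finding critical (assumed helper)."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        name = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if name == "ALL" or name in GTFOBINS_SUDO:
            findings.append({
                "severity": "critical" if rule["nopasswd"] else "high",
                "runas": rule["runas"],
                "command": cmd,
                "advice": "remove or constrain sudo access to %s; GTFOBins documents it as a shell escape" % name,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding["severity"].upper(), finding["command"], "->", finding["advice"])
```

The fix on the defending side is the same whether or not a password is required: a package manager run as root is a root shell, so the rule should be removed or replaced with a narrowly scoped wrapper that does not take user-controlled arguments.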

GTFO exploits for yum

Running it on the target machine…

Shell with Root Privileges
. . .

Summary | TL;DR

  1. Scan ports using nmap
  2. Enumerate HTTP, find the Joomla dashboard and version
  3. Exploit the SQLi vulnerability — Joomla 3.7 SQLi, CVE-2017-8917
  4. Crack the hashed password
  5. Get credentials from the config file on the system
  6. Priv Esc using GTFOBins for yum
. . .

Parting Thoughts

In this machine, the new things we learned are the following:

  1. Version Enumeration for Joomla
  2. Privesc using yum

Thank you for reading, please provide your feedback and share with people who are in need. :)

. . .