Information Collection#
└─# nmap -sV 10.129.215.122
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-09 21:59 EST
Nmap scan report for 10.129.215.122
Host is up (0.46s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
The favicon identifies the site as Joomla.
Directory scan
┌──(root㉿kali)-[~/Downloads/dirsearch-master]
└─# python3 dirsearch.py -u http://10.129.215.122
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11592
Output: /root/Downloads/dirsearch-master/reports/http_10.129.215.122/_23-01-09_22-06-39.txt
Target: http://10.129.215.122/
[22:06:39] Starting:
[22:06:55] 403 - 279B - /.ht_wsr.txt
[22:06:55] 403 - 279B - /.htaccess.bak1
[22:06:56] 403 - 279B - /.htaccess.orig
[22:06:56] 403 - 279B - /.htaccess.sample
[22:06:56] 403 - 279B - /.htaccess.save
[22:06:56] 403 - 279B - /.htaccess_sc
[22:06:56] 403 - 279B - /.htaccess_extra
[22:06:56] 403 - 279B - /.htaccess_orig
[22:06:56] 403 - 279B - /.htaccessBAK
[22:06:56] 403 - 279B - /.htaccessOLD2
[22:06:56] 403 - 279B - /.html
[22:06:56] 403 - 279B - /.htpasswd_test
[22:06:56] 403 - 279B - /.htm
[22:06:56] 403 - 279B - /.htaccessOLD
[22:06:56] 403 - 279B - /.httr-oauth
[22:06:56] 403 - 279B - /.htpasswds
[22:07:00] 403 - 279B - /.php
[22:07:40] 301 - 324B - /administrator -> http://10.129.215.122/administrator/
[22:07:41] 200 - 2KB - /administrator/
[22:07:41] 200 - 533B - /administrator/includes/
[22:07:41] 200 - 31B - /administrator/cache/
[22:07:41] 200 - 2KB - /administrator/index.php
[22:07:41] 301 - 329B - /administrator/logs -> http://10.129.215.122/administrator/logs/
[22:07:41] 200 - 31B - /administrator/logs/
[22:07:55] 200 - 31B - /bin/
[22:07:55] 301 - 314B - /bin -> http://10.129.215.122/bin/
[22:07:58] 200 - 31B - /cache/
[22:07:58] 301 - 316B - /cache -> http://10.129.215.122/cache/
[22:08:02] 200 - 31B - /cli/
[22:08:04] 200 - 31B - /components/
[22:08:04] 301 - 321B - /components -> http://10.129.215.122/components/
[22:08:06] 200 - 0B - /configuration.php
[22:08:31] 200 - 1KB - /htaccess.txt
[22:08:33] 301 - 317B - /images -> http://10.129.215.122/images/
[22:08:33] 200 - 31B - /images/
[22:08:34] 200 - 31B - /includes/
[22:08:34] 301 - 319B - /includes -> http://10.129.215.122/includes/
[22:08:34] 200 - 4KB - /index.php
[22:08:34] 404 - 3KB - /index.php/login/
[22:08:40] 200 - 31B - /layouts/
[22:08:40] 301 - 319B - /language -> http://10.129.215.122/language/
[22:08:42] 200 - 31B - /libraries/
[22:08:42] 301 - 320B - /libraries -> http://10.129.215.122/libraries/
[22:08:42] 200 - 7KB - /LICENSE.txt
[22:08:49] 301 - 316B - /media -> http://10.129.215.122/media/
[22:08:49] 200 - 31B - /media/
[22:08:53] 301 - 318B - /modules -> http://10.129.215.122/modules/
[22:08:53] 200 - 31B - /modules/
[22:09:10] 301 - 318B - /plugins -> http://10.129.215.122/plugins/
[22:09:10] 200 - 31B - /plugins/
[22:09:17] 200 - 2KB - /README.txt
[22:09:20] 200 - 395B - /robots.txt.dist
[22:09:24] 403 - 279B - /server-status
[22:09:24] 403 - 279B - /server-status/
[22:09:41] 200 - 31B - /templates/index.html
[22:09:41] 301 - 320B - /templates -> http://10.129.215.122/templates/
[22:09:41] 200 - 0B - /templates/system/
[22:09:41] 200 - 31B - /templates/
[22:09:41] 200 - 0B - /templates/beez3/
[22:09:41] 200 - 0B - /templates/protostar/
[22:09:44] 301 - 314B - /tmp -> http://10.129.215.122/tmp/
[22:09:44] 200 - 31B - /tmp/
[22:09:57] 200 - 567B - /web.config.txt
This gives the administrator backend path (/administrator/). The other exposed files (README.txt, htaccess.txt, web.config.txt, robots.txt.dist) were reviewed but held nothing useful for now; /configuration.php returns 200 with 0 bytes because PHP executes it server-side and it produces no output, so the database credentials inside it are not exposed this way.
The homepage mentions an account name, Floris.
The homepage source contains a commented-out reference to a .txt file; fetching it returns a base64-encoded string:
Q3VybGluZzIwMTgh
which decodes to
Curling2018!
Logging into the backend at /administrator/ with that account name and password.
Backend#
Getting a shell from the Joomla backend works much like WordPress: any feature that lets an administrator write a PHP file under the web root will do.
First method: install a crafted extension.
Download any extension package from the Joomla extensions site (here com_zmaxappstore.zip), unzip it, add <filename>test.php</filename> to the file list in its install.xml manifest, put test.php in the admin folder, repackage it as a zip, and install it in the backend via Extensions -> Install -> Upload Package File.
shell_url: /administrator/components/{component name}/test.php
Second method: allow PHP in the Media Manager.
In the backend go to System -> Global Configuration -> Media -> Legal Extensions (File Types) and add the php suffix; the Media Manager will then accept a PHP upload. If the upload is still rejected, the MIME-type checks on the same tab also need relaxing.
Third method: edit a template file.
In the backend go to Extensions -> Templates -> Templates -> xxx Details and Files, open error.php, add the shell code and save.
shell_url: /administrator/templates/xxx/error.php for an administrator template, or /templates/xxx/error.php for a site template (the scan above lists the site templates beez3 and protostar).
Here I created a new file in the template, wrote a PHP one-liner into it, and connected to it.
Post-Exploitation#
The home directory contains a password_backup file next to user.txt, but user.txt is empty at this point.
Reading password_backup shows a hex dump rather than a binary; the first bytes decode to BZh, the bzip2 magic number, which identifies the original file type.
https://en.wikipedia.org/wiki/List_of_file_signatures
Since it is known to be a compressed file, reverse the dump back into a binary.
The web shell user has no permissions to work on it in place, so download it and unpack it locally.
xxd -r reverses the dump back into binary:
root@kali# cat password_backup_orig | xxd -r > password_backup.bz2
root@kali# file password_backup.bz2
password_backup.bz2: bzip2 compressed data, block size = 900k
And decompress:
root@kali# bunzip2 -k password_backup.bz2
I will check the file type of the resulting file and see if it has been gzip compressed:
root@kali# file password_backup
password_backup: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141
root@kali# mv password_backup password_backup.gz
I will decompress it and then check. Another bz2:
root@kali# gunzip -k password_backup.gz
root@kali# ls
password_backup password_backup.bz2 password_backup.gz password_backup_orig
root@kali# file password_backup
password_backup: bzip2 compressed data, block size = 900k
root@kali# mv password_backup password_backup2.bz2
Decompress again to get a tar package:
root@kali# bunzip2 -k password_backup2.bz2
root@kali# ls -l
total 48
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup2
-rwxrwx--- 1 root vboxsf 141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf 244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf 173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf 1076 Oct 29 16:22 password_backup_orig
root@kali# file password_backup2
password_backup2: POSIX tar archive (GNU)
Extract the tar to get a text file, password.txt:
root@kali# mv password_backup2 password_backup.tar
root@kali# tar xvf password_backup.tar
password.txt
root@kali# ls -l
total 56
-rwxrwx--- 1 root vboxsf 141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf 244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf 173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf 1076 Oct 29 16:22 password_backup_orig
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup.tar
-rwxrwx--- 1 root vboxsf 19 May 22 15:15 password.txt
root@kali# cat password.txt
5d<wdCbdZu)|hChXll
The same chain can be done in CyberChef (https://gchq.github.io/CyberChef): From Hex, then Bzip2 Decompress, Gunzip, Bzip2 Decompress and Untar.
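To do the whole unpacking in one step, here is an added Python example (not code from the original writeup or from the box) that reverses an xxd-style hex dump and then peels compression and archive layers by their magic numbers until plain data is left. The dump layout it parses (xxd's default, or xxd -p) is an assumption, and the sample input is constructed inside the script by wrapping the recovered password in the same tar -> bzip2 -> gzip -> bzip2 order seen above; it is not the real password_backup file. The layer limit stops a malicious archive from keeping the loop going forever.

```python
"""Peel an xxd hex dump of a multiply-wrapped backup down to its plaintext.

Added example for this writeup (not from the original post or the box).
The sample input is CONSTRUCTED below with the same wrapping order the page
observed (tar -> bzip2 -> gzip -> bzip2, then rendered as an xxd dump);
it is not the real password_backup file.
"""
import bz2
import gzip
import io
import re
import tarfile

# ASSUMPTION: dumps are in xxd's default layout
#   00000000: 425a 6839 3141 5926 5359 ....  BZh91AY&SY...
# or in `xxd -p` form (plain hex, no offsets). Other hexdump flavours may need tweaks.


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like `xxd` (offset, 8 groups of 2 bytes, ASCII gutter)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexcol = " ".join(groups).ljust(width * 2 + width // 2 - 1)
        gutter = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol}  {gutter}")
    return "\n".join(lines) + "\n"


def unhexdump(text: str) -> bytes:
    """Reverse a hex dump (what `xxd -r` does), ignoring offsets and the ASCII gutter."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:                                # drop the "00000000:" offset column
            line = line.split(":", 1)[1]
        hexpart = line.strip().split("  ", 1)[0]       # the gutter follows two spaces
        out += bytes.fromhex(re.sub(r"\s+", "", hexpart))
    return bytes(out)


def peel(data: bytes, max_layers: int = 16):
    """Strip compression/archive layers by magic number until plain data remains.

    Returns (payload, layers); layers lists what was removed, outermost first.
    """
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"BZh"):                           # bzip2 magic
            data = bz2.decompress(data)
            layers.append("bzip2")
        elif data.startswith(b"\x1f\x8b"):                    # gzip magic
            data = gzip.decompress(data)
            layers.append("gzip")
        elif len(data) >= 512 and data[257:262] == b"ustar":  # POSIX/GNU tar magic at 257
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                files = [m for m in tar.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError(f"expected one file in tar, got {[m.name for m in files]}")
                data = tar.extractfile(files[0]).read()
                layers.append(f"tar:{files[0].name}")
        else:
            return data, layers
    raise ValueError("too many layers; refusing to continue (possible archive bomb)")


def recover(dump_text: str):
    """Full pipeline: hex dump text -> bytes -> (peeled payload, layer list)."""
    return peel(unhexdump(dump_text))


# The password the writeup recovered, reused here only as constructed sample content.
SECRET = b"5d<wdCbdZu)|hChXll\n"


def build_sample(secret: bytes = SECRET) -> str:
    """Constructed input: wrap `secret` as tar -> bzip2 -> gzip -> bzip2, then hex-dump it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return hexdump(blob)


if __name__ == "__main__":
    payload, layers = recover(build_sample())
    print("layers peeled:", layers)
    print("payload:", payload.decode())
```

Run it as a script to see the layer list and the payload; on a real dump, call recover() with the contents of the downloaded file (for example recover(open("password_backup_orig").read())).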
User#
With this password, SSH in directly as floris and read user.txt.
Root#
No manual route to root turned up, so I ran a privilege-escalation enumeration script (linpeas).
First, transfer it with scp:
┌──(root㉿kali)-[~/Desktop]
└─# scp /root/Downloads/linpeas.sh floris@10.129.215.122:/home/floris
floris@10.129.215.122's password:
linpeas.sh
Then run bash linpeas.sh to get the enumeration results.
I also uploaded the exploit script for the 4034 vulnerability (CVE-2021-4034, the pkexec local privilege escalation).
End.