Hi all, let’s pwn this.
The box is rated hard, but I don’t think it’s a hard box, more like medium.
You can find the machine here: Daily Bugle
Let’s start as always with an nmap scan.
Let’s start the enumeration with port 80, where we can see a Joomla site running:
Let’s run joomscan on it.
Let’s search for exploits on this version.
The sqlmap way takes a lot of time, so I found an alternative exploit.
Let’s run it.
Perfect, we have
Let’s crack his hash.
Let’s log in. Joomla’s administrator panel by default is there
Now for a reverse shell, we can edit a template and add our shell in.
Add your shell in and press
And we have shell!
Now we can see another user there:
We can pretty easily find his password under
public $password = 'nv5uz9r3ZEDzVjNu';
Perfect, now privesc to root is really simple, we just need to check
Let’s check GTFOBins, let’s follow what it says.
Perfect, let’s read the flags now.
Not really hard haha, see you!