Hi all, this was a really CTFy box :D
You can find the machine here > Glasgow Smile
Let’s start, as always, with an nmap scan.
Let’s enumerate port 80 first with gobuster.
/joomla is the key to a shell. I enumerated a lot but got no results, then I tried to brute force with the username joomla.
I really don’t know what’s going on with the maker’s logic haha, how can we find out this username? Pure guess, since Joomla’s default username is admin.
Let’s make a wordlist now with cewl based on the site’s contents.
Follow my steps now: we will use Burp Intruder to brute force the admin panel (/administrator).
Now we can see that the string Gotham has a different response length:
And we’re in! Creds: joomla:Gotham
Follow my steps for a reverse shell now:
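The login burst above is easy to spot from the server side. The following is an added Python example (not part of the original post) that runs over constructed Apache combined-format log lines and flags any source IP that POSTs to /administrator/index.php at least 20 times within a 60-second window; the threshold, the window and the "3xx after a burst" heuristic are assumptions, not documented Joomla behaviour.

```python
"""Spot password-guessing bursts against a Joomla admin panel in Apache access logs.

Added defensive example, not from the original writeup. The log lines are
constructed (Apache combined format); the threshold, window and the
"redirect after a burst" heuristic are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_bruteforce(log_text, path="/administrator/index.php",
                      threshold=20, window=timedelta(seconds=60)):
    """Flag source IPs that POST to `path` at least `threshold` times within any `window`.

    Lines are assumed to be chronological per IP, as a live access log is.
    A 3xx answer inside a burst is recorded because a successful Joomla login
    typically redirects, so such a burst deserves a closer look (heuristic).
    """
    recent = defaultdict(deque)   # per-IP timestamps inside the sliding window
    totals = defaultdict(int)     # per-IP total login POSTs
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        ip = ev["ip"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(ip, {"peak_in_window": 0, "redirect_after_burst": False})
            info["peak_in_window"] = max(info["peak_in_window"], len(q))
            if 300 <= ev["status"] < 400:
                info["redirect_after_burst"] = True
    for ip, info in flagged.items():
        info["attempts"] = totals[ip]
    return flagged


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line (fixed date, varying second)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4021 "-" "Mozilla/5.0"')


# Constructed sample: 10.0.0.5 fires 40 login POSTs in 40 seconds (the last one is
# answered with a redirect); 10.0.0.9 is an ordinary visitor with one login attempt.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "POST", "/administrator/index.php", 303 if s == 39 else 200)
     for s in range(40)]
    + [_line("10.0.0.9", 5, "GET", "/index.php", 200),
       _line("10.0.0.9", 30, "POST", "/administrator/index.php", 200)]
)

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Running it on the constructed log reports only 10.0.0.5, with 40 attempts, a peak of 40 inside one window and the redirect flag set; the single attempt from 10.0.0.9 stays below the threshold. The same logic works on a real Joomla access log because the admin login form always POSTs to /administrator/index.php.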
And we have shell!
Now privesc is a bit silly haha. Let’s take a look at Joomla’s configuration file:
Let’s connect to mysql.
Let’s check the tables :
Since the user rob exists on the system, let’s decode his password.
Let’s log in now.
We can see this file now in his directory :
It’s a ROT-style letter shift with a rotation of 1, let’s decode it:
Now let’s decode the base64.
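The two decoding steps just described (undo the 1-position letter shift, then base64-decode) as an added Python example that is not part of the original post. The encoded note it works on is constructed here with the same scheme rather than being the file from the box, and candidate_shifts() goes a little beyond the text by trying every rotation and keeping the ones that base64-decode to printable text, which is how you would handle a note whose shift is unknown.

```python
"""Decode a ROT-shifted base64 blob (letter shift first, then base64).

Added example, not from the original writeup. SAMPLE_SECRET and SAMPLE_BLOB
are constructed values, not the credential from the box.
"""
import base64
import binascii


def rot(text, shift):
    """Shift ASCII letters by `shift` positions (wrapping), leave everything else alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encode_rot_b64(plaintext, shift=1):
    """Produce the layered encoding seen on the box: base64, then shift the letters."""
    return rot(base64.b64encode(plaintext.encode()).decode("ascii"), shift)


def decode_rot_b64(blob, shift=1):
    """Undo encode_rot_b64: reverse the letter shift, then base64-decode strictly."""
    return base64.b64decode(rot(blob, -shift), validate=True).decode()


def _printable(text):
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def candidate_shifts(blob):
    """Try every rotation 1..25 and keep those whose base64 decoding is printable ASCII.

    Because ROT maps letters to letters, every rotation is still valid base64
    syntax; the printable-text filter is what singles out the real shift.
    """
    found = []
    for k in range(1, 26):
        try:
            decoded = base64.b64decode(rot(blob, -k), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if _printable(decoded):
            found.append((k, decoded))
    return found


# Constructed sample note, encoded exactly as the box's scheme does it.
SAMPLE_SECRET = "abner:ConstructedPassword!42"
SAMPLE_BLOB = encode_rot_b64(SAMPLE_SECRET, shift=1)

if __name__ == "__main__":
    print("blob    :", SAMPLE_BLOB)
    print("decoded :", decode_rot_b64(SAMPLE_BLOB))
    for k, text in candidate_shifts(SAMPLE_BLOB):
        print(f"shift {k:2d}: {text!r}")
```

decode_rot_b64(SAMPLE_BLOB) returns the constructed secret, and candidate_shifts() lists shift 1 among its hits (a few other shifts may also happen to decode to printable bytes, which is why the output is a list to eyeball rather than a single answer).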
Let’s log in now as abner.
Here I got stuck for a few minutes, then I searched for files owned by me.
Let’s copy it; we can use the same password to open it.
Now for the final privesc we have to wget pspy to detect a cronjob.
We can see this file running as root:
CMD: UID=0 PID=1375 | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
We just have to add our payload in and remove 0.
And we have a root shell:
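The root cause of that last step is a root cron job executing a script that an unprivileged user can edit. As an added example (not from the original post), the Python below audits crontab entries for exactly that: for every entry that runs as root it takes the first absolute path that is not an interpreter (so /bin/sh -c /home/penguin/.../.trash_old resolves to the script, not to /bin/sh) and reports whether the script or its parent directory is group/world-writable or owned by an untrusted uid. The crontab and files are constructed in a temporary directory; the path heuristic and the trusted-uid set are assumptions.

```python
"""Audit cron entries for scripts a non-root user could tamper with.

Added defensive example, not from the original writeup. The crontab text and
the files it points at are constructed in a temp directory; the "which token
is the script" heuristic and the trusted-uid set are assumptions.
"""
import os
import re
import stat
import tempfile

# System crontab format: five time fields (or @reboot etc.), a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/usr/bin/env", "/usr/bin/python")


def command_target(cmd):
    """Heuristic: the first absolute path in the command that is not an interpreter."""
    for tok in cmd.split():
        if tok.startswith("/") and not tok.startswith(INTERPRETERS):
            return tok
    return None


def tamper_reasons(path, trusted_uids=frozenset({0})):
    """Why `path` (or its parent directory) could be modified outside trusted_uids."""
    reasons = []
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.lstat(parent)
    except FileNotFoundError:
        return ["parent directory does not exist"]
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("parent dir world-writable (script can be replaced)")
    if pst.st_uid not in trusted_uids:
        reasons.append(f"parent dir owned by uid {pst.st_uid}")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        reasons.append("target does not exist (can be created by whoever can write the dir)")
        return reasons
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}, not a trusted uid")
    return reasons


def audit_crontab(crontab_text, trusted_uids=frozenset({0})):
    """Return [(cron_user, target_path, reasons)] for root entries with a tamperable target."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m or m["user"] != "root":
            continue
        target = command_target(m["cmd"])
        if target is None:
            continue
        reasons = tamper_reasons(target, trusted_uids)
        if reasons:
            findings.append((m["user"], target, reasons))
    return findings


def build_demo(base_dir):
    """Constructed fixture: one world-writable script, one sane one, and a crontab using both."""
    home = os.path.join(base_dir, "home", "penguin")
    os.makedirs(home, mode=0o755)
    loose = os.path.join(home, ".trash_old")  # same file name as the box's cron target
    with open(loose, "w") as f:
        f.write("#!/bin/sh\necho 0\n")
    os.chmod(loose, 0o777)  # anyone may edit it: this is the misconfiguration
    bindir = os.path.join(base_dir, "usr", "local", "bin")
    os.makedirs(bindir, mode=0o755)
    sane = os.path.join(bindir, "backup.sh")
    with open(sane, "w") as f:
        f.write("#!/bin/sh\necho backup\n")
    os.chmod(sane, 0o755)
    crontab = ("# constructed /etc/crontab\n"
               f"* * * * * root /bin/sh -c {loose}\n"
               f"0 3 * * * root {sane}\n"
               f"0 4 * * * penguin {loose}\n")
    return crontab, loose, sane


def run_demo(trust_current_user=False):
    """Build the fixture in a temp dir, audit it, clean up; returns (findings, loose, sane)."""
    trusted = frozenset({os.getuid()}) if trust_current_user else frozenset({0})
    with tempfile.TemporaryDirectory() as tmp:
        crontab, loose, sane = build_demo(tmp)
        return audit_crontab(crontab, trusted), loose, sane


if __name__ == "__main__":
    for user, target, reasons in run_demo()[0]:
        print(f"[{user}] {target}: " + "; ".join(reasons))
```

With the default trusted uid of 0 the demo also reports the files as not root-owned (they belong to whoever ran it); run_demo(trust_current_user=True) treats the current uid as trusted so that only the permission-bit findings remain, which is the case the writeup's .trash_old illustrates. Against a real host you would feed /etc/crontab and the files under /etc/cron.d to audit_crontab() and fix any hit with chown root and chmod 755 (or 700).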
Let’s read the flag.
Meme box haha, see you!