Joomla Version Detection For Version Detection, I search on Google and there are some results that show us how to detect the Joomla version. But I don't get any useful results with some of that. Then I got the following conversation that show me what type of version Joomla is using and they also mentioned the tool that can detect automatically.
The above joomla.xml file has the following content that mentioned a version number.
files_joomla Joomla!
Project admin@joomla.org www.joomla.org (C) 2005 - 2017 Open Source Matters.
All rights reserved GNU General Public License version 2 or later; see LICENSE.txt 3.7.0 April 2017
FILES_JOOMLA_XML_DESCRIPTION
administrator/components/com_admin/script.php
administrator/components/com_admin/sql/updates/mysql
administrator/components/com_admin/sql/updates/sqlazure
administrator/components/com_admin/sql/updates/sqlazure
administrator/components/com_admin/sql/updates/postgresql
administrator
bin
cache
cli
components
images
includes
language
layouts
libraries
media
modules
plugins
templates
tmp
htaccess.txt
web.config.txt
LICENSE.txt
README.txt
index.php
https://update.joomla.org/core/list.xml
This file shows us the version 3.7.0 in April 2017 and also disclosed some useful file names/web directories.
Using the above information and searching for vulnerabilities in that version guess what I found. [+] Found Public Documented SQLi Vulnerability
https://www.exploit-db.com/exploits/42033
In the above exploit, they show the sqlmap command to exploit the vulnerability.
The above command shows us all the tables of the joomla database but they show some tables like this #__table-name. There # symbol shows there are some random alpha-numeric characters. We got a table name #__user now we can dump its columns with the following command.
Note: I write #__user in quotes so you should use it like that otherwise you don't get anything The above command starts brute-forcing the columns. We can guess that and start dumping data from it.
Password Cracking When I use hash-identifier on the above hash they tell me it's a blowfish(bcrypt) hash now let's start cracking it.
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
It takes too much time but we can get the password spiderman123
Initial Access
I try to login to ssh with that credentials but it doesn't work. So I Try to login to joomla and that works there.
jonah:spiderman123
After Login to the /administrator endpoint, we can go Extension the drop-down menu on Web Site Header, There we can go to Templates we can select any template, and change their php code. So knowing that we can change that php code and add a reverse shell code there after visiting that payload injected page we can get the reverse shell back to our attacking machines. Note: I use a simple php command execution payload because PentestMonkey PHP Code gives some error. So when I get Command Execution I use a simple mkfifo reverse shell payload to get a shell
After I got the reverse shell I read configuration.php and there are Mysql credentials.
My SQL Credentials
root:nv5uz9r3ZEDzVjNu
we can use these credentials to login with a local user jjameson with the following command
su jjameson
Privilege Escalation
User jjameson can run the yum command using sudo with No PASSWD. With the help of GTFObins show us the full payload we can run and get the root shell.
Using the above command we eventually get the elevated /bin/sh shell that has a root user's permission. Now we are root we can read the user.txt and root.txt the file that has our flags that we can submit to TryHackMe.
