Daily Bugle
Difficulty: High
Score: 7/10
Target
- 2 flags
- system privilege
Process
Enumeration
Running an Nmap scan
Common Scan with Nmap
nmap -Pn 10.10.136.191
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 07:43 EST
Nmap scan report for 10.10.136.191
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
We can also use the newer tool threader3000 (a Python tool)
Threader3000
------------------------------------------------------------
Threader 3000 - Multi-threaded Port Scanner
Version 1.0.7
A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.136.191
------------------------------------------------------------
Scanning target 10.10.136.191
Time started: 2022-01-26 07:44:06.920766
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port 3306 is open
Port scan completed in 0:01:16.971744
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80,3306 -sV -sC -T4 -Pn -oA 10.10.136.191 10.10.136.191
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p22,80,3306 -sV -sC -T4 -Pn -oA 10.10.136.191 10.10.136.191
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 07:45 EST
Nmap scan report for 10.10.136.191
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
| 256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_ 256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Home
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open mysql MariaDB (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.81 seconds
------------------------------------------------------------
Combined scan completed in 0:02:18.247742
Press enter to quit...
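The scan above already tells a defender most of what went wrong on this host: a database listening on the network, a robots.txt that advertises the administrator path, and a banner naming an end-of-life PHP branch. The following script is an added example (not part of the original writeup or of Nmap/Threader3000): it parses Nmap's normal port table, attaches the NSE script lines to their port, and turns them into hardening findings. The embedded scan text is copied from the output above; the list of "internal-only" ports and the finding wording are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the service-detection lines from the scan above,
# embedded inline so the review runs offline.
SAMPLE_NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open mysql MariaDB (unauthorized)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
PHP_VERSION = re.compile(r"PHP/(\d+)\.(\d+)")

# Assumption: services that should not normally be reachable from outside
# the host or its private network.
INTERNAL_ONLY = {3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb"}


def parse_ports(output: str) -> List[Dict]:
    """Turn Nmap's normal port table into dicts; NSE '|' lines attach to the preceding port."""
    ports: List[Dict] = []
    current = None
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            ports.append(current)
        elif current is not None and line.startswith("|"):
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def review_exposure(output: str) -> List[str]:
    """Map each open port to the hardening actions a reviewer would raise."""
    findings: List[str] = []
    for p in parse_ports(output):
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        if p["port"] in INTERNAL_ONLY:
            findings.append(f"{where}: {INTERNAL_ONLY[p['port']]} listening on the network; "
                            "bind it to localhost or firewall it")
        script_text = " ".join(p["scripts"])
        if "/administrator/" in script_text:
            findings.append(f"{where}: robots.txt advertises the CMS administrator path; "
                            "restrict it by source IP or an extra authentication layer")
        if "http-generator" in script_text:
            findings.append(f"{where}: generator meta tag names the CMS; remove it to reduce fingerprinting")
        m = PHP_VERSION.search(p["version"])
        if m and int(m.group(1)) < 7:
            findings.append(f"{where}: banner shows PHP {m.group(1)}.{m.group(2)}, an end-of-life branch; "
                            "upgrade and hide version banners")
    return findings


if __name__ == "__main__":
    for finding in review_exposure(SAMPLE_NMAP_OUTPUT):
        print(finding)
```

Run against the page's output it yields four findings: one for the exposed MariaDB port and three for the web server (admin path in robots.txt, generator tag, EOL PHP). Feed it `nmap -oN` output from your own hosts to get the same list.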
We found that the web application is Joomla, and a public exploit for it is available on the web.
https://github.com/stefanlucas/Exploit-Joomla/blob/master/joomblah.py
python2 poc.py url
We found the user jonah and a password hash; after cracking the hash, we can use the password to log in to the administrator backend.
Web-content discovery
dirsearch -u http://10.10.136.191
Delivery
We can add malicious code to index.php.
We can add reverse shell code that connects back to our local machine.
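Editing a template's index.php is the kind of change a file-integrity baseline catches immediately. This is an added example (not from the writeup and not Joomla's own tooling): it hashes every file under a web root, stores the result as a baseline, and later reports files that were modified, added or removed. The directory layout and file contents in `demo()` are constructed for the example, and the "injected" content is only a placeholder marker, not a payload.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the current tree against a stored baseline; any entry here needs a look."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a tiny Joomla-like tree (assumed layout), baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "templates" / "protostar"
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php defined('_JEXEC') or die; ?>\n<html>ok</html>\n")
        (root / "configuration.php").write_text("<?php class JConfig { public $dbtype = 'mysqli'; } ?>\n")
        baseline = build_baseline(root)

        # Simulate the tampering the writeup describes: a template file edited
        # and a new file dropped into a writable directory. Placeholder content only.
        (tpl / "index.php").write_text("<?php /* placeholder: modified */ ?>\n")
        (root / "images").mkdir()
        (root / "images" / "dropped.php").write_text("<?php /* placeholder: new file */ ?>\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is written right after deployment, kept off the web host (a compromised host can rewrite a local baseline), and the comparison runs from cron; templates and `configuration.php` should never show up as modified outside a change window.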
Privilege Escalation
We can use linpeas.sh to enumerate information on the host.
We use the password it finds to log in over SSH.
We can use yum to obtain root privileges.
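The writeup does not say how yum becomes reachable with root rights; the usual cause is a sudo rule, so that is the assumption this added example makes (it is my code, not part of the writeup). It parses sudoers-style lines and flags rules that let a non-root user run a package manager, because package managers execute plugins and post-install scripts as root and a rule granting one is effectively a root grant. The sample sudoers text is constructed, and the set of package-manager names is an assumption you should extend for your distribution.

```python
import os
import re
from typing import Dict, List

# Assumption: binaries that run hooks/plugins/scripts as root when invoked
# via sudo, so a rule granting them is equivalent to granting root.
PACKAGE_MANAGERS = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg", "pip", "pip3"}

# user  host=(runas)  [TAG:] command[, command...]
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT)\s*:")

# Constructed sample, not the sudoers file of any real machine.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jdoe        ALL=(ALL)       NOPASSWD: /usr/bin/yum
webadm      ALL=(root)      /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
"""


def parse_rules(text: str) -> List[Dict]:
    """Parse user specification lines; Defaults, comments and blank lines are skipped."""
    rules: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags = set(TAG.findall(rest))
        commands = [c.strip() for c in TAG.sub("", rest).split(",") if c.strip()]
        rules.append({"user": user, "host": host, "runas": runas or user,
                      "nopasswd": "NOPASSWD" in tags, "commands": commands})
    return rules


def find_package_manager_grants(text: str) -> List[Dict]:
    """Return every non-root rule whose command list includes a package manager."""
    findings: List[Dict] = []
    for rule in parse_rules(text):
        if rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if binary in PACKAGE_MANAGERS:
                findings.append({"user": rule["user"], "command": cmd,
                                 "nopasswd": rule["nopasswd"], "runas": rule["runas"]})
    return findings


if __name__ == "__main__":
    for f in find_package_manager_grants(SAMPLE_SUDOERS):
        print(f"{f['user']} may run {f['command']} as {f['runas']}"
              f"{' without a password' if f['nopasswd'] else ''}")
```

Point it at `/etc/sudoers` and the files under `/etc/sudoers.d/` (as root, after `visudo -c` confirms the syntax). The fix for a flagged rule is to remove it or replace it with a narrowly scoped wrapper that performs the one update task the user actually needs.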