Hey everyone I hope you are doing good,this is a write up for DC-3 machine. It is a easy boot2root machine. So let’s jump in by doing a port scan on the machine


PORT   STATE SERVICE REASON         VERSION                               
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 08:00:27:99:17:ED (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4


This is a joomla CMS , which can be identified if you have wappalyzer extension installed

So I ran dirsearch but found nothing interesting

I went to google for any exploits available for joomla and found one metasploit module

But this exploit didn’t work

So searched again to find any exploits and came across sql injection for joomla

After sometime it came back with databases

Now let’s select joomladb database and see it's tables

It will start to retrieve the tables from the database

Now we are interested in users table

I tried to enumerate for columns in table but couldn’t

Then went with guessing the column name to be name and it returned an entry in the table so the next column could be password

The hash looks like bcrypt so let’s try cracking it with john

We can now login to joomla with admin:snoopy

To get a reverse shell , go to Extensions -> Templates

And edit the error.php file

Now you just need to to navigate to that file , /templates/beez3/error.php

But this didn’t work let’s try to add a simple command injection paramter

Now we have a rce ,just need to get a reverse shell

We have a shell great ! , so now let’s run linpeas

Right off the bat it shows that it’s using an old linux kernel so there is an exploit available

Download and transfer the exploit to traget machine make sure to covert it to unix format using dos2unix

After compiling and running ,it didn’t worked

I searched again for an exploit and found one

After running it crashed : |

Then found another exploit

We need to just run compile.sh after that run the binary doubleput

BS CS undergraduate | CTF Player