Hey everyone I hope you are doing good,this is a write up for DC-3 machine. It is a easy boot2root machine. So let’s jump in by doing a port scan on the machine

Rustscan

PORT 80 (HTTP)

This is a joomla CMS , which can be identified if you have wappalyzer extension installed

So I ran dirsearch but found nothing interesting

I went to google for any exploits available for joomla and found one metasploit module

But this exploit didn’t work

So searched again to find any exploits and came across sql injection for joomla

After sometime it came back with databases

Now let’s select joomladb database and see it's tables

It will start to retrieve the tables from the database

Now we are interested in users table

I tried to enumerate for columns in table but couldn’t

Then went with guessing the column name to be name and it returned an entry in the table so the next column could be password

The hash looks like bcrypt so let’s try cracking it with john

We can now login to joomla with admin:snoopy

To get a reverse shell , go to Extensions -> Templates

And edit the error.php file

Now you just need to to navigate to that file , /templates/beez3/error.php

But this didn’t work let’s try to add a simple command injection paramter

Now we have a rce ,just need to get a reverse shell

We have a shell great ! , so now let’s run linpeas

Right off the bat it shows that it’s using an old linux kernel so there is an exploit available

Download and transfer the exploit to traget machine make sure to covert it to unix format using dos2unix

After compiling and running ,it didn’t worked

I searched again for an exploit and found one

After running it crashed : |

Then found another exploit

We need to just run compile.sh after that run the binary doubleput

BS CS undergraduate | CTF Player