MACHINE IP: 10.1.1.42
START TIME: 12:51 PM
So there are 3 ports open. We’ll start our enumeration with the HTTP service on port 80.
I didn’t find anything in the source or any links, so I ran dirsearch on it.
But nothing here seems interesting, since all of these directories look like default dirs.
So I started dirsearch on port
I searched /administrator and found 2 URLs, /logs and /error.php.
In /logs I found
In /error.php I got nothing.
So I tried searching /blog and noticed that it was running Joomla, so I used joomscan to see if I could find anything.
This also didn’t find anything. So again I had to message @4ndreq, and he said that I should do OSINT on an email. But obviously first I needed to find that email. I realized there was an email on the website running on port 80 in the contact us section. I googled that and found a pastebin post with a password in it.
With cebu:cabergas08 I was able to log in as admin in Joomla.
To get a reverse shell we can go to Extension > template > templates > beez3 > error.php and just paste the reverse shell code in there.
Then you can set up your listener with nc -nlvp 4444 and trigger the shell by visiting
Since I already knew the password for cebu, I did su cebu and entered cabergas08 to switch to that user.
Also, to get a proper shell I added my public key to the authorized_keys file:
$ echo "your public key" > authorized_keys
I ran my enumeration script and found a SUID binary.
To see what that SUID binary was I executed sudo.old --help and got the options for bash, meaning the SUID binary is bash renamed to something else.
So to get a root shell from this we can do
Then we can get the root flag.
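From the defender's side, the lesson of the renamed SUID bash above is that you cannot trust file names when auditing setuid binaries. The following audit script is an added example, not part of the original writeup: it lists setuid files under a directory and flags any whose bytes are identical to a known shell, so a copy named something innocuous like sudo.old is still caught. The KNOWN_SHELLS list is an assumption; extend it for your distribution.

```shell
#!/bin/sh
# Added defender-side audit (not from the original writeup): find setuid
# files and flag those that are byte-for-byte copies of a known shell.
# KNOWN_SHELLS is an assumed list; add the shells present on your systems.
KNOWN_SHELLS="/bin/sh /bin/bash /bin/dash /usr/bin/bash /usr/bin/dash"

# find_suid_shells DIR
# Prints one line "PATH is a SUID copy of SHELL" per match and prints
# nothing when no setuid file under DIR matches a known shell.
find_suid_shells() {
    # -perm -4000 selects files with the setuid bit; -xdev stays on one filesystem
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        for s in $KNOWN_SHELLS; do
            [ -f "$s" ] || continue
            # cmp -s is silent and exits 0 only on byte-for-byte equality,
            # so the file name plays no part in the decision
            if cmp -s "$f" "$s"; then
                echo "$f is a SUID copy of $s"
            fi
        done
    done
}

# Usage: sh audit_suid.sh /   (run as root so every path is readable)
if [ -n "${1:-}" ]; then
    find_suid_shells "$1"
fi
```

On a real host, compare the output against your package manager's list of expected setuid binaries; anything flagged that is not package-owned deserves an incident ticket.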
This machine was fun to do. Thanks to @H4d3s for making this machine.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.