Default ports 22 and 80 are open. Enumerate the web server with gobuster and you will find /test/password, which gives us the user and password for the website. Enumerate more with gobuster and you will find /joomla/administrator.
Insert the credentials
Navigate on “templates”
And click on “Protostar”
Go in index.php
And now we can upload our reverse shell. In your terminal type: locate php-reverse-shell.php and copy it into your folder.
Now paste it in, insert your IP and your port, and listen with netcat! Click on save.
Now click on Template Preview and we are in!!!
Now enumerate more as www-data! Navigate to /var/www/html/joomla, where there is a file called “configuration.php”. This file contains MySQL credentials, but if you try to log in to MySQL it is a rabbit hole!
These are simply the credentials for user jenny, so log in as jenny!
HORIZONTAL PRIVILEGE ESCALATION:
Now we are in as jenny, and sudo -l shows that we have privileges as shenron.
Now create our RSA key
Copy our key and put it in /tmp in jenny’s shell.
Now we can cp our RSA key into shenron’s .ssh folder, let’s try!
Nice, now we can log in as shenron, so in our shell type:
Now type: find / -type f -iname "password.txt" 2>/dev/null and you will find the password for shenron. Then type sudo -l and you will find /usr/bin/apt
VERTICAL PRIVILEGE ESCALATION:
And we are ROOT!
I hope this is useful!
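From the defender's side, both escalation steps above come from sudo grants: cp run as shenron, and /usr/bin/apt for shenron. The following is an added example, not part of the original write-up, that parses sudo -l output and flags such grants. The sample listing, the NOPASSWD tag and the host name are constructed assumptions.

```python
import os
import re

# Binaries this walkthrough reaches through sudo; extend the map from your own review.
RISKY = {
    "cp": "can overwrite the run-as user's files, e.g. ~/.ssh/authorized_keys",
    "apt": "package manager can execute commands as the run-as user",
}

# One entry of `sudo -l` output: "(runas[:group]) [TAG: ...] cmd[, cmd ...]"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (runas, command, nopasswd, reason) for every risky sudo grant."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header and Defaults lines carry no grant
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((runas, cmd, nopasswd, "unrestricted command execution"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in RISKY:
                findings.append((runas, cmd, nopasswd, RISKY[binary]))
    return findings


# Constructed sample listings (not captured from the target machine).
SAMPLE = """\
User jenny may run the following commands on host:
    (shenron) NOPASSWD: /usr/bin/cp
User shenron may run the following commands on host:
    (ALL : ALL) /usr/bin/apt, /usr/bin/id
"""

if __name__ == "__main__":
    for runas, cmd, nopasswd, reason in audit_sudo_listing(SAMPLE):
        flag = "NOPASSWD" if nopasswd else "password required"
        print(f"[!] as {runas}: {cmd} ({flag}) - {reason}")
```

Removing the flagged grants, or replacing them with narrowly scoped wrapper scripts, closes both escalation paths used here.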