With the help of the “ Cyberchef” website and the “ rot13” module. We read it and we will have the clue to get the credentials of the next user. Inside the “home” of the user “ rob” we find the file “ Abnerineedyourhelp“. We test the credentials from the SSH service and log in with the user “ rob” And we can read the first flag:
#Glasgow smile password
We decode the password from our kali and get the credentials in plain text. We make a query and see that there are several users with their passwords encoded in base64, we will only keep the user “ rob“. We logged on to the database, from the “ batjoke” database and we will query the “ taskforce” table. (There are always interesting things in the databases :D) Once inside, we read the “Joomla” configuration file and get the credentials from the database. We execute the following commands to get an interactive shell. If everything went well, we will have a reverse shell with the user “www-data”. Great! Now, we’ll put a listening netcat on port 5555 and run the command to create a reverse shell.
#Glasgow smile code
To do this, I didn’t get complicated, I directly modified the file “ index.php” and put the code of the webshell of “ pentestmonkey“. Our site step will be to get up a reverse shell or webshell in order to have visibility inside the server. We check our credentials in the Joomla administration panel, we see that we are in as “ Super Admin (Joker)“. We start the attack, filter through “ Lenght” and find a single line where its value is different. We capture with Burp a request of the authentication request and take it to the “ intruder” and introduce the dictionary we just created.” (You have a good tutorial about Bruteforce login with Burp here) We run CeWL to create a custom dictionary using the words from the Joker/Arthur dialogue posted in Joomla. (Although this step is not necessary on this machine)
In many cases, this host will be shown to you in the site’s own source code. To work more comfortably, I always recommend that you modify the /etc/hosts/ with the name of the machine. It’s time to use “ joomscan” and list version, interesting directories, backup files or something that can help us identify some vulnerability. We access the site and show the Joomla site with only one post on it, where there is a dialogue of two scenes from the film of the “ Joker“ With the help of Gobuster and the “ big” dictionary (default in kali), we found the Joomla CMS deployed on the server: We start by visiting the web service (port 80), we find the image of the “Joker”, we check the source code and the robot.txt file, it seems that there is nothing useful. So, let’s start by listing all the TCP ports with nmap.
Penetration Testing MethodologyĪs always we identify the host’s IP with the “Netdiscover” tool: Since these labs are available on the Vulnhub website.
#Glasgow smile how to
Let’s get started and learn how to break it down successfully. The credit for making this lab goes to mindsflee. It’s available at Vulnhub for penetration testing. Today we are going to solve another boot2root challenge called “Glasgow Smile”.
0 kommentar(er)
