# Daily Bugle

{% embed url="<https://tryhackme.com/room/dailybugle>" %}

1. Ran a TCP Scan on the target via Nmap.

```bash
nmap -p 22,80,3306 -sC -sV 10.201.122.79
```

```
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-13 16:19 IST
Nmap scan report for 10.201.122.79
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.86 seconds

```

2. There was a `robots.txt` file here which had a lot of delisted subdirectories. Only `/administrator` was the one that opened up.

   <figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FiEEJQnQ357GM2CFd4qtf%2Fimage.png?alt=media&#x26;token=f3f5cf37-c502-4436-94f1-677bf50caebe" alt=""><figcaption></figcaption></figure>


I looked around to get the Joomla! version running on the target but couldn't find anything.

2. Next I ran a directory scan on the target using Gobuster.

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.201.67.34 -x php,txt,js
```

3. I got several subdirectories and files including `README.txt` which seemed useful.
4. I opened `README.txt` and saw the following.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2F29v1kwikOz2UawTZC5Aw%2Fimage.png?alt=media&#x26;token=d6eeb591-0dae-461b-a38f-2189030212a4" alt=""><figcaption></figcaption></figure>

5. In the first few lines of the README.txt I could see the Joomla version stated as 3.7.
6. Next, I looked online for relevant exploits for Joomla 3.7 and found a SQL Injection vulnerability.

{% embed url="<https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html>" %}

7. I even found a GitHub script that automated the whole exploitation process.

{% embed url="<https://github.com/stefanlucas/Exploit-Joomla>" %}

8. I downloaded the script and ran it, supplying the target URL as a parameter.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FK3bYYhmwvtfRapIda2HG%2Fimage.png?alt=media&#x26;token=8a48bf12-32ee-4224-98d0-06851c1c23d6" alt=""><figcaption></figcaption></figure>

9. Here I obtained all the credentials including the hashed password.
10. I used John the Ripper to crack the hash as follows.

```bash
john -w=/usr/share/wordlists/rockyou.txt --rules hash.txt
```

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FvE9iYq7Fx8HGlVajCU8L%2Fimage.png?alt=media&#x26;token=aa6b7108-21ee-47ed-ad91-6d899faeadeb" alt=""><figcaption></figcaption></figure>

11. `spiderman123` was the password of the user `jonah`. I visited the administrator login panel of Joomla on the target and logged in using the credentials.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FtvNqbaBVkpzNikPVfrky%2Fimage.png?alt=media&#x26;token=e15ec4a0-40cb-409f-b5db-e4cdd7568fdc" alt=""><figcaption></figcaption></figure>

12. The next step was to obtain an initial foothold on the target, for which I needed a reverse shell. I looked everywhere on the admin panel and tried injecting PHP reverse shell code but nothing worked. After a while I checked the Templates section inside Extensions.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FN12TwIpgxPkw2LTGpJB0%2Fimage.png?alt=media&#x26;token=80aa6f41-7aba-450b-a190-666396b5b3f9" alt=""><figcaption></figcaption></figure>

13. There were two templates listed as follows

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FcEDAe0SEPDgR9wAjv7mY%2Fimage.png?alt=media&#x26;token=04ec4654-38ae-43e8-bf2a-c0e59e67886f" alt=""><figcaption></figcaption></figure>

14. Previously while checking the admin portal I had come across the templates section under configuration where Protostar was listed as the default template for the target website.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FLsrPx4RsxZw2k0VtApjB%2Fimage.png?alt=media&#x26;token=8610b064-279f-4d32-9ccb-7a797b7afb4f" alt=""><figcaption></figcaption></figure>

15. Hence I clicked on Protostar Details and Files.
16. There were a lot of files in the template hence I visited the `index.php` file.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fm8F9N548onUIanvalsZ0%2Fimage.png?alt=media&#x26;token=4f15d07c-8840-481f-8bbb-fa9922256afd" alt=""><figcaption></figcaption></figure>

17. Jackpot, here it was possible to execute malicious PHP code. Hence I picked up the pentestmonkey reverse shell and copied it here.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2F22TBrsKdiBffZXfRX4OQ%2Fimage.png?alt=media&#x26;token=0909a597-cecf-4535-9279-d5901bdbce3c" alt=""><figcaption></figcaption></figure>

18. Next, I visited the `index.php` page which was the home page on the target and simultaneously initiated a Netcat reverse shell on my attacker machine.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FdZk3ymAL314vz9rY3NSe%2Fimage.png?alt=media&#x26;token=788f55ed-7112-4e01-be98-3bbf2f9eb93e" alt=""><figcaption></figcaption></figure>

19. Here, as you can see I had obtained the initial foothold on the target.
20. Next I enumerated the system and came across a `configuration.php` file inside `/var/www/html`.
21. I listed out its contents and found the following

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fpya2PAY7efi3lKcpeLCo%2Fimage.png?alt=media&#x26;token=aa2c34a6-5108-4d5f-8866-1a6e9e5c939a" alt=""><figcaption></figcaption></figure>

22. There was a password given here along with `root` as the username. My initial approach was to try the credentials on `mysql` as there was a MariaDB server running on the target but it didn't work.
23. Previously, while enumerating the system, I had come across another user on the target by the name of `jjameson`. I tried using the given password to connect to the target via SSH as the `jjameson` user.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FnNBevf8PjecGUTsNY8eJ%2Fimage.png?alt=media&#x26;token=1aa18c44-6aab-4162-984a-99889a6c5c9a" alt=""><figcaption></figcaption></figure>

24. I then obtained the user flag from the `home/jjameson` directory inside `user.txt`.
25. The next objective was to gain root access to the target. The first thing I did was to run `sudo -l`.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FTpMVWSj4Q8mvs1JTehTj%2Fimage.png?alt=media&#x26;token=0d16fab1-48db-41b1-ab4e-53ffcc323a59" alt=""><figcaption></figcaption></figure>

25. Seems like I could run `yum` on the target. My next step was to check GTFOBins for a relevant exploit for `yum`.

{% embed url="<https://gtfobins.github.io/gtfobins/yum/#sudo>" %}

26. I found the following two methods to get root shell.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FK2cZ4WzBrQHUv0uuQEKb%2Fimage.png?alt=media&#x26;token=a5cf4dca-e1a8-4c46-ae11-f694cf910741" alt=""><figcaption></figcaption></figure>

27. I initially tried the first approach but it didn't work, hence I used the second exploit.
28. I straightaway copied the whole code block into the SSH terminal and elevated to root.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FDMDZScKpUQx9lim9JIsU%2Fimage.png?alt=media&#x26;token=a0b4415d-4bcc-4b52-8d03-23b88ccc1b0d" alt=""><figcaption></figcaption></figure>

29. The next obvious step was to get the root flag from `/root/root.txt`.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FREaW5woghjLZC2xJ4s3E%2Fimage.png?alt=media&#x26;token=3c578348-04af-477a-9dcf-7c3131827f85" alt=""><figcaption></figcaption></figure>

30. And that was it!
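
The root step above worked because a sudo rule allowed `yum`, a program that can run arbitrary code on behalf of its caller. As an added example (not part of the original writeup), the following audit parses `sudo -l` output and reports rules that hand out code execution this way; the function name `audit_sudo_l`, the `ESCAPE_CAPABLE` table and the sample output are assumptions made for illustration.

```python
import os
import re

# Illustrative subset (an assumption, not a complete list) of programs that
# can run arbitrary code as the sudo target user once they are allowed.
ESCAPE_CAPABLE = {
    "yum": "package manager: loads plugins, runs package scriptlets",
    "dnf": "package manager: loads plugins, runs package scriptlets",
    "rpm": "package manager: runs package scriptlets",
    "vim": "editor: can spawn a shell",
    "find": "supports -exec",
    "python3": "interpreter",
}

# One rule line of `sudo -l`, e.g. "    (ALL) NOPASSWD: /usr/bin/yum"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return one finding per sudo rule that hands out code execution."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line, or blank
        nopasswd = "NOPASSWD" in m.group("tags")
        # Simplification: commands containing an escaped comma are not handled.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            parts = cmd.split()
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif os.path.basename(parts[0]) in ESCAPE_CAPABLE:
                reason = ESCAPE_CAPABLE[os.path.basename(parts[0])]
            else:
                continue
            findings.append({
                "runas": m.group("runas").strip(), "command": cmd,
                "nopasswd": nopasswd, "any_args": len(parts) == 1,
                "reason": reason})
    return findings

# Constructed sample output (the hostname web01 is made up).
SAMPLE = """\
User jjameson may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

A finding with `any_args` set means sudoers does not pin the arguments, so the rule is equivalent to a root shell and should be removed or replaced with a narrowly scoped wrapper.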

Stay tuned for more writeups in the future.

Happy Hacking!
