Make a new directory —> mkdir Curling
Next, do an Nmap scan to look for open ports —> nmap -sVC 10.10.10.150
It seems there are only two ports open, 22 and 80. The web service is running a content management system called Joomla!
Let's take a look at the website and see what we can find
There is not much to do on the website; however, when we look at the source code, at the bottom we can see a secret.txt file hidden in an HTML comment
Look for the file by adding its name to the URL
And we get our hands on what seems to be a base64-encoded string; let's go to CyberChef and decode it
And it seems we have something! We don't know what yet, but it could be a password, so let's keep looking; maybe we can find a username somewhere around
The posts are signed with the name Floris; let's see if we can put the pieces together
And we are the Super User! I couldn't do much with this, so I decided to do proper enumeration, like I should have done before, running a Gobuster scan to look for directories
As you can see at the bottom, there is a directory called /administrator. Heading there, we can use the Super User credentials to access the server's control panel
Clicking around, we can access the server's configuration file
Looking at the Templates tab, it seems we have the option to upload files. This could be a really good chance to obtain a webshell by injecting PHP code
Once it is created, use a PHP shell from Revshells and set up a listener
Now we can honour the name of the machine and use the curl command to request our PHP file, which triggers the shell
And we should have our shell ready on the listener
Now we need to escalate our privileges so we can get the user flag
There is a file called password_backup in the home folder
It seems to be a hex dump; let's head back to CyberChef
By using the "Detect File Type" recipe we were able to retrieve a password.txt file. You just need to keep adding the matching decode/decompress recipe before "Detect File Type" until it no longer recognises the output as a known file type. Now we can try these credentials over SSH as Floris
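The "keep peeling until Detect File Type gives up" step above is a generic technique for artifacts wrapped in several container layers. As an added example that is not part of this writeup, the Python script below does the same job offline: it parses an xxd-style hex dump back into bytes, identifies each layer by its magic bytes (gzip, bzip2, tar), removes it, and stops when the content is no longer a recognised container. The sample hex dump is constructed inside the script (a tar inside gzip inside bzip2 holding a placeholder credential); the actual layering of the machine's password_backup file is not stated on this page, so that layer order is an assumption used only for the demo.

```python
import bz2
import gzip
import io
import re
import tarfile

# --- hex dump handling ----------------------------------------------------

def to_hexdump(data: bytes) -> str:
    """Render bytes in xxd style: offset, 16 bytes as 2-byte hex groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines)

def parse_hexdump(text: str) -> bytes:
    """Recover the raw bytes from an xxd-style dump (offset, hex column, ASCII column)."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1].strip()
        hex_column = re.split(r"\s{2,}", rest)[0]   # hex column ends at the double space
        out += bytes.fromhex(re.sub(r"\s", "", hex_column))
    return bytes(out)

# --- layer detection and unwrapping --------------------------------------

def detect_type(data: bytes) -> str:
    """Identify a container by its magic bytes (what CyberChef's 'Detect File Type' does)."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":
        return "tar"
    return "unknown"

def unwrap(data: bytes, max_layers: int = 10):
    """Peel compression/archive layers until the content is no longer a recognised container.
    Returns (innermost_bytes, [layer names in the order they were removed])."""
    layers = []
    for _ in range(max_layers):
        kind = detect_type(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
        else:
            break
        layers.append(kind)
    return data, layers

def unwrap_hexdump(text: str):
    """Convenience wrapper: hex dump text in, innermost file content and layer list out."""
    return unwrap(parse_hexdump(text))

# --- constructed sample (NOT the file from the machine) -------------------

SAMPLE_SECRET = b"constructed-sample-credential-not-real\n"

def _build_sample() -> str:
    """Assumed layering for the demo: tar -> gzip -> bzip2 -> hex dump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(SAMPLE_SECRET)
        tf.addfile(info, io.BytesIO(SAMPLE_SECRET))
    return to_hexdump(bz2.compress(gzip.compress(buf.getvalue())))

SAMPLE_HEXDUMP = _build_sample()

if __name__ == "__main__":
    content, layers = unwrap_hexdump(SAMPLE_HEXDUMP)
    print("layers removed:", " -> ".join(layers))
    print("content:", content.decode())
```

The loop is bounded by max_layers so a crafted file that decompresses into another copy of itself cannot spin forever, and the tar branch reads only the first regular member rather than extracting to disk, which avoids path-traversal member names touching the analyst's filesystem.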
And we are in! Let's look at that admin-area folder we couldn't access before
And we can see a URL for localhost saved as a variable. Let's take a look with pspy to enumerate processes and find something useful
And it seems we have a cron task running the curl command with the -K option, reading the input file and writing the output to the report file. Let's take a look at what the -K option does
The -K option reads the contents of a file as arguments and uses them as if they had been provided on the command line. Knowing this, we could set a listener on port 80, change the local address to our IP, and pass root.txt as the data value of a POST request, which our listener should catch. Credit to 0xdf for this trick!
Note that we are using "@" so that curl reads root.txt from a file. Then just wait for the cron task to trigger curl
And there you go!
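What made this last step possible is a root cron job feeding curl -K a config file that a low-privileged user can edit: whoever controls that file controls curl's arguments. As an added example that is not part of this writeup, the Python script below audits /etc/crontab-style entries (the format with a user field) for curl -K/--config usages and checks whether the referenced config file, or the directory holding it, is writable by anyone other than the trusted user. The crontab lines, paths and file contents are constructed for the demo; the "trusted uid" defaults to root (0) and run_demo() passes the current uid so the check is meaningful when run unprivileged.

```python
import os
import re
import stat
import tempfile

# Matches "-K path", "--config path" and "--config=path" inside a cron command.
CURL_CONFIG_RE = re.compile(r"(?<!\S)(?:-K|--config)(?:=|\s+)(\S+)")

def sample_crontab(input_path: str, report_path: str) -> str:
    """Constructed /etc/crontab text (NOT from the machine) with two curl -K jobs."""
    return (
        "# m h dom mon dow user  command\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly\n"
        f"* *     * * *   root    curl -K {input_path} -o {report_path}\n"
        f"@reboot         root    curl --config={input_path} -s\n"
    )

def curl_config_paths(crontab_text: str):
    """Return (schedule, user, config_path) for every system-crontab job running curl -K/--config."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                                   # comment, blank or environment assignment
        fields = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(fields) < (3 if line.startswith("@") else 7):
            continue                                   # malformed line, ignore
        *schedule, user, command = fields
        if "curl" not in command:
            continue
        for m in CURL_CONFIG_RE.finditer(command):
            hits.append((" ".join(schedule), user, m.group(1)))
    return hits

def check_config_file(path: str, trusted_uid: int = 0) -> dict:
    """Report whether a curl config file could be modified or replaced by an untrusted user."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False, "risky": True,
                "reasons": ["missing: whoever can create this path controls curl's arguments"]}
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not trusted uid {trusted_uid}")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    # A writable parent directory (without the sticky bit) lets someone swap the file out.
    if parent.st_uid != trusted_uid or (pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX):
        reasons.append("parent directory writable by an untrusted user (file can be replaced)")
    return {"path": path, "exists": True, "mode": oct(mode), "uid": st.st_uid,
            "risky": bool(reasons), "reasons": reasons}

def audit_crontab(crontab_text: str, trusted_uid: int = 0):
    """Combine the two steps: find curl config files in cron, then check each one."""
    findings = []
    for schedule, user, path in curl_config_paths(crontab_text):
        finding = check_config_file(path, trusted_uid)
        finding.update({"schedule": schedule, "cron_user": user})
        findings.append(finding)
    return findings

def run_demo():
    """Create one properly protected and one world-writable config file, then audit both."""
    with tempfile.TemporaryDirectory() as d:
        safe, loose = os.path.join(d, "input_safe"), os.path.join(d, "input_loose")
        for p in (safe, loose):
            with open(p, "w") as fh:
                fh.write("url = http://127.0.0.1/\n")        # constructed curl config content
        os.chmod(safe, 0o644)
        os.chmod(loose, 0o666)
        crontab = (f"* * * * * root curl -K {safe} -o {os.path.join(d, 'report1')}\n"
                   f"* * * * * root curl -K {loose} -o {os.path.join(d, 'report2')}\n")
        return audit_crontab(crontab, trusted_uid=os.getuid())

if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], "RISKY" if f["risky"] else "ok", f["reasons"])
```

The fix on a real host is the mirror image of the finding: the config file and its directory should be owned by the cron user with no group/other write bit, or the job should stop using -K and carry its options on the command line.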