SecTalks: BNE0x02 - Fuku
- Joomla 1.5.x - (Token) Remote Admin Change Password
- Chkrootkit - Local Privilege Escalation
- Joomla HD FLV Player SQL Injection Vulnerability
Use Joomla! Remote Admin Chnage Password Exploit
Use netdiscover to detect target IP address
netdiscover -i eth0 -r 192.168.56.0/24
192.168.56.134 is the target.
Then run nmap to detect opening ports and running services on the target machine.
nmap -sV -v -O -A -T5 192.168.56.134 -p-
as we can see, almost every port is opening. I guess the target machine doesn’t want hacker know which services are exactly running.
I use nc to read some ports such as 80 22 23. Port 22 gets result like:
while the rest of ports get the results:
looks like I need to filter ports like these. I wrote a script to make life easier filter.py
After running the script, I find only port 22 and port 13370 are opening.
check the http://192.168.56.134:13370. I got this
review the code:
Looks like Joomla!
use wfuzz to scan
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.56.134:13370/FUZZ 2>/dev/null
get some interesting path names
use Nikto to scan
nikto -h http://192.168.56.134:13370
check http://192.168.56.134:13370/administrator/ get the login page:
Now I can confirm it is Joomla!
use joomscan to scan:
joomscan -u http://192.168.56.134:13370
get the result:
follow the steps:
- go to http://192.168.56.134/index.php?option=com_user&view=reset&layout=confirm
- Write into field “token” char ‘ and Click OK.
- input new password for admin
- go to http://192.168.56.134/administrator/ to login with new password
Since it is Japanese version, I followed my post sickos1.2 to upload php reverse shell (usr/share/webshells/php/php-reverse-shell.php).
I will edit beez file, copy the php reverse shell code to it and replace the IP address and port
set up netcat and get the shell
However, I cannot execute most commands even
python2.7 -c 'import pty; pty.spawn("/bin/bash")'
Now try to enumerate the os.
ps aux |grep root
looks like the
chkrootkit 0.49 is available.
I followed my previous post sickos1.2 to upload php reverse shell (usr/share/webshells/php/php-reverse-shell.php) to get the root:
chmod 777 /tmp/update
ls -al /etc/sudoers
finally get the root:
Exploit Joomla HD FLV Player SQL Injection
in http://192.168.56.134/, I found the target uses HD FLV Player
check the source code:
searchsploit HD FLV
follow the instructions:
now get the columns of the table
now I am interested in column username and password
crack admin’s password now
Then login as admin, upload php reverse shell, same as I worked in the first part of this post.
Aslo, since the hash format is like hash:salt. I found the hashcat example hashes, the MD5 format should be
md5($pass.$salt), so that in hashcat for option
-m the value should be 10 (hashcat –help, check the * Hash types)
use hashcat crack:
hashcat -m 10 -a 0 -o joompass.txt --remove 61.hash /usr/share/wordlists/rockyou.txt