Foothold
1. fuzz vhost to find the dev page
2. fuzz page to find joomla login page
3. find joomla version and its CVE
4. login to joomla as admin
5. modify php template to get webshell
6. on the server, login to mysql to get hash of other user
7. hashcat to crack the hash and get user flag
PrivEsc
1. sudo -l to view sudo commands
2. kill -BUS <pid> to generate a crash file in /var/crash/
3. sudo apport-cli -c <crash file>
4. view report
5. in the viewer, start a bash shell with !/bin/bash
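
Detection-side view of the PrivEsc steps above, as an added example that is not part of the original notes: it parses sudo's auth.log lines and flags permitted root runs of apport-cli on a file under /var/crash/. The log lines, host, user and crash file names, the PAGER_TOOLS set and the function names are constructed for illustration.

```python
import re

# Layout of the line sudo writes to syslog/auth.log for each invocation.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+) ; )?"
    r"TTY=\S+ ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# Assumption: tools that show their output in a pager, where "!" starts a shell.
PAGER_TOOLS = {"apport-cli"}
CRASH_DIR = "/var/crash/"

def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = SUDO_RE.search(line.rstrip("\n"))
    if not m:
        return None
    argv = m["cmd"].split()
    return {
        "user": m["user"], "runas": m["runas"],
        "allowed": m["reason"] is None,  # sudo puts a reason here when it refuses
        "binary": argv[0].rsplit("/", 1)[-1], "args": argv[1:],
    }

def find_pager_escapes(lines):
    """Flag permitted root runs of a pager tool against a crash file."""
    hits = []
    for line in lines:
        ev = parse_sudo_line(line)
        if not ev or not ev["allowed"] or ev["runas"] != "root":
            continue
        if ev["binary"] in PAGER_TOOLS and any(a.startswith(CRASH_DIR) for a in ev["args"]):
            hits.append((ev["user"], ev["binary"], " ".join(ev["args"])))
    return hits

# Constructed sample log lines (host, users and file names are made up).
SAMPLE = [
    "Jan 10 12:00:01 web sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash",
    "Jan 10 12:00:02 web sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; "
    "USER=root ; COMMAND=/usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1001.crash",
    "Jan 10 12:00:03 web sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/systemctl status nginx",
    "Jan 10 12:00:04 web sshd[811]: Accepted password for alice from 10.0.0.5 port 50022 ssh2",
]

if __name__ == "__main__":
    for user, binary, args in find_pager_escapes(SAMPLE):
        print(f"ALERT: {user} ran {binary} {args} as root via sudo")
```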