Curling-3

Paajc2Dupms/default.jpg

01:12 - Begin of Recon
01:55 - Running Cewl to generate a wordlist
02:50 - Finding secret.txt in the HTML Source, which happens to be the password
03:28 - Runninh JoomScan so we have something running in the background
04:20 - Checking the manifest to get the Joomla Version
06:20 - Explaining what equals mean in base64
07:50 - Begin of hunting for Joomla Username
08:30 - BruteForcing Joomla Login with WFUZZ
10:35 - Troubleshooting by sending wfuzz through burp
12:25 - Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command
17:10 - Success! Logged into Joomla
17:58 - Gaining code execution by modifying a template
20:20 - Getting a reverse shell
23:20 - Finding the file: password_backup which is encoded
23:55 - Extracting password_backup manually with xxd, zcat, bzcat, tar
25:43 - Extracting Password_Backup with CyberChef
27:35 - Logging in with Floris
28:17 - Looking at /home/floris/AdminArea
28:50 - Testing the input file by changing the url to us
29:30 - Getting LFI by using file:// within curl
30:38 - Pulling the cron, to see what is going on
31:25 - Cron shows curl -K to use curl with a config file, checking man page.
32:05 - Changing where curl saves to, in order to gain a root shell
33:45 - Showing another good file to read with the LFI (logs)
34:18 - Using pspy to show when processes start/end, which shows the curl command with no exploits

Paajc2Dupms/default.jpg
Curling-3 Curling-3 Reviewed by Unknown on March 30, 2019 Rating: 5