https://tryhackme.com/room/dailybugle

Enumeration

┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ nmap -sC -sV 10.10.220.11 -p 22,80

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/

Going to the homepage, we can see Spider-Man robs the bank!

There is also a robots.txt:

# If the Joomla site is installed within a folder 
# eg www.example.com/joomla/ then the robots.txt file 
# MUST be moved to the site root 
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths. 
# eg the Disallow rule for the /administrator/ folder MUST 
# be changed to read 
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# <http://www.robotstxt.org/orig.html>
#
# For syntax checking, see:
# <http://tool.motoricerca.info/robots-checker.phtml>

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Of these paths, only http://10.10.220.11/administrator/ returns a login page:

Looking at the page source, we found the folders inside /administrator; let's check them out.

Now we get this directory listing:

Now we do another round of fuzzing to find anything interesting:

┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ gobuster dir -u 10.10.220.11/administrator -w /usr/share/wordlists/dirb/common.txt -q -t 200
/cache                (Status: 301) [Size: 248] [--> http://10.10.220.11/administrator/cache/]
/.htaccess            (Status: 403) [Size: 225]
/.hta                 (Status: 403) [Size: 220]
/.htpasswd            (Status: 403) [Size: 225]
/components           (Status: 301) [Size: 253] [--> http://10.10.220.11/administrator/components/]
/help                 (Status: 301) [Size: 247] [--> http://10.10.220.11/administrator/help/]
/includes             (Status: 301) [Size: 251] [--> http://10.10.220.11/administrator/includes/]
/index.php            (Status: 200) [Size: 4843]
/language             (Status: 301) [Size: 251] [--> http://10.10.220.11/administrator/language/]
/logs                 (Status: 301) [Size: 247] [--> http://10.10.220.11/administrator/logs/]
/modules              (Status: 301) [Size: 250] [--> http://10.10.220.11/administrator/modules/]
/templates            (Status: 301) [Size: 252] [--> http://10.10.220.11/administrator/templates/]

As we can see, the login page is Joomla's; let's go into the components and see if there is anything there.

http://10.10.220.11/administrator/language/en-GB/en-GB.xml

We find that the Joomla version is 3.7.0.
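The two files that gave the enumeration above its results, robots.txt and the administrator language manifest, are both world-readable by design, so a site owner can check what they disclose before an attacker does. The following is an added example, not part of the original writeup: it parses constructed copies of both files offline and summarises the version and sensitive paths they advertise (the sample manifest values and the SENSITIVE_DIRS set are assumptions for the example).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Joomla robots.txt like the one above.
SAMPLE_ROBOTS = """# Joomla default robots.txt
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /logs/
Disallow: /tmp/
"""

# Constructed sample of administrator/language/en-GB/en-GB.xml; element names
# follow Joomla's language manifest layout, the values are assumed here.
SAMPLE_MANIFEST = """<metafile version="3.7" client="administrator">
  <name>English (en-GB)</name>
  <version>3.7.0</version>
  <creationDate>April 2017</creationDate>
</metafile>
"""

# Directories that should never be browsable on a Joomla install (assumed list).
SENSITIVE_DIRS = {"/administrator/", "/logs/", "/tmp/", "/installation/"}


def parse_disallowed(robots_text):
    """Return every non-empty Disallow path, ignoring comments and blank lines."""
    paths = []
    for line in robots_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(?i)disallow:\s*(\S+)", line)  # 'Disallow:' alone means allow all
        if m:
            paths.append(m.group(1))
    return paths


def manifest_version(xml_text):
    """Extract <version> from a language manifest (use defusedxml for untrusted input)."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def audit(robots_text, manifest_xml):
    """Summarise what an unauthenticated visitor learns from the two files."""
    version = manifest_version(manifest_xml)
    advertised = sorted(set(parse_disallowed(robots_text)) & SENSITIVE_DIRS)
    return {"version": version, "manifest_readable": version is not None,
            "sensitive_paths_advertised": advertised}


if __name__ == "__main__":
    print(audit(SAMPLE_ROBOTS, SAMPLE_MANIFEST))
```

Pointing the same parsers at a site's real robots.txt and manifest makes a cheap pre-deployment check: a readable manifest or a listed /logs/ or /tmp/ is a finding to fix, typically by denying directory listing and the language XML in the web server config.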

Exploitation