PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:34:48:1f:25:0e:d7:b3:ea:bb:36:11:22:60:8f:a1 (RSA)
| 256 4c:8c:45:65:a4:84:e8:b1:50:77:77:a9:3a:96:06:31 (ECDSA)
|_ 256 09:e9:94:23:60:97:f7:20:cc:ee:d6:c1:9b:da:18:8e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.164.79 -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,html
/index.html (Status: 200) [Size: 125]
/joomla (Status: 301) [Size: 317] [--> http://192.168.164.79/joomla/]
/index.html (Status: 200) [Size: 125]
/server-status (Status: 403) [Size: 279]
There is a /joomla directory, so we enumerate inside it as well.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.164.79/joomla -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,html
/.htpasswd (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/administrator (Status: 301) [Size: 331] [--> http://192.168.164.79/joomla/administrator/]
/.htaccess.php (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/bin (Status: 301) [Size: 321] [--> http://192.168.164.79/joomla/bin/]
/cache (Status: 301) [Size: 323] [--> http://192.168.164.79/joomla/cache/]
/components (Status: 301) [Size: 328] [--> http://192.168.164.79/joomla/components/]
/configuration.php (Status: 200) [Size: 0]
/images (Status: 301) [Size: 324] [--> http://192.168.164.79/joomla/images/]
/includes (Status: 301) [Size: 326] [--> http://192.168.164.79/joomla/includes/]
/index.php (Status: 200) [Size: 10013]
/index.php (Status: 200) [Size: 10013]
/libraries (Status: 301) [Size: 327] [--> http://192.168.164.79/joomla/libraries/]
/language (Status: 301) [Size: 326] [--> http://192.168.164.79/joomla/language/]
/layouts (Status: 301) [Size: 325] [--> http://192.168.164.79/joomla/layouts/]
/media (Status: 301) [Size: 323] [--> http://192.168.164.79/joomla/media/]
/modules (Status: 301) [Size: 325] [--> http://192.168.164.79/joomla/modules/]
/plugins (Status: 301) [Size: 325] [--> http://192.168.164.79/joomla/plugins/]
/robots.txt (Status: 200) [Size: 836]
/templates (Status: 301) [Size: 327] [--> http://192.168.164.79/joomla/templates/]
/tmp (Status: 301) [Size: 321] [--> http://192.168.164.79/joomla/tmp/]
Moving on to /robots.txt, we can see the directories the site asks crawlers not to index (the standard Joomla layout):
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
This is a Joomla CMS, so we need a scanner specific to Joomla.
sudo apt install joomscan
We can use joomscan, which is similar to wpscan:
joomscan --url http://192.168.164.79/joomla/
It seems to get stuck, so let's use CeWL instead to build a custom wordlist from the words of the Joker/Arthur dialogue posted on the Joomla site (minimum word length 5):
cewl -m 5 http://192.168.164.79/joomla/ > joker.txt
We will brute-force the Joomla login page using Nmap's built-in script, with joker.txt as the password list.
Before that, however, we need to create a user list:
┌──(kali㉿kali)-[~]
└─$ cat users.txt
joomla
administrator
Joker
Arthur
In the end, we found that the following credentials work:
joomla:Gotham
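From the defender's side, both steps above leave an obvious footprint in the web server log: a wordlist-driven directory scan produces a burst of 403/404 responses from one address, and a login brute-force produces repeated POSTs to /joomla/administrator/index.php from one address. The following Python detector is an added example, not part of the original write-up; it parses Apache combined-format log lines and flags either pattern with a sliding-window count. The log lines, the 10.0.0.x addresses, the timestamps and the thresholds are all constructed for the example, and it generalises beyond this box: any predicate over a parsed request can be fed to find_bursts.

```python
"""Flag directory-enumeration and admin-login brute-force bursts in an
Apache access log.  Added example with constructed log lines; the
thresholds and addresses are assumptions, not values from the write-up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_bursts(events, predicate, window, threshold):
    """Map ip -> largest number of matching events inside any `window`,
    for every ip whose largest burst reaches `threshold`."""
    per_ip = defaultdict(list)
    for e in events:
        if predicate(e):
            per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def detect_dir_enum(lines, window=timedelta(seconds=60), threshold=20):
    """Many 403/404s from one ip in a short window: a wordlist scan."""
    events = [e for e in map(parse_line, lines) if e]
    return find_bursts(events, lambda e: e["status"] in (403, 404), window, threshold)


def detect_admin_login_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Repeated POSTs to the Joomla administrator login from one ip."""
    events = [e for e in map(parse_line, lines) if e]
    return find_bursts(
        events,
        lambda e: e["method"] == "POST" and "/administrator/index.php" in e["path"],
        window, threshold,
    )


# ---- constructed sample log (not real traffic) ----------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def log_line(ip, ts, method, path, status, size=279):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} {size}'


SAMPLE_LOG = (
    # scanner walking a wordlist: 25 misses in about twelve seconds
    [log_line("10.0.0.5", T0 + timedelta(milliseconds=500 * i), "GET", f"/joomla/word{i}", 404)
     for i in range(25)]
    # the same host then posts to the admin login twelve times in two minutes
    + [log_line("10.0.0.5", T0 + timedelta(seconds=60 + 10 * i), "POST",
                "/joomla/administrator/index.php", 303, 0) for i in range(12)]
    # an ordinary visitor with one harmless 404
    + [log_line("10.0.0.9", T0 + timedelta(seconds=30), "GET", "/joomla/", 200, 10013),
       log_line("10.0.0.9", T0 + timedelta(seconds=35), "GET", "/joomla/media/logo.png", 200, 4096),
       log_line("10.0.0.9", T0 + timedelta(seconds=40), "GET", "/joomla/favicon.ico", 404)]
)

if __name__ == "__main__":
    print("directory scan :", detect_dir_enum(SAMPLE_LOG))
    print("login brute    :", detect_admin_login_bruteforce(SAMPLE_LOG))
```

Only the scanning address is reported; the visitor's single 404 stays below the threshold. In practice the same two checks also make a good case for rate limiting and for protecting /administrator/ with an extra authentication layer, which is what makes the CeWL-plus-brute-force route above so cheap against a default install.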