| Lab/Room | TryHackMe - Advanced Pentesting |
|---|---|
| Type | Challenge |
| Status | Done |
| Date | 29/03/2026 |
Daily Bugle, a Spider-Man inspired challenge.
Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
I started with a service enumeration scan against the target to identify the exposed attack surface. The nmap -sV scan revealed three open ports: SSH on 22, HTTP on 80, and MariaDB on 3306. The web server was running Apache 2.4.6 on CentOS with PHP 5.6.40, while the database service was accessible but did not allow unauthorized connections. This immediately suggested that the most promising entry point would likely be the website rather than the database or SSH, since SSH would require valid credentials and MariaDB was not directly open for interaction.
When browsing to the web application, the first visible clue was the word spiderman. At that stage, it was not immediately clear whether this was only thematic content or something that might later become useful as a credential or password pattern, but it was worth keeping in mind.
The next step was to better understand the web application. Directory enumeration led to the Joomla administrator login panel, which confirmed that the target was running Joomla. I first considered common web exploitation paths such as authentication bypass or SQL injection against the login form, but those attempts did not lead anywhere. Since direct access was blocked, I shifted focus toward fingerprinting the Joomla version, because identifying the exact release could uncover a known vulnerability.
I reviewed the page source, inspected loaded JavaScript files, and checked the network traffic, but none of these methods disclosed the version. I had also already tried whatweb and looked at /robots.txt, without finding anything useful. At that point, I decided to expand the attack surface through directory enumeration with dirsearch.
This phase was valuable because it exposed a number of standard Joomla paths and, more importantly, several files that could provide version information, including /README.txt and /LICENSE.txt. Among the interesting findings were:
- /administrator/, confirming the Joomla admin interface
- /configuration.php, which existed and returned an empty response in the web context
- /README.txt, which later revealed the exact Joomla version

After checking the documentation files, I found the version number inside /README.txt: Joomla 3.7.0.
This was a major turning point. A quick vulnerability check showed that Joomla 3.7.0 is affected by the com_fields SQL injection vulnerability, tracked as CVE-2017-8917. Rather than manually building the exploit from scratch, I used a public proof of concept from GitHub to speed up the process and focus on understanding the attack flow.
Running the exploit successfully extracted data from the Joomla database, including a user entry for jonah. The most important result was the password hash associated with that account. I saved the hash to a file and used John the Ripper with the rockyou.txt wordlist to crack it. This revealed the password:
spiderman123
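Every step of this path leaves traces in the web server's access log. As an added example (not part of the original writeup), the Python snippet below runs over constructed Apache combined-log lines and flags the two things a defender would look for: a burst of 404s from one address (directory enumeration) and a request to the Joomla com_fields component carrying SQL-injection tokens. The log lines, addresses and the 404 threshold are all made up.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log sample (not captured from the room).
# One source enumerates directories, then sends SQL-looking input to the
# com_fields component; a second source is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2026:10:00:01 +0000] "GET /README.txt HTTP/1.1" 200 4793 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:03 +0000] "GET /dev/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:04 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2026:10:00:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%27%20or%201%3D1-- HTTP/1.1" 500 1180 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, request path and status are enough here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Generic SQL-injection indicators, matched against the URL-decoded query string.
SQLI_TOKENS = re.compile(r"(updatexml|extractvalue|union\s+select|'|\"|\bor\s+\d+=\d+)", re.I)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, enum_threshold=5):
    """Flag enumerating sources (>= enum_threshold 404s) and com_fields SQLi attempts."""
    not_found = Counter()
    sqli_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        decoded = unquote(rec["path"])
        query = decoded.split("?", 1)[-1] if "?" in decoded else ""
        # CVE-2017-8917 lives in com_fields, so only that component is inspected.
        if "option=com_fields" in query and SQLI_TOKENS.search(query):
            sqli_hits.append((rec["ip"], decoded))
    enumerators = {ip: n for ip, n in not_found.items() if n >= enum_threshold}
    return {"enumeration": enumerators, "com_fields_sqli": sqli_hits}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On a real server the same logic applies to the Apache access log; the 404 threshold should be tuned to the site's normal error rate.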