Web
Nmap discovered a web server on port 80 of the target host.
The running service is Apache httpd 2.4.38 ((Debian)).
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Wed, 25 Jun 2025 12:30:45 GMT
Server: Apache/2.4.38 (Debian)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Wed, 25 Jun 2025 12:30:47 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Sat, 13 Jun 2020 18:53:52 GMT
ETag: "7d-5a7fbb701d4b6"
Accept-Ranges: bytes
Content-Length: 125
Vary: Accept-Encoding
Content-Type: text/html
Webroot
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
:: Method : GET
:: URL : http://192.168.210.79/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.html [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
.htaccess [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 21ms]
.htaccess.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.php [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 21ms]
.htpasswd.html [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 21ms]
.htpasswd [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 21ms]
.htpasswd.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.php [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
index.html [Status: 200, Size: 125, Words: 7, Lines: 9, Duration: 21ms]
joomla [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 21ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1600 req/sec :: Duration: [0:00:49] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.210.79/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 125, Words: 7, Lines: 9, Duration: 23ms]
icons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
joomla [Status: 200, Size: 9992, Words: 501, Lines: 227, Duration: 57ms]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1869 req/sec :: Duration: [0:01:58] :: Errors: 0 ::
/joomla/ Endpoint
There is a Joomla instance present at the /joomla/ endpoint.
joomscan
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ joomscan --url http://$IP/joomla/ --enumerate-components --random-agent
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.210.79/joomla/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.3rc1
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.210.79/joomla/administrator/components
http://192.168.210.79/joomla/administrator/modules
http://192.168.210.79/joomla/administrator/templates
http://192.168.210.79/joomla/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.210.79/joomla/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.210.79/joomla/robots.txt
Interesting path found from robots.txt
http://192.168.210.79/joomla/joomla/administrator/
http://192.168.210.79/joomla/administrator/
http://192.168.210.79/joomla/bin/
http://192.168.210.79/joomla/cache/
http://192.168.210.79/joomla/cli/
http://192.168.210.79/joomla/components/
http://192.168.210.79/joomla/includes/
http://192.168.210.79/joomla/installation/
http://192.168.210.79/joomla/language/
http://192.168.210.79/joomla/layouts/
http://192.168.210.79/joomla/libraries/
http://192.168.210.79/joomla/logs/
http://192.168.210.79/joomla/modules/
http://192.168.210.79/joomla/plugins/
http://192.168.210.79/joomla/tmp/
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
[+] Enumeration component (com_ajax)
[++] Name: com_ajax
Location : http://192.168.210.79/joomla/components/com_ajax/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_ajax/
[+] Enumeration component (com_banners)
[++] Name: com_banners
Location : http://192.168.210.79/joomla/components/com_banners/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_banners/
[+] Enumeration component (com_contact)
[++] Name: com_contact
Location : http://192.168.210.79/joomla/components/com_contact/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_contact/
[+] Enumeration component (com_content)
[++] Name: com_content
Location : http://192.168.210.79/joomla/components/com_content/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_content/
[+] Enumeration component (com_contenthistory)
[++] Name: com_contenthistory
Location : http://192.168.210.79/joomla/components/com_contenthistory/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_contenthistory/
[+] Enumeration component (com_fields)
[++] Name: com_fields
Location : http://192.168.210.79/joomla/components/com_fields/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_fields/
[+] Enumeration component (com_finder)
[++] Name: com_finder
Location : http://192.168.210.79/joomla/components/com_finder/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_finder/
[+] Enumeration component (com_mailto)
[++] Name: com_mailto
Location : http://192.168.210.79/joomla/components/com_mailto/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_mailto/
Installed version : 3.1
[+] Enumeration component (com_media)
[++] Name: com_media
Location : http://192.168.210.79/joomla/components/com_media/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_media/
[+] Enumeration component (com_newsfeeds)
[++] Name: com_newsfeeds
Location : http://192.168.210.79/joomla/components/com_newsfeeds/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_newsfeeds/
[+] Enumeration component (com_search)
[++] Name: com_search
Location : http://192.168.210.79/joomla/components/com_search/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_search/
[+] Enumeration component (com_users)
[++] Name: com_users
Location : http://192.168.210.79/joomla/components/com_users/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_users/
[+] Enumeration component (com_wrapper)
[++] Name: com_wrapper
Location : http://192.168.210.79/joomla/components/com_wrapper/
Directory listing is enabled : http://192.168.210.79/joomla/components/com_wrapper/
Installed version : 3.1
Your Report : reports/192.168.210.79/
The version information has been identified: 3.7.3rc1
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ joomscan --url http://$IP/joomla/administrator/ --enumerate-components --random-agent
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.210.79/joomla/administrator/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.3
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.210.79/joomla/administrator/components
http://192.168.210.79/joomla/administrator/modules
http://192.168.210.79/joomla/administrator/templates
http://192.168.210.79/joomla/administrator/includes
http://192.168.210.79/joomla/administrator/language
http://192.168.210.79/joomla/administrator/templates
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page not found
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
[+] Enumeration component (com_admin)
[++] Name: com_admin
Location : http://192.168.210.79/joomla/administrator/components/com_admin/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_admin/
Installed version : 3.1
[+] Enumeration component (com_ajax)
[++] Name: com_ajax
Location : http://192.168.210.79/joomla/administrator/components/com_ajax/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_ajax/
Installed version : 3.2
[+] Enumeration component (com_banners)
[++] Name: com_banners
Location : http://192.168.210.79/joomla/administrator/components/com_banners/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_banners/
Installed version : 3.1
[+] Enumeration component (com_contact)
[++] Name: com_contact
Location : http://192.168.210.79/joomla/administrator/components/com_contact/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_contact/
Installed version : 3.1
[+] Enumeration component (com_content)
[++] Name: com_content
Location : http://192.168.210.79/joomla/administrator/components/com_content/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_content/
Installed version : 3.1
[+] Enumeration component (com_contenthistory)
[++] Name: com_contenthistory
Location : http://192.168.210.79/joomla/administrator/components/com_contenthistory/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_contenthistory/
Installed version : 3.2
[+] Enumeration component (com_fields)
[++] Name: com_fields
Location : http://192.168.210.79/joomla/administrator/components/com_fields/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_fields/
Installed version : 3.7.0
[+] Enumeration component (com_finder)
[++] Name: com_finder
Location : http://192.168.210.79/joomla/administrator/components/com_finder/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_finder/
Installed version : 3.1
[+] Enumeration component (com_installer)
[++] Name: com_installer
Location : http://192.168.210.79/joomla/administrator/components/com_installer/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_installer/
Installed version : 3.1
[+] Enumeration component (com_joomlaupdate)
[++] Name: com_joomlaupdate
Location : http://192.168.210.79/joomla/administrator/components/com_joomlaupdate/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_joomlaupdate/
Installed version : 3.1
[+] Enumeration component (com_media)
[++] Name: com_media
Location : http://192.168.210.79/joomla/administrator/components/com_media/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_media/
Installed version : 3.1
[+] Enumeration component (com_newsfeeds)
[++] Name: com_newsfeeds
Location : http://192.168.210.79/joomla/administrator/components/com_newsfeeds/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_newsfeeds/
Installed version : 3.1
[+] Enumeration component (com_search)
[++] Name: com_search
Location : http://192.168.210.79/joomla/administrator/components/com_search/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_search/
Installed version : 3.1
[+] Enumeration component (com_users)
[++] Name: com_users
Location : http://192.168.210.79/joomla/administrator/components/com_users/
Directory listing is enabled : http://192.168.210.79/joomla/administrator/components/com_users/
Installed version : 3.1
Your Report : reports/192.168.210.79/
Re-running the tool against the administrator endpoint, /joomla/administrator/, shows the version information of the installed components.
Fuzzing /joomla/
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/joomla/FUZZ -ic -e .html,.txt,.php
________________________________________________
:: Method : GET
:: URL : http://192.168.210.79/joomla/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htaccess.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.html [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.html [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htaccess.php [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.php [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 20ms]
LICENSE.txt [Status: 200, Size: 18092, Words: 3133, Lines: 340, Duration: 21ms]
README.txt [Status: 200, Size: 4874, Words: 481, Lines: 73, Duration: 21ms]
administrator [Status: 301, Size: 331, Words: 20, Lines: 10, Duration: 19ms]
bin [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 21ms]
cache [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 20ms]
cli [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 20ms]
components [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 20ms]
configuration.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
htaccess.txt [Status: 200, Size: 3005, Words: 438, Lines: 81, Duration: 20ms]
images [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 22ms]
includes [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 21ms]
index.php [Status: 200, Size: 10013, Words: 501, Lines: 227, Duration: 71ms]
language [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 19ms]
layouts [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 19ms]
libraries [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 19ms]
media [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 20ms]
modules [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 21ms]
plugins [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 21ms]
robots.txt [Status: 200, Size: 836, Words: 88, Lines: 33, Duration: 19ms]
robots.txt [Status: 200, Size: 836, Words: 88, Lines: 33, Duration: 19ms]
templates [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 20ms]
tmp [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 20ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1980 req/sec :: Duration: [0:00:49] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/joomla/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.210.79/joomla/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 9993, Words: 501, Lines: 227, Duration: 57ms]
media [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 19ms]
templates [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 19ms]
modules [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 20ms]
bin [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 21ms]
plugins [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 21ms]
includes [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 22ms]
language [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 21ms]
components [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 19ms]
cache [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 21ms]
libraries [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 21ms]
images [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 2173ms]
tmp [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 19ms]
layouts [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 19ms]
administrator [Status: 200, Size: 4929, Words: 214, Lines: 109, Duration: 45ms]
cli [Status: 200, Size: 31, Words: 2, Lines: 2, Duration: 20ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1709 req/sec :: Duration: [0:01:52] :: Errors: 0 ::
N/A
Admin Panel
The login page for the admin panel is available at the /joomla/administrator/index.php endpoint.
Authentication
A brute-force attack was made to gain access to the admin panel.
The current user, joomla, is a super user.
There are many ways to get code execution on the host system once a super user is compromised in a Joomla instance, such as installing a malicious extension or injecting malicious PHP code into an existing template.
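Seen from the defender's side, the directory fuzzing and the admin-login brute force above both leave a clear pattern in the Apache access log. The following is an added example, not part of the original notes: it flags clients by the number of distinct 403/404 paths they request and by the number of POSTs to the admin login. The log lines, IP addresses and thresholds are constructed assumptions, and counts are taken over the whole input rather than a time window.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/joomla/administrator/index.php"  # admin login endpoint from the notes
MISS_THRESHOLD = 20    # assumed: distinct 403/404 paths per client
LOGIN_THRESHOLD = 10   # assumed: POSTs to the login form per client


def analyse(lines, miss_threshold=MISS_THRESHOLD, login_threshold=LOGIN_THRESHOLD):
    """Return {ip: set of findings} for clients that look like scanners."""
    missed = defaultdict(set)   # ip -> distinct paths answered 403/404
    logins = defaultdict(int)   # ip -> POST count to the admin login
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if m["status"] in ("403", "404"):
            missed[ip].add(path)
        if m["method"] == "POST" and path == LOGIN_PATH:
            logins[ip] += 1
    findings = defaultdict(set)
    for ip, paths in missed.items():
        if len(paths) >= miss_threshold:
            findings[ip].add("content-discovery")
    for ip, count in logins.items():
        if count >= login_threshold:
            findings[ip].add("login-bruteforce")
    return dict(findings)


def sample_log():
    """Constructed sample: one noisy client, one ordinary visitor."""
    ts = "25/Jun/2025:12:31:00 +0000"
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 279 "-" "-"'
    lines = [fmt.format(ip="203.0.113.5", ts=ts, m="GET", p=f"/word{i}.php", s=404)
             for i in range(40)]
    lines += [fmt.format(ip="203.0.113.5", ts=ts, m="POST", p=LOGIN_PATH, s=200)
              for _ in range(15)]
    lines += [fmt.format(ip="198.51.100.7", ts=ts, m="GET", p="/joomla/", s=200),
              fmt.format(ip="198.51.100.7", ts=ts, m="POST", p=LOGIN_PATH, s=303),
              "garbage line"]
    return lines


if __name__ == "__main__":
    for ip, tags in analyse(sample_log()).items():
        print(ip, sorted(tags))
```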