PHP Template Injection
A super user of the target Joomla instance has been compromised.
/Play/GlasgowSmile/3-Exploitation/attachments/{9925A19D-ECC6-45FE-AE29-0671513731C5}.png)
Checking the template reveals that the protostar template is being used as default
/Play/GlasgowSmile/3-Exploitation/attachments/{D61D670E-24B4-4239-B7AA-A05496A1B404}.png)
It can be edited directly since the current user is a super user
/Play/GlasgowSmile/3-Exploitation/attachments/{17C75557-520F-4737-AE73-FBE16473CEC1}.png)
/Play/GlasgowSmile/3-Exploitation/attachments/{CEE00FBB-DD1F-4140-8CEF-6307818ACACE}.png)
Appending the generated PHP reverse shell payload into the bottom of the index.php file of the protostaar templates.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ curl -s http://$IP/joomla/Invoking the payload
/Play/GlasgowSmile/3-Exploitation/attachments/{76314D75-1853-42FF-8A42-EE61F82EBE6F}.png)
Initial Foothold established to the glasgowsmile host as the www-data account via injecting a malicious PHP code into an existing template.