InfoSec LAB

BoilerCTF_Configuration_Files

Created: 3 min read

Configuration Files

Checking for configuration files after performing a basic system enumeration

log

www-data@Vulnerable:/var/www/html/joomla/_test$ ll
total 124K
4.0K drwxr-xr-x  3 www-data www-data 4.0K Aug 22  2019 sarFILE
4.0K drwxr-xr-x  3 www-data www-data 4.0K Aug 22  2019 .
 56K -rwxr-xr-x  1 www-data www-data  53K Aug 22  2019 index.php
4.0K drwxr-xr-x 25 www-data www-data 4.0K Aug 22  2019 ..
4.0K -rwxr-xr-x  1 www-data www-data  716 Aug 21  2019 log.txt
 52K -rwxr-xr-x  1 www-data www-data  52K Mar 19  2019 sar2html
 
www-data@Vulnerable:/var/www/html/joomla/_test$ cat log.txt
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.

The log.txt file in the _test directory appears to be auth log, containing a CLEARTEXT credential for the basterd user; superduperp@$$ I will validate it against the target SSH server

Joomla Configuration File

www-data@Vulnerable:/var/www/html/joomla$ cat configuration.php
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'THM Boiler Room';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $debug_lang_const = '1';
	public $dbtype = 'mysqli';
	public $host = '127.0.0.1';
	public $user = 'joomlauser';
	public $password = 'passwordz';
	public $db = 'joomladb';
	public $dbprefix = 'wyot4_';
	public $live_site = '';
	public $secret = '5O2SmJUZB24rhcfL';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
	public $ftp_host = '';
	public $ftp_port = '';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'mail';
	public $mailfrom = 'admin@example.com';
	public $fromname = 'THM Boiler Room';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '0';
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = '25';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = '';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = '/var/www/html/joomla/administrator/logs';
	public $tmp_path = '/var/www/html/joomla/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
	public $shared_session = '0';

DB credential found; joomlauser:passwordz Secret found; 5O2SmJUZB24rhcfL

Interactive Graph View

Backlinks