Scanning and Enum3ration
The first thing I do is find the IP address and run a port scan; after that I find the active Apache server on port 13370.
![](../img/post2/image1.png)
arp-scan -l
nmap 192.168.2.102
After going to the webpage, I see a website running on Joomla.
![](../img/post2/image2.png)
Getting shell
In the source code of the page you can find the version of Joomla.
![](../img/post2/image3.png)
Yeah, this version of Joomla has many vulnerabilities, but in this case I need an exploit for changing the administrator password (Joomla! 1.5.x - 'Token' Remote Admin Change Password).
![](../img/post2/image4.png)
searchsploit joomla 1.5
After changing the administrator password, I successfully log in to the site control panel.
![](../img/post2/image5.png)
After loading a PHP reverse shell I get www-data.
![](../img/post2/image6.png)
Privil3ge escalation
In the running processes you can see Chkrootkit 0.49 running.
![](../img/post2/image7.png)
ps -aux
![](../img/post2/image8.png)
After analyzing the vulnerability on Exploit-DB, I realized that I needed to create a file in the /tmp directory that should change the administrator password.
![](../img/post2/image9.png)
Now connect via SSH and get root.
![](../img/post2/image10.png)
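A defender-side check for the privilege escalation condition described above, as an added example that is not part of the original write-up: it reports whether Chkrootkit 0.49 is installed or running as root, and lists owner-executable files in /tmp that root does not own. The function names and the /tmp review heuristic are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added defensive example; not part of the original write-up.
# Flags the conditions the write-up relied on: Chkrootkit 0.49 on the host,
# run by root, and executable files in /tmp that a non-root user created.

FLAGGED_VERSION="0.49"   # the release named in the write-up

# Pull the version number out of "chkrootkit version X.Y"-style text.
parse_chkrootkit_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read `ps -eo user,args` output on stdin; print chkrootkit processes owned
# by root. The [c] bracket keeps this awk process from matching itself.
root_chkrootkit_procs() {
    awk '$1 == "root" && /[c]hkrootkit/'
}

# List regular files directly under $1 that are executable by their owner
# and not owned by the trusted user $2 (name or numeric uid, default root).
list_foreign_executables() {
    find "$1" -maxdepth 1 -type f -perm -100 ! -user "${2:-root}" 2>/dev/null | sort
}

audit_host() {
    tmpdir=${1:-/tmp}
    if command -v chkrootkit >/dev/null 2>&1; then
        ver=$(parse_chkrootkit_version "$(chkrootkit -V 2>&1)")
        if [ "$ver" = "$FLAGGED_VERSION" ]; then
            echo "FINDING: chkrootkit $ver installed; upgrade to a later release"
        fi
    fi
    procs=$(ps -eo user,args 2>/dev/null | root_chkrootkit_procs)
    if [ -n "$procs" ]; then
        printf 'INFO: chkrootkit running as root:\n%s\n' "$procs"
    fi
    found=$(list_foreign_executables "$tmpdir")
    if [ -n "$found" ]; then
        printf 'REVIEW: non-root executables in %s:\n%s\n' "$tmpdir" "$found"
    fi
    return 0
}

audit_host "${1:-/tmp}"
```

Run it as root from cron or a configuration-management job so the /tmp listing is not limited by file permissions.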