THM Daily Bugle - grunt92/IT-Sec-WriteUps GitHub Wiki

Deploy

Access the web server, who robbed the bank?

Visit the server and look at the start page. The page tells you the name:

Spiderman

Obtain user and root

What is the Joomla version?

After using almost every possible tool, I searched for a method to determine the Joomla version using Google and found this website. I followed the instructions, went to "http://IP/language/en-GB/en-GB.xml" and got the version:

3.7.0

What is Jonah's cracked password?

Once you know the Joomla version, search for "joomla 3.7.0 python-script", as hinted by THM. You will find "JoomBlah". Download the script using wget and run it with python3 joomblah.py IP; it returns the user "jonah" together with the password hash. Save the hash to a file and run hashid on it. Once you have identified the hash type (bcrypt), run john --format=bcrypt --wordlist=/path/to/wordlist hash-file to get the password.

spiderman123

What is the user flag?

Go to "http://IP/administrator" and log in with the discovered credentials. In the administrator console, navigate to Templates and replace the "index.php" template with a PHP reverse shell. Then start a listener with nc -lnvp PORT and browse to "http://IP/templates/beez3/index.php" to establish the shell. From the shell, run cat /var/www/html/configuration.php. The PHP file contains a password for the user "jjameson", so you can run su jjameson and enter that password to switch users. Then run cat /home/jjameson/user.txt to get the flag.

27a260fe3cba712cfdedb1c86d80442e
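
Seen from the defender's side, the steps so far leave an ordered trail in the web server's access log: the language-manifest version lookup, a POST to the administrator console, and a direct request for a template's index.php. The following is an added example, not part of the original write-up, that correlates those three requests per client. It assumes the combined log format and that template files are not normally requested directly; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Ordered stages from the walkthrough: (name, method, path regex, required status or None).
STAGES = [
    ("version_probe", "GET", re.compile(r"^/language/en-GB/en-GB\.xml$"), "200"),
    ("admin_post", "POST", re.compile(r"^/administrator(/|$)"), None),
    ("template_direct", "GET", re.compile(r"^/templates/[^/]+/index\.php$"), None),
]
# Combined log format: ip, ident, user, [time], "METHOD target proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (addresses and timestamps are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:13 +0000] "GET /language/en-GB/en-GB.xml HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.4 - - [01/Jan/2024:10:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:09:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:10:02 +0000] "GET /templates/beez3/css/layout.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:15:27 +0000] "GET /templates/beez3/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is not a log entry
"""

def stages_reached(log_text):
    """Map each client IP to the stage names it completed, in the expected order."""
    reached = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines instead of failing
        ip, method, target, status = m.groups()
        nxt = len(reached[ip])
        if nxt == len(STAGES):
            continue  # chain already complete for this client
        name, want_method, path_re, want_status = STAGES[nxt]
        path = target.split("?", 1)[0]  # match on the path, not the query string
        if method == want_method and path_re.match(path) and want_status in (None, status):
            reached[ip].append(name)
    return {ip: names for ip, names in reached.items() if names}

def full_chain(log_text):
    """Return the sorted client IPs that completed every stage in order."""
    return sorted(ip for ip, n in stages_reached(log_text).items() if len(n) == len(STAGES))

if __name__ == "__main__":
    print(full_chain(SAMPLE_LOG))
```

A client that only completes the first stage still appears in the output of stages_reached, which is useful as a lower-severity signal.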

What is the root flag?

To read the root flag we have to become the root user. Run sudo -l, which shows that jjameson is allowed to run yum with sudo rights. Use GTFOBins to find a way to escalate your privileges to root. Follow the instructions provided by GTFOBins and you get a shell as root. Run cat /root/root.txt to get the flag.

eec3d53292b1821868266858d7fa6f79

Credits

Found another way to compromise the machine or want to assist others in rooting it? Keep an eye on the forum post located here.

No answer needed