## https://sploitus.com/exploit?id=C8FC4CA4-5F59-5A0E-93B1-B2749CBBD36E
# Full-Lifecycle CMS Penetration Testing (Joomla 4.2.5)
## ๐ Project Overview
This project demonstrates a full-lifecycle penetration test conducted on an open-source CMS (Joomla 4.2.5). The entire test follows standard methodologies (OWASP/PTES) from lab deployment up to exploitation, post-exploitation, and administrative account takeover.
---
## ๐ ๏ธ Phase 1: Lab Setup & Environment
To ensure safety and simulation of real-world scenarios, the target environment was containerized using Docker.
* **OS:** Ubuntu VMs via SSH connection.
* **Target:** Joomla 4.2.5 running on PHP 7.4 & Apache.
* **Database:** MySQL 5.7.
### Configuration (Docker Compose)
The environment was deployed using the following configuration:
```yaml
services:
db:
image: mysql:5.7
command: --default-authentication-plugin=mysql_native_password
restart: always
environment:
MYSQL_ROOT_PASSWORD: rootpassword
MYSQL_DATABASE: joomla_db
MYSQL_USER: joomla_user
MYSQL_PASSWORD: joomlapassword
volumes:
- db_data:/var/lib/mysql
joomla:
image: joomla:php7.4-apache
restart: always
ports:
- "8080:80"
environment:
JOOMLA_DB_HOST: db
JOOMLA_DB_USER: joomla_user
JOOMLA_DB_PASSWORD: joomlapassword
JOOMLA_DB_NAME: joomla_db
volumes:
- joomla_data:/var/www/html
depends_on:
- db
volumes:
db_data:
joomla_data:
```
---
## ๐ Phase 2: Reconnaissance & Scanning
Acting as an attacker, network and CMS-specific scanning tools were deployed from Kali Linux:
1. **Nmap:** Conducted to identify open ports and services on port `8080`.
2. **JoomScan / CMSeek:** Utilized to fingerprint the exact CMS version (`Joomla 4.2.5`).
---
## โก Phase 3: Vulnerability Analysis & Exploitation
Based on the version fingerprinting, vulnerability research led to discovering **CVE-2023-23752** (Improper Access Control in Joomla Core API).
### Attack Execution:
Using Metasploit Framework (`msfconsole`), the specialized exploit module was executed against the target:
* **Module:** `auxiliary/gather/joomla_vulnerable_config_disclosure`
* **Result:** Successfully extracted clear-text database credentials (`joomla_user` / `joomlapassword`).
---
## ๐ Phase 4: Post-Exploitation & Account Takeover
In a real-world assessment, misconfigurations often cascade. To test for **Credential Reuse**, the leaked database password was utilized to attempt an administrative takeover:
1. Navigated to the Joomla administrator login dashboard (`/administrator`).
2. Tested the extracted database password against the Admin login panel.
3. Successfully authenticated as the **Super User**, gaining full administrative access to the CMS core configuration without triggering any alerts.
---
## ๐ Phase 5: Remediation & Mitigation
To secure the system against CVE-2023-23752:
* **Update:** Upgrade Joomla to version `4.2.8` or higher immediately.
* **Network Security:** Restrict access to the `/api` endpoints using Web Application Firewalls (WAF) or server-level configuration blocks.