Share
## https://sploitus.com/exploit?id=C8FC4CA4-5F59-5A0E-93B1-B2749CBBD36E
# Full-Lifecycle CMS Penetration Testing (Joomla 4.2.5)

## ๐Ÿ“Œ Project Overview
This project demonstrates a full-lifecycle penetration test conducted on an open-source CMS (Joomla 4.2.5). The entire test follows standard methodologies (OWASP/PTES) from lab deployment up to exploitation, post-exploitation, and administrative account takeover.

---

## ๐Ÿ› ๏ธ Phase 1: Lab Setup & Environment
To ensure safety and simulation of real-world scenarios, the target environment was containerized using Docker. 
*   **OS:** Ubuntu VMs via SSH connection.
*   **Target:** Joomla 4.2.5 running on PHP 7.4 & Apache.
*   **Database:** MySQL 5.7.

### Configuration (Docker Compose)
The environment was deployed using the following configuration:
```yaml
services:
  db:
    image: mysql:5.7
    command: --default-authentication-plugin=mysql_native_password
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: joomla_db
      MYSQL_USER: joomla_user
      MYSQL_PASSWORD: joomlapassword
    volumes:
      - db_data:/var/lib/mysql

  joomla:
    image: joomla:php7.4-apache
    restart: always
    ports:
      - "8080:80"
    environment:
      JOOMLA_DB_HOST: db
      JOOMLA_DB_USER: joomla_user
      JOOMLA_DB_PASSWORD: joomlapassword
      JOOMLA_DB_NAME: joomla_db
    volumes:
      - joomla_data:/var/www/html
    depends_on:
      - db

volumes:
  db_data:
  joomla_data:
```

---

## ๐Ÿ” Phase 2: Reconnaissance & Scanning
Acting as an attacker, network and CMS-specific scanning tools were deployed from Kali Linux:
1.  **Nmap:** Conducted to identify open ports and services on port `8080`.
2.  **JoomScan / CMSeek:** Utilized to fingerprint the exact CMS version (`Joomla 4.2.5`).

 
 
 


---

## โšก Phase 3: Vulnerability Analysis & Exploitation
Based on the version fingerprinting, vulnerability research led to discovering **CVE-2023-23752** (Improper Access Control in Joomla Core API).

### Attack Execution:
Using Metasploit Framework (`msfconsole`), the specialized exploit module was executed against the target:
*   **Module:** `auxiliary/gather/joomla_vulnerable_config_disclosure`
*   **Result:** Successfully extracted clear-text database credentials (`joomla_user` / `joomlapassword`).



---

## ๐Ÿ”‘ Phase 4: Post-Exploitation & Account Takeover
In a real-world assessment, misconfigurations often cascade. To test for **Credential Reuse**, the leaked database password was utilized to attempt an administrative takeover:

1.  Navigated to the Joomla administrator login dashboard (`/administrator`).
2.  Tested the extracted database password against the Admin login panel.
3.  Successfully authenticated as the **Super User**, gaining full administrative access to the CMS core configuration without triggering any alerts.



---

## ๐Ÿ“ Phase 5: Remediation & Mitigation
To secure the system against CVE-2023-23752:
*   **Update:** Upgrade Joomla to version `4.2.8` or higher immediately.
*   **Network Security:** Restrict access to the `/api` endpoints using Web Application Firewalls (WAF) or server-level configuration blocks.