Updated: May 3, 2020
In this article we are going to solve another boot2root challenge, Typo: 1. This is a medium/intermediate level machine. It is a very interesting machine and we can download it from VulnHub.
IP of the target: 192.168.43.8
Just like in other challenges, let's run nmap to check for open ports and the services running on the target system using the command:
sudo nmap -sC -sV -Pn 192.168.43.8
Many ports are open in this challenge. We decided to enumerate each of them one by one, but before that let's set the domain name to typo.local by adding an entry to the /etc/hosts file.
The first web port shows a simple message for the user and nothing else; port 8000 serves the same webpage, port 8080 gives us a blank page and port 8081 a HELLO message.
Now we decided to perform a directory brute force on each port one by one using the gobuster tool!
Port 80, command used:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.43.8:80
Before exploring these highlighted webpages, let's perform the same operation on the other ports too.
Nothing on port 8000 and port 8080; on port 8081 this is what we got.
Okay, now we have 3 useful webpages running on two different ports:
/phpmyadmin on port 8081, /typo3 on port 80, /fileadmin on port 80
We decided to open all of these: there is nothing in /fileadmin, and in /phpmyadmin and /typo3 we have login panels.
Now we tried some random credentials on /phpmyadmin like root:toor, admin:admin, Admin:password, Admin:Admin ... and we succeeded with root:root.
We are interested in the database TYPO3 because there we can find the credentials to log in to the typo3 CMS.
We tried to crack these hashes but failed. If we look more closely we can see that the hash type is argon2id, so instead of cracking we can generate an argon2id hash of a known password using https://argon2.online/ and replace the stored hash with it.
We generated the hash on this website using 12345678 as the salt and haclabs as the input, so the password is haclabs and the output in encoded form is: $argon2id$v=19$m=16,t=2,p=1$MTIzNDU2Nzg$+fD3+BcEiSM3qEPkDsVoIg
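To see what that encoded string actually carries, here is an added example (not part of the original walkthrough) that parses the argon2id hash above in PHC format and reports its cost parameters and salt. The thresholds used for the strength check are an assumption based on commonly cited Argon2id guidance; adjust them to your own policy. The same function can be run over every stored hash to spot ones generated with weak or human-chosen parameters, which is the kind of tampering described in this step.

```python
import base64
from dataclasses import dataclass
from typing import List

# Hash from the walkthrough above (salt "12345678", password "haclabs").
SAMPLE_HASH = "$argon2id$v=19$m=16,t=2,p=1$MTIzNDU2Nzg$+fD3+BcEiSM3qEPkDsVoIg"

# Assumed thresholds for the strength check (19 MiB / 2 iterations / 16-byte
# salt follow commonly cited Argon2id guidance); tune them to your own policy.
MIN_MEMORY_KIB = 19 * 1024
MIN_ITERATIONS = 2
MIN_SALT_BYTES = 16


@dataclass
class Argon2Hash:
    variant: str        # argon2i, argon2d or argon2id
    version: int        # 19 == 0x13, the current Argon2 version
    memory_kib: int     # m: memory cost in KiB
    iterations: int     # t: time cost (passes over memory)
    parallelism: int    # p: number of lanes
    salt: bytes
    digest: bytes


def _b64decode_unpadded(s: str) -> bytes:
    # PHC strings drop the "=" padding; restore it before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(phc: str) -> Argon2Hash:
    """Parse a PHC-format Argon2 string such as the one stored by TYPO3."""
    parts = phc.split("$")
    # The leading "$" gives an empty first element:
    # ["", variant, "v=19", "m=..,t=..,p=..", salt, digest]
    if len(parts) != 6 or parts[0] != "" or not parts[1].startswith("argon2"):
        raise ValueError("not an Argon2 PHC string")
    version = int(parts[2].split("=", 1)[1])
    params = dict(kv.split("=", 1) for kv in parts[3].split(","))
    return Argon2Hash(
        variant=parts[1],
        version=version,
        memory_kib=int(params["m"]),
        iterations=int(params["t"]),
        parallelism=int(params["p"]),
        salt=_b64decode_unpadded(parts[4]),
        digest=_b64decode_unpadded(parts[5]),
    )


def weak_points(h: Argon2Hash) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if h.memory_kib < MIN_MEMORY_KIB:
        findings.append(f"memory cost {h.memory_kib} KiB is below {MIN_MEMORY_KIB} KiB")
    if h.iterations < MIN_ITERATIONS:
        findings.append(f"time cost {h.iterations} is below {MIN_ITERATIONS}")
    if len(h.salt) < MIN_SALT_BYTES:
        findings.append(f"salt is only {len(h.salt)} bytes")
    # Heuristic: a random salt is very unlikely to be entirely printable ASCII,
    # so a printable one was probably typed in by a person rather than generated.
    if h.salt and all(32 <= b < 127 for b in h.salt):
        findings.append(f"salt {h.salt!r} looks human-chosen rather than random")
    return findings


if __name__ == "__main__":
    parsed = parse_argon2(SAMPLE_HASH)
    print(parsed)
    for finding in weak_points(parsed):
        print("-", finding)
```

Run against the hash above, the parser recovers m=16 KiB, t=2, p=1 and the salt b"12345678"; the tiny memory cost and the printable eight-byte salt are exactly what a hash written by hand through an online generator looks like, and what a routine audit of stored hashes should flag.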
We changed the hash successfully, and now let's log in to the typo3 CMS using the creds admin:haclabs.
We are logged in as admin successfully.
Now we need to upload our PHP reverse shell and execute it to get a reverse shell, but here files with the php extension are restricted. After a lot of manual searching inside the admin panel we found that we can lift this restriction by removing php from the denied extensions: visit Settings -> Configure Installation-Wide Options -> Backend (BE) -> [BE][fileDenyPattern], remove everything written there and click on Write configuration.
Now by visiting Filelist and then user we can upload our PHP script.
news.php is uploaded successfully and we can execute it by visiting the URL http://typo.local/fileadmin/user/news.php; don't forget to start the listener on the port specified in the script.
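The [BE][fileDenyPattern] setting is the only thing standing between the Filelist upload and executing PHP from /fileadmin. The added example below (not from the original walkthrough and not TYPO3's own code) mirrors that check: an empty pattern denies nothing, while a pattern modelled on TYPO3's shipped default (the exact string is an assumption; compare it with your own installation) rejects the usual executable extensions, including double extensions such as image.php.jpg. The probe file names are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumption: modelled on the default value TYPO3 ships for [BE][fileDenyPattern];
# compare with the exact string in your own installation before relying on it.
DEFAULT_FILE_DENY_PATTERN = (
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"
)

# Constructed probe names covering plain, numbered and double extensions.
PROBE_FILENAMES = [
    "news.php", "news.php7", "news.phtml", "shell.phar",
    "image.php.jpg", ".htaccess", "notes.txt", "report.pdf",
]
HARMLESS_PROBES = ["notes.txt", "report.pdf"]


def is_upload_denied(filename: str, deny_pattern: str) -> bool:
    """Mirror of the deny check: the pattern is matched case-insensitively
    against the file name, and an empty pattern denies nothing at all."""
    if not deny_pattern:
        return False
    return re.search(deny_pattern, filename, re.IGNORECASE) is not None


def accepted_uploads(deny_pattern: str,
                     probes: Optional[List[str]] = None) -> List[str]:
    """Return the probe names that would pass the deny check."""
    probes = PROBE_FILENAMES if probes is None else probes
    return [name for name in probes if not is_upload_denied(name, deny_pattern)]


def audit_deny_pattern(deny_pattern: str) -> Dict[str, object]:
    """Summarise how risky a configured pattern is: any executable probe
    name that gets through marks the configuration as UNSAFE."""
    accepted = accepted_uploads(deny_pattern)
    leaked = [n for n in accepted if n not in HARMLESS_PROBES]
    return {
        "pattern_is_empty": deny_pattern == "",
        "executable_names_accepted": leaked,
        "status": "UNSAFE" if leaked else "ok",
    }


if __name__ == "__main__":
    print("emptied pattern :", audit_deny_pattern(""))
    print("default pattern :", audit_deny_pattern(DEFAULT_FILE_DENY_PATTERN))
```

With the pattern emptied, every probe name is accepted; with the default-style pattern only notes.txt and report.pdf get through. A change to this setting is worth alerting on, since it is a one-click way of turning a CMS upload form into code execution, and the audit function gives a quick regression check after the value is restored.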
For privilege escalation we check for SUID binaries using the command: find / -perm -u=s -type f 2>/dev/null
We catch a second reverse shell in another terminal as well, so that in one terminal we can run the /usr/local/bin/apache2-restart binary and in the other we can run pspy to examine the processes going on.
Now let's run pspy using ./pspy
Till now we have nothing here; now let's run /usr/local/bin/apache2-restart in the first terminal.
It's clear that if we run /usr/local/bin/apache2-restart then the root user executes the command service apache2 start. Because service is invoked by bare name rather than by absolute path, it is looked up through the PATH variable, so we can prepend a directory we control to PATH and obtain a root shell.
cd /tmp
echo '/bin/bash' > service
chmod 777 service
export PATH=/tmp/:$PATH
/usr/local/bin/apache2-restart
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /root
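The root cause here is a privileged wrapper that calls service by bare name and inherits the caller's PATH. The added example below (not from the original walkthrough) audits a PATH string for entries a local user could write to, which is the check a defender would run against the environment seen by SUID binaries, cron jobs and sudo rules. The scenario it builds in a temporary directory is constructed, and trusted_uid is a parameter introduced for this example.

```python
import os
import stat
import tempfile
from typing import List


def insecure_path_entries(path_value: str, trusted_uid: int = 0) -> List[str]:
    """Report PATH entries where a local user could drop a file named after a
    command (such as 'service') that a privileged program invokes by bare name.
    trusted_uid is the owner every PATH directory is expected to have (root by
    default); it is a parameter introduced for this example."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            # An empty element (e.g. a trailing ':') means the current directory.
            findings.append(f"{entry!r}: current directory is searched")
            continue
        if not os.path.isabs(entry):
            findings.append(f"{entry}: relative entry, depends on the caller's cwd")
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            # A missing directory is not exploitable until someone can create it.
            continue
        mode = st.st_mode
        if mode & stat.S_IWOTH:
            # The sticky bit (/tmp style) does not help: anyone may still create
            # a new file there, which is all a PATH hijack needs.
            findings.append(f"{entry}: world-writable")
        elif mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append(f"{entry}: writable by gid {st.st_gid}")
        elif st.st_uid != trusted_uid:
            findings.append(f"{entry}: owned by uid {st.st_uid}, not uid {trusted_uid}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: a world-writable directory placed in front of a
    sane one, with a trailing ':' that silently adds the current directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dropdir = os.path.join(tmp, "dropdir")
        os.mkdir(dropdir)
        os.chmod(dropdir, 0o777)   # mkdir's mode is masked by umask, so set it explicitly
        safebin = os.path.join(tmp, "safebin")
        os.mkdir(safebin)
        os.chmod(safebin, 0o755)
        # The temp dirs are owned by the current user, so treat that uid as trusted here.
        return insecure_path_entries(f"{dropdir}:{safebin}:", trusted_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
    live = insecure_path_entries(os.environ.get("PATH", ""))
    print("live PATH:", live or "no findings")
```

The demo reports the world-writable directory and the implicit current directory, and leaves the root-style 0755 directory alone. The fix on the wrapper side is the mirror image of this check: reset PATH to a fixed list of root-owned directories and call service by its absolute path (/usr/sbin/service on Debian-based systems) before doing anything with root privileges.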
We are root now and this completes our challenge!