Exploitation of Typhoon 1.02

This article explains the exploitation of the VM Typhoon 1.02 from VulnHub. It covers the steps from scanning to obtaining a normal user shell, followed by post-exploitation to become the root user.

Summary:

Typhoon is a vulnerable VM that contains several loopholes which require enumeration skill to find. It was not that hard (it is an intermediate-level machine), but you do have to spend some time on enumeration.

This VM was developed by PrismaCSI and contains vulnerabilities such as privilege escalation, remote command execution, etc.

Enumeration with Nmap:

After setting up the VM in my VirtualBox environment, I ran a port scan of the host with the following command:

nmap -sV -T4 10.0.2.6 -oA demo

Nmap scan result

After obtaining the open ports and their respective services and versions, I enumerated each service and did a vulnerability analysis for it.
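As an added example that is not part of the original walkthrough: the -oA option also writes a grepable .gnmap file, and a small parser for it turns the scan into an inventory and flags the services reviewed next (FTP and HTTP). The scan lines it parses are constructed here, not the author's actual results.

```python
"""Parse nmap -oA grepable output (the .gnmap file) into an inventory of open
ports per host and flag services that warrant a configuration review."""
import re
from collections import defaultdict

# Constructed .gnmap content standing in for demo.gnmap; not the article's scan.
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated as: nmap -sV -T4 -oA demo 10.0.2.6
Host: 10.0.2.6 ()\tStatus: Up
Host: 10.0.2.6 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/, 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 631/closed/tcp//ipp///\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up)"""

# The services the walkthrough probes first; a defender reviews the same ones.
REVIEW_SERVICES = {
    "ftp": "verify anonymous login is disabled",
    "http": "check for unmanaged web applications (e.g. a CMS under /cms/)",
}

# gnmap port entry: port/state/proto/owner/service/rpcinfo/version/
# (owner and rpcinfo are normally empty, hence the doubled slashes)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                inventory[host].append((int(port), proto, service, version.strip()))
    return dict(inventory)


def review_findings(inventory):
    """Return (host, port, service, note) for each open service needing review."""
    findings = []
    for host, ports in inventory.items():
        for port, _proto, service, _version in ports:
            if service in REVIEW_SERVICES:
                findings.append((host, port, service, REVIEW_SERVICES[service]))
    return findings


if __name__ == "__main__":
    for finding in review_findings(parse_gnmap(SAMPLE_GNMAP)):
        print(finding)
```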

Below, I tried an anonymous login to FTP, and the server allowed the connection.

Anonymous Login

Similarly, I opened the host in the browser, since an Apache server was running on port 80, and found an application running there.

Typhoon application in the browser

Nikto Scanning:

Going further, I ran a Nikto scan against the host and found some interesting directories.

Nikto scan result

After that, in the ‘/cms/’ directory, I found a content management system running, known as “LotusCMS”.

cms directory

By clicking on the login option, I was redirected to the CMS login index page.

LotusCMS

Then I searched for the default credentials for this CMS login and found that this CMS is vulnerable to a remote code execution vulnerability in its eval() function.

LotusCMS default credentials eval() remote code execution vulnerability

Browsing through the link, I found that Metasploit provides an exploit for this vulnerability.

Metasploit provides one exploit for the vulnerability

Exploitation:

I opened msfconsole in Kali Linux and used the exploit below.

msfconsole in Kali Linux

After that, I set the values for RHOST and the URI where the CMS is running in the application, as well as the payload, LHOST and LPORT for the exploit.

Set the values for RHOST, URI, LHOST, LPORT for the exploit.

When I ran the ‘exploit’ command, my reverse shell was executed and I got a Meterpreter session.

Meterpreter session

After getting the Meterpreter session, I spawned an interactive bash shell and found that the user is ‘www-data’ with uid 33.

So next I had to do post-exploitation to become the root user.

Post-Exploitation (Local Privilege Escalation):

After getting into the system, I checked the version of the operating system using the command below:

uname -a

After getting the Linux version, I searched for exploits using ‘searchsploit’ and found that this specific Linux kernel version is vulnerable to a local privilege escalation in “overlayFS”.

overlayFS

Then I copied the exploit to my desktop and ran a Python HTTP server there to transfer the exploit to the target host, using the command below.

python -m SimpleHTTPServer 9000

I used the wget command to copy the exploit from my Kali machine to the ‘/tmp’ directory of the target host (only the /tmp directory was writable).

wget command

I compiled the exploit on the target machine using the command below:

gcc <exploitname> -o <outputfile name>

When I ran the compiled binary, the privilege escalation turned my normal user shell into a root shell.

I then spawned the sh shell into an interactive bash shell using the command ‘/bin/bash -i’.

Root FLAG:

After becoming the root user on the server, the flag can be read.

Root flag

There are more ways to become the root user and compromise this system. Try harder (Happy Ethical Hacking)!
