Typhoon 1.02: A Vulnhub VM Walkthrough

Tushar Routray
4 min read · Nov 28, 2018

Hi everyone, this is my first write-up, for the VM Typhoon 1.02 from Vulnhub. It covers the steps from scanning to getting a shell as a normal user, followed by post-exploitation to become the root user.

Summary:

Typhoon is a vulnerable VM that contains several loopholes which require enumeration skill to find. It was not too hard (it is an intermediate-level machine), but you do have to spend some time on enumeration.

This VM was developed by PrismaCSI and contains vulnerabilities such as privilege escalation and remote command execution.

Enumeration:

After setting up the VM in my VirtualBox environment, I ran a port scan of the host with the following command:

nmap -sV -T4 10.0.2.6 -oA demo

[Figure: Nmap scan result]

After getting the open ports and the respective services with their versions, I enumerated each service and looked for vulnerabilities.

Below, I tried an anonymous login to FTP and the server allowed the connection.

[Figure: Anonymous login]

Similarly, I opened the host in a browser, since an Apache server was running on port 80, and found a web application running there.

Going further, I ran a nikto scan against the host and found some interesting directories.

[Figure: Nikto scan result]

After that, in the ‘/cms/’ directory, I found a content management system running, known as “LotusCMS”.

Clicking the login option redirected me to the CMS login index page.

Then I searched for the default credentials for this CMS login and found that this CMS is vulnerable to a remote code execution vulnerability in its use of the eval() function.

Browsing through the link, I found that Metasploit provides an exploit for this vulnerability.

Exploitation:

I opened msfconsole in Kali Linux and used the below exploit.

After that I set the values for RHOST and the URI where the CMS is running in the application, and also the payload, LHOST and LPORT for the exploit.

When I ran the ‘exploit’ command my reverse shell executed and I got a meterpreter session.

After getting the meterpreter session I spawned an interactive bash shell and found that the user is ‘www-data’ with id 33.

So next I had to do post-exploitation to become the root user.

Post-Exploitation (Local Privilege Escalation):

After getting into the system I checked the version of the operating system using the below command:

uname -a

After getting the Linux version I searched for exploits using ‘searchsploit’ and found that this specific Linux kernel version is vulnerable to a local privilege escalation in “overlayFS”.

Then I copied the exploit to my desktop and ran a Python HTTP server there, so that the exploit could be fetched from the target host, with the below command:

python -m SimpleHTTPServer 9000

I used the wget command to copy the exploit from my Kali machine to the ‘/tmp’ directory of the target host (only the tmp directory had write permission for copying files).

I compiled the exploit on the target machine using the below command:

gcc <exploitname> -o <outputfile name>

When I ran the compiled file I became the root user, escalating from the normal user.

I then spawned the sh shell into an interactive bash shell using the command ‘/bin/bash -i’.
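Two of the host weaknesses this chain leaned on, the anonymous FTP login found during enumeration and the writable, executable /tmp used to drop and compile the kernel exploit, are cheap to check for on a host you defend. The script below is an added example, not part of the original write-up or of the Typhoon VM; it assumes the FTP daemon is vsftpd (whose upstream default for anonymous_enable is YES when the key is absent) and reads mount options from a /proc/mounts-style file, with constructed sample inputs so it runs offline.

```shell
#!/bin/sh
# Added hardening check (not from the original write-up). Assumptions: the FTP
# server is vsftpd, and the mounts file follows the /proc/mounts column layout.

# ftp_anon_enabled CONF : exit 0 if CONF allows anonymous FTP login.
ftp_anon_enabled() {
    # Last effective assignment wins; commented-out lines are skipped by the anchor.
    val=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -z "$val" ] && return 0        # key absent: vsftpd upstream default is YES
    [ "$(printf '%s' "$val" | tr 'a-z' 'A-Z')" = "YES" ]
}

# tmp_is_exec MOUNTS : exit 0 if /tmp allows execution according to MOUNTS.
tmp_is_exec() {
    opts=$(awk '$2 == "/tmp" { opts = $4 } END { print opts }' "$1")
    [ -z "$opts" ] && return 0       # no dedicated /tmp mount: inherits the root filesystem
    ! printf '%s\n' "$opts" | tr ',' '\n' | grep -qx noexec
}

# Constructed sample inputs (not captured from the VM) so the script runs offline.
work=$(mktemp -d)
printf 'listen=YES\n# anonymous_enable=NO\nanonymous_enable=YES\n' > "$work/vsftpd.conf"
printf '/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n' > "$work/mounts"

if ftp_anon_enabled "$work/vsftpd.conf"; then
    echo "FINDING: anonymous FTP login is enabled"
fi
if tmp_is_exec "$work/mounts"; then
    echo "FINDING: /tmp is executable; mount it with noexec,nosuid,nodev"
fi
rm -rf "$work"
```

Both sample inputs trigger a finding; a noexec /tmp only blocks the compile-and-run step, so the kernel still needs patching for the overlayFS issue itself.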

Root FLAG:

After becoming the root user on the server, all that remains is to read the flag.

There are more ways to become the root user and compromise the system. Try harder (Happy Hacking).
