Typo 1 Vulnhub Walkthrough


This was a very good machine for people who want realistic OSCP-style machines.
The description is given below:
Welcome to “Typo”
This VM is an intermediate level and you will enjoy while playing with its services and the privileges. There are things which you will learn with this box.
Goal: Get the root flag of the target.
Difficulty: Medium/Intermediate Level
Note: Set Domain Name — typo.local
Need hints? Twitter @akankshavermasv
DHCP is enabled
Your feedback is really valuable for me! Twitter @akankshavermasv
Was there something that you didn’t like about this VM?
Please let me know so that I can make more interesting challenges in the future.
Good Luck..!!!
This works better with VirtualBox rather than VMware

Let's get started. As usual, we start off with an nmap scan.

Enumerating the services, we found two interesting ones. One was the TYPO3 CMS on port 80

And phpMyAdmin on port 8081

We tried the default creds root:root and we were able to log in :)
Since we knew that port 80 had a CMS running, we enumerated the database related to it and found two users and their hashed passwords, one of them being the admin user.

The passwords appeared to be hashed with argon2id. We read up on it and found a website that generates such hashes. We generated one for the password admin. Below is a screenshot of that

We copied the hash in encoded form into the admin password field in phpMyAdmin

And we moved over to the TYPO3 CMS login and were able to log in as admin :)
In a CMS, a general rule is to find a file manager to upload files. We found the file manager but couldn't upload a PHP file. We tried various techniques to bypass the restriction but were unsuccessful, so we went online to the TYPO3 documentation.
The documentation describes a file, LocalConfiguration.php, which controls which file extensions are allowed and not allowed to be uploaded. Enumerating the settings of this CMS, we found the area which modifies LocalConfiguration.php:

We changed the option for file extensions to null, which means any type of file can be uploaded:

We then uploaded our shell in the file-list option

We navigated to where the file was uploaded and got our shell

Now it was time to escalate privileges. We ran the linux-smart-enumeration script to check for misconfigurations. We got two SUID binaries, i.e. apache2-restart and phpunit. We were interested in apache2-restart because it seemed like an unusual binary. We tried to cat it and got this

Among this gibberish, we can see that this binary executes the shell command “service apache2 start” in the context of root. Because the command is called by name rather than by absolute path, we can escalate to root using the PATH-based privilege escalation technique. You can refer to the hacking articles for more info about this attack.
Now it was root time! We executed the above attack on the service binary and got root

And we got our root flag.
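For anyone maintaining a wrapper like apache2-restart, here is an added example (not the VM's source and not from the original write-up) showing a check for command strings that are resolved through $PATH and a hardened launch pattern. The function names and the `/usr/sbin/service` location are assumptions.

```c
/* Added example: hypothetical hardened wrapper, not the VM's actual source. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 if the shell would find the command's first word by searching
 * $PATH (the word contains no '/'). A SUID binary that passes such a string
 * to system() runs whatever the caller's PATH points at. */
int resolves_via_path(const char *cmdline)
{
    size_t n = strcspn(cmdline, " \t");          /* length of the first word */
    return n > 0 && memchr(cmdline, '/', n) == NULL;
}

/* Hardened pattern: absolute path, no shell, fixed environment.
 * Returns the child's exit status, or -1 on failure. */
int run_fixed(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    if (abs_path[0] != '/')
        return -1;                               /* refuse PATH-resolved names */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);       /* caller's environment is dropped */
        _exit(127);                              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Weak form, as seen in the binary's strings: system("service apache2 start") */
    const char *weak = "service apache2 start";
    printf("resolved via PATH: %d\n", resolves_via_path(weak));

    /* Assumed location of service on Debian/Ubuntu; adjust for the host. */
    char *const argv[] = { "service", "apache2", "start", NULL };
    return run_fixed("/usr/sbin/service", argv);
}
```

Where a privileged restart is really needed, a sudoers rule scoped to the one absolute command avoids shipping a SUID binary at all.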

And that was it. Highly recommend this machine for OSCP aspirants.
