Typo 1: VulnHub CTF walkthrough (part 1)
In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named Akanksha Sachin Verma. As per the description given by the author, it is an intermediate-level challenge. The goal is to get root access of the machine and read the root flag.
You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF here.
You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.
For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on VulnHub and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.
Please note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
- Getting the target machine IP address by running the VM
- Getting open port details by using the Nmap tool
- Enumerating HTTP port 80 service with the Dirb utility
- Enumerating HTTP port 8000 and 8080 service with the Dirb utility
- Taking advantage of phpMyAdmin
- Logging in into the application and exploiting a vulnerability
After running the downloaded virtual machine in VirtualBox, it will automatically be assigned an IP address from the network DHCP, and that IP address will be visible on the login screen. The target machine IP address can be seen in the following screenshot:
The target machine IP address is 192.168.1.103 and I will be using 192.168.1.102 as an attacker IP address.
Note: The target machine IP address may be different in your case, as it is assigned by the network DHCP.
Unlike my other CTFs, this time we do not need to run the netdiscover command to get the target IP address. The next step is to scan the target machine with the Nmap tool.
In this step, we will scan the target machine by using the popular port scanning tool Nmap. It is used to identify the open ports and services on the target machine and will help us to proceed further. The running command and the output of the Nmap scan can be seen in the following screenshot.
Command used: nmap -p- -sV 192.168.1.103
The output of the Nmap scan shows that five ports are identified as open on our target machine; four of them are running an HTTP service and one is running SSH. In the next step, we will start enumerating the HTTP ports.
As we have already identified that port 80 is available, let’s open the target machine IP address on the browser.
As shown in the highlighted area of the above screenshot, we opened the IP in the browser and got a “page not found” error. After looking at the other details on the page, we found a hint on the webpage: “Typo3”. We are going to use the Dirb tool on port 80 to enumerate possible files and directories on the target machine.
Command used: dirb http://192.168.1.103
In the above screenshot, we can see that the Dirb scan generated a large output. Looking closely at the identified files and directories, we found a “typo3” directory on the target machine, which can be seen in the highlighted area of the above screenshot.
After that, we opened the directory in the browser, which takes us to a login page. It can be seen in the following screenshot:
In the above screenshot, we tried to access the “typo3” directory on the browser and found a login page. At first, we tried some default username and password combinations, but it did not work here. We also tried SQL injection to bypass the login page, but it also did not seem to be working in our case. So, I decided to move to the next port to further explore the target machine.
As we know from the Nmap result, our target machine has other HTTP ports. I opened the HTTP port 8000 on the browser and once again saw just a default page. In order to get some hidden directories, I ran the Dirb utility on this port. The running commands and their output can be seen in the following screenshot:
Command used: dirb http://192.168.1.103:8000
As can be seen in the highlighted area of the above screenshot, the Dirb tool does not show any result. I scanned the target machine using Nikto Vulnerability Scanner and Dirbuster, but none of them provided much useful information. As there was nothing found here to help us proceed, I decided to work on the next open port.
Another HTTP port was port 8080. We opened it in the browser and got the same default page again. As a next step, we ran the Dirb scan again on port 8080. The output of the Dirb tool can be seen in the following screenshot:
Command used: dirb http://192.168.1.103:8080
As can be seen in the highlighted area of the above screenshot, we found a file called “phpinfo.php” on the target system.
We checked the file, but it only gave us information about the running services and their versions, which was not helpful in our case. I also used other file and directory enumeration scanners, Dirbuster with a different dictionary and the Nikto vulnerability scanner, but we got no further clues from those.
Let’s move on to the next open port, 8081, which is again running an HTTP service. We opened this port in the browser and got the same default page, so we quickly started the Dirb. Finally, this time we got an interesting result:
Command used: dirb http://192.168.1.103:8081
The Dirb tool output shows that there is a phpMyAdmin folder on our target machine. So far, we have enumerated all the HTTP ports with multiple enumeration tools; we only found a web application on port 80, but we do not know the username and password for logging in. We also found the phpMyAdmin URL on port 8081. In the next step, we’ll explore it further.
Let’s open phpMyAdmin in the browser, which can be seen in the below screenshot.
The screenshot shows the phpMyAdmin login page. I tried various default username and password combinations for phpMyAdmin, and one of them worked and allowed us to log into the database.
- Username: root
- Password: root
After getting into the database, we saw that the Typo3 database was available. I found the user table where the username and password details were being stored. It can be seen in the highlighted area of the following screenshot.
We have the login details for the Typo3 application, but the password is stored as a hash. One option would be to try cracking the password hash, which could take a long time. A faster way is to identify the password hash algorithm, generate a hash for a new password of our choice and update it in the database.
We did some more analysis and identified a website through which we are able to generate a new password, which can be seen in the following screenshot.
As can be seen in the highlighted area of the above screenshot, we generated the password hash for “Admin” by clicking on the Generate Hash button. As we have the root password for phpMyAdmin, we then updated the password in the database.
In the above screenshot, we have updated the new password in the database for the “admin” user. We have the Typo3 username and password to login. So, in the next step, we will use these credentials to log in.
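As an added example, not taken from the original walkthrough or from TYPO3's own code, here is a small Python helper for the “identify the hash algorithm, then generate a replacement” step above: it names the algorithm from the crypt-style prefix of the stored value and implements the portable phpass “$P$” format in pure Python, so a hash can be verified or regenerated offline. Which generator website the author used, and which of the formats the stored hash actually had, is not stated on the page, so phpass here is an assumption; the test value is the reference pair shipped with phpass itself.

```python
import hashlib
import os

# Crypt-style prefixes commonly seen in CMS password columns; only phpass is implemented here.
HASH_PREFIXES = {"$argon2id$": "argon2id", "$argon2i$": "argon2i", "$2y$": "bcrypt",
                 "$2a$": "bcrypt", "$pbkdf2-sha256$": "pbkdf2-sha256", "$P$": "phpass",
                 "$1$": "md5-crypt"}
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def identify_hash(stored: str) -> str:
    """Name the algorithm implied by the stored hash's prefix, or 'unknown'."""
    return next((n for p, n in HASH_PREFIXES.items() if stored.startswith(p)), "unknown")


def _encode64(data: bytes) -> str:
    """phpass's own unpadded, little-endian base64 over the ITOA64 alphabet."""
    out = []
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, "little")
        for j in range(len(chunk) + 1):  # 2, 3 or 4 chars per 1, 2 or 3 bytes
            out.append(ITOA64[(value >> (6 * j)) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Hash `password` under a 12-char phpass setting: "$P$" + cost char + 8-char salt."""
    if not setting.startswith("$P$") or len(setting) < 12:
        raise ValueError("not a phpass setting")
    count = 1 << ITOA64.index(setting[3])  # cost char encodes log2(iterations)
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):  # iterated MD5 is phpass's key stretching
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    return identify_hash(stored) == "phpass" and phpass_crypt(password, stored[:12]) == stored


def phpass_generate(password: str, cost_log2: int = 11) -> str:
    """Fresh hash with a random 8-char salt: the equivalent of the 'Generate Hash' button."""
    return phpass_crypt(password, "$P$" + ITOA64[cost_log2] + _encode64(os.urandom(6)))
```

The point for defenders is that no cracking was needed: whoever can write to the CMS user table, here via default phpMyAdmin credentials, can replace the hash and own the application, so database access deserves the same protection as the admin login.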
From step 3, we know that the Typo3 web application is running on port 80; from the previous step, we know the username and password to log in. Let’s try to log into the application, which can be seen in the following screenshot:
- Username: admin
- Password: Admin
As we can see above, the login was successful, and we are able to access the Typo3 application as admin user.
The first thing which we observed after the login is the Typo3 CMS version, which was 10.3.0. We checked the web for vulnerabilities in the CMS version but couldn’t find anything to exploit it.
We started enumerating the application for further vulnerabilities. During the analysis, we found an older version of the file manager extension that is vulnerable to code execution.
We will explore this vulnerability and exploit it on the target machine in the next part of this article.
TYPO: 1, VulnHub
Download TYPO: 1, Google Drive
Download TYPO: 1, VulnHub
Download TYPO: 1, VulnHub (torrent)