Typhoon: 1.02 Write-Up
Hi,
In this write-up, we are going to examine some of the vulnerabilities that Typhoon has.
Typhoon 1.02: https://www.vulnhub.com/entry/typhoon-102,267/
by PrismaCSI.
Let’s begin with pinging the target to see if it is up and running.
As we can see from the Time To Live value, which is 64, our target is a Linux machine.
Let’s find some open ports and which services are running on those ports.
Nmap found 24 open ports. Let’s analyze what vulnerabilities are there for us to exploit.
Port 21 — FTP:
Let’s see if there is any vulnerability for this version: vsftpd 3.0.2
searchsploit came up with nothing; let’s ask Google if it knows something.
Nope, it does not.
We already know from the nmap result that we can log in as anonymous. Let’s try that.
It’s empty? I wonder why, really.
Let’s use a brute-force attack to find usernames and passwords.
It took a very long time, so I stopped it once we had one credential.
admin:metallica
Port 22 — SSH:
Version: OpenSSH 6.6.1p1
Let’s run a brute-force attack against SSH.
I created a user list containing “admin, root and typhoon” and used rockyou as the password list.
After waiting long enough, we have a username and a password.
admin:metallica
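Both the FTP and SSH credentials above were recovered by brute force, which is the loudest thing an attacker can do on a host: every guess leaves a line in the SSH daemon's auth log. The following detection script is an added example, not part of the original write-up or of the Typhoon VM; it parses a constructed sample of sshd lines in the Debian/Ubuntu auth.log format (hostname, PIDs and addresses are made up), flags any source that produces a burst of failed logins within a short window, lists the usernames it tried, and notes whether a successful login followed the burst, which is the pattern that turns a "noisy scan" alert into a "probable compromise" alert.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines as they appear in /var/log/auth.log
# (hostname, PIDs and source addresses are invented for this example).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 typhoon sshd[1201]: Failed password for invalid user root from 192.0.2.10 port 50011 ssh2
Jan 10 10:00:02 typhoon sshd[1202]: Failed password for admin from 192.0.2.10 port 50012 ssh2
Jan 10 10:00:02 typhoon sshd[1203]: Failed password for invalid user typhoon from 192.0.2.10 port 50013 ssh2
Jan 10 10:00:03 typhoon sshd[1204]: Failed password for admin from 192.0.2.10 port 50014 ssh2
Jan 10 10:00:03 typhoon sshd[1205]: Failed password for admin from 192.0.2.10 port 50015 ssh2
Jan 10 10:00:04 typhoon sshd[1206]: Accepted password for admin from 192.0.2.10 port 50016 ssh2
Jan 10 10:07:30 typhoon sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 10:09:00 typhoon sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# One regex covers both "Failed password for [invalid user] X" and "Accepted <method> for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Turn auth.log text into (timestamp, result, user, src) tuples; unrelated lines are skipped.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src: report} for every source with at least `threshold` failed logins
    inside any `window_seconds` span. The report records how many failures were seen,
    which usernames were tried, and whether an accepted login came after the burst."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        # Sliding window: compare failure i with failure i+threshold-1.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds:
                burst_end = failures[j][0]
                break
        if burst_end is None:
            continue
        success_after = any(e[1] == "Accepted" and e[0] >= burst_end for e in evs)
        alerts[src] = {
            "failures": len(failures),
            "users_tried": sorted({e[2] for e in failures}),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, report in find_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        verdict = "PROBABLE COMPROMISE" if report["success_after_burst"] else "brute-force attempt"
        print(f"{src}: {verdict}, {report['failures']} failures, users {report['users_tried']}")
```

In the sample, 192.0.2.10 produces five failures in three seconds and then an accepted password login, so it is reported as a probable compromise; 198.51.100.7 has a single typo followed by a key-based login and is not reported. The threshold and window are the knobs a fail2ban-style rule would expose, and the "accepted after burst" bit is what should page someone rather than just get logged.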
Port 25 — SMTP:
SMTP (Simple Mail Transfer Protocol) is a set of communication guidelines that allows applications to perform communication tasks over the internet, including email. It is part of the TCP/IP protocol suite and is used to move email across the network.
Let’s enumerate it using the Metasploit module called smtp_enum:
Port 80 — HTTP:
Let’s use the gobuster tool to find directories.
Drupal:
Drupal is free, open source software that can be used by individuals or groups of users — even those lacking technical skills — to easily create and manage many types of Web sites. The application includes a content management platform and a development framework.
I tried to find the default credentials, but according to a comment on drupal.org, there aren’t any.
It uses Drupal 8. There must be an exploit we can use.
Let’s use the unix/webapp/drupal_drupalgeddon2 Metasploit module to see if we can get access to the machine.
And we got a meterpreter session on the target.
phpMyAdmin:
Let’s try a brute-force attack using Burp Suite.
It took a very long time. Let’s try to find default credentials, as we did for Drupal.
root:toor
And we are in.
XVWA Admin Password: 21232f297a57a5a743894a0e4a801fc3 — admin — Possible algorithms: MD5
DVWA Admin Password: 5f4dcc3b5aa765d61d8327deb882cf99 — password — Possible algorithms: MD5
Calendar Admin Password: 5f4dcc3b5aa765d61d8327deb882cf99 — password — Possible algorithms: MD5
MySQL Root Password: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 — Possible algorithms: MySQL4.1/MySQL5
There is a flag in a database table: an0ther_fl4g_br0!
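The hashes above fell instantly because they are unsalted single-round digests of dictionary words: two accounts even share the same MD5 value, which alone tells you they use the same password. The script below is an added example, not code from the write-up or the VM. It reproduces the "Possible algorithms" guess from the digest length, checks each recovered hash (the values are the ones listed above; the labels and the candidate list are constructed) against a handful of well-known weak passwords exactly as a password audit would, and then shows the hardened counterpart: a salted, iterated PBKDF2 hash with a constant-time verify, so two users with the same password get different stored values and one candidate cannot be tested against every account at once.

```python
import hashlib
import hmac
import os
import re

# Hash values as listed in the write-up; labels and the candidate list are constructed here.
RECOVERED_HASHES = [
    ("XVWA admin", "21232f297a57a5a743894a0e4a801fc3"),
    ("DVWA admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("Calendar admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("MySQL root", "9CFBBC772F3F6C106020035386DA5BBBF1249A11"),
]
COMMON_PASSWORDS = ["admin", "password", "root", "toor", "123456", "tomcat"]


def identify(h):
    """Guess the algorithm from the digest length, as the 'Possible algorithms' column does."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return "MD5"
    if re.fullmatch(r"[0-9a-fA-F]{40}", h):
        return "MySQL4.1/MySQL5"
    return "unknown"


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def mysql41_hex(pw):
    # MySQL 4.1+ PASSWORD() is SHA1(SHA1(pw)) in upper-case hex; the leading '*' is dropped here.
    return hashlib.sha1(hashlib.sha1(pw.encode()).digest()).hexdigest().upper()


HASHERS = {"MD5": md5_hex, "MySQL4.1/MySQL5": mysql41_hex}


def audit(records, candidates):
    """Return {label: (algorithm, matched_weak_password_or_None)} for each (label, hash).
    Because the digests are unsalted, one table of candidate hashes serves every record."""
    findings = {}
    for label, h in records:
        algo = identify(h)
        hasher = HASHERS.get(algo)
        match = None
        if hasher:
            lookup = {hasher(c).lower(): c for c in candidates}
            match = lookup.get(h.lower())
        findings[label] = (algo, match)
    return findings


# Hardened storage: a random 16-byte salt and an iterated KDF (PBKDF2-HMAC-SHA256 here,
# chosen because it ships in the standard library; bcrypt/scrypt/Argon2 are equally valid).
ITERATIONS = 600_000


def store_password(pw, salt=None):
    """Produce a self-describing record: algorithm$iterations$salt$derived_key (all hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for label, (algo, match) in audit(RECOVERED_HASHES, COMMON_PASSWORDS).items():
        print(f"{label:15} {algo:16} {'WEAK: ' + match if match else 'no match in candidate list'}")
    rec = store_password("password")
    print("salted record differs on every call:", rec != store_password("password"))
    print("verify ok:", verify_password("password", rec), "wrong:", verify_password("Password", rec))
```

The audit half is the same computation the write-up performed by hand, just in one place; the interesting output is that the DVWA and Calendar accounts collide before any candidate is even tried. The storage half is what the vulnerable apps should have been doing: the same password stored twice yields two unrelated records, and verification is the only operation that can confirm a guess.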
Lotus CMS:
There is an exploit called “LotusCMS 3.0 — ‘eval()’ Remote Command Execution”.
It worked manually.
There is also an RCE (Remote Code Execution) module for Lotus CMS in Metasploit.
Port 139,445 — SMB:
Let’s enumerate it using smbclient and enum4linux.
Port 6379 — Redis:
Working on it…
Port 8080 — Apache Tomcat/Coyote JSP engine 1.1:
Apache Tomcat provides software to run Java applets in the browser.
Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for JavaServer Pages (JSP).
Using the auxiliary/scanner/http/tomcat_mgr_login module, we found credentials.
tomcat:tomcat
We have obtained several nice reverse shells. Let’s use one of those to connect to our target; I prefer SSH.
ssh admin@<IP>
The password is metallica.
Let’s run the “sudo -l” command:
User admin may run the following commands on typhoon:
(ALL) ALL
Well…
There are, I believe, other vulnerabilities besides those we covered in this write-up.
I hope this write-up helps those who are interested in cyber security.