We start by scanning the host with nmap –A –T4 –p- 192.168.1.11 –vv
Using dirb on port 80 and port 8081 came with a results:
On page http://192.168.1.11/phpmyadmin/index.php we got the main login page where we can use root:root to access the page and take a look:
We got 2 users on the TYPO3 database one of them is the admin:
We can change the password of the admin but we cannot crack it as it’s an Argon2, searching google we got a website that we can use to make our password with:
Now let’s change the admin password with the one we generated it:
Visit the link http://192.168.1.11/typo3/index.php and login as admin and the password hacker:
I tried to upload a shell.php file but the site is configures to not upload any php file, so what we need to do is to go to Settings and then click on Configure Installation-Wide Options, in the search just write php and then from the [BE][fileDenyPattern] delete the line \.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$
Next we go to Filelist and upload our shell.php file, I’ve uploaded it to the user folder:
Now open up the file to get a shell back, make sure your machine is ready with a listening port:
Now i tried to exploit the kernel and the system but no exploit on the run, running the command find / -perm -u=s -type f 2>/dev/null got a file apache2-restart
We going to abuse this file:
cd /tmp
echo “/bin/bash” > service
chmod +x service
export PATH=/tmp/:$PATH
apache-service2
Now we root so let’s catch the flag:
