SBN Typo 1: VulnHub CTF walkthrough (part 2)


In the previous article, Part 1 of this CTF, we were able to complete the following steps on the victim machine:

  1. Getting the target machine IP address by running the VM
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP port 80 service with Dirb utility
  4. Enumerating HTTP port 8000 and 8080 service with Dirb utility
  5. Taking advantage of phpMyAdmin
  6. Logging in into the application and exploiting the vulnerability

We have already explored various open ports on the target machine and have gained access to the admin panel of a CMS-based website hosted on the target machine.

Let’s continue from there. In this article, we will start with exploiting the CMS in order to upload a shell on the target machine. The steps we’ll be convering in this article are given below.

The steps

  1. Logging into the CMS and identifying a vulnerability
  2. Uploading PHP shell and getting command shell access
  3. Getting the root access by using a local exploit
  4. Exploiting and reading the flag

The walkthrough

Step 7

In the following screenshot, we can see that we are logged into the CMS typo3 as the admin user.

As we can see, after the login, we were redirected to the “typo3” dashboard. In CMS, a general approach is to find a file manager and upload files on the target machine. In this case, we found the file manager, but we are not able to upload a PHP file.

We tried various techniques to bypass the restriction but none of them worked. We decided to go through the detailed documentation of the typo3 CMS for further clues about the installation.

In the documentation, we found a file labelled “LocalConfiguration.php”, which can help in controlling and managing the allowed extensions for file upload. While exploring the settings of the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by LetsPen Test. Read the original post at: