Hack the LAMPSecurity: CTF 5 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as LAMPSecurity CTF5 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here //www.vulnhub.com/entry/lampsecurity-ctf5,84/

Penetrating Methodologies

  • Network Scanning (Nmap, netdiscover)
  • HTTP service enumeration
  • Identifying exploit for the vulnerable CMS Web application
  • Access CMS admin login page & credentials
  • Generate PHP Backdoor (Msfvenom)
  • Upload and execute the backdoor
  • Reverse connection (Metasploit)
  • Import python one-liner for proper TTY shell
  • Exploiting target (exploit 9479)
  • Get the Root access

WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.145

Our next step is to scan our target with NMAP.

The NMAP output shows us that there are multiple ports opened. As HTTP service is also running, let’s begin with the same first and see what information we get.

Browsed the URL //192.168.1.145 and we were greeted with Phake Organization heading banner, and with many options to navigate further.

Let’s run Nikto tool here to find out more information

As we can see that the victim machine is prone to LFI/RFI vulnerability.

Now we will paste this malicious code (as highlighted above), in the URL as follows to exploit LFI vulnerability using the browser

As we can see from the output above, we have successfully received the output of /etc/passwd in the browser. We can use this content at some time later in the lab (if required)

Click on the Blog tab of the website //192.168.1.145 and it will redirect us to the URL //192.168.1.145/~andy/

We got a clue from Andy Carp’s blog that the site is powered by NanoCMS. NanoCMS is a lightweight CMS based on PHP that is now discontinued. Therefore we searched on the possible vulnerabilities associated with Nano CMS on the internet and was able to get the details from the following URL //www.securityfocus.com/bid/34508/exploit

The possible vulnerability identified is Password Hash Information Disclosure which allows unrestricted access to the path /data/pagesdata.txt

Let’s try to append the /data/pagesdata.txt with //192.168.1.145/~andy/ and navigate to the URL //192.168.1.145/~andy/data/pagesdata.txt.The following content will be seen which contains a lot of information. Upon further investigation we found that the Admin password hash is retrieved.

Open the website www.hashkiller.co.uk and decode the MD5 password hash received from above.

As seen the output “shannon” is the password extracted for the user admin.

Navigate to URL

Click on the Admin login sub-heading under the Login and we will be redirected to

Input the credentials in the Admin login page as follows :

Upon success, the following page will appear

Click on the New page options tab where we should be able to add new content with our own PHP code.

Let’s generate a Reverse PHP shell with the following command

Copy the code from <?php to die() as shown above . Open the NanoCMS Admin panel of the website, navigate to the New Page option and paste the reverse PHP shell in the Content section. Input any name in the Title and click on the Add Page.

Upon clicking on the Add page, the file “shell” has been uploaded successfully, as seen in the screenshot below (under Navigation)

Now in parallel, open the Metasploit console and perform the following

Once we have started the listener on the Kali Linux, click on the shell file in Andy Carp’s blog. As soon as we click the same, we will get a meterpreter console. From the below image we can observe Meterpreter session 1. But our task is not finished yet, we still need to penetrate further for the privilege escalation.

Using sysinfo command, we found machine architecture details which may eventually help us to find out the kernel exploit for privilege escalation

sysinfo

Searched across the internet to found the privilege escalation exploit that might apply to the Linux kernel version 2.6.23.1-42 and found the below link (as shown in the image above).

As we know that version of the kernel is vulnerable, we will download its exploit to the Kali machine from the Exploit DB website, as shown below:

Moving forward, we will compile the file as follows:

Now go back to the Meterpreter session and navigate to /tmp folder

Send the exploit file from Kali machine Meterpreter session to the target system

Further, navigate to shell

In order to access proper TTY shell, we had imported python one line script by typing following:

We got the limited shell!! Now let’s try to enumerate further

Proceed forward and go to the tmp folder by typing :

Let’s see what directories it has and for that type:

Assign the permissions to the exploit, before execution

Then type the following command to execute the exploit:

As soon the exploit executes we will get the root access!!

And to confirm this type:

Hurray!! We have successfully solved this challenge.

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

1 Comment Hack the LAMPSecurity: CTF 5 (CTF Challenge)

Leave a Reply

Your email address will not be published. Required fields are marked *