Hacking Articles|Raj Chandel's Blog

Hack the LAMPSecurity: CTF 7 (CTF Challenge)

at 9:46 AM Wednesday, August 8, 2018 0 comments

Hello friends! Today we are going to take another CTF challenge known as LAMPSecurity CTF7 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/lampsecurity-ctf7,86/

Penetrating Methodologies

§ Network Scanning (Nmap)

§ Login form SQL injection

§ Upload php web shell

§ Spawn TTY shell (Netcat)

§ Mysql Login

§ Steal MD5 password

§ Crack MD5 hashes (John the ripper)

§ SSH login

§ Sudo privilege escalation

§ Get root access

Walkthrough

We found our target –> 192.168.1.127

Our next step is to scan our target with NMAP.

nmap -Pn -sV 192.168.1.127

As we can observe there are so many ports are open but here three ports 80, 8080 and 10000 are available for HTTP. When we navigated to the URL http://192.168.1.127 and we were greeted with a Welcome page

On exploring port 8080 we found a login page for admin account.

As we don’t know the login credential, so I tried SQL injection both text filed for username and password.

Boomm!! Here we got admin dashboard access, let’s explore more.

We can add new reading content for reader, click on the Add new tab to edit your content for reading.

Then we have uploaded php web shell present at /usr/share/webshells/php in order to compromise the web application. In background we have lunched netcat listener 1234 to access TTY shell of the victim’s VM.s

Since I don’t know the directory where our uploaded file is stored therefore, I run dirb for enumerating web directories.

dirb http://192.168.1.127

When I navigate for the directory /assets, here I got my uploaded web shell. As we knew, netcat is ready to catch the victim’s shell as soon as we will execute our php file.

Great!! We got the netcat session, now enter below command to obtain proper terminal of the target machine.

python -c "import pty; pty.spawn('/bin/bash')"

As we have enumerated above, the mysql is running then with the default credential user: root and password: blank we login successfully into mysql database.

mysql -u root

show databases;

show tables;

select username,password from users;

Hence from inside user tables we have found all MD5 hashes of password.

I saved all hashes into a text file named hashes and use john the ripper for cracking password.

john -w=/usr/share/wordlists/rockyou.txt -form=raw -md5 hashes

Awesome, it work and got decrypted password, now let’s try madrid for user: brain for ssh login.

So when tried brain: madrid for ssh login, we login successfully, then we check sudo right for him. Luckily found brain is the part of sudo member and able to perform root level task. To access root privilege to complete the challenge run following command.

ssh brain@192.168.1.127

sudo -l

sudo su

Yuppie!! We finished this challenge.

Hack the LAMPSecurity: CTF4 (CTF Challenge)

at 12:28 AM 0 comments

Hello friends! Today we are going to take another CTF challenge known as LAMPSecurity CTF4 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/lampsecurity-ctf4,83/

Penetrating Methodologies

Network Scanning (Nmap, netdiscover)
Surfing HTTP service port (80)
SQLMAP Scanning
Extract databases and user credentials
Login into target machine via SSH
Exploiting target with SUDO binaries
Get the Root access

WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.103

Our next step is to scan our target with NMAP.

nmap -A 192.168.1.103

Result shows us that the ports 80(http), 25 (SMTP) and 22(SSH) are opened

Navigated to the URL http://192.168.1.103 and we were greeted with a Welcome page

Navigate to the Blog tab and upon further enumeration we found out that the URL parameter ”id” is prone to SQL injection error as reflecting in the below screenshot image.

http://192.168.1.103/index.html?page=blog&title=Blog&id=2’

Lets’ enumerate the databases with SQLMAP command to get more details

sqlmap -u http://192.168.1.103/index.html?page=blog&title=Blog&id=2 --dbs --dump --batch

Upon successful completion of the SQLMAP scan , we got the list of all databases!! Now we tried using ehks database, with the following command to extract other details

sqlmap -u http://192.168.1.103/index.html?page=blog&title=Blog&id=2 -D ehks --tables --dump --batch

Upon receiving the tables of all databases, we selected the user table of ehks database and tried extracting some more info with the following command

sqlmap -u http://192.168.1.103/index.html?page=blog&title=Blog&id=2 -D ehks -T user --dump

As seen from the above screenshot , we got list of all users’ and their corresponding credentials for the user table of ehks database

Let’s further try to get in with user dstevens and its password (as displayed above) via the SSH .

ssh dstevens@192.168.1.103

Awesome !! So we got the restricted shell which is our first success .Now let’s perform further enumeration and try to escalate privileges.

sudo –l

On performing sudo –l , we observed that the user dstevens has no restrictions set and has the privilege to run all the commands with sudo

sudo su

Hurray!! We got the root access

Hack the LAMPSecurity (CTF Challenge)

at 11:09 PM Tuesday, August 7, 2018 0 comments

Welcome to another boot2root CTF challenge “LAMPSecurity: CTF8” uploaded by Creosote on vulnhub. As, there is a theme, and you will need to snag the flag in order to complete the challenge and you can download it from: https://www.vulnhub.com/entry/lampsecurity-ctf8,87/

By author, it has a good variety of techniques needed to get root – no exploit development/buffer overflows. So, on the basis of our experience and knowledge, we have made progress in solving the lab.

Level: Beginner

Penetrating Methodologies:

§ Network scanning (Nmap)

§ Surfing HTTP web services

§ Web vulnerability analysis (Nikto)

§ Directory bruteforcing (Dirb)

§ Burpsuite to capture and modify request

§ Crack the password hashes (John - The Ripper)

§ SSH brute-force (Medusa)

§ Search and Capture the flag at various stages

Let’s start

First and foremost we’ll scan the IP address with nmap. In my case, the IP address was 192.168.1.112

nmap –A 192.168.1.112

As we can see that port 80 is open, we will scan it with nikto to check for web vulnerabilities

nikto -h 192.168.1.112

Here from its result, we came to know that it is vulnerable to XSS and found phpinfo.php page is also available.

Since port 80 was opened; so I explored target IP in the web browser and welcomed by following web page as shown below.

While checking its view-source page, here I found the first flag.

1^st flag: - #flag#550e1bafe077ff0b0b67f4e32f29d751

In our nikto result, we find out that phpinfo.php was available, check it as it contains various information about the php build and version on the target system, here we will find another flag

2^nd flag: #flag#550e1bafe077ff0b0b67f4e32f29d751

Next at the home page, we will read the articles posted on the home page, when you will read full article, you will find a new directory named “content” in the url.

As we haven’t seen this directory in the nikto result, we will brute-force this directory using dirb for more details about pages inside it.

dirb http://192.168.1.112/content

In the previous result, we found a page inside content directory named hidden, browse it and you’ll find another flag inside it.

3^rd flag: #flag#57dbe55b42b307fb4115146d239955d0

Let us create a new user to access user page

Let us post a small script to print hello on page in the comment section of the article to check for cross-site scripting vulnerability

After posting the comment, browse the page to check if our script works and the alert proves that the cross-site scripting works

Now let’s edit our script to get the session id of anyone who visits the page. Basically we want to capture the session_id of Barbara who is the author of this article. To get the session id, we will force it to send a request to a url which consists of our ip-address and its cookie value, so that when anyone will visit this page, it will look for a page with the name at our server and will list out the whole url as an unreachable url. The script for that looks something like this

After saving it, we now will send link of this page to the author through the contact page in her profile

Right after sending this link, start python server in your kali, after some time you will see that some error messages are starting to pop-up in the log, from these messages, you will find out the session id of Barbara. To start the python server, the command goes like this:

Now go to home page and refresh the page to intercept its request in Burpsuite, and then replace the existing session id with the one captured in previous step and then forward it to log in as Barbara

After checking about the permissions of Barbara, we came to know that she can publish a page, so we will create a php page to extract data from table users and dump all the usernames and passwords. The code for the following will be something like this

$result = db query(‘ select name, pass from users’);

while($record = db_fetch_object($result))

{ print $record->name . “:” . $record-> pass . “
”; }

After saving when you’ll browse the page, you will find that it has dumped the usernames and passwords on the page, save these credentials in a file

Use John - The Ripper to decode the values of password hashes

john -w=/usr/share/wordlists/rockyou.txt -form=raw-md5 /root/Desktop/users.txt

After getting the usernames and passwords, we will try to brute-force ssh on the target device to check for the correct credentials, for this we will use medusa but none of the credentials will be successful.

medusa -h 192.168.1.112 -U /root/Desktop/user_list.txt -P /root/Desktop/pass.txt -M ssh

Let’s go back to basics, we know that each mail user has a display name which different from his actual username, but his username is always used in his mail id, so we will go to each users profile and copy its username from his mailing address and make a new users list.

For example: Steve Pinkton profile name is spinkon

Let’s try to brute force again, this time we will be successful as the three of the usernames will be having the password in our password list we made from the decrypted passwords

Now let’s login to target device using first credentials, here we found another flag along with the banner displayed, when you log in, you will find another flag, then list out all the files and directories, here you’ll find a file named flag, check its contents to discover one more flag.

4^rd flag: #flag#5e937c51b852e1ee90d42ddb5ccb8997

cat flag.txt

5^th flag: #flag#0ab251c07822d26b07b88136739ae39b

Here we try to escalate privilege using sudo su command but it gives an error that jharraway is not in the sudoers list

Close the current connection and login to target device using second user: bdio’s credential, then list out all the files and directories, here you’ll find a file named flag, check its contents to discover one flag.

Here we try to escalate privilege using sudo su command but it gives an error that bdio is not in the sudoers list

Again close the connection and connect using third credentials, use ls command to list files, here also you’ll find a file named flag, check its content to get one more flag, let’s try to escalate privilege using sudo su command and BANG, you are now logged in as root. List all files using ls to discover another file named flag.txt but it holds same value as 5^th flag, check its content to discover another flag.

ssh spinkton@192.168.1.112

cat flag.txt

sudo su

cat flag .txt

6^th flag: #flag#fd38e201f27e98e13abcf62890c43303

Also you will also find one flag in /etc/passwd, to check it use

cat /etc/passwd

7^th flag: #flag#5b650c18929383074fea8870d857dd2e

Wow!! we finished this challenge by grabbing all hidden flags.

Hack the SecOS:1 (CTF Challenge)

at 1:10 AM 0 comments

Hello readers and welcome to another CTF challenge. It is developed by PaulWebSec. The aim of this lab is to get the root on the VM and read the congratulatory message. The virtual machine can be downloaded here. I quickly loaded up the machine and it was primed and ready!

Steps involved:

§ IP discovery and port scanning

§ Running the web app

§ Running a CSRF attack on administrator

§ Tricking admin to visit a fake page by sending him a message

§ Waiting a few minutes to let admin visit that page

§ Getting credentials and logging in SSH using these

§ Running overlayfs on the system

§ Getting root access!

So, let’s start.

I need not say this after so many articles but the first and foremost step is running netdiscover to find the IP address of the VM.

The IP address in my case was 192.168.1.128

I run an aggressive nmap scan on this IP address to find which ports were open and the first clue to start the attack on.

We found a web app working on port 8081. Without any delay we opened it.

First hint was the message shown—“Secure Web App is a part of the vulnerable VM called secOS-2”

Hence, we inferred that this VM has web based vulnerabilities. Next step was to run a nikto scan which didn’t yield much info either.

So, we ran dirb in hope that we find something good here.

Of course there is a login page! And a login page in a web vulnerable app means a route to shell!

We moved forward to the login page directly.

Although, on inspecting the page, there were no satisfactory results but there was still a register user page available to us. We headed over there.

So we created a new user with the help of the register form. You can keep any name you want but sooner or later you’ll find, like we did, it isn’t of much use. More on that later.

Since, we got redirected to the home page, it was fair to assume we got registered. Let’s try and login into the web app using that user.

There wasn’t much of information on the page except for the fact we saw a “My Messages” tab on homepage.

Although, it is worthy to note that Burp Spider showed us a page called “hint” and upon inspecting that page we found the following details:

First: The admin visits the site very frequently.

Second: He runs it locally on 127.0.0.1

Third: CSRF is applicable!

After some going around, we found under “users” tab that Spiderman was administrator. Could it be possible that we prompt the admin to change its password to our custom pass?

Hence, we wrote a quick HTML CSRF in a text file and saved as csrf.html inside /var/www/html.

What this does is that it will prompt the administrator user to change its password to “passw0rd”

We saved the page to /var/www/html directory, started apache, ran the HTML code and waited for 2-3 minutes and we got logged into administrator account!