Sunday 21 February 2016

Walkthrough LampSecurity Version 7

CTF series LAMP SECURITY 7 : I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OFFSEC certification challenge. I have been struggling to improve my average time to compromise  a box ( remember i need to do 5 in 24 hours to clear the offsec challenge) so any easy boxes i find along the way are welcome :P . They kinda increase my confidence. Lampsecurity7 seems like one such box. I am glad i pawned it and that too in optimal time (imho since the time can greatly vary depending upon the skill of the person). Thanks to the author for helping me prepare for the exam :-)

Detailed Steps to get root :

An nmap scan of the box reveals a number of open services.



We see a webapplication running on the box. While playing around with the webapplication we notice the /newsletter URL which by adding a ' to the URL we a detailed error message printed out which leads us to believe that the box suffers from sql injection.



We capture the traffic using burp and run sqlmap to see if we can find any interesting databases.





Sqlmap is able to dump a few databases for us namely i) information_schema
ii) mysql iii) roundcube  & iv) website

We try to dump the contents of these databases using the sqlmap -D parameter 



Sqlmap is able to dump various tables in the website database. We keep dumping the contents of these various tables till we see that the `users` table dumps a list of possible database users and their credentials (sqlmap helps us crack these as well . its so amazing and powerful !) . Luckily we see that the passwords are not salted.

We know that the box is running a ssh service so we try to login to the box hoping that at least some user would have reused his ssh credentials.

We ssh into the box and seems like julia is in the sudo users list and we can immediately escalate our priv to root :-) Simple and easy




Sunday 7 February 2016

Walkthrough TopHatSec Freshly

Mission `Freshly` VM : I downloaded the virtual machine hosted at https://www.vulnhub.com/entry/tophatsec-freshly,118/  . There are a couple of challenges from TopHatSec and I would like to try them both. Well for starters here is `Freshly` :-)

Detailed steps for getting root : 

A nmap scan of the box reveals that ports 80,443 and 8080 are publically accessible  on the box.


We quickly run both nikto and dirbuster against the webserver. We see that the VM is running a login application on port 80 while on the other ports it is  running a wordpress blog.


Login prompt 
Wordpress blog
We also see an installation of  phpmyadmin on the webserver. We try the default credentials but dont succeed. Since there is a phpmydamin running on the box we guess that there may be mysql server running at the backend as well. Hence we try mysql authentication bypass by using a wronguser' or 1=1 LIMIT 1;# as username and junk as password. However we are not successful. Inspite of this its worth the effort to run sqlmap against the server to see if it can pick up some injection points either in the username or password fields.



Sqlmap tells us that the `user` parameter of the login form is sucesptibel to a mysql injection vulnerabilty. It readily exploits this vulnerability for us to give us a complete dump of the database when we use the --dump sqlmap option.



Excellent! now we can see that there are a total of 7 databases in the database. We must check out the interesting ones especially login, phpmyadmin, users and wordpress8080.



It seems that the table dump for the wordpress8080 database contains the admin password for the wordpress blog.  We try to login to the wordpress blog via the credentials and we are successful!


Once we have admin credentails on the wordpress getting a shell on the box is extremely simple. By default wordpress will not allow any php content to be run from the wordpress articles/posts. However since we have admin privs on the wordpress we can install a plugin called Exec-php to allow php code to run in the wordpress pages.

We install the plugin to our wordpress installation and then follow the instructions at https://wordpress.org/plugins/exec-php/installation/ to run php code in the article body. Once the simple php hello world example works we use the php-reverse-shell script available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell . We set up a netcat listener and sure enough we get our shell :-)



There we have our flag. A fun challenge indeed :-)