Sunday 21 February 2016

Walkthrough LampSecurity Version 7

CTF series LAMP SECURITY 7 : I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OFFSEC certification challenge. I have been struggling to improve my average time to compromise  a box ( remember i need to do 5 in 24 hours to clear the offsec challenge) so any easy boxes i find along the way are welcome :P . They kinda increase my confidence. Lampsecurity7 seems like one such box. I am glad i pawned it and that too in optimal time (imho since the time can greatly vary depending upon the skill of the person). Thanks to the author for helping me prepare for the exam :-)

Detailed Steps to get root :

An nmap scan of the box reveals a number of open services.



We see a webapplication running on the box. While playing around with the webapplication we notice the /newsletter URL which by adding a ' to the URL we a detailed error message printed out which leads us to believe that the box suffers from sql injection.



We capture the traffic using burp and run sqlmap to see if we can find any interesting databases.





Sqlmap is able to dump a few databases for us namely i) information_schema
ii) mysql iii) roundcube  & iv) website

We try to dump the contents of these databases using the sqlmap -D parameter 



Sqlmap is able to dump various tables in the website database. We keep dumping the contents of these various tables till we see that the `users` table dumps a list of possible database users and their credentials (sqlmap helps us crack these as well . its so amazing and powerful !) . Luckily we see that the passwords are not salted.

We know that the box is running a ssh service so we try to login to the box hoping that at least some user would have reused his ssh credentials.

We ssh into the box and seems like julia is in the sudo users list and we can immediately escalate our priv to root :-) Simple and easy




7 comments:

  1. Such an interesting blog on PHP! Hope readers who visit your blog will definitely impress in the way of your writing. Thank you admin, do post your thoughts frequently.
    Regards:
    PHP Training Chennai | PHP Training Institute in Chennai

    ReplyDelete
  2. Playtech Announces Multi-Year Deal with Evolution Gaming
    Evolution 서울특별 출장마사지 Gaming and Evolution 사천 출장안마 Gaming (EVO.V) will enter the Global Gaming Technology In this 김제 출장안마 week's Evolution 진주 출장안마 Gaming Genre: Gaming, ‎Entertainment, 성남 출장샵 ‎Technology

    ReplyDelete