Sunday, 21 February 2016

Walkthrough LampSecurity Version 7

CTF series LAMP SECURITY 7 : I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OFFSEC certification challenge. I have been struggling to improve my average time to compromise  a box ( remember i need to do 5 in 24 hours to clear the offsec challenge) so any easy boxes i find along the way are welcome :P . They kinda increase my confidence. Lampsecurity7 seems like one such box. I am glad i pawned it and that too in optimal time (imho since the time can greatly vary depending upon the skill of the person). Thanks to the author for helping me prepare for the exam :-)

Detailed Steps to get root :

An nmap scan of the box reveals a number of open services.

We see a webapplication running on the box. While playing around with the webapplication we notice the /newsletter URL which by adding a ' to the URL we a detailed error message printed out which leads us to believe that the box suffers from sql injection.

We capture the traffic using burp and run sqlmap to see if we can find any interesting databases.

Sqlmap is able to dump a few databases for us namely i) information_schema
ii) mysql iii) roundcube  & iv) website

We try to dump the contents of these databases using the sqlmap -D parameter 

Sqlmap is able to dump various tables in the website database. We keep dumping the contents of these various tables till we see that the `users` table dumps a list of possible database users and their credentials (sqlmap helps us crack these as well . its so amazing and powerful !) . Luckily we see that the passwords are not salted.

We know that the box is running a ssh service so we try to login to the box hoping that at least some user would have reused his ssh credentials.

We ssh into the box and seems like julia is in the sudo users list and we can immediately escalate our priv to root :-) Simple and easy