Lampiao Walkthrough

Erdemstar
Mar 9, 2024

Hello, in this article I will show you step by step how to solve Lampiao. The purpose of this CTF is to become root and read the flag in the /root directory. Click to get more information about CTF.

LEVEL : Easy

Steps

  • Learning the target’s IP address with Netdiscover tool
  • Detection of open ports with Nmap tool
  • Collecting information via port 1898 with Dirb and Nikto tools
  • Generating password wordlist using Cewl tool
  • Performing SSH Brute Force with Medusa tool
  • Becoming Root using Kernel Exploit

Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.

netdiscover -r 192.168.1.0/24

The detection of open ports on the target machine was done as follows.

nmap -A -Pn -n -sC -sV --reason -p- 192.168.1.3

Dirb and Nikto tools were run on port 80 and no other results were obtained except the screenshot shared below.

Information was then obtained from port 1898 using the same Nikto and Dirb tools as in the previous step.

dirb http://192.168.1.3:1898
nikto -h 192.168.1.3:1898

With the information received via port 1898, the target application was checked in the browser and 2 users were identified. (I did not take any photos of the screen for these steps, but I do not think this is difficult to obtain.)

Using this information, a Brute Force attack on SSH was made and no results were obtained.

The paths obtained from port 1898 were checked one by one and a blog post was found at the endpoint named “node/1”. A tool called Cewl was used to convert the target blog post into a wordlist for use in the Brute Force process.

cewl http://192.168.1.3:1898/?q=node/1 > password.txt

Using the information obtained, Brute Force was performed again with the Medusa tool via the SSH port. In this step, the password of the user was found: “tiago : Virgulino”.

medusa -U users.txt -P password.txt -h 192.168.1.3 -M ssh -L 5
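On the defender's side, the Medusa run above appears in the sshd authentication log as a burst of failed logins from one source, followed by a success. The following is an added example, not part of the original walkthrough, that flags that pattern. The log lines are constructed, and the hostname, the source address 192.168.1.10, the extra usernames and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (assumed hostname "lampiao", assumed
# attacker address 192.168.1.10, assumed users "otheruser" and "alice").
SAMPLE_LOG = """\
Mar  9 10:00:01 lampiao sshd[1201]: Failed password for tiago from 192.168.1.10 port 40112 ssh2
Mar  9 10:00:02 lampiao sshd[1202]: Failed password for invalid user otheruser from 192.168.1.10 port 40114 ssh2
Mar  9 10:00:03 lampiao sshd[1203]: Failed password for tiago from 192.168.1.10 port 40116 ssh2
Mar  9 10:00:05 lampiao sshd[1204]: Failed password for tiago from 192.168.1.10 port 40118 ssh2
Mar  9 10:00:06 lampiao sshd[1205]: Failed password for tiago from 192.168.1.10 port 40120 ssh2
Mar  9 10:00:08 lampiao sshd[1206]: Failed password for tiago from 192.168.1.10 port 40122 ssh2
Mar  9 10:00:09 lampiao sshd[1207]: Accepted password for tiago from 192.168.1.10 port 40124 ssh2
Mar  9 10:05:00 lampiao sshd[1210]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Mar  9 10:05:10 lampiao sshd[1211]: Accepted password for alice from 192.168.1.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log, year=2024):
    """Yield (timestamp, result, user, source_ip) for each password event."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failures where each failure is within
    `window` of the latest one, and record the first account that IP logged into."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "compromised_user": None})
                alert["failures"] = max(alert["failures"], len(failures[ip]))
        elif ip in alerts and alerts[ip]["compromised_user"] is None:
            alerts[ip]["compromised_user"] = user  # success after a burst
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An alert with a non-empty `compromised_user` is the case to escalate first, since it means the guessing succeeded and the account's password should be treated as known to the source.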

Some attempts were made on the Privilege Escalation side, but no results were obtained. The final step here is to download an exploit suitable for the kernel version of the target machine and become root. Below, this process is carried out step by step.

The exploit worked on the machine and root access was obtained. With root access established, the file named /root/proof.txt is read.

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40845.cpp -lutil
chmod 777 dcow
./dcow    # root password is "dirtyCowFun"
su
cd /root
cat flag.txt

Summary

  • I solved it and enjoyed it, but creating a wordlist from a blog page is a rare method. It is a little like a puzzle CTF.
