LAMPSecurity CTF4 Walkthrough

Erdemstar
Mar 18, 2024

Hello, in this article I will show you step by step how to solve LAMPSecurity CTF4. The goal of this CTF is to become root.

LEVEL : Very Easy

Steps

  • Learning the target’s IP address with the Netdiscover tool
  • Detecting open ports with the Nmap tool
  • Collecting information on port 80 with the Dirb and Nikto tools
  • Detecting the SQL Injection and LFI vulnerabilities
  • Exploiting the SQL Injection vulnerability with the Sqlmap tool

Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.

netdiscover -r 192.168.88.0/24

The detection of open ports on the target machine was done as follows.

nmap -A -Pn -n -sC -sV --reason -p- 192.168.88.174

Directory fuzzing was performed with dirb against the web server on open port 80.

dirb http://192.168.88.174/

To obtain more information specifically for port 80, a tool called nikto was used.

nikto -h 192.168.88.174

At this stage, manual checks were started based on the output of the Dirb and Nikto tools. A SQL Injection vulnerability was detected on one of the paths obtained.

This vulnerability was noted so that it could be examined in detail after the remaining checks were completed.

Other attack scenarios were then tried at the point where SQL Injection had been detected. In this step, an LFI vulnerability was detected by using a null byte, and the “/etc/passwd” file was read.

After the checks on the web application were completed, the SQL Injection vulnerability was exploited with the Sqlmap tool as follows. The first goal here is to dump the target application's database and, if it contains a valid user, use those credentials to connect to the target via SSH.

To achieve this, the following command was run to dump the entire database. As the output shows, username and password information was obtained from the database.

sqlmap --url "192.168.88.174/index.html?page=blog&title=Blog&id=2" --batch --dump-all

Using the information obtained, attempts were made to connect to SSH on the target. After these tests, access was gained with the user information “dstevens: ilike2surf”.

After logging in, the first check was whether this user had sudo privileges. The result showed that the user could become root directly through sudo. With root obtained in this step, the CTF was completed successfully.

ssh dstevens@192.168.88.174
sudo -l
whoami
sudo su
whoami
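
From the defender's side, the SQL Injection and null-byte LFI requests described in this walkthrough leave traces in the web server's access log. The following Python scanner is an added example, not part of the original article; the log lines, the client IP and the use of `page` as the file-inclusion parameter are constructed assumptions, and the log format is assumed to be Apache combined.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not captured from the target).
SAMPLE_LOG = '''\
192.168.88.10 - - [18/Mar/2024:10:00:01 +0000] "GET /index.html?page=blog&title=Blog&id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.88.10 - - [18/Mar/2024:10:00:09 +0000] "GET /index.html?page=blog&title=Blog&id=2%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.88.10 - - [18/Mar/2024:10:00:30 +0000] "GET /index.html?page=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1904 "-" "Mozilla/5.0"
192.168.88.10 - - [18/Mar/2024:10:01:02 +0000] "GET /index.html?page=blog&title=Blog&id=2%20AND%201%3D1 HTTP/1.1" 200 900 "-" "sqlmap/1.x (https://sqlmap.org)"
'''

# client ip, method, request target, status, user agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Heuristic SQL syntax markers; expect false positives on free-text parameters.
SQLI = re.compile(
    r"'|--|/\*|\b(?:union|select|sleep|benchmark)\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

def scan(log_text):
    """Return (client_ip, request_target, sorted_tags) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, target, _status, ua = m.groups()
        tags = set()
        # The user agent is trivially changed by the client, so this is a weak signal.
        if "sqlmap" in ua.lower():
            tags.add("sqlmap-user-agent")
        # parse_qsl percent-decodes values, so %00 becomes a real NUL character.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if "\x00" in value:
                tags.add(f"null-byte:{name}")
            if "../" in value or "..\\" in value:
                tags.add(f"path-traversal:{name}")
            if SQLI.search(value):
                tags.add(f"sqli-syntax:{name}")
        if tags:
            findings.append((ip, target, sorted(tags)))
    return findings

if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags), target)
```

A decoded NUL byte in any query parameter is almost never legitimate and can be alerted on directly, while the SQL syntax rule is better used for triage than for blocking.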

Summary

  • I think this machine is perfect for those who want to see how a SQL Injection vulnerability is detected and how it can be exploited with Sqlmap.
