Hello, in this article I will show you step by step how to solve LAMPSecurity CTF5. The purpose of this CTF will be to become root. Click to get more information about CTF.
LEVEL : Medium
Steps
- Learning the target’s IP address with Netdiscover tool
- Detection of open ports with Nmap tool
- Collecting information via port 80 with Dirb and Nikto tools
- Finding a NanoCMS exploit
- Getting PHP Reverse Shell via target
- Searching for sensitive data with the Grep tool
Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.
netdiscover -r 192.168.88.0/24
The detection of open ports on the target machine was done as follows.
nmap -A -Pn -n -sC -sV --reason -p- 192.168.88.183
Fuzzing was performed via dirb on open port 80.
dirb http://192.168.88.183/
To obtain more information specifically about port 80, the nikto tool was used.
nikto -h 192.168.88.183
At this stage, manual checks were started based on the results obtained. A page like the one below was encountered; an LFI vulnerability was detected by using a null byte, and the contents of “/etc/passwd” were obtained.
While continuing the manual checks, this time a login page named NanoCMS Admin Login was detected as below.
A web search for the name NanoCMS showed it to be an off-the-shelf content management system. A search was then made for a known NanoCMS exploit, and a page like the one below was reached.
On this page, it is recommended to request the endpoint “/data/pagesdata.txt” and check whether it contains sensitive data.
With the information obtained, a request like the one below was made and the admin user’s password hash was obtained.
The hash was looked up on CrackStation to check whether its plaintext form was already known, with the following result.
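From the defender’s side, both findings above (the null-byte LFI probe and the directly served /data/pagesdata.txt file) leave a recognisable trace in the web server’s access log. The following Python script is an added example, not part of the original post or of NanoCMS itself: it runs a few detection rules over constructed Apache combined-format log lines. The client address, timestamps and the `page=` parameter name are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
192.168.88.10 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.88.10 - - [10/Oct/2023:12:00:05 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
192.168.88.10 - - [10/Oct/2023:12:00:09 +0000] "GET /data/pagesdata.txt HTTP/1.1" 200 2210 "-" "curl/7.88.1"
192.168.88.10 - - [10/Oct/2023:12:00:12 +0000] "GET /admin/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Only the fields the rules need are captured: client, time, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target, status):
    """Return the names of every detection rule the request target matches."""
    # Decode twice so single- and double-URL-encoded payloads are both seen.
    decoded = unquote(unquote(target))
    path = decoded.split("?", 1)[0]
    hits = []
    if "%00" in target or "\x00" in decoded:
        hits.append("null_byte")            # classic PHP include truncation trick
    if "../" in decoded or "..\\" in decoded:
        hits.append("path_traversal")
    if "/etc/passwd" in decoded or "/etc/shadow" in decoded:
        hits.append("sensitive_file_probe")
    # The CMS data directory should never be served directly with a 200.
    if path.endswith("/data/pagesdata.txt") and status == 200:
        hits.append("cms_data_file_served")
    return hits


def analyze_log(text):
    """Run every rule over each log line; return one finding per suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify_request(rec["target"], rec["status"])
        if rules:
            findings.append({"line": n, "client": rec["client"],
                             "target": rec["target"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['target']} -> {', '.join(f['rules'])}")
```

The `cms_data_file_served` rule is the one worth alerting on even without an attacker present: a 200 for that path means the web server is handing out the application’s data store, and the fix is to deny direct access to the data directory in the web server configuration rather than to rely on log review.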
Using the “admin : shannon” information obtained, NanoCMS was logged in and it was checked whether there was a feature on the application that could be re-written with the current user.
As a result of this check, it was determined that content can be edited in the Edit Content field, as shown below, and PHP code that creates a reverse shell was added to this field.
In this step, port 9999 on the Kali machine was first set to listen with the nc tool. Then a request was made to the page containing the PHP reverse shell code added to NanoCMS, and access to the target machine was obtained.
nc -nvlp 9999
After this step, some checks were carried out for privilege escalation on the target. One of these checks is to read / (the root folder) and all files under it and find those that contain the string “pass”.
grep -R -i pass ./
As shown below, a hidden file was found in the /patrick folder and the root password was obtained from it.
At this stage, the target machine was rooted using the “root : 50$cent” information obtained.
Summary
- I think it is a good scenario to obtain sensitive data via Nano CMS and then use the grep tool for Privilege Escalation after receiving the Reverse Shell and become root.
Click here to see my other articles about OSCP Walkthrough. Link