LAMPSecurity CTF7 Walkthrough

Erdemstar
4 min read · Mar 24, 2024

Hello, in this article I will show you step by step how to solve LAMPSecurity CTF7. The goal of this CTF is to become root. Click to get more information about the CTF.

LEVEL : Medium

Steps

  • Learning the target’s IP address with Netdiscover tool
  • Detection of open ports with Nmap tool
  • Collecting information via port 80 with Dirb and Nikto tools
  • Detecting SQL Login Bypass on the login panel
  • Obtaining a PHP Reverse Shell connection via file upload
  • Obtaining user information via MySQL Database

Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.

netdiscover -r 192.168.88.0/24

The detection of open ports on the target machine was done as follows.

nmap -A -Pn -n -sC -sV --reason -p- 192.168.88.187

Fuzzing was performed via dirb on open port 80.

dirb http://192.168.88.187/

To obtain more information specifically about port 80, the nikto tool was used.

nikto -h 192.168.88.187

At this stage, manual checks were started based on the information obtained. When a request is made through the browser using the IP Address of the target, the following page is obtained.

After some checks on the page, a few attempts were made on the login screen. These tests revealed a SQL Injection vulnerability, and the application was logged into using the Login Bypass method.

admin' or '1'='1'-- -
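Why that input logs in, and the fix, shown as an added example that is not code from the CTF application or from the original article. It assumes the login check concatenates user input into the SQL text; Python with an in-memory SQLite table stands in for the PHP/MySQL application, and the table, account and function names are constructed for illustration.

```python
import hashlib
import sqlite3

DEMO_SALT = b"constructed-salt"  # one fixed salt keeps the demo short


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 10_000).hex()


def make_db():
    # Constructed table and account; the CTF application's schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", pw_hash("constructed-password")))
    return db


def vulnerable_query(username, password):
    # Assumed shape of the flaw: input is pasted into the SQL text itself.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND pw_hash = '" + pw_hash(password) + "'")


def login_vulnerable(db, username, password):
    return db.execute(vulnerable_query(username, password)).fetchone() is not None


def login_hardened(db, username, password):
    # Bound parameters: the driver passes input as data, so quotes and
    # comment markers in it can never change the structure of the query.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1'-- -"  # the login input shown in the walkthrough
    print(vulnerable_query(payload, "x"))  # the password test ends up inside a comment
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "| payload:", fn(db, payload, "x"),
              "| wrong password:", fn(db, "admin", "x"),
              "| correct password:", fn(db, "admin", "constructed-password"))
```

In the concatenated query the `'1'='1'` condition is always true and `-- -` turns the password comparison into a comment; with bound parameters the same input is simply a username that does not exist.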

After logging into the application, the resulting screens were checked and a page for adding content was identified. Simple checks showed that a file containing PHP code could be uploaded there. The PHP file that makes the Reverse Shell connection was therefore uploaded.

During the simple tests in the previous step, it was observed that the application stored the files it received from the user in the path named Asset. Access was gained by triggering the PHP file uploaded in the previous step.

Before the PHP file was clicked, a netcat listener was started on port 9999 of the Kali machine. Then, access was obtained as follows.

At this stage, the source code of the application serving on the HTTP port was examined. It showed that the MySQL root user did not have a password and that a direct connection could be established.

At this stage, the database used by the application on MySQL was examined and the users and hashed password information on the application were obtained.

At this stage, the obtained hashes were checked against crackstation to see whether their clear-text form was available. The results obtained are as follows.

Using the obtained user information and passwords, the target was logged into via SSH. Among these users, the sudo rights of the relevant user were checked using the credentials “brian: my2cents”. It was determined that this user can become root directly.

ssh brian@192.168.88.187   # password: my2cents
id
whoami
sudo -l                    # password: my2cents
sudo su
whoami

Summary

  • I think it is nice, instructive and very enjoyable in a CTF to bypass the login using SQL Injection, find a Reverse Shell script in the paths obtained with fuzzing, analyze the source code, connect to MySQL through it and then become root.
