Hack the LAMPSecurity: CTF4 (CTF Challenge)

Th3 D347H 4RmY

Administrator
Staff member
Joined
Nov 30, 2018
Messages
609
Likes
26
Points
28
Age
19
Location
Some Where On Earth
Website
d3hf0rum.xyz
#1
Hello friends! Today we are going to take another CTF challenge known as LAMPSecurity CTF4 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here

Penetrating Methodologies

  • Network Scanning (Nmap, netdiscover)
  • Surfing HTTP service port (80)
  • SQLMAP Scanning
  • Extract databases and user credentials
  • Login into target machine via SSH
  • Exploiting target with SUDO binaries
  • Get the Root access
WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.103

Our next step is to scan our target with NMAP.

nmap -A 192.168.1.103

Result shows us that the ports 80(http), 25 (SMTP) and 22(SSH) are opened

Navigated to the URL and we were greeted with a Welcome page.

Navigate to the Blog tab and upon further enumeration we found out that the URL parameter ”id” is prone to SQL injection error as reflecting in the below screenshot image.



Lets’ enumerate the databases with SQLMAP command to get more details.

sqlmap -u --dbs --dump --batch

Upon successful completion of the SQLMAP scan , we got the list of all databases!! Now we tried using ehksdatabase, with the following command to extract other details

sqlmap -u -D ehks --tables --dump

Upon receiving the tables of all databases, we selected the user table of ehks database and tried extracting some more info with the following command

sqlmap -u -D ehks -T user --dump

As seen from the above screenshot , we got list of all users’ and their corresponding credentials for the user table of ehks database

Let’s further try to get in with user dstevens and its password (as displayed above) via the SSH .

ssh [email protected]

Awesome !! So we got the restricted shell which is our first success .Now let’s perform further enumeration and try to escalate privileges.

sudo -l

On performing sudo –l , we observed that the user dstevens has no restrictions set and has the privilege to run all the commands with sudo

sudo su

Hurray!! We got the root access.