LAMP Security: CTF4

LAMP Security: CTF4 is one of the easy machines on VulnHub which mainly focuses on SQLi.

So, let's begin!

Enumeration

As usual, the first thing we need to do is run an nmap scan and check whether any web pages are hosted on port 80/443. We can start the nmap scan and head over to the browser while it runs.

Here it can be seen that some static pages are hosted.

Meanwhile, we get our nmap results as well.

From the nmap scan, we can see that ports 22, 25 and 80 are open. For now we can focus on port 80 and explore the web pages for any issues that can be exploited.

We can start a directory brute-force scan to search for any hidden directories, and along with that we can check each and every link present on the website, along with its source code, for any kind of information disclosure.

It can be seen that multiple directories have been detected.

In the /admin directory, there is a login page where we can try some basic SQLi, but none of it works. For now, we can note this directory so that if we find some credentials they can be tried here.

The /calendar directory contains a calendar which does not appear to be of much use to us.

In the /mail directory, we can find another login page, which appears to belong to a web mail client called SquirrelMail. We can search for exploits related to SquirrelMail, but none of them appear to be helpful in our case.

The /sql directory appears to be useful, as it contains a file named db.sql which contains the following queries:

From these queries, it can easily be understood that there is a database named ehks which has a table named user with the columns user_id, user_name and user_pass. So, if we find a SQLi vulnerability on some web page, we can use it to obtain details from the user table.

On the blogs page, we can see links to multiple blogs along with their authors' usernames (we can note these names, as they can be useful in later stages). We can check each of these blogs for any useful information.

When we click on the link to a blog, it can be seen that multiple parameters are being sent in the GET request. So, we can test them for SQLi.

As expected, when we pass ' to the id parameter it returns an error, most probably because id has the INT data type while the quote is only meaningful for VARCHAR values.
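The root cause behind that error is a query built by string concatenation and a database error echoed back to the client. The following is an added example, not code from the CTF4 machine: it models the user table from db.sql (user_id, user_name, user_pass) with constructed rows in an in-memory SQLite database (standing in for MySQL), shows the concatenating lookup beside a hardened version that validates the type and binds the value, and reports how each reacts to a normal id, a stray quote and an ORDER BY probe.

```python
"""Vulnerable vs. hardened handling of an integer ``id`` URL parameter.

Added example, not code from the CTF4 machine. The schema follows the
user table described in db.sql; the rows are constructed sample data and
SQLite stands in for MySQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the ehks database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "dstevens", "<constructed-hash-1>"), (2, "achen", "<constructed-hash-2>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The pattern the writeup exploits: the raw parameter is spliced into the SQL text."""
    sql = "SELECT user_id, user_name FROM user WHERE user_id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """Reject anything that is not a positive integer, then bind the value as a parameter."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT user_id, user_name FROM user WHERE user_id = ?", (int(id_param),)
    ).fetchall()


def probe(fn, conn: sqlite3.Connection, id_param: str) -> str:
    """Run one lookup and summarise the outcome as rows / empty / db-error / rejected."""
    try:
        rows = fn(conn, id_param)
        return "rows" if rows else "empty"
    except sqlite3.Error:
        # The verbose database error the writeup observes on a stray quote; a real
        # application should log this server-side and return a generic response.
        return "db-error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "'", "1 ORDER BY 2", "1 ORDER BY 6"):
        print(f"{value!r:16} vulnerable={probe(lookup_vulnerable, db, value):9} "
              f"hardened={probe(lookup_hardened, db, value)}")
```

The vulnerable lookup answers "1 ORDER BY 2" normally and only fails at "1 ORDER BY 6", which is exactly the column-count signal the writeup relies on; the hardened lookup refuses every non-numeric value before it reaches the database, so neither the quote nor the ORDER BY clause ever becomes part of a query.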

Gaining Access

Now that we know about the SQL injection vulnerability, we can try to exploit it to obtain sensitive information. We can proceed with the steps below:

  1. Determine the number of columns being returned so that we can craft our payload accordingly.

When we try to order by column number, no error is returned up to number 5. But when we try to order by 6-- an error is returned, because there is no 6th column. So, we can conclude that there are 5 columns.

  2. The next step is to determine which columns have the VARCHAR data type, so that we can use those columns to exfiltrate data.

From the above requests, it is clear that columns 2, 4 and 5 can be used for accessing the data in the database.

Combining this with the information obtained from db.sql, we can try to access the contents of the user table.
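Each of the steps above leaves a distinctive trace in the web server's access log: a numeric parameter followed by a quote, a run of ORDER BY probes with rising numbers, then a UNION SELECT. The following is an added detection example, not part of the original post: it parses constructed Apache combined-format log lines (the path and the page/title parameter names are assumed; only the id parameter comes from the writeup), URL-decodes every query parameter, tags the three probe patterns and flags a source address that shows more than one of them. The quote check is deliberately limited to values that start with digits, so a legitimate title such as "Bob's Blog" is not flagged.

```python
"""Spot the SQLi probing sequence from the writeup in web-server access logs.

Added example, not part of the original post. The log lines are constructed
in Apache combined format; the path and the page/title parameter names are
assumptions, only the ``id`` parameter comes from the writeup.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: one source runs the full probing sequence, a second
# source makes a legitimate request whose title contains an apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html?page=blog&title=Blog&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /index.html?page=blog&title=Blog&id=1' HTTP/1.1" 500 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html?page=blog&title=Blog&id=1%20order%20by%205-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html?page=blog&title=Blog&id=1%20order%20by%206-- HTTP/1.1" 500 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html?page=blog&title=Blog&id=-1%20union%20select%201,2,3,4,5 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:02 +0000] "GET /index.html?page=blog&title=Bob's%20Blog&id=3 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The three probes the writeup performs, in the order it performs them.
PROBES = (
    # digits followed by a quote: a quote appended to a numeric id, or a bare quote
    ("quote-probe", re.compile(r"^\d*'")),
    # ORDER BY <n> used to count the columns of the underlying query
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.IGNORECASE)),
    # UNION SELECT used to read data through the injected query
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)),
)


def parse_line(line: str):
    """Return ip, status, path and decoded query parameters for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": parts.path,
        # parse_qsl percent-decodes the values, so encoded spaces become real ones
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def classify(value: str) -> list:
    """Names of every probe pattern that matches one decoded parameter value."""
    return [name for name, rx in PROBES if rx.search(value)]


def scan(log_text: str) -> list:
    """Yield (ip, parameter, probe tag, HTTP status) for every matching parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            for tag in classify(value):
                findings.append((rec["ip"], name, tag, rec["status"]))
    return findings


def suspicious_sources(findings: list, min_distinct: int = 2) -> set:
    """Sources that exhibit at least min_distinct different probe types."""
    by_ip = {}
    for ip, _param, tag, _status in findings:
        by_ip.setdefault(ip, set()).add(tag)
    return {ip for ip, tags in by_ip.items() if len(tags) >= min_distinct}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, param, tag, status in hits:
        print(f"{ip:14} {param:6} {tag:15} status={status}")
    print("suspicious:", sorted(suspicious_sources(hits)))
```

The HTTP status is carried along because a 500 on the quote probe and on the ORDER BY that overshoots the column count, as in the constructed log, is the server-side echo of the database errors the writeup watches for; a parameter that is always numeric in legitimate traffic and suddenly carries SQL keywords is a strong signal on its own.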

It can be seen that we have the usernames and password hashes of multiple users. We can crack these hashes using CrackStation.

We can use these username and password combinations to access the machine via SSH, as port 22 is also open.

Usually the first entry in a table belongs to the admin. So, we can try an SSH login with the credentials of the first entry in the table, which belongs to dstevens.

But when we try to connect to the machine via SSH, we get an error.

This error is generated when you try to connect to an outdated machine on which the recent cryptographic algorithms are not available. To resolve this issue we can use the command

Using this command, we get SSH access as dstevens.

From the results of the id and groups commands, it can be seen that user dstevens is an admin.

Privilege Escalation

The first thing we can look at is the output of the sudo -l command.

And it can be seen here that user dstevens can run any command with sudo privileges. So, we can easily switch to root using the command sudo su.

With this we have obtained root access to this machine!

Some Key Points to Take Away

  1. Always check the URL parameters for possible SQLi.
  2. Change the SSH cryptographic algorithm when trying to connect to a legacy machine.

Mind Map

References

  1. LAMP Security: CTF4
  2. CrackStation
  3. Solution for SSH Unable to Negotiate Errors

Do check out my other work and write-ups at https://github.com/0xNirvana
