The LAMPSecurity project is an effort to produce training and benchmarking
tools that can be used to educate information security professionals and test
products.
The LAMPSecurity series is not particularly challenging; for each VM in the series I've targeted the web application as the entry point.
Host Service Enumeration
| Port       | Service | Version Detection                     |
|------------|---------|---------------------------------------|
| TCP: 22    | SSH     | OpenSSH 5.3 (protocol 2.0)            |
| TCP: 80    | HTTP    | Apache httpd 2.2.15 ((CentOS))        |
| TCP: 139   | Samba   | Samba smbd 3.X (workgroup: MYGROUP)   |
| TCP: 901   | HTTP    | Samba SWAT administration server      |
| TCP: 8080  | HTTP    | Apache httpd 2.2.15 ((CentOS))        |
| TCP: 10000 | Webmin  | (Webmin httpd)                        |
Web Application Enumeration
Host enumeration discovered two web applications, one on port 80 and one on port
8080. As with the previous CTF series VMs, other entry points are
ignored and the web application is used as the entry point.
Web Application on Port 8080
Inspection of the web application revealed it's vulnerable to an SQLi
authentication bypass. By entering ' or 1=1 -- . in the username
field, an attacker can successfully log in as admin.
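Why that username value logs in, and the fix, shown as an added example (not code from the VM or the original write-up). The table layout, the credentials and the use of SQLite in place of the VM's MySQL are assumptions made so the example runs offline.

```python
import hashlib
import sqlite3

# Constructed schema and account; the real application's tables are not shown
# in the write-up. SQLite stands in for the VM's MySQL back end.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.md5(b"constructed-secret").hexdigest()))
    return db

# MD5 mirrors the unsalted hashes the write-up later cracks. It is kept in both
# functions so that the only difference between them is how the query is built.
def _md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def login_vulnerable(db, username, password):
    """Concatenates user input into the SQL text (the flawed pattern)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + _md5(password) + "'")
    # With the payload the statement becomes:
    #   ... WHERE username = '' or 1=1 -- .' AND password = '...'
    # Everything after "--" is a comment, so the password test never runs.
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Same check with bound parameters: input is data, never SQL text."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, _md5(password))).fetchone()
    return row[0] if row else None

PAYLOAD = "' or 1=1 -- ."  # the username value quoted in the write-up

if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, "->", fn(db, PAYLOAD, "anything"))
```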
Admin account:
PHP Shell Upload
With admin access to the web application it was possible to upload a reverse
shell.
Execution of the PHP shell was not possible via the web application directly.
Dirbuster
Dirbuster disclosed the location of the file uploads directory, /assets/.
Reverse Shell
Executing the PHP script resulted in a reverse shell as the user apache:
Local Enumeration
Local enumeration discovered that the MySQL root account could be accessed locally
without a password:
MySQL
Hashcat md5 cracking
The hashes were placed in a text file using the following format:
NOTE: In order for hashcat to ignore usernames in a hash input file, you need to
specify --username.