Lampiao CTF Walkthrough - Boot-To-Root

Captions
[Laughter] Hey guys, HackerSploit here, back again with another video, and welcome back to the VulnHub CTF series on the channel. So in this video we're going to be looking at Lampiao 1 on VulnHub. Now, just pardon my mispronunciation of that word or that name; I apologize, I really haven't looked it up in regards to what it means. It's a Spanish word from what I understand, but I could be wrong. So this was a VM that I planned to upload on Friday, and I actually completed it on Friday, but I was really speculating as to whether I should make a walkthrough of this, just for the fact that it really did have a lot of rabbit holes that at first looked extremely promising but really led to nowhere. So I would say that the design was extremely good, because it kind of replicates how a real type of penetration test would be in regards to web application penetration testing. But I went through a lot of these rabbit holes, and of course there are very few, but when we talk about the CMS system that was on this CTF, it was very, very interesting, and I'll get into that. But in this walkthrough I'll be covering what worked for me and essentially my methodology.

Now, the other reason I really wanted to cover this is because I saw a technique with this one that really forced me to think outside the box. I think it took me about, I would say, 45 minutes in total to get it. But anyway, I got root, and I thought of making this video now, primarily because I wanted to explain the privilege escalation side of things, which was quite nice to see, that there are still CTFs out there that have a very straightforward type of, I would say, pathway in regards to privilege escalation. That being said, let's get started. So it was released on the 28th of July 2018 and was suggested to me on Twitter. So you can see the description is pretty simple: "Would you like to keep hacking in your own lab? Try this brand new vulnerable machine, Lampiao 1. Get root. The level is easy."

All right, so I've set it up on my VirtualBox right over here and it's good to go. So let me just close that and show you that it is there. There we are, and immediately we get the version of Ubuntu, but we will be able to enumerate that later. All right, so my methodology is very, very simple. The first thing I need to do is discover the IP, and I use netdiscover. Now, for those of you who are asking how I knew that, or how I know the adapters that I'm using, well, I've been running labs on my setup for a long time, or on my lab, and I guess it just comes down to what or how you want to run it. Now I'll explain something. So netdiscover: my interface is eth0, I'm going to hit enter, and let's see if we're able to discover any devices. All right, so let me explain something. So for the TP-Link, many people will probably guess those are my routers. We have a Micro-Star, which I'm guessing is this computer; we have Hon Hai Precision, which is probably my Android device; and we have the PCS Systemtechnik thing. The way I found this is, well, just from a lot of research first of all, and of course experimentation in regards to what the target could be. So this is the one running on VirtualBox. If it is running on VMware, you will see the VMware vendor host name right over here, given by the MAC address. OK, so there we are, we know the IP is 192.168.1.106. I'm going to close that and I'll open up Zenmap.

So when it comes down to enumeration and information gathering, my methodology is extremely simple. What I do is I start off with a simple Nmap scan where I do a bit of, you know, banner fingerprinting and also an aggressive scan. So it would be as follows: nmap -sV -A and then 192.168.1.106, sorry, not 101, 192.168.1.106, and after this I'll just scan. So we'll run that scan. It shouldn't take too much time given that the machine is on my local network, so let that scan. Now, when we talk about the methods that are used here, that's also primarily one of the reasons I'll be going through this virtual machine: when you talk of one of the techniques in regards to web application penetration testing, and generating word lists. All right, so I'll get to that in a second. All right, so this was essentially the first scan that I ran, and you can see that you have an SSH port open, and that is running OpenSSH 6.6.1p1. I did a searchsploit on that and I wasn't able to detect anything worthwhile in regards to an exploit. You really won't find an exploit unless it's a really old version, in which case they might as well not create a CTF machine if they're going to make the challenge that easy. We then have port 80, which is, as you know, a web server, so we're going to open that up now. So 192.168.1.106, and I'm going to hit enter, and as you can see, you're going to get a little Easter egg here, or just something to troll you, and it's going to tell you it's easy. And I don't know what that word is, so I'm not going to pronounce it, and this looks to be like an image; if you look at it from afar it looks like a pirate wearing a pirate's hat, and that's pretty much it. So I'm going to try and view the page source, and you're not going to find anything interesting here; really, you're just looking at the same text being displayed from the source.

So now it's time for further enumeration, where I perform an intense scan and I scan all the TCP ports on the target, because from this you could see that, apart from a bit of shell code, there wasn't anything here that we could have got. We did have a few operating system guesses, but as we know, we already know what version of Ubuntu is running. So I'm just going to scan for all the TCP ports here, and there we are, we can already see a new port that's open here on port 1898. So we'll wait for the scan to complete, and once it's completed we'll get an idea of what exactly is running on that port. All right, so in regards to my methodology, it's really very simple. I go through my standard methodology, and if nothing works or I don't yield any results from there, I usually try and, oops, robots.txt, I usually try and start tinkering with a few things that might work. So you can see robots.txt really doesn't work. I tried running dirb on this, so I did try and run dirb on it first and then DirBuster, but for some reason it was denying all connections; all the connections were closing, and I can demonstrate that right now. So I'm just going to copy the IP right over there, and I'll open up a, or we can just do it right over here, so dirb, and I'm just going to use the common word list, and I'm going to hit enter, and as you can see, in a few seconds we will get an error telling us that the connections failed. So it looks like the connections are being denied in some way. There we are. So I wasn't able to enumerate any subdomains from the main web server running on port 80, but now if we look at the results from the intense scan on all the ports, we can see that we have an Apache httpd 2.4.7 server running on port 1898, and there looks to be like an image here, which you can essentially resolve with MD5 here. We can see that it is running Drupal 7. Now, before we get started, you can see that it did actually get a robots.txt here with 36 disallowed entries, and 15 of them will be shown, so these include what a standard Drupal installation will contain.

Now let me explain something about Drupal. I went so in depth into, you know, Drupal exploits, more specifically Drupal 7 exploits; I looked at Drupalgeddon, I looked at various reverse shells through uploading files, you know, file upload vulnerabilities, all that good stuff, but I really wasn't able to get a shell. The best I got was a low-privilege shell that had issues in regards to connectivity, so I really wasn't able to get through that. So after a while I left that path and I started going on the other one, and I'll explain this. It was such a virtual machine that really tested your patience, because it had many, many different ways of throwing you off your track, so to speak. So if we just open the port here, 1898, and we just hit enter, you can see it is a Drupal installation, more specifically a Drupal 7 installation, and we don't need to run DirBuster, because Nmap, you know, the awesome tool that it is, already does it for you. So I went through the includes, through all of the directories; I was able to enumerate the version, the exact version, and find the Drupalgeddon exploits for it. Now, I will be posting the Drupalgeddon exploits for it in the description so you can check it out for yourself, but for me it really didn't work, and trust me, I tried hard; this is where I put all my energy into it. So at this point I thought there was something wrong, because I was getting a shell, but for some reason the shell kept on disconnecting. But it looked like this virtual machine had various rabbit holes that I had to go through, and the whole idea with this virtual machine, or with this CTF challenge, is that SSH was essentially the vector that we needed to target.

So when I started going over it again, I looked at SSH and I was like, OK, how can we get usernames and passwords here? And that is where, you know, just from my past, I was able to start remembering how to use password profiling for web applications to generate the different word lists or user lists, to essentially start enumerating a bit, or to get a bit of information in regards to credentials. So if you look at the web application, just standard, you can see we have the name of the CTF challenge, which is Lampiao. Username and login: I tried all vulnerabilities on that, and it really did not work. I tried to create a new account; that did not work as well. I went through the first article right over here, and as you can see, this had a lot of information that could help me start generating my word list. Now, for those of you who are a bit confused, you might be saying, well, how do you generate a word list from all of this? Do I just copy all the text? Well, this is where I was also getting lost, but then, thinking back at my penetration testing, you know, what I learned a long time ago is you can use password profiling, which is using the tool called cewl, however you want to pronounce it. It's a tool I haven't used in, I would say, about two years or something like that, so it was really good to see that I was able to do that.

Now, the other thing, when looking at the way data is being posted on Drupal, it's very similar to other content management systems like WordPress. You might be saying, how so, Alexis? Well, if you look at WordPress, or WPScan, if you were to perform a simple WordPress scan, let's say if this was a WordPress installation and I ran WPScan on this, what would happen? Given the posts, WPScan would be able to enumerate certain usernames. Now, if you don't know how WPScan enumerates usernames: it goes to all the posts made on that blog or that web page and it looks for who the article or the blog post was posted by, and it is able to gather that as a user. So on this page I was able to get the user; here you can see that this blog post was specified by the user tiago. All right, so this I also found was posted many times during, or you know, in all of this text. Now, pardon me, I really don't know the language and I wasn't going to try and translate it, but I know that when you have data like this, the whole idea is to use password profiling. So how do I use password profiling? Well, we use the tool cewl, and we copy the IP, and we specify the blog post itself, to generate a word list from this page. OK, so I'll open up my terminal here, and what I'll do is I'll just clear everything and I'll open up the terminal again. So I actually should have expanded that; open it up again. So I'll use cewl, so c-e-w-l, and then we specify the IP with the specific parameters or the blog post; it really doesn't matter, and this can work on any other web application. And then we write out our list. Let's say we want to write it out to, or actually, first let me just move on to my desktop, and cewl, and I will paste in that, and we want to write this out into, let's just call it /root/Desktop, and I'm going to call it list.txt. All right, and I'm going to hit enter, and that is going to generate a word list based on all the words that are found on that web page. So if I was to just cat that, so if I just cat the list here, you can see that we have all these words that are on that web page, and you can see most of them are words that you would find like in body text. So it essentially just generated a whole bunch of words from that web page. Now, what I wanted to specify is, if I cat and I also grep here, so I pipe it out and grep for the user that we created, like tiago, you can see if we enter, let's see if it's able to grep for tiago, if that was the user. Let me just check if I spelt that correctly, if it was tiago with a "ti"; yes, tiago with the "ti". Let me just see if it was able to go through. So yeah, as you probably would have guessed, this word list, or this list rather, is quite large, and yeah, we'll just wait for this to complete grepping.

And while that is grepping, we can start using Hydra to brute force the SSH protocol. So what I'll do is I'll just open up my Terminator here, and let me just expand or increase the font size, as many of you recommended in the previous video. So I'll increase that like so, and I'll open that up. So we're using Hydra, so it's very simple to run Hydra here. So hydra: we want to specify the username as tiago right over here, so tiago, and that is the user that we're going to be going for, tiago. Now, by the way, you can also use the user list; I actually tried this but I wasn't able to get anywhere, because it was taking forever really. So the username is tiago, and then we're selecting a password list here, which I believe should be specified on the desktop, so /root/Desktop, and that is going to be list.txt. And now, what protocol are we attacking? The protocol we're attacking is SSH, 192.168.1.106, I believe, if this is the correct IP; let me just confirm that one more time, .106, and let's see if this was able to grep tiago. So yeah, that is taking a while, probably because the list is huge. Anyway, we'll get to that in a second. So 192.168.1.106, using that list, and I'm going to hit enter. All right, so this brute force, when I ran it, took about, I would say, five minutes or so, and we'll wait for this to complete. Looks like I had my previous Hydra session running, so anyway, it is going to go through the brute force and I'll get back to you when this is complete. All right, so the brute force is complete, and as you can see, we were able to get the user tiago and the password Virgulino, or something to that extent; apologies if I'm butchering any of these words, if they have a significant meaning to anyone out there.

So we can essentially just log in via SSH now. So ssh, and we'll use tiago, that is tiago@192.168.1.106, sorry about that, and we hit enter, and the password, unless, we're going to accept the fingerprint, yes, and the password is going to be Virgulino, and I'm going to hit enter and let's see if that gives us access. And yeah, I probably butchered that, so I'm just going to copy that and we'll paste that in here. I'm going to hit enter, and voilà, welcome, we have SSH access now. And the first thing I like to do is let's just get rid of all of that extra data that we don't need. All right, so we're in. So the first thing we're going to run is id, just to see what privileges we have, and indeed we are not root. This is the whole charm about this virtual machine. So id: we are tiago. What's my current working directory? Is there anything inside here? Nothing. So we're in /home/tiago; nothing inside that directory. So let us see the current configuration here, so cat /etc/issue, and we are running Ubuntu 14.04.5 LTS, and we can run uname -a here, and I'm going to hit enter. Now, the interesting thing, as I mentioned, you can look at all the details in regards to the kernel there. This was a virtual machine that I feel really explained or demonstrated the correct way of going about privilege escalation and local enumeration once we have performed exploitation, or after, or you know, post exploitation, simply put.

So after running all of these commands, it's very, very simple, or it's clear, that we need to escalate our privileges to root. Now, the whole idea is, how do we do that? Well, I used the Linux Exploit Suggester. I used version 1; I know most of you like using version 2, but this one is the one that has been the most reliable for me, especially when running it on Linux. With Windows, as you know, you probably have to use any of the other enumeration scripts; they are mostly in Python. I'll be covering that; hopefully my next machine is a Windows machine so that we can actually do that. So on this machine we know that wget is there, so we can just use wget, and I'm going to just paste in the Linux Exploit Suggester here. I'll be posting this GitHub repository; I've forked it to my repository so you can always access it if you need it, because it's always being changed for some reason. So I'm just going to hit enter, and there we are, we're able to bring it onto our system. So we'll use chmod 775 to give it executable permissions, linux exploit suggester, hit enter, and we can finally launch it. So Linux Exploit Suggester, and let's see what it is able to enumerate in regards to the exploits. All right, so these are all kernel-based or kernel-level exploits that will give us complete access to whatever machine we are attacking. Now, if we just go to the top, you can see that it is going to give you information in regards to the kernel, the architecture, the distribution version, the package listing if that's interesting for you; there is a keyring here. I really did not focus on any of these vulnerabilities. What caught my attention was that Dirty COW worked. Dirty COW is probably the ultimate in Ubuntu hacks or exploits. I tried Dirty COW 1 and I got some issues in regards to it changing the superuser password, so I had to use Dirty COW 2.

So the great thing about the exploit suggester is that it gives us the Exploit-DB URL here, so you can essentially just copy the URL right over here, and we can get the C++ exploit here. Now, of course, given that it is in C++, we will have to compile it. All right, so I'm just going to wget that as well, and it's going to resolve Exploit-DB and it's going to get the file. So if we list the files in the current working directory, which is /home/tiago, we can see that we have the C++ exploit over there. So what I like doing for all my exploits, just to avoid any issues, I like giving them permissions to be read and executed; of course you need that, because we are going to compile it. Now, the first thing I did is I used the GNU compiler, but for some reason I got an error, so I did what every penetration tester should: inspect the exploit before you run it madly, even if it's a very well built one like Dirty COW. So nano, and we would open it up, like so, and you can see the first note here is giving us instructions in regards to how to compile this exploit. So we have g++ and we have all the other permissions, not permissions, parameters and options in regards to how to compile it. So thank you, dcow, for this, and I'm just going to copy that right now, very, very simply, and we don't make any changes to the exploit. You can go ahead and look at it and inspect it just to understand how it's all going about it. We're just going to exit now and we are just going to paste in that command. So we're using the GNU C++ compiler, and you can look at all the other permissions. I really was trying to understand what exactly is happening; I tried to go through it; it's essentially just to do with the permissions and the modules that were imported. All right, so I'm going to hit enter, and there we are, let that compile, and once it's done it should give us an executable here. There we are; the executable is called dcow, and we simply just launch it, type in dcow, and we are good. There we are: received an su prompt, and the root password was changed to dirtyCowFun, and if you type id you can still see we are tiago. So I'll try and use su, and I'll try and type in dirtyCowFun, or the password it was able to change it into, hit enter, and we are root. There we are, we have root access, and now we can finally go back to the root directory, and we have the flag over there. So I'm just going to get the flag, and voilà, we have root access and we were able to get the flag.

All right, quite simple, right? Well, I can tell you, when I went down the Drupal route, things were looking really bleak; I really, really tried exploiting it, and also once I got the low-privilege shell, things were still not looking bright at all. So yeah, I would say this was a good virtual machine, not the best or the most straightforward, and I guess it all comes down to mindset, and that's also something that I want to conclude on. I would say that if you're doing CTFs, the mindset is completely different from when you're performing a penetration test. If you are a penetration tester and you do it, you know, for a living, the mindset is very different, because over time you will develop your own methodology as to how you go about, you know, attacking a web application. With a CTF, you really have to throw that out of the window; you really need to get rid of that and, you know, start tinkering with everything and try out everything you've ever learned, and also perform research, because that's the whole idea in regards to CTFs: they better your skills, because they make you understand more about what vulnerabilities exist and how to go about exploiting them, and if you do it enough, these things become second nature and you're able to create your own type of mindset when it comes to targeting or attacking a virtual machine or CTF challenges. That being said, yes, this is quite a simple one once you are going in the correct direction, sorry about that, and this one was really focused on testing your skills in regards to, as I mentioned, password profiling and privilege escalation, because none of these services, even if you're able to enumerate locally any of the services running, there wasn't anything you could exploit locally, so you have to bring in your own Dirty COW exploit and use that as well. So the key things that I want you to take away from this are: enumerate, enumerate, enumerate; password profiling; and also, well, Hydra is quite simple to use, so nothing really there; and also local enumeration, you know, post exploitation, all that good stuff. So we were able to get the root, the flag, I guess that's what they were calling it here, yeah, so we were able to get the flag, and yeah, overall I would say this is a very, very good CTF challenge to kind of take you away from, you know, the common challenges that you'll run into. But that being said, that's going to be it for this video, guys. If you found value in this video, please leave a like down below. If you have any questions or suggestions, let me know in the comment section or on my social networks, and I'll be seeing you in the next video. [Music] Peace.
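The Hydra run described in the video is exactly the kind of activity that stands out in sshd's auth.log on the target. As an added example (not code from the video or its author), here is a small Python detector that flags a source with ten or more failed SSH logins inside a sliding sixty-second window and, separately, an accepted login from that source while the burst is still in the window, which is what a successful guess from a profiled word list looks like from the defender's side. The log lines, host name, PIDs and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd lines Ubuntu writes to /var/log/auth.log for password and
# public-key logins (syslog timestamps carry no year; one is supplied below).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict for an sshd login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window,
    and any accepted login from such a source while the window is still hot
    (the moment a word-list attack finds the right password)."""
    recent = defaultdict(deque)  # src -> timestamps of failures in window
    reported = set()             # sources already flagged for a burst
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["src"]]
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()      # expire failures older than the window
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "user": ev["user"], "failures": len(window),
                               "at": ev["ts"]})
        elif len(window) >= threshold:   # Accepted right after a burst
            alerts.append({"type": "success_after_bruteforce",
                           "src": ev["src"], "user": ev["user"],
                           "method": ev["method"], "at": ev["ts"]})
    return alerts


def build_sample_log():
    """Constructed sample log (invented IPs and PIDs): twelve guesses in
    twelve seconds against 'tiago' that succeed on the 13th attempt, then a
    lone typo and a normal key login from another host."""
    lines = [
        f"Sep 18 10:00:{i:02d} lampiao sshd[{2100 + i}]: Failed password for "
        f"tiago from 192.168.1.50 port {40000 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Sep 18 10:00:12 lampiao sshd[2112]: Accepted password for "
                 "tiago from 192.168.1.50 port 40012 ssh2")
    lines.append("Sep 18 10:05:00 lampiao sshd[2200]: Failed password for "
                 "tiago from 192.168.1.9 port 51000 ssh2")
    lines.append("Sep 18 10:05:07 lampiao sshd[2201]: Accepted publickey for "
                 "tiago from 192.168.1.9 port 51001 ssh2")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an acceptance from the same source means the guessed credential worked, so the account needs a password reset and the session needs review.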
Info
Channel: HackerSploit
Views: 18,803
Keywords: hackersploit, hacker exploit, ctf, ctf challenge, hacking, kali linux, lampiao vulnhub walkthrough, lampiao vulnhub, lampiao ctf, lampiao ctf walkthrough, ctf walkthrough, ctf walkthroughs, ctf walkthrough defcon, hacking ctf walkthrough, bulldog ctf walkthrough, vulnhub walkthrough, vulnhub lampiao, vulnhub toppo, vulnhub stapler, vulnhub tutorial, vulnhub temple of doom, vulnhub toppo walkthrough
Id: pgfYKUXGhOY
Length: 25min 54sec (1554 seconds)
Published: Tue Sep 18 2018