Friday, September 4, 2020

[VulnHub] LAMPSecurity: CTF5 Write Up

Hello, sunny day! Because of CTF competition training, I'll continue practicing with VulnHub.

As the entry's title says, let's do this!

+GATHERING INFORMATION: After scanning the provided system (both manually and automatically), I figured out some stuff:

- OS: Linux 2.6.X

- Web Server: Apache httpd 2.2.6 ((Fedora))

- DBMS: MySQL 4.1.2

- PHP 5.2.4

+VULNERABILITIES:

- LFI 


+EXPLOIT: With the LFI, I surfed around and tried some payloads, but it doesn't work. I found 3 forms for entering login credentials.

   


And all of them seem invulnerable to SQLi.

After some hours of googling, I fortunately figured out how to bypass the authentication of NanoCMS.

Bingo! I already have the admin cred!

Login successful!


Manually surfing this page, I found the place that allows me to create a new page.


I decided to create a simple PHP shell to test this function, and it works!


Using another PHP shell, I fully connected to the system.




And the final quest is to get root!

Try "sudo su"



So I decided to spawn a TTY shell:

python -c 'import pty; pty.spawn("/bin/sh")'


But before that, we must find the root credential by using "grep" to search for the root password.



We have the root password, so let's get ROOT!



Happy Hacking!






