root💀muzec-sec:~#

Hack. Sleep. Repeat


Lord Of The Root is a cool box on VulnHub that helps others learn some basic CTF hacking strategies and tools like port knocking, sqlmap, etc. You can easily grab a copy here: Lord Of The Root Download Here

image

We always start with an nmap scan.

nmap -sC -sV -Pn -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/lord]
└─$ nmap -sC -Pn -sV -oA nmap 172.16.139.200
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-03 02:59 EDT
Nmap scan report for 172.16.139.200
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds

Only one port is open, SSH, which is strange. Let's check the SSH banner for a clue.

image

The banner says "Knock Friend To Enter" and "Easy as 1,2,3". The hint is clear: we have to use port knocking, and 1 2 3 is the only sequence we have, so let's try it.

Port knocking is a stealth method to externally open ports that, by default, the firewall keeps closed. It works by requiring connection attempts to a series of predefined closed ports. With a simple port knocking method, when the correct sequence of port “knocks” (connection attempts) is received, the firewall opens certain port(s) to allow a connection.

Port Knocking

Port knocking command: knock 172.16.139.200 1 2 3
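To make the mechanism concrete from the defender's side, here is an added Python example (not code from the original post or from the box) that replays a knock daemon's per-source state machine over iptables LOG lines and reports which source completed the 1,2,3 sequence inside the timeout; that is both how the firewall decides to open 1337 for an address and what a log reviewer would look for. The netfilter log layout is real, while the hostname, log prefix, sample addresses and the 5-second timeout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Knock sequence from the box's SSH banner hint ("Easy as 1,2,3"); the 5-second
# window is an assumed knockd-style seq_timeout, not something the page states.
KNOCK_SEQUENCE = (1, 2, 3)
SEQ_TIMEOUT = 5.0

# Fields needed from a netfilter (iptables LOG target) syslog line.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d).*?SRC=(?P<src>\S+).*?"
                    r"PROTO=TCP.*?DPT=(?P<dpt>\d+).*?\bSYN\b")

def parse_knock_events(lines, year=2021):
    """Yield (timestamp, src_ip, dst_port) for every logged TCP SYN."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"])

def completed_knocks(lines, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Replay the knock daemon's per-source state machine over firewall log lines.
    Returns {src_ip: [times at which the full sequence was completed]}."""
    progress = {}                      # src -> (next_index, first_knock_time)
    opened = defaultdict(list)
    for ts, src, dpt in parse_knock_events(lines):
        idx, started = progress.get(src, (0, ts))
        if idx and (ts - started).total_seconds() > timeout:
            idx = 0                    # window expired: start over
        if dpt != sequence[idx]:
            idx = 0                    # wrong port breaks the sequence...
        if dpt == sequence[idx]:       # ...but may itself be a fresh first knock
            started = ts if idx == 0 else started
            idx += 1
            if idx == len(sequence):   # here knockd would run its open command
                opened[src].append(ts) # for this source (%IP% in knockd.conf)
                idx = 0
        progress[src] = (idx, started)
    return dict(opened)

def _log(ts, src, dpt):
    """Build one constructed iptables LOG line in the real netfilter layout."""
    return (f"{ts} lordoftheroot kernel: KNOCK-DROP: IN=eth0 OUT= SRC={src} "
            f"DST=172.16.139.200 LEN=60 PROTO=TCP SPT=41234 DPT={dpt} SYN URGP=0")

SAMPLE_LOG = [_log(f"Jun  3 {t}", src, p) for t, src, p in [   # constructed sample
    ("03:37:10", "172.16.139.1", 1), ("03:37:11", "172.16.139.1", 2), ("03:37:12", "172.16.139.1", 3),
    ("03:40:00", "10.0.0.9", 1), ("03:40:01", "10.0.0.9", 2), ("03:40:30", "10.0.0.9", 3),
    ("03:41:10", "10.0.0.7", 1), ("03:41:11", "10.0.0.7", 5), ("03:41:12", "10.0.0.7", 1),
    ("03:41:13", "10.0.0.7", 2), ("03:41:14", "10.0.0.7", 3),
]]  # 172.16.139.1: clean 1,2,3; 10.0.0.9: third knock 29 s late; 10.0.0.7: restarts after a miss
```

Running `completed_knocks(SAMPLE_LOG)` opens the port for 172.16.139.1 and 10.0.0.7 only; the same replay over real firewall logs shows how visible a fixed knock sequence is to anyone who can read them.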

image

Now let's scan it again with nmap, this time across all ports.

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/lord]
└─$ nmap -sC -Pn -p- -sV -oA nmap 172.16.139.200
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-03 03:38 EDT
Nmap scan report for 172.16.139.200
Host is up (0.00060s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.26 seconds

Boom, we have a new port open: 1337, HTTP. That is the power of knocking. Now it is time to hit the HTTP port.

image

A simple page. Checking the source code gives nothing, and brute-forcing directories also gives nothing. Strange, right?

image

Running nikto also finds nothing.

image

So I decided to check robots.txt; always check it.

image

Then I checked the source code again, and boom: some secret text, probably encoded.

image

Let's decode it to see what we have.

image

A secret directory, /978345210/index.php. Nice, let's hit it.

image

Now we have a login page. I have the habit of always testing for SQL injection first, so I tried the basic SQL injection payloads with no luck. Let's intercept the login request and use sqlmap.

image

Save the request in a text file and scan it with sqlmap.

The sqlmap command I am using: sqlmap -r scan.txt --dbs --columns

image

We were right, it is vulnerable to SQL injection. Let's dump it.

sqlmap -r scan.txt -D Webapp -T Users -C username,password --dump dumps the credentials. Seems cool.

image

Looking back at our nmap results, SSH is open. Let's try the dumped credentials against SSH with a brute-force tool; my guess is that is the way in.

image

Boom, valid credentials for SSH. Nice, let's log in.

image

We are in. Time to get root.

Privilege Escalation

Checking sudo -l gives no luck, so let's check the kernel version.

image

Cool, it is running an old version. Let's check for an exploit on Exploit-DB.

image

Let's get it onto the target, compile the exploit, and run it.

image

We are root and done.

Greetings From Muzec


