Today we are going to root a box from the TCM Security Ethical Hacking course, aka ACADEMY. Let’s start, shall we?
First we run an Nmap scan on the Academy box, and the results are back.
Right off the bat, we see ports 21, 22 and 80 open, and on port 21 anonymous FTP access is allowed; moreover, a “note.txt” file is sitting there. Let’s check it out.
We see the file note.txt, so we can do a “get note.txt” to download it to our local machine and see what’s inside.
We can see a student record with a Reg no. and a password, but we have no way of knowing where to use them yet, so let’s check the website on port 80.
Just a default Apache page. It does give a little info: PHP is probably running in the background. Next we do a little directory brute forcing.
We used ffuf and got a directory back: at /academy we found a student login page.
We found a Reg no. and password in the note.txt file, but the password is likely a hash, so we’ll check it using a built-in tool in Kali called hash-identifier.
It is possibly an MD5 hash; we’ll try to crack it using the hashcat tool.
We cracked the password: student. Now let’s log in at /academy using these credentials.
We logged in successfully and found a file upload feature. Let’s see whether we can exploit this feature to upload a malicious file and get a reverse shell back.
Since we know it’s an Apache server, we’ll try to run a PHP payload. We Google “php reverse shell” and there’s a neat shell from Pentest Monkey; we copy it onto our local machine and then upload it using the picture upload feature.
php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
Note: edit the IP address inside the script to whatever attacker machine you’re using, and give it execute permissions using the chmod command.
Open a netcat listener in another terminal and BAM!!!! You have a reverse shell. Let’s see now what we can do.
Now we have to do privilege escalation, so we’ll make use of an amazing script called linpeas.sh, which will check for any priv esc vectors.
PEASS-ng/linPEAS at master · carlospolop/PEASS-ng
We take the script, copy and paste it into a file called linpeas.sh on our local machine, and then host an HTTP web server using Python.
Then, using wget <url>, we fetch the file from the web server onto the Academy machine we got into.
After giving the file execute permissions, we run linpeas.sh.
What this script does is look for any information or processes running on the system that we can leverage to get root privileges.
We found some interesting files, such as /var/www/html/academy/includes/config.php, and in it the MySQL server password “My_v3ryS3cur3_P4ss”. Let’s cat out this config file.
We found the same password along with grimmie as the username, and when we looked at the /etc/passwd file we saw that grimmie is an admin-level user. Let’s try to SSH in as grimmie.
It’s a success. Now let’s find out whether any cron jobs are running for grimmie; if so, we can use them to get an admin-level shell.
We found nothing, at least with the privileges we have right now, so let’s try a fantastic tool called pspy64. Similarly, we use wget to fetch it from our HTTP server; it checks for processes running on the machine, such as cron jobs.
GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions
We saw that there is a file called backup.sh,
and after running pspy64 we saw that it is indeed running as a cron job every few seconds. Since grimmie is an admin-level user, this file also runs with the same privileges, so we can get an admin-level shell back using this file.
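As an added defensive check (not part of the original walkthrough or any of the tools named here), the small POSIX shell audit below finds the misconfiguration that made this step possible: a cron entry whose script can be edited by users other than its owner. The function name and the sample crontab are my own assumptions.

```sh
#!/bin/sh
# Added defensive check (not from the original post): scan a crontab-format
# file for commands whose script files are group- or world-writable. That is
# the weakness above: backup.sh ran from cron as a privileged user but could
# be edited by a less privileged one. Assumes POSIX sh with ls, cut and awk.

# Print "path perms owner" for every path on a crontab line that exists as a
# regular file and is group- or world-writable. Always returns 0; the caller
# inspects the output.
audit_cron_file() {
    crontab_file="$1"
    # Drop comment and blank lines, then look at each remaining entry.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$crontab_file" |
    while read -r line; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        set -- $line
        # Skip the schedule: "@reboot"-style entries use one field, classic
        # entries use five (minute hour day month weekday).
        case "$1" in
            @*) [ $# -ge 2 ] || continue; shift 1 ;;
            *)  [ $# -ge 6 ] || continue; shift 5 ;;
        esac
        # /etc/crontab-style lines also carry a user column; tokens that do
        # not start with "/" are never treated as paths, so that column and
        # any interpreter name such as "bash" are harmless here.
        for tok in "$@"; do
            case "$tok" in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue
            perms=$(ls -ld "$tok" | cut -c1-10)        # e.g. -rwxrwxrwx
            owner=$(ls -ld "$tok" | awk '{print $3}')
            group_w=$(printf '%s' "$perms" | cut -c6)  # group write bit
            other_w=$(printf '%s' "$perms" | cut -c9)  # other write bit
            if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
                printf '%s %s %s\n' "$tok" "$perms" "$owner"
            fi
        done
    done
}
```

On a real host, run it against /etc/crontab, the files under /etc/cron.d, and the output of `crontab -l` saved to a file; any line it prints is a script that cron runs but someone else can rewrite.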
Now we can search Google for a one-liner to get a reverse shell.
Reverse Shell Cheat Sheet
We edit backup.sh to add the one-liner with our local IP and a port, and listen on that port.
AND CONGRATULATIONS!!!! YOU HAVE PWNED THE MACHINE.
Special thanks to Heath Adams and TCM Security’s Ethical Hacking Course. All I have learnt is from his course, and I look forward to learning and exploring more of this amazing ethical hacking course.