Academy
In this walkthrough of the "Academy" machine, we explore how a forgotten note, weak encryption, and improper file permissions can lead to a complete system takeover. Deep Log Analysis is used to uncover clear text credentials, and SUDO Exploitation is used to escalate privileges to the highest level.
Tools: nmap, ffuf, hash-identifier, Hashcat, Linpeas.
Level: Intermediate
Enumeration
Started with a standard Nmap scan to identify open ports and services.
nmap -A -p- -T4 <machine_IP>
Nmap result:
21/tcp open ftp vsftpd 3.0.3
ftp-anon: Anonymous FTP login allowed. note.txt
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Key Findings
- Port 21 (FTP): vsftpd 3.0.3 is running with anonymous login allowed. The scan revealed an interesting file named note.txt, which is our primary point of interest.
- Port 22 (SSH): OpenSSH is exposed, suggesting we might find credentials later to log in.
- Port 80 (HTTP): A standard Apache web server is running. If FTP hits a dead end, we will enumerate web directories here.
Why investigate FTP first?
Anonymous FTP access is a legacy configuration that administrators frequently overlook. It often contains files (backups, notes, or configuration scripts) that were intended to be temporary but were never removed.
> ftp <machine IP>
After logging in over FTP, retrieve the note.txt file.
Anonymous FTP access turned out to be very informative. Inside, we found note.txt, which contained an SQL INSERT statement intended for the backend database.
This file unintentionally leaked a specific user record, identifying StudentRegno (10201321) as our login username and containing a 32-character password hash (cd73502828457d15655bbd7a63fb0bc8).
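As an added check of my own (not part of the original walkthrough) covering the note found above and the cracking step that follows: the script pulls every 32-hex-character token out of an SQL dump and tests it against a short wordlist with md5sum, which is all it takes to recover a weak unsalted MD5 password. The note.txt contents and the wordlist are constructed stand-ins; only the registration number and the hash come from the page.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Requires md5sum (coreutils).

WORK=$(mktemp -d)

# Constructed stand-in for the note.txt leaked over anonymous FTP; the real
# file is an SQL INSERT, and only the regno and hash below are taken from it.
cat > "$WORK/note.txt" <<'EOF'
INSERT INTO students (StudentRegno, password)
VALUES ('10201321', 'cd73502828457d15655bbd7a63fb0bc8');
EOF

# Constructed three-word stand-in for rockyou.txt.
printf '%s\n' password 123456 student > "$WORK/words.txt"

# Print every whole-word 32-character lowercase hex token in a file: the
# shape of an unsalted MD5 hash stored as text.
find_md5_like() {
    grep -owE '[0-9a-f]{32}' "$1" | sort -u
}

# Return 0 when MD5(word) equals the hash. Unsalted MD5 carries no per-user
# secret, so a single md5sum call settles each guess.
md5_matches() {
    [ "$(printf '%s' "$2" | md5sum | cut -d' ' -f1)" = "$1" ]
}

# Try each word of a wordlist against one hash; print the first match.
crack_md5() {
    while IFS= read -r word; do
        if md5_matches "$1" "$word"; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Audit run: a hash in the dump that falls to a tiny wordlist is, in effect,
# a clear-text credential sitting on an anonymous FTP share.
for h in $(find_md5_like "$WORK/note.txt"); do
    if pw=$(crack_md5 "$h" "$WORK/words.txt"); then
        echo "WEAK: $h -> $pw"
    else
        echo "no match in wordlist: $h"
    fi
done
```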
Cracking Weak Cryptography
To crack the password hash, I used the hashcat tool. But first, we need to determine what type of hash it is, so I used the hash-identifier tool.
It confirmed that it's MD5. To crack this hash, I used the Hashcat tool and the rockyou.txt password file with the following command (-m 0 selects hashcat's MD5 mode).
> hashcat -m 0 hash.txt <rockyou file location>
Woot! We successfully cracked the hash and now have the password (student) for StudentRegno (10201321).
Web Exploitation
Okay, so far, so good. According to the nmap response, we also have port 80 open, so navigate to the website using the machine IP and enumerate port 80.
When we visit the website, we see the default Apache 2 Debian page.
Since no useful information appeared on the page, proceed to perform directory fuzzing on the endpoint using the ffuf tool with the following command.
> ffuf -w <wordlist location>:FUZZ -u <url>/FUZZ
This revealed two directories:
/academy and /phpmyadmin
Navigating to the /academy directory presented a login page. The cracked credentials (10201321 / student) successfully authenticated the session.
Yahh! Successfully logged in.
Upon accessing the "My Profile" section, it was discovered that the application failed to validate file uploads. This allowed for the upload of malicious PHP files.
Let's upload the PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php .
Edit the shell's PHP file to set the attacker machine's IP and port, then start the Netcat listener.
After uploading the shell file, use the page's view source feature to locate the uploaded file and open it in the browser.
The Netcat listener receives the connection.
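The server-side check the profile upload was missing, as an added example of my own rather than the Academy application's code: a POSIX shell validator that accepts a picture only when its extension is on an allow-list and the file's first bytes carry the matching image signature, so a PHP file renamed to .jpg is rejected. The three sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the Academy application. Validates an upload by
# extension allow-list plus magic bytes; both must agree or the file is rejected.

WORK=$(mktemp -d)
# Constructed samples: a PNG signature with filler, a PHP file renamed to
# .jpg (the trick the profile upload fell for), and a JPEG header named .php.
printf '\211PNG\r\n\032\nfiller' > "$WORK/avatar.png"
printf '<?php echo "not an image"; ?>' > "$WORK/avatar.jpg"
printf '\377\330\377\340JFIF' > "$WORK/photo.php"

# Print the first N bytes of a file as lowercase hex with no separators.
head_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Return 0 only when the extension is allowed and the leading bytes match
# that type's signature. Extensions are matched case-sensitively on purpose;
# normalise the name before calling if .JPG should be accepted.
check_upload() {
    case "$1" in
        *.jpg|*.jpeg) want=ffd8ff ;;            # JPEG SOI marker
        *.png)        want=89504e470d0a1a0a ;;  # PNG signature
        *.gif)        want=47494638 ;;          # "GIF8"
        *)            return 1 ;;               # anything else, including .php
    esac
    [ "$(head_hex "$1" $(( ${#want} / 2 )))" = "$want" ]
}

for f in "$WORK"/*; do
    if check_upload "$f"; then echo "ACCEPT $f"; else echo "REJECT $f"; fi
done
```

A content check alone does not stop a file that is both a valid image and valid PHP, so the upload directory must also be served with script execution disabled.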
We got a shell, which is great, but not as a root user, as shown by the command whoami, which displays the www-data user rather than the root user.
So now what's next? We need to perform root user privilege escalation, and that's where the fun begins.
I’m going to use the tool LinPEAS (https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS).
LinPEAS is an automated script that hunts for possible privilege escalation paths on Linux/Unix*/MacOS hosts.
To transfer it, start a Python HTTP server in the directory containing the linpeas.sh file.
From the already connected target machine, use the wget command to download the linpeas file from that server.
Once it is on the target machine, make it executable with chmod +x <filename>.
Run the file with ./linpeas.sh and look at the results.
The critical information and endpoints we received in the response are highlighted in red. The first is a backup.sh script belonging to the grimmie user that runs with administrative (root) privileges. The second is a password.
Let's see what the /var/www/html/academy/includes/config.php file contained.
The file contains the username grimmie and the password "My_V3ryS3cur3_P4ss". Now, since we already know that the SSH port is open on the machine, let's connect with the following command.
> ssh grimmie@<machine_IP>
Enter the password: My_V3ryS3cur3_P4ss
Once you've successfully logged in to the machine, look for the backup.sh file. Open it with the nano command, inject a one-liner Bash reverse shell pointing at the attacker machine's IP, and save the file.
The script runs as root, so when backup.sh is next executed, the attacker gains root access. Use the cat and ls commands to find the flag.txt file.
Summary:
Initial Vector: Information disclosure via Anonymous FTP (note.txt).
Access: Cracking the MD5 hash found in the note to access the web application.
Foothold: Unrestricted file upload leading to Remote Code Execution (RCE).
Privilege Escalation: Clear-text credentials in PHP config files (Lateral Movement) -> Exploiting a writable script running with root privileges.
Happy Hacking!!