TCM Security — Practical Ethical Hacking Course 

The first step was to find the IP address of the target machine, which I did with an ARP scan.

Then I ran a Netdiscover scan and found the result shown below.

After that I ran the usual Nmap scan with the command: nmap -p- -T4 -A 192.168.1.5

The Nmap scan showed an open FTP port that allowed login with the username: anonymous

So I tried logging in with that and got in. I found a note there, downloaded it, and read the information it contained.

From it we got some potentially useful information: a student registration number and a password hash.

Then I tried to crack the hash using hash-identifier, but it didn't give me the correct password. So I ran hashcat with the famous RockYou list and got a candidate password.

While going through the scan results I also noticed that port 80 (HTTP) was open, so I opened it in Firefox and got the default Debian index page.

I then fuzzed for directories with dirb and ffuf and found two interesting ones: /academy and /phpmyadmin

I went back to Firefox, opened both URLs, and found them both up and running.

In the /academy directory I logged in with the registration number and password and successfully reached the user's dashboard.

I found that an image could be uploaded in the profile section as the profile picture. I tried uploading a .txt file instead and it was accepted, so the upload did not check file types. That gave me a Local File Inclusion / Remote Code Execution vulnerability.
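The upload accepted a .txt, and later a .php, because it trusted the client's filename. As an added example (my own code, not the Academy application's PHP), here is the set of checks a profile-image upload needs so that only real images are stored, under a server-chosen name that can never be executed. The `MAX_BYTES` limit, the upload directory and the function names are assumptions.

```python
"""
Added example: validating a profile-image upload by extension allowlist,
file signature and size, then storing it under a random non-executable name.
"""
import os
import secrets

# Allowed extensions and the magic bytes each file must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed policy: 2 MiB cap on profile pictures


class UploadRejected(ValueError):
    """Raised with a reason whenever an upload fails validation."""


def validate_profile_image(filename: str, data: bytes) -> str:
    """Return the extension to store under, or raise UploadRejected.

    The client-supplied name decides nothing on its own: the extension must
    be on the allowlist AND the bytes must carry the matching signature, so
    'note.txt', 'shell.php' and 'shell.php.png' with PHP inside are refused.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(filename)  # drop any path components
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match a .{ext} image")
    return ext


def storage_name(ext: str) -> str:
    """Random, server-chosen filename: the uploader never controls the path
    or extension the web server will see."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write the file with no execute bit; returns the path."""
    ext = validate_profile_image(filename, data)
    os.makedirs(upload_dir, exist_ok=True)
    dest = os.path.join(upload_dir, storage_name(ext))
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o640)
    return dest


def check(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be accepted."""
    try:
        validate_profile_image(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php echo 'not an image'; ?>"
    for name, blob in [("avatar.png", png), ("note.txt", b"hello"),
                       ("shell.php", php), ("shell.php.png", php)]:
        print(f"{name:14s} -> {'accepted' if check(name, blob) else 'rejected'}")
```

The upload directory should additionally be served with script execution disabled (for example no PHP handler for that location), so that even a validation bug cannot turn a stored file into code.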

I exploited the vulnerability with a PHP reverse shell, since the website used PHP on the backend. I used the one from this link: https://github.com/pentestmonkey/php-reverse-shell

After a few edits I uploaded the .php file and started a Netcat listener on my Kali machine.

BOOM! I got the reverse shell and started working from there.

To get further I either needed sudo permissions or something I could install on the box. I ran a Python web server on Kali, transferred the LinPEAS shell script to the target, and gave it execute permissions.

After running LinPEAS I found some information about the machine. The potentially useful information was:

These were some of the suspicious files I found. Among them was a Bash script that was being run, so I immediately checked the file and found this:

From this I could see that it removed backup.zip, zipped the file again, and gave it 700 permissions.

So I wanted to check whether this file was being run repeatedly or not.

But first, I found something else in the LinPEAS scan that gave me a way in over SSH. It was:

I logged in over SSH with that password as the user “grimmie” and BOOM, got SSH access too.

Then I looked for a way to watch the system processes being run. For that I used the program pspy, which can be found at: https://github.com/DominicBreuker/pspy

I downloaded it onto the machine via the SSH login and found that backup.sh runs repeatedly after a certain period of time.
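What made backup.sh dangerous was the combination the last few paragraphs describe: a script executed by a root cron job but owned (and therefore editable) by an ordinary user. As an added example, not part of the walkthrough and not taken from pspy or LinPEAS, here is a small audit that reads system-crontab style lines and flags scripts whose owner or mode would let a lower-privileged user change what root runs. The crontab text, paths, uids and the `FakeStat` values are constructed samples; the stat and user-lookup functions are injectable so the demo runs without touching a real system.

```python
"""
Added example: flag cron-invoked scripts that a non-privileged user could
rewrite (wrong owner, group- or world-writable, or missing).
"""
import os
import pwd
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result, used by the constructed demo data.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def parse_system_crontab_line(line: str):
    """Return (user, script) for an /etc/crontab style line
    ('m h dom mon dow user command ...'); None for comments, blank lines
    and variable assignments such as SHELL=/bin/sh."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#") or "=" in parts[0]:
        return None
    if len(parts) < 7:
        return None
    return parts[5], parts[6]


def hijack_reasons(mode: int, uid: int, gid: int, runs_as_uid: int) -> list:
    """Pure check on stat-like values so it is testable without a filesystem."""
    reasons = []
    if uid != runs_as_uid:
        reasons.append(f"owned by uid {uid}, executed as uid {runs_as_uid}")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def default_uid_lookup(user: str):
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def audit_crontab(text: str, stat_fn=os.stat, uid_lookup=default_uid_lookup) -> list:
    """Return [(script, reason), ...] for every risky entry."""
    findings = []
    for line in text.splitlines():
        parsed = parse_system_crontab_line(line)
        if parsed is None:
            continue
        user, script = parsed
        if not script.startswith("/"):
            continue  # only absolute script paths are examined here
        runs_as = uid_lookup(user)
        if runs_as is None:
            findings.append((script, f"unknown user {user}"))
            continue
        try:
            st = stat_fn(script)
        except FileNotFoundError:
            findings.append((script, "does not exist (could be created by someone else)"))
            continue
        for reason in hijack_reasons(st.st_mode, st.st_uid, st.st_gid, runs_as):
            findings.append((script, reason))
    return findings


# Constructed sample crontab and file metadata (not from any real host).
SAMPLE_CRONTAB = """
# constructed /etc/crontab sample
SHELL=/bin/sh
* * * * * root /home/user1/backup.sh
0 3 * * * root /usr/local/sbin/rotate.sh
*/5 * * * * user1 /home/user1/sync.sh
"""
SAMPLE_STATS = {
    "/home/user1/backup.sh": FakeStat(0o100700, 1000, 1000),   # user-owned, run by root
    "/usr/local/sbin/rotate.sh": FakeStat(0o100775, 0, 0),     # root-owned but group-writable
    "/home/user1/sync.sh": FakeStat(0o100700, 1000, 1000),     # fine: user runs its own script
}


def fake_stat(path: str):
    if path not in SAMPLE_STATS:
        raise FileNotFoundError(path)
    return SAMPLE_STATS[path]


def demo_findings() -> list:
    return audit_crontab(SAMPLE_CRONTAB, fake_stat, {"root": 0, "user1": 1000}.get)


if __name__ == "__main__":
    for script, reason in demo_findings():
        print(f"{script}: {reason}")
```

Run against a real host with `audit_crontab(open("/etc/crontab").read())`; the same parser works on the files under /etc/cron.d. The fix for a flagged entry is the usual one: root-owned, mode 0700 or 0755, in a directory that unprivileged users cannot write to.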

I then replaced the backup script with a Bash reverse shell from this link: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

I opened a listener on the port I wanted and got the reverse shell again. This time I found a flag that said:

Thank you ✨✨!!
