My School: 1 Walkthrough

Dark-0
Armour Infosec
Dec 22, 2020

Description

Welcome to “My School”

This VM has been designed by Sachin Verma. This boot-to-root VM is fully based on a real-life scenario. It has been designed to enhance users' skills while testing a live target in a network. It's a quite straightforward box, but stay aware of rabbit holes.

Goal: Get the root flag of the target.

Difficulty: Intermediate

Network Scanning

We always start with network scanning. Let's find the target IP address by running netdiscover.

$ sudo netdiscover -i vboxnet0 -r 10.10.10.1/16

As we can see in the netdiscover result, our target IP address is 10.10.10.19.

Enumeration/Reconnaissance

Our next step is scanning the target machine. Let's start with nmap.

$ nmap -p- -sV 10.10.10.19

The nmap result reveals the open ports on the VM. Two of them are running web servers, so we should quickly enumerate the web applications.

http://10.10.10.19

After a lot of enumeration, I couldn't find any way forward; I couldn't even find any credentials.

I think this is a rabbit hole, but I am not sure about it.

Let's move to port 8080.

http://10.10.10.19:8080

Oops..!!!!

The WordPress setup is not configured, and seriously, I had no idea how to solve this situation. After gathering information about the same problem, I concluded that I should create a database: the unfinished install wizard lets anyone who can reach port 8080 complete the installation with a database of their own. Let's create a new database and a new user for the WordPress installation.

┌──(dark0㉿kali)-[~]
└─$ sudo service mysql start

┌──(dark0㉿kali)-[~]
└─$ sudo mysql -u root -p

MariaDB [(none)]> create database wordpress;

MariaDB [(none)]> create user 'dark0'@'10.10.10.19' identified by 'sombre';

MariaDB [(none)]> grant all on wordpress.* to 'dark0'@'10.10.10.19' with grant option;

MariaDB [(none)]> flush privileges;

With that, we have created a MySQL database for WordPress. Now we need to edit the MySQL server configuration file and change bind-address to 0.0.0.0 so the database can be accessed from anywhere (this exposes our own MariaDB instance on every interface, so it is worth reverting once the lab is done).

$ sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf

bind-address = 0.0.0.0

Now open the WordPress configuration setup and fill in the database information we just created, with our own machine as the database host.

Now let's complete the WordPress installation…

After completing the installation process, log in to WordPress.

With that, we are in the VM's WordPress dashboard.

Now, let's quickly get a reverse shell…. hehe, favorite part… .^.

I am using the theme editor to get the reverse shell.

Update the 404.php error page with our PHP reverse shell code.

Turn on our listener. And have some wine… just kidding.

Hit the 404.php error page and wait for the reverse shell to connect back to us.

http://10.10.10.19:8080/wp-content/themes/twentyseventeen/404.php

And yes, finally we have a reverse shell…!!! Let's dig in.

$ cd /home/armour

$ cat user.txt
628435356e49f976bab2c04948d22fe4

Okay, now do you remember the other CMS which is running on port 80?

"CMSMS". Let's read the CMS configuration file for some credentials.

$ cd /var/www/html/cmsms

$ cat config.php

Here we have the password of user "armour": SW)#$of4–9056d

By the way, I am grateful that I didn't brute-force http://10.10.10.19/admin/login.php. And it is clear now that port 80 was a rabbit hole.

$ su armour

Way to root …!!!!

$ sudo -l

I don't know much about the rclone command.

Okay, we can do many things with rclone. We can replace the passwd file.

So I copied the passwd file and edited the armour user's UID and GID to 0:0.

Now, at last, restart the VM.

Take the reverse shell from WordPress again.

$ su armour

SW)#$of4–9056d

And yes, we are finally root.
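As an added, defender-side example that is not part of the original walkthrough: the privilege escalation above works by rewriting /etc/passwd so that a normal account carries UID/GID 0. A host-level check for exactly that condition is short to write. The passwd content below is constructed to mimic the edited file, not captured from the VM, and the script also accepts a path to a real passwd file.

```python
"""Flag /etc/passwd entries that give root-level UID or GID to non-root accounts."""
import sys

# Constructed sample: what /etc/passwd looks like after the "armour" line has
# been edited to 0:0 as in the walkthrough (not captured from the VM).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
armour:x:0:0:armour,,,:/home/armour:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, uid, gid, shell) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash the audit
        name, _pw, uid, gid, _gecos, _home, shell = fields
        try:
            entries.append((name, int(uid), int(gid), shell))
        except ValueError:
            continue  # non-numeric uid/gid, also malformed
    return entries


def find_rogue_root_accounts(text):
    """Names of accounts other than 'root' whose UID or GID is 0."""
    return [name for name, uid, gid, _shell in parse_passwd(text)
            if name != "root" and (uid == 0 or gid == 0)]


if __name__ == "__main__":
    # Usage: python3 passwd_audit.py [/etc/passwd]; defaults to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_PASSWD
    for account in find_rogue_root_accounts(data):
        print(f"WARNING: account {account!r} has root-level UID/GID")
```

Run against the sample it reports only "armour"; pairing this with a file-integrity check on /etc/passwd catches the modification before the next login.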

root@myschool:/root# cat proof.txt
Best of Luck
02a4f62865fddf48345f51ffdbe073ec

That's it..!! Thanks for reading. Stay tuned for similar walkthroughs and much more.

:- Dark-0


Learning stuff in cybersecurity, preparing for OSCP certification. #penetration_tester, CTF player, bug hunter. https://twitter.com/dark0sombre