Practicle Ethical Hacking : Lab Academy Walkthrough

first look

its a default apace page nothing usual so i tried to enumerate more

nmap scan results

ports open 22 80 21 in which anonymous ftp is aloud at port 21 ftp

Get note.txt from anonymous ftp login in which we get many things like username and passwords

And the passwd is in md5 and the decoded value of md5 is student

now time to log in so lets fuzz the website and find admin panel using any tool you want right now i am using feroxbuster

And we got academy

Time to upload shell and get reverse shell

Go to pentestmonkey and use php reverse shell

upload the reverse shell and get connection

as soon you upload the shell instantly you got the shell

And we get the shell

make you shell interactive or its totally your call do what ever do you want

on home directory i get backup.sh which give me instant instinct that some kind of crontab is running and i was right

But if you see closely you will find that only grimmie user had permission to edit that backup.sh and currently we t www-data which is low level user right now

we have to became this grimmie user so that we can edit the backup file and got root so i decided to read the backup.sh cuz it is world readable

and from there i get grimmie password

Now we got the password 😉 time to log in into grimmie and edit the backup.sh

i login through ssh not through su cuz ssh has more stable shell

now use nano to edit the backup.sh file

Add the reverse shell from reverseshells.com and wait for the listener to connect as we all know that its a crontab so it will execute after 1 min

save it and wait for listener to connect eg nc -nvlp 2345

And we r root now

the box has been completely rooted feel free to comment if i left something 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

©2025 cyberspynet WordPress Video Theme by WPEnjoy