Vulnhub My School: 1 Walkthrough

by Vince
in Blog

The description states:  "This boot to root VM is fully a real life based scenario. It has been designed in a way to enhance user's skills while testing a live target in a network. It's a quite forward box but stay aware of rabbit holes."

There are quite a few directions this could have gone and I'm not sure I took the intended route, especially with the entry.  I feel like I found my foothold and just plowed on through it.  In general, I would say this is an easy box, but you need the skills to set up an application outside of the vulnerable machine to use in my exploitation route.  That will make more sense shortly. 

We kick off with Nmap:


Lots of ports but the web port is always a good place to start.  We find CMS Made Simple which I know has vulnerable versions:


However, when digging in, this isn't one of those versions that allow unauthenticated RCE.


Moving along, we hit port 8080 and we find WordPress waiting to be installed:


Having installed WordPress a bunch of times, I know that I'll need a MySQL server and I haven't compromised one on this system yet.  I could mess around there or I could just point it at mine.

On my server, I create a blank database:


I need to give root remote access.  In the GRANT statement the percent sign is the wildcard host, so root can log in to my MySQL server from any IP; otherwise, we'd list a specific IP address.  That also leaves my own MySQL exposed to the whole network, so it's worth tightening back up once the box is done. 


We also need to change the bind-address in the MySQL configuration from 127.0.0.1 to 0.0.0.0.


Once we change it to 0.0.0.0, save, and exit, we need to restart MySQL.

Back at the WordPress install, we need to populate our values:


We hit Submit.


We run the installation.


We choose a password.


We're finished with the installation and we choose Log in.


We enter our credentials and we're in...


In a previous post, I wrote about how to build a WordPress reverse shell plugin.  I upload my plugin:


I activate my plugin:


My handler is already set up:


We catch the shell and we clean up the environment:


The WordPress credentials will do us no good since the database is the one we set up ourselves, but the credentials for CMS Made Simple might be useful to us:


We find the user armour, we move into that home directory, and we find the user flag:


On a hunch, I attempt to reuse the MySQL credentials for armour and we're successful.


Checking sudo privileges:


I'm not familiar with rclone and there are no man pages.  I execute the command to see if that provides any information:


We can perform a number of tasks.  The cat command is interesting; I attempt to read the shadow file:


Perfect!  That copy command might allow us to copy any shadow file to /etc/shadow.  In advance of using this copy function, I add the armour shadow entry into my shadow file to avoid getting locked out in case this goes sideways.  With our shadow file in place:


I execute the rclone copy command:


And we're root!  One last thing to do:
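A defender-side check for the shadow overwrite above, added here as an example and not part of the original post: when /etc/shadow is replaced wholesale by an attacker-supplied file, accounts present in /etc/passwd lose their shadow entries and root's hash changes, which a file-integrity job can flag. The account names and hashes below are constructed samples.

```python
"""Consistency check for /etc/passwd vs /etc/shadow (constructed example)."""
import hashlib

# Constructed sample /etc/passwd: armour is from the box, the rest are typical system users.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
armour:x:1000:1000:armour:/home/armour:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed sample of a replaced /etc/shadow: only root (new hash) and armour survive.
SHADOW = """root:$6$fakesalt$fakehashfakehashfakehash:19000:0:99999:7:::
armour:$6$othersalt$otherhashotherhash:18500:0:99999:7:::
"""


def parse_users(text):
    """Return {username: fields} for a colon-separated account file."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = fields
    return users


def check_shadow(passwd_text, shadow_text):
    """Compare passwd and shadow contents and return findings for alerting."""
    passwd = parse_users(passwd_text)
    shadow = parse_users(shadow_text)
    return {
        # Accounts that lost their shadow entry: the signature of a wholesale overwrite.
        "missing_from_shadow": sorted(set(passwd) - set(shadow)),
        # Shadow entries with no matching passwd user.
        "orphaned_in_shadow": sorted(set(shadow) - set(passwd)),
        # Any extra UID 0 account in passwd is a separate red flag.
        "uid0_accounts": sorted(u for u, f in passwd.items() if len(f) > 2 and f[2] == "0"),
        # root's hash field, so a stored baseline can detect replacement.
        "root_hash": shadow.get("root", [None, None])[1],
        # SHA-256 of the whole file for baseline comparison.
        "shadow_sha256": hashlib.sha256(shadow_text.encode()).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in check_shadow(PASSWD, SHADOW).items():
        print(f"{key}: {value}")
```

On a live host, feed it the real files and compare root_hash and shadow_sha256 against a baseline taken at build time.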



That's a wrap!  That was a fun box and the "real world" aspect of it is true.  I've discovered a number of installs just floating around like that, waiting to be popped.