Hack The Box — Academy
Hello there! Thank you for taking the time to read my write-up of the recently retired machine Academy, from Hack The Box.
Academy is an Easy Linux machine that requires careful enumeration to complete.
What will be covered:
• Credential Abuse
With that out of the way let’s get into it!
To start things off, an Nmap scan is run on all 65,535 TCP ports in order to discover services that are reachable from the Internet. This is a crucial step in any engagement because it allows the tester to get an idea of what type of system the target is. This process can also help in identifying potentially vulnerable services running on the host. This scan was run with the -sC -sV -T4 -v -p- flags set. The -oN flag outputs the scan to the nmap directory in .nmap format.
The scan reports three ports open on the host: 22, 80, and 33060. Nmap reveals a redirect to http://academy.htb/ on port 80 so I added academy.htb to the /etc/hosts file.
The first thing I do is visit http://academy.htb/ to check out the site. There are two options on the main page: Login and Register. Hovering over the links reveals http://academy.htb/login.php and http://academy.htb/register.php.
After clicking around for a little bit I come to the conclusion that there is nothing of real interest here. The user that is logged in is egre55, so I take note of that and move on to http://academy.htb/register.php. This time I send the requests through Burp Suite.
I notice the roleid=0 field right away, so I change it to 1 and forward the request. I revisit http://academy.htb/login.php, log in with test:test, and get the same results as before. While checking things out I guess http://academy.htb/admin.php, and sure enough I get a login page. I try my created account test:test on it and I get logged in!
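The roleid trick above works because the server treats a hidden form field as an authorization decision. As an added illustration, not Academy's actual register.php source, here is a representative vulnerable registration handler beside a hardened one; the $pdo handle, the users table and its column names (uid, password, roleid) are assumptions for the example.

```php
<?php
// Added example, not Academy's own register.php: a representative
// registration handler that trusts a client-supplied role, beside a
// hardened version. The $pdo handle, the users table and its columns
// (uid, password, roleid) are assumptions for illustration.

const ROLE_STUDENT = 0; // the only role self-registration may ever create
const ROLE_ADMIN   = 1;

// WEAK: roleid comes straight from the form, so a user who edits the
// hidden field roleid=0 to roleid=1 in the request registers as an admin.
function register_weak(PDO $pdo, array $post): void {
    $stmt = $pdo->prepare(
        'INSERT INTO users (uid, password, roleid) VALUES (?, ?, ?)'
    );
    $stmt->execute([$post['uid'], $post['password'], $post['roleid']]);
}

// HARDENED: the role is a server-side decision that never depends on the
// request body; the password is hashed; a tampered hidden field is logged.
function register_hardened(PDO $pdo, array $post): void {
    $uid = trim((string)($post['uid'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($uid === '' || strlen($password) < 12) {
        throw new InvalidArgumentException('invalid username or password');
    }
    // The form ships roleid=0; any other value is a tamper signal worth
    // alerting on, but it must not change what gets stored either way.
    if (($post['roleid'] ?? '0') !== '0') {
        $src = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        error_log("register: tampered roleid for uid={$uid} from {$src}");
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (uid, password, roleid) VALUES (?, ?, ?)'
    );
    $stmt->execute([$uid, password_hash($password, PASSWORD_DEFAULT), ROLE_STUDENT]);
}

// Likewise, admin.php must gate on the role stored in the database (loaded
// into the session at login), never on anything the client can send.
function require_admin(array $session): void {
    if ((int)($session['roleid'] ?? ROLE_STUDENT) !== ROLE_ADMIN) {
        http_response_code(403);
        exit('forbidden');
    }
}
```

The logging line gives a defender a concrete detection: a registration request whose roleid differs from the value the page actually sends is a direct indicator of request tampering.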
There is some valuable information that can be gathered from this page. The first thing I noticed was the hostname dev-staging-01.academy.htb. I’ll add that to the /etc/hosts file and keep moving. The next thing I gather from this page is the two additional usernames cry0l1t3 and mrb3n. Moving forward, I check out http://dev-staging-01.academy.htb/.
Poking around the development area, I found some more sensitive information.
A quick Google search of “laravel exploit” brings me to an Exploit Database entry for a Metasploit module that exploits a Token Unserialize Remote Command Execution vulnerability in Laravel PHP Framework 5.5.40 / 5.6.x < 5.6.30.
I fire up Metasploit Framework by executing msfconsole -q in the terminal. After running search laravel I am greeted with the module exploit/unix/http/laravel_token_unserialize_exec. I set all of the appropriate options before running the exploit.
The shell lands as the www-data user. I make the shell more interactive by entering python3 -c 'import pty;pty.spawn("/bin/bash")'. After doing some enumeration in the directory where the shell landed, I decide to move on. I change into the /var/www/html/academy directory and run ls -la.
The first thing that stands out to me is the .env file. I run cat .env and expose another potential password.
I then add the usernames and the password I collected to files and run Hydra to see if I can get a valid login on SSH.
I get the credentials for the cry0l1t3 user. Now that I know I have a valid username and password combination for SSH, I’ll log in to get a better shell. At this point, I am able to get the user.txt flag.
Part of my standard methodology when working through Hack The Box machines is to automate some of the enumeration by using LinPEAS from the Privilege Escalation Awesome Suite. I change into the /tmp directory and run wget to transfer the file.
As the script is running, an interesting discovery is made. Checking the audit logs reveals the su password for the mrb3n user. It is common to find passwords in audit logs because users sometimes mistakenly type their password into the username field, and that input gets recorded in the clear.
Running su mrb3n will switch from the current cry0l1t3 user to mrb3n.
The mrb3n user has the sudo privilege enabled which will allow me to escalate to the root user.
I know that the mrb3n user has the sudo privilege from previous enumeration of the system. Running sudo -l reveals that /usr/bin/composer can be run as the root user.
A quick search on https://gtfobins.github.io/ reveals sudo privilege escalation instructions.
I simply copy and paste this into my notes, add the full path for composer, and paste it into the terminal session.
As a result, I am able to get the root.txt flag and complete the challenge! Again, thank you for taking the time to read this and stay tuned for more!