Today we are going to crack a machine called the Academy. It was created by egre55 & mrb3n. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!

Penetration Testing Methodology

• Network Scanning
  • Nmap Scan
• Enumeration
  • Enumerating Virtual hosts
  • Browsing HTTP Service in Browser
  • Registering into Application
  • Exploiting Parameter Tampering for Administrator Access
  • Directory Bruteforce using dirb
  • Enumerating Admin pages
  • Enumerating Virtual Host
  • Enumerating Laravel PHP Framework
  • Extracting APP_KEY
  • Searching for the exploit on Searchsploit
• Exploitation
  • Exploiting Unserialize RCE using Metasploit
  • Enumerating DB Password
  • Reading /etc/passwd file
  • Password Spraying using Hydra
  • Logging in as cry0l1t3
  • Reading User Flag
• Privilege Escalation
  • Uploading and Executing LinPEAS
  • Enumerating Logs for credentials of mrb3n user
  • Logging in as mrb3n user
  • Enumerating Sudo permissions
  • Exploiting Sudo Permissions on the composer
  • Getting Root Shell
  • Reading the Root Flag

Walkthrough

Network Scanning

To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.

IP Address assigned: 10.129.106.234

Now that we have the IP Address. We need to enumerate open ports on the machine. For this, we will be running a nmap scan.

Enumeration

From the nmap scan of port 80, we can see that it is trying to redirect to http://academy.htb/ So let’s add this link into our etc/hosts file.

Since we have added the host, we can now see the website in the browser. It is the clone of the HTB Academy Website.

Among the broken links, there was a register.php page. We tried to register on the application. It is always a good practice to use Burp To inspect the requests being sent to the server to understand the working of the application.

We found that apart from the username, password there is a parameter of role d that is travelling as well to the roiled server. It has the value of 0 by default.

We tried changing the value to 1 to see if we get some additional access on the application

The basic application remains the same as shown below.

We performed a directory Bruteforce in order to detect any high privilege pages or some sensitive pages with information. This led us to the admin.php page.

We open the detected page and we found a hostname “dev-staging-01.academy.htb”.

We add this hostname in our /etc/hosts file corresponding to the IP address as before.

Now we try to browse the dev-staging-01.academy.htb to find that it is reverting an Internal Server Error. There are some paths visible that suggest that Laravel is working behind the scenes. Also, we try to enumerate the browser console to find the Environment Variables. IT states that App_name is indeed Laravel and there is a base64 encoded key here. It also contains a ton of other information.

Since we know the Laravel Framework is at works, we decided to search for it in the Searchsploit. We found a Unserialize Command Execution.

Exploitation

As it is present inside the Metasploit, we use it from there. Here it requires the IP Address of the Target Machine, IP Address of the Attacker Machine, The Base64 APP key we found earlier, the Virtual Host that is running Laravel. After providing all the data, we execute the payload.

Through the RCE, we get ourselves a shell. We converted it into a TTY shell using a python one-liner. The shell we got is for the user www-data. We started our enumeration of the machine in order to find a way to elevate privilege. This led us to the academy directory in the /var/www/html folder. Here we found a hidden directory by the name of .env. We read the .env file to find the DB Credentials of MySQL

We read the /etc/passwd file to collect the users for the SSH login.

We took the usernames found and created a dictionary by the name of user.txt and we took the DB password that we found and pasted it into a text file by the name of pass.txt. Now we will perform Password Spraying on all the users to see if any one user has the same password for the ssh login. We will do this using hydra tool. Hydra told us that the user cry0l1t3 has the password that we were looking for.

We logged in through ssh for user cry0l1t3. Again, we convert the shell into a TTY shell and then looked for the user flag.

Privilege Escalation

Now in order to elevate privilege on the Target machine, we will use LinPEAS post exploitation script to enumerate the machine. We already have the script on our local machine, we hosted it on port 8000 and then downloaded it to the target machine using wget inside the /tmp directory. Now we provide it with the appropriate permissions for execution and then LinPEAS.

LinPEAS extracted the credentials for the mrb3n user inside the audit logs.

sh “su mrb3n”,<nl>

su “[email protected]!”,<nl>

We use these credentials to login as mrb3n user. Then we convert the shell into a TTY shell and enumerated it for sudo permissions. We found that we can execute a composer with elevated privileges. We are in luck as composer is one of the binaries that are mentioned in the GTFOBins. From there we got the method to get the root shell. Upon following those methods, we get root on the target machine. We read the root flag to conclude the machine.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn