HackTheBox Writeup — Academy

This is my write-up for the HackTheBox machine ‘Academy’, which runs a Linux OS and is one of the ‘easy’ rated machines.

Figure 1. Academy Info Card.

1. Summary

Exploiting a vulnerable ‘roleID’ parameter in the web application’s user registration function gives us an account with elevated privileges, which reveals a new virtual hostname. Accessing this virtual host we find Laravel is running and is exposing its APP_KEY, which enables us to perform an RCE exploit via metasploit.

Some research finds Laravel stores configuration values, including passwords, in .env files, and locating this file for the main hostname ‘academy.htb’ reveals a password for cry0l1t3. Inspecting some log files reveals some hex-encoded data, which when decoded turns out to be mrb3n’s SSH and user password. Finally, we exploit mrb3n’s sudo privileges on ‘composer’ to get a root shell.

2. Enumeration & Initial Foothold (www-data)

Starting off with an nmap scan for all ports reveals just three open ports (cut-down output below), with the main focus being port 80.

root@kali:# nmap -sV -sC -T4 -p- -oN all_ports.nmap 10.10.10.215

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
33060/tcp open  mysqlx?

Let’s go and check out the web application (I’m using the box’s hostname academy.htb rather than the IP address).

Figure 2. HTB Academy Web Application Home Page.

Nothing too interesting so far, just some login and user registration functionality. Let’s throw gobuster at it to try to find some other directories and files whilst we look at this registration functionality.

gobuster dir -u http://academy.htb/ -w /usr/share/wordlists/directory-list-2.3-small.txt -x txt,php

Figure 3. GoBuster Results

Hmmm config.php and admin.php look interesting. The config file doesn’t actually show any useful information, but admin.php will be used later. I registered a user normally and the app gave literally no functionality, and of course I wasn’t able to log in as an admin via admin.php, so I took a step back.

Inspecting the user registration functionality, it seems an extra parameter is hidden from the main registration form (roleID) and is assigned a default value of 0.

Figure 4. Identifying Hidden ‘RoleID’ Parameter Sent with User Registration Requests.

I wonder what happens if we register a user and change this to 1? We can do this in BurpSuite. Intercepting the request, changing just the roleID parameter to 1 and forwarding the next few requests returns us to the login page.

Figure 5. Elevating Account Privileges by Exploiting Vulnerable roleID Parameter

Logging in as a regular user doesn’t immediately present anything new, but when we try and log in to the admin panel (admin.php) with the credentials below we now get access to admin-page.php, which has some useful stuff.
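To make the root cause concrete, here is an added example (not code from the Academy box or this writeup) contrasting a registration handler that trusts a hidden roleid field with one that assigns the role server-side and treats a posted roleid as a tampering signal worth logging. The field names other than roleid, the function names, the hashing choice and the sample request body are assumptions made for the illustration.

```python
"""Added example, not code from the Academy box: a registration handler that
trusts a hidden roleid field next to one that assigns the role server-side.
Field names other than roleid, the hashing choice and the sample posts are
assumptions made for the illustration."""
import hashlib
import os

ROLE_USER = 0
ROLE_ADMIN = 1
# The only fields the registration form is meant to send (assumed names).
EXPECTED_FIELDS = {"uid", "password", "confirm"}


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt, returned as salt$hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def register_vulnerable(form: dict) -> dict:
    """Mirrors the weakness in the writeup: whatever roleid the client posts
    (0 by default, 1 if edited in a proxy) becomes the account's role."""
    return {
        "username": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": int(form.get("roleid", ROLE_USER)),  # client-controlled value
    }


def unexpected_fields(form: dict) -> set:
    """Detection hook: fields the form never sends indicate a tampered request
    and are worth logging/alerting on, even though the hardened handler ignores them."""
    return set(form) - EXPECTED_FIELDS


def register_hardened(form: dict) -> dict:
    """Reads only the fields the server expects and assigns the role itself;
    a posted roleid is never consulted."""
    if form.get("password") != form.get("confirm"):
        raise ValueError("password confirmation does not match")
    return {
        "username": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": ROLE_USER,  # never derived from the request
    }


if __name__ == "__main__":
    # Constructed request body, as a proxy would send it after editing roleid.
    tampered = {"uid": "newuser", "password": "pw", "confirm": "pw", "roleid": "1"}
    print("vulnerable roleid:", register_vulnerable(tampered)["roleid"])  # 1 (admin)
    print("hardened roleid:  ", register_hardened(tampered)["roleid"])    # 0 (user)
    print("tampered fields:  ", unexpected_fields(tampered))              # {'roleid'}
```

The key design point is that the role is a server-side decision tied to a separate administrative action, never a value read from the form; the `unexpected_fields` check is what turns the tampering attempt into a log entry a SOC could alert on.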

Figure 6. Landing Page for Successful Admin Authentication.

From the image above we can see two key pieces of information we should take note of:

  • Usernames:- mrb3n & cry0l1t3
  • Virtual Hostname:- dev-staging-01.academy.htb

We also see there is some issue on this vhost that still needs fixing… that sounds promising. Adding dev-staging-01.academy.htb to our /etc/hosts file and accessing it in the browser gives us the below.

Figure 7. Landing Page for dev-staging-01.academy.htb

A lot of information here. But the first thing that stuck out for me was the error in the top left and the filename referenced (laravel.log). Some research will tell you Laravel is a PHP web framework. Cool, but what use is this?

Well, some online research for Laravel exploits will identify a Remote Command Execution (RCE) vulnerability. This is only feasible if the APP_KEY is exposed, which luckily it is if we scroll further down.

Figure 8. Exposed Laravel APP_KEY enabling RCE Exploit.

This vulnerability has a metasploit exploit module, so we will just use that. To find it, simply use the two commands below within metasploit.

msf6 > search laravel

Matching Modules
================

   0  exploit/unix/http/laravel_token_unserialize_exec

msf6 > use 0

Then set the appropriate options.

Figure 9. Required Payload Settings in Metasploit

Then simply run and get a reverse shell on the box via command injection.

Figure 10. Initial Foothold as www-data

3. User Shell (cry0l1t3)

This shell is pretty limited; we need to elevate to an actual user. After so much manual enumeration and research, I came across Laravel’s environment configuration documentation. A quote from the documentation:

  • “It is often helpful to have different configuration values based on the environment where the application is running.” ← This can definitely be applied here given the two different web applications we have via two hostnames.

Laravel does this through a .env file that stores some common configuration values (including passwords), which are then used to access various services.

So knowing this, I went searching for the .env file for both web applications, and once I found the one for the academy.htb web application, I found a hard-coded password at the bottom.

Figure 11. Hard-Coded Database Password in Academy.htb Environment Config File

This is shown as a database password, but after some password spraying against the users on the box (check home directories or /etc/passwd) we can actually use this to log in as ‘cry0l1t3’ via SSH or su and grab user.txt.
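Two of the conditions this chain relied on live in the same place: Laravel’s debug error page disclosing the environment (and with it APP_KEY) on the dev-staging vhost, and a plaintext database password in .env that was also a user’s login password. The following is an added example, not code from the writeup or from Laravel, of a small hygiene check a defender could run over a Laravel-style .env file to flag both. The sample .env content, the placeholder values and the function names are constructed for the illustration.

```python
"""Added example, not from the writeup or Laravel: a hygiene check over a
Laravel-style .env file. Flags APP_DEBUG=true outside a local environment
(error pages then render the environment, APP_KEY included), plaintext
credentials, and a world-readable file mode. Sample content is constructed."""
import os
import re
import stat
from typing import List, Optional

# Constructed sample in the layout of a Laravel .env; values are placeholders.
SAMPLE_ENV = """\
APP_NAME=Academy
APP_ENV=staging
APP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY
APP_DEBUG=true

# database
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=dev
DB_PASSWORD="placeholder-db-password"
"""

# Keys whose values are credentials; APP_KEY is excluded because storing it in
# .env is the intended design, the problem is disclosing it via debug pages.
CREDENTIAL_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN)$", re.IGNORECASE)


def parse_env(text: str) -> dict:
    """Minimal dotenv parser: KEY=value lines, '#' comments, optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def env_findings(text: str, mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings for the .env content (and file mode if given)."""
    env = parse_env(text)
    findings = []
    debug_on = env.get("APP_DEBUG", "false").lower() == "true"
    if debug_on and env.get("APP_ENV", "production").lower() != "local":
        findings.append(
            f"APP_DEBUG=true with APP_ENV={env.get('APP_ENV', 'production')}: "
            "error pages will disclose the environment, including APP_KEY"
        )
    for key, value in env.items():
        if CREDENTIAL_KEY.search(key) and value:
            findings.append(
                f"{key} holds a plaintext credential: rotate it if the file was ever "
                "exposed and never reuse it as a user login password"
            )
    if mode is not None and mode & (stat.S_IROTH | stat.S_IRGRP):
        findings.append(f"file mode {oct(mode)} is group/world-readable; expect 0o600")
    return findings


def check_env_file(path: str) -> List[str]:
    """Run env_findings against a real file, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return env_findings(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in env_findings(SAMPLE_ENV, mode=0o644):
        print("-", finding)
```

Run `check_env_file("/path/to/.env")` on a deployment to get the same three classes of finding; on this box the first one (debug on a non-local host) is what put APP_KEY on a web page, and the second (a DB password doubling as an SSH password) is what made the .env file worth finding.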

Figure 12. User Shell as cry0l1t3 and Grabbing the user.txt Flag

4. User Shell (mrb3n)

Running some simple user enumeration commands shows that cry0l1t3 is a member of the ‘adm’ group, which is used for system monitoring tasks and thus cry0l1t3 can read files within the /var/log directory.

cry0l1t3@academy:~$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

After again so much manual enumeration, I came across an interesting log file:

/var/log/audit.log.3

Searching through the file I noticed some entries had hex-encoded data logged. Although most of these entries are associated with nano or sh/bash, one entry is associated with the Linux login command ‘su’.

Figure 13. Identifying a Potential Hex-Encoded Password

Decoding this in python seemingly gives us mrb3n’s password? Let’s try it!

Figure 14. mrb3n’s user & SSH password.

Excluding the ‘\n’, using this password we get a shell as mrb3n via SSH.
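The log entries in question are auditd TTY records: the `data=` field is the hex encoding of the keystrokes typed on the terminal, and because `su` prompted for a password those keystrokes included it. As an added example that is not part of this writeup, here is a defender-side script that parses such records, decodes the ordinary command input, but redacts input captured under credential-prompting commands and reports only that it was captured. Its purpose is to find this class of exposure (the fix is to stop recording password input, which is what the `log_passwd` option of pam_tty_audit controls, and to tighten who can read /var/log/audit). The log lines are constructed in the layout of real TTY records; the password in them is a made-up placeholder, not the one from the box.

```python
"""Added example, not from the writeup: a defender-side check for auditd TTY
records that captured credential input. The log lines below are constructed
in the layout of real type=TTY records; the decoded values are placeholders."""
import re
from typing import List, Tuple

# Constructed sample: three TTY records plus one unrelated USER_AUTH record.
# data= is the hex of the typed keystrokes ("ls -la\n", "hello\n", and a
# made-up password followed by Enter).
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1604000000.100:40): tty pid=2500 uid=1002 auid=1002 ses=2 major=136 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1604000001.200:41): tty pid=2501 uid=1002 auid=1002 ses=2 major=136 minor=1 comm="nano" data=68656C6C6F0A
type=TTY msg=audit(1604000002.300:42): tty pid=2502 uid=1002 auid=1002 ses=2 major=136 minor=1 comm="su" data=506C616365686F6C64657250617373210A
type=USER_AUTH msg=audit(1604000003.400:43): pid=2502 uid=1002 auid=1002 ses=2 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
"""

TTY_RECORD = re.compile(r'type=TTY .*? comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)')

# Commands that prompt for a secret on the terminal; keystrokes captured while
# they ran are treated as credentials and never decoded into output.
CREDENTIAL_PROMPTS = {"su", "sudo", "ssh", "passwd", "login", "mysql"}


def decode_tty_records(log_text: str) -> List[Tuple[str, str]]:
    """Return (comm, keystrokes) per TTY record; credential input is redacted."""
    records = []
    for line in log_text.splitlines():
        match = TTY_RECORD.search(line)
        if not match:
            continue
        keystrokes = bytes.fromhex(match["data"]).decode("utf-8", errors="replace")
        keystrokes = keystrokes.rstrip("\n")
        comm = match["comm"]
        if comm in CREDENTIAL_PROMPTS:
            keystrokes = f"<redacted {len(keystrokes)} chars>"
        records.append((comm, keystrokes))
    return records


def credential_exposures(log_text: str) -> List[str]:
    """Names of credential-prompting commands whose input landed in the log.
    A non-empty result means password keystrokes are on disk and the log's
    readers (here the adm group) can recover them."""
    return [comm for comm, _ in decode_tty_records(log_text) if comm in CREDENTIAL_PROMPTS]


if __name__ == "__main__":
    for comm, typed in decode_tty_records(SAMPLE_AUDIT_LOG):
        print(f"{comm:>6}: {typed}")
    print("credential input captured for:", credential_exposures(SAMPLE_AUDIT_LOG))
```

Pointed at real files (`decode_tty_records(open("/var/log/audit/audit.log").read())`), the second function is the one to wire into a periodic check: any hit means TTY auditing is recording password prompts and the affected accounts should have their passwords rotated once the logging is corrected.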

Figure 15. Lateral Movement → mrb3n

5. Root

We are given a nice easy escalation to root after a lot of manual enumeration.

Checking mrb3n’s sudo privileges reveals mrb3n can run sudo on composer, and there is also a hint towards this in mrb3n’s home directory with a hidden config file.

Figure 16. mrb3n sudo privileges

Composer is a tool for dependency management in PHP — it helps you declare, manage and install dependencies (i.e. plugins/scripts) of PHP projects. However, such scripts have full access to the user account that runs composer, meaning running composer with sudo will mean it’s running with root privilege. We can abuse that to make it spawn a root shell :D — see GTFOBins for the technique.

Figure 17. Root Shell and root.txt

Conclusion

Thanks for reading and keep an eye out for future writeups! Feedback is always welcome though, and my HackTheBox profile is linked below :)

Jack Roberts

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.