Academy - [HTB]

Marmeus

Introduction

Academy is an easy Linux machine. The attacker first has to find a way to register as an administrator on the HTB Academy web page in order to reach a "Launch Planner". A subdomain listed there leaks the information a Metasploit module needs to obtain a reverse shell. Inside the web application's files there are credentials that can be reused to retrieve the user flag, and finally the attacker has to dig through a lot of logs to find the credentials and the path to root.

Enumeration

As always, let's begin by looking for open ports on the machine.

Then, analyze what is running on those ports in order to find domain names, versions, etc.

The SSH and HTTP service versions alone don't give us anything useful, so let's have a look at the web pages.

Trying to reach the web server with Firefox, the server redirects us to the domain academy.htb. Once that name is added to /etc/hosts, a HackTheBox page with login and register forms appears.

Academy web page

Running gobuster reveals additional files such as admin.php. However, we don't have any credentials for the administrator panel.

Exploitation 1

Nonetheless, we can create an administrator account by intercepting the register request with Burp Suite and changing the value of the roleid parameter to 1. The application trusts a role identifier supplied by the client instead of assigning the role server-side.

Academy login
Burp interception
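To make the weakness concrete, here is an added example (not code from the writeup or from the Academy application): it rewrites the intercepted form body the way the Burp change does, then contrasts a registration handler that trusts the client-supplied roleid with one that assigns the role server-side. The form field names other than roleid are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the intercepted register request body.
# Only "roleid" is named in the writeup; the other field names are assumptions.
INTERCEPTED_BODY = (
    "uid=attacker&email=attacker%40academy.htb"
    "&password=Passw0rd&confirm=Passw0rd&roleid=0"
)

ROLE_USER = 0
ROLE_ADMIN = 1  # the value that yields an administrator account in the writeup


def tamper(body: str, param: str, value: str) -> str:
    """Rewrite one parameter of a urlencoded body, as done in Burp's intercept tab."""
    fields = parse_qs(body, keep_blank_values=True)
    fields[param] = [value]
    return urlencode(fields, doseq=True)


def register_vulnerable(body: str) -> dict:
    """Vulnerable handler: the role comes straight from the client-controlled form."""
    form = parse_qs(body)
    return {"uid": form["uid"][0], "roleid": int(form.get("roleid", ["0"])[0])}


def register_fixed(body: str) -> dict:
    """Hardened handler: every self-registered account gets the user role,
    whatever the client sent; administrators are created by another path."""
    form = parse_qs(body)
    return {"uid": form["uid"][0], "roleid": ROLE_USER}


def is_admin(account: dict) -> bool:
    return account["roleid"] == ROLE_ADMIN


if __name__ == "__main__":
    evil = tamper(INTERCEPTED_BODY, "roleid", "1")
    print("tampered body:", evil)
    print("vulnerable handler grants admin:", is_admin(register_vulnerable(evil)))
    print("fixed handler grants admin:     ", is_admin(register_fixed(evil)))
```

The fix is not to validate roleid more carefully but to stop reading it from the request at all: a self-service registration endpoint has no business accepting a role.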

Now we can access the admin page, which reveals a new domain (dev-staging-01.academy.htb) and what appear to be two usernames (cry0l1t3 and mrb3n).

Academy Launch Planner

Visiting this new domain (after adding it to /etc/hosts as well) shows a lot of error logs and details about the web application.

Log panel

The application uses the Laravel framework, and the debug output leaks its APP_KEY, a base64-encoded secret that Laravel uses to encrypt and sign cookies and other client-side data.

APP_KEY

Searching with searchsploit shows a Metasploit module (exploit/unix/http/laravel_token_unserialize_exec) that uses a leaked APP_KEY to forge a token the application decrypts and unserializes, which can be used to obtain a reverse shell.

Searchsploit

Exploitation 2

The exploit options are the following:

To make the exploit work (obtaining a reverse shell) we need to set the APP_KEY, RHOSTS, VHOST and LHOST (our Kali IP) options.

Because the Metasploit shell is a bit clunky, I'm going to use netcat, python and bash to spawn a second reverse shell that I can then upgrade to a fully interactive TTY.

Upgrading the shell

Kali:

Academy:

Kali:

Now we are able to use Ctrl+C and the arrow keys.

Privilege escalation 1

The file /var/www/html/academy/.env contains credentials for the local database.

That password is reused for the system account cry0l1t3, which is a member of the adm group.

The adm group is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

The file /var/log/audit/audit.log.3 contains records whose data field looks like commands or other input encoded in hexadecimal.

Encoded data

Decoding the data to ASCII gives the following strings.
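As an added example (not part of the original writeup), here is a small Python decoder for audit TTY records of the kind found in audit.log.3: pam_tty_audit stores the keystrokes of a session as hex in the data field, so anyone who can read the log can recover what was typed, including the input given to su's password prompt. The log lines below are constructed for the example; the pids, timestamps, commands and the password are invented.

```python
import re

# Constructed sample of audit.log TTY records, in the layout pam_tty_audit
# writes (type=TTY ... comm="..." data=<hex keystrokes>). Everything in it is
# invented for this example; the real audit.log.3 on the box holds other data.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1604000001.100:201): tty pid=2001 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=6364202F746D717F700A
type=TTY msg=audit(1604000002.200:202): tty pid=2001 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=7375206D7262336E0A
type=TTY msg=audit(1604000003.300:203): tty pid=2045 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="su" data=46616B3350617373210A
type=USER_AUTH msg=audit(1604000003.400:204): pid=2045 uid=1002 auid=1002 ses=1 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):\d+\): tty pid=(?P<pid>\d+) '
    r'.*?comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)\s*$'
)


def parse_tty_records(log_text: str) -> list:
    """Return the TTY records in a raw audit log, with the hex data turned into bytes."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_AUTH, ... records carry no keystrokes
        records.append({
            "ts": float(m["ts"]),
            "pid": int(m["pid"]),
            "comm": m["comm"],
            "raw": bytes.fromhex(m["data"]),
        })
    return records


def render_keystrokes(raw: bytes) -> str:
    """Turn logged keystrokes into the text the user ended up with:
    backspace/DEL (0x08, 0x7f) erase the previous character instead of being
    printed, Enter becomes a newline, other control bytes are shown as \\xNN."""
    out = []
    for b in raw:
        if b in (0x08, 0x7F):
            if out:
                out.pop()
        elif b in (0x0A, 0x0D):
            out.append("\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out).rstrip("\n")


SU_RE = re.compile(r"su(?:\s+-l?)?(?:\s+(\S+))?$")


def extract_su_credentials(records: list) -> list:
    """Pair each 'su <user>' typed in a shell with the keystrokes logged while
    comm was su, i.e. the password typed at su's prompt. Returns (user, password)."""
    creds = []
    target = None
    for rec in records:
        typed = render_keystrokes(rec["raw"])
        if rec["comm"] == "su":
            creds.append((target or "root", typed))
            target = None
        else:
            m = SU_RE.match(typed)
            if m:
                target = m.group(1) or "root"  # bare 'su' switches to root
    return creds


if __name__ == "__main__":
    recs = parse_tty_records(SAMPLE_AUDIT_LOG)
    for rec in recs:
        print("%.3f pid=%d %-5s %r" % (rec["ts"], rec["pid"], rec["comm"],
                                       render_keystrokes(rec["raw"])))
    print("credentials:", extract_su_credentials(recs))
```

Applying the erase keys matters: the raw log holds every key pressed, so a password typed with a correction would otherwise come out wrong. Where the audit userspace tools are installed, `ausearch -i` performs the same hex decoding; the script is for the common case where only the raw file is readable.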

Privilege escalation 2

Now we can become the user mrb3n, who is allowed to run the composer binary as root with sudo.

A quick search on GTFOBins provides a way to get a root shell through composer's run-script feature.

Finally, I would like to thank the members of NetOn who helped me solve this machine.