Academy is an easy-medium rated box in HackTheBox. Let’s see how it goes.
As usual, let’s start with our nmap enumeration.
We can see from the nmap results that we have SSH on port 22, HTTP on port 80 and a MySQL service on port 33060 open.
Port 80, HTTP, looks like the best place to start.
Navigating to the site, we get this plain old home page.
We can see that we have login and register pages. Navigating to /admin.php also shows us an admin login page.
Let's try registering so that we can log in later. After registering and playing around while logged in, I can't seem to find a foothold. So I go back to registering and intercept the request with Burp to see if there's anything we can do.
Hmm, the roleid parameter seems suspicious. My suspicion is that it controls the type of user. I change it to 1 and register. After registering, I go to the /admin.php page I had found earlier and try logging in with the same details. To my surprise, I find myself logged in as admin.
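As an added example (not code from the original post or from the box), here is what that roleid bug looks like in code and how a defender closes it: a registration handler that copies every submitted field into the new account, beside one that allowlists the writable fields and assigns the role on the server. The field names, role values and the audit log format are assumptions.

```python
# Added example (not from the original post): mass assignment of a client-controlled
# roleid during signup, and the hardened version of the same handler.
# Field names, role values and the audit log format are assumptions.

ROLE_USER = 0
ROLE_ADMIN = 1
REGISTRATION_FIELDS = {"username", "email", "password"}  # what a signup form may set


def vulnerable_register(form: dict) -> dict:
    """Before: trusts whatever the client posts, so roleid=1 yields an admin account."""
    account = {"roleid": ROLE_USER}          # intended default
    account.update(form)                     # client-supplied roleid overwrites it
    return account


def hardened_register(form: dict, audit_log: list) -> dict:
    """After: allowlist the writable fields and decide the role on the server."""
    unexpected = set(form) - REGISTRATION_FIELDS
    if unexpected:
        # A signup request carrying fields such as roleid is worth alerting on.
        audit_log.append(f"registration with unexpected fields: {sorted(unexpected)}")
    account = {k: form[k] for k in REGISTRATION_FIELDS if k in form}
    account["roleid"] = ROLE_USER            # never derived from user input
    return account


def is_admin(account: dict) -> bool:
    """Role check the admin login would perform; tolerates string values from a form."""
    return int(account.get("roleid", ROLE_USER)) == ROLE_ADMIN


if __name__ == "__main__":
    # Constructed request body mirroring an intercepted signup with roleid changed to 1.
    tampered = {"username": "eve", "email": "eve@example.test",
                "password": "hunter2", "roleid": "1"}
    log = []
    print("vulnerable -> admin?", is_admin(vulnerable_register(tampered)))  # True
    print("hardened   -> admin?", is_admin(hardened_register(tampered, log)))  # False
    print("\n".join(log))
```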
Looking at the page, it seems like there's another website being hosted on another subdomain. After adding it to my /etc/hosts, I head there to see what it is.
Looks like a debugging page. After reading some of it, I found that it's a Laravel debugging page. I also found something weird in the debug output.
This APP_KEY looks suspicious.
After searching a bit for Laravel exploits, I find one that needs exactly this APP_KEY to work. This seems like a perfect match, so let's see if it works.
This PoC, https://github.com/kozmic/laravel-poc-CVE-2018-15133/, looks perfect for the job.
I follow the format it presents me with.
I change the exploit to fit my needs and boom, I get a reverse shell!
I had saved the steps I followed in a file.
Apologies if the text is too hard to read. The text is basically what I followed from the github page linked above.
I finally get a reverse shell.
Nice, now let's look for ways to escalate privileges.
When I look at the /home directory, there seem to be an awful lot of users present.
Well, after going through each of their directories, I still can't find anything.
When enumerating the /var/www/html folder where the site was hosted, I find a .env file with passwords.
Looks like the password can be useful. After trying the password for each user, it works for the cry0l1te user!
Nice, we’ve escalated our privileges again!
But we're not root yet, so let's keep trying. After some more manual enumeration, I run linpeas.sh to see if I'm missing something. To my surprise, the cheeky little sneaky password for another user is found in the logs!
I try logging into the user m3ben and boom!
Nice, another user pwned. So, I look at ‘sudo -l’ to see if this user can run anything as sudo.
Looks like we can run a program called composer as sudo.
I then look at GTFObins to see if we can exploit composer for our own needs. Seems like we can!
Following the path from GTFObins, I finally exploit composer to get a full rooted shell on the machine.
Finally! This machine is rooted as well.