Rekkodo Tech

HackTheBox Academy


Academy from HackTheBox was a relatively easy and straightforward machine. It starts with two open ports, SSH on 22 and HTTP on 80. On the web app we abuse the registration system to gain admin access, then discover a development subdomain full of information, and from there we get a shell on the box. After that we find several users and some credentials lying around and escalate until we reach the user mrb3n, who can run composer with sudo, which gives us root. So let’s start!

Recon #

Nmap #

A full TCP Nmap scan shows us 2 open ports.

[screenshot: nmap full tcp scan]

A targeted Nmap scan with default scripts and version enumeration against ports 22 and 80 follows; from the Apache version we can guess this is Ubuntu Focal Fossa.

[screenshot: nmap targeted scan]

We add academy.htb (revealed in the Nmap scan) to /etc/hosts.

[screenshot: add academy.htb to /etc/hosts]

Looking at the page source revealed nothing, so let’s check the links on the page.

[screenshot: source page]

Gobuster #

Fuzzing directories gave a few hits: admin.php and config.php.

[screenshot: gobuster fuzzing directories]

Alright, let’s take a look at the application from a user’s point of view by creating an account.

[screenshot: user point of view]

Hmm, something looks weird: I registered with the username rekkodo and it logged me in as egre55. Time for Burp Suite.

[screenshot: logging in to academy]

Burpsuite #

Looking at the registration POST request in Burp Suite we notice the parameter roleid=0. I can assume it decides whether the user will be a regular or an admin account, so let’s change it to 1 and see what happens.

[screenshot: burpsuite]
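The root cause here is that the registration handler trusts a role field sent by the client. As an added illustration (not code from the box or from Laravel), here is a minimal Python model of that handler beside a hardened version that assigns the role server-side, flags unexpected form fields for logging, and only changes roles through a separate, caller-checked path; the form contents are constructed sample data.

```python
"""Parameter tampering on a registration form: vulnerable vs hardened handler."""
from dataclasses import dataclass

USER_ROLE = 0
ADMIN_ROLE = 1

# Fields a self-service registration form is allowed to carry (assumed set).
SELF_SERVICE_FIELDS = {"uid", "email", "password", "confirm"}


@dataclass
class User:
    uid: str
    email: str
    roleid: int


def register_vulnerable(form: dict) -> User:
    """Copies roleid straight from the request, so roleid=1 yields an admin."""
    return User(form["uid"], form["email"], int(form.get("roleid", USER_ROLE)))


def unexpected_fields(form: dict) -> set:
    """Names of posted fields the form never sends; a normal browser posts none."""
    return set(form) - SELF_SERVICE_FIELDS


def register_hardened(form: dict) -> User:
    """Whitelists the copied fields and decides the role on the server."""
    extra = unexpected_fields(form)
    if extra:
        # Worth alerting on: someone edited the request in a proxy.
        print(f"[alert] registration carried unexpected fields: {sorted(extra)}")
    return User(form["uid"], form["email"], USER_ROLE)


def promote_to_admin(actor: User, target: User) -> User:
    """Role changes only happen here, and only an existing admin may do it."""
    if actor.roleid != ADMIN_ROLE:
        raise PermissionError("only an admin may grant the admin role")
    return User(target.uid, target.email, ADMIN_ROLE)


# Constructed request body mimicking the tampered registration from the writeup.
TAMPERED_FORM = {"uid": "rek", "email": "rek@example.invalid",
                 "password": "pw", "confirm": "pw", "roleid": "1"}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(TAMPERED_FORM))
    print("hardened:  ", register_hardened(TAMPERED_FORM))
```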
We then log in with the newly created account rek, which has roleid=1, this time through the admin.php page.

[screenshot: admin login page]

We do get into the backend and see the Academy Launch Planner; we also notice a mention of fixing an issue on the subdomain dev-staging-01.academy.htb.

[screenshot: Academy Launch Planner]

Let’s add dev-staging-01.academy.htb to /etc/hosts.

[screenshot: /etc/hosts]

Navigating to the newly discovered subdomain we see tons of information: the technology used is Laravel, the APP_KEY is exposed, the database system is MySQL, and we find the username and password for a database called homestead.

[screenshot: dev-staging-01.academy.htb]

We took the information found and put it in CherryTree to stay organized.

[screenshot: cherrytree note taking]

After a little searching on Google I found a CVE we can use to gain an initial foothold on the box.

[screenshot: laravel exploit github repo]

Cloning the repo to our local machine.

[screenshot: cloning the repo]

After reading the Python script we try it with the APP_KEY found earlier, running the command id to test for RCE. We get a hit: RCE works!

[screenshot: using the exploit]

User shell #

We set up an nc listener on port 9000 and run the Python script with a reverse shell payload pointing at us, and we get a hit back.

[screenshot: getting a reverse shell]

As soon as we get a shell we see an interesting file, .env, and as we suspected it contains credentials.

[screenshot: checking .env file]

By checking /home or /etc/passwd we can tell there are several users, so we try SSH logins with the found credentials against those users.

[screenshot: ssh as a user]

Looking around the system we find juicy files in /var/log/audit; in audit.log we get more credentials, and we use them to log in as mrb3n.

[screenshot: escalating to another user]

Root shell #

We are logged in as mrb3n, and after running sudo -l we discover that this user can run composer with sudo.

[screenshot: finding a priv esc to root]

mrb3n@academy:~$ TF=$(mktemp -d)
mrb3n@academy:~$ nano $TF/composer.json
{"scripts":{"rekkodo":"echo ' public key ' >> /root/.ssh/authorized_keys"}}
mrb3n@academy:~$ sudo /usr/bin/composer --working-dir=$TF run-script rekkodo

From our attacking machine we use the matching private key to log in as root.

yami@sama:~$ ssh -i .ssh/id-rsa root@academy.htb

[screenshot: changing to root user]