Academy is an easy-rated Linux machine from HackTheBox, created by egre55 and mrb3n. In the current post, my IP is 10.10.14.44, and the target IP is 10.129.167.56
This machine features an apache server hosting a PHP website. The website doesn't look special until you intercept the registration process, where you can change a obvious parameter to change your privileges to that account, then when you fuzz the website, you find an admin login url. In that URL there is an sub-domain with error logs from Laravel, revealing in the process the API_KEY used for an exploit for RCE. Inside the machine, there are a lot of techniques used to pivot between users and the change your user to root.
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
Local Terminal
$ ping -c 1 10.129.167.56
Pinging 10.129.167.56 with 32 bytes of data:
Reply from 10.129.167.56: bytes=32 time=141ms TTL=63
Reply from 10.129.167.56: bytes=32 time=173ms TTL=63
Reply from 10.129.167.56: bytes=32 time=142ms TTL=63
Reply from 10.129.167.56: bytes=32 time=144ms TTL=63
Ping statistics for 10.129.167.56:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 141ms, Maximum = 173ms, Average = 150ms
By the TTL, we can assume that is a Linux Machine.
Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.167.56 -oN Ports
Nmap scan report for 10.129.167.56
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2023-06-06 10:37:16 Pacific SA Standard Time for 16s
Not shown: 65283 closed tcp ports (reset), 249 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
33060/tcp open mysqlx syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
Raw packets sent: 76803 (3.379MB) | Rcvd: 74737 (2.990MB)
Local Terminal
$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target
Nmap scan report for 10.129.167.56
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=6/6%Time=647F44D8%P=i686-pc-windows-windows%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.95 seconds
If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.
Information that we have now: It's a website (port 80) that use Apache/2.4.41, with an open mysqlx (port 33060), there is no response for now.
Because of the following message "Did not follow redirect to http://academy.htb/" we have to add the IP to /etc/hosts/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://academy.htb/FUZZ.php
Total requests: 220546
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 76 L 131 W 2117 Ch "index"
000000039: 200 141 L 226 W 2627 Ch "login"
000000245: 200 141 L 227 W 2633 Ch "admin"
000000024: 302 1049 L 4114 W 55034 Ch "home"
000000051: 200 148 L 247 W 3003 Ch "register"
000001476: 200 0 L 0 W 0 Ch "config"
000045226: 403 9 L 28 W 276 Ch "http://academy.htb/.php"
Index.php: Nothing
login.php: useful after registration.
admin.php: Admin login panel, it could be useful.
home.php: Redirect to login.php
register.php: Registration form.
config.php: 403, Empty
Our alternatives now is to intercept the registration panel with burpsuite.
Exploitation
At the response, we can see that between the parameters, there is a "roleid", before we found an admin.php.
So, our best action is to change the roleid to 1 and create a new account.
Then, go to http://academy.htb/admin.php and login with the new user... after this, you will see the following thing:
The website shows a Laravel error, maybe it could be vulnerable to something, search it at exploit-db.com. I tried the CVE-2021-3129 but it doesn't work. And the CVE-2018-15133 requieres metasploit, but there are alternatives at github.
And you are in! Close the CVE Interactive Terminal and do a Bash Upgrade at the other terminal
User Pivoting [cry0l1t3]
Target Terminal [www-data]
www-data@academy:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@academy:/var/www/html$ ls -la
total 20
drwxr-xr-x 4 root root 4096 Aug 13 2020 .
drwxr-xr-x 3 root root 4096 Aug 7 2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13 2020 academy
drwxr-xr-x 12 root root 4096 Aug 13 2020 htb-academy-dev-01
-rw-r--r-- 1 www-data www-data 50 Aug 9 2020 index.php
# We are at -dev-, is a good idea to check the current working files at academy
www-data@academy:/var/www/html$ cd academy/
www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data 4096 Aug 13 2020 .
drwxr-xr-x 4 root root 4096 Aug 13 2020 ..
-rw-r--r-- 1 www-data www-data 706 Aug 13 2020 .env
-rw-r--r-- 1 www-data www-data 651 Feb 7 2018 .env.example
-rw-r--r-- 1 www-data www-data 111 Feb 7 2018 .gitattributes
-rw-r--r-- 1 www-data www-data 155 Feb 7 2018 .gitignore
drwxr-xr-x 6 www-data www-data 4096 Feb 7 2018 app
-rwxr-xr-x 1 www-data www-data 1686 Feb 7 2018 artisan
<...>
There is an interesting hidden file called .env, type cat .env
Usually the logs located at /var/log/audit/ are important, but they have a LOT of information, a good alternative is to use "grep" to find relevant data.
Target Terminal [cry0l1t3]
$ cd /var/log/audit/
# Remember that our current uid is 1002, so we need another one.
$ grep -r "uid=1001" | grep "cmd"
audit.log:type=USER_CMD msg=audit(1612880564.224:115): pid=1336 uid=1001 auid=1001 ses=1 msg='cwd="/home/mrb3n" cmd=636F6D706F736572202D2D776F726B696E672D6469723D2F746D702F746D702E6F4A4833443269514D322072756E2D7363726970742078 terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880564.412:119): pid=1353 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=7375646F202D4B terminal=tty1 res=success'
audit.log:type=USER_CMD msg=audit(1612880607.016:128): pid=1788 uid=0 auid=1001 ses=1 msg='cwd="/tmp/tmp.oJH3D2iQM2" cmd=2F7573722F62696E2F656469746F72202D2D202F terminal=tty1 res=success'
<...>
# From here, we want:
# 2F7573722F62696E2F656469746F72202D2D202F
# Between "cmd=" and "terminal=
From here, we want a hash like "2F7573722F62696E2F656469746F72202D2D202F" between cmd= and Terminal=, to apply xxd -ps -r
exithistory
mrb3n_Ac@d3my!
su mrb3n
whoami
cat dat
<...>
Target Terminal [cry0l1t3]
su mrb3n # Password: mrb3n_Ac@d3my!
Privileges Escalation
Target Terminal [mrb3n]
$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composer
At GTFOBin there is a way to escalate privileges with sudo using composer
