Academy
Synopsis
Academy is an easy difficulty Linux machine that features an Apache server hosting a PHP website. The website is found to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the Role ID, which allows us to access an admin portal. This reveals a vhost that is found to be running on Laravel. Laravel debug mode is enabled, and the exposed API key and vulnerable version of Laravel allow us to carry out a deserialization attack that results in Remote Code Execution. Examination of the Laravel .env file for another application reveals a password that is found to work for the cry0l1t3 user, who is a member of the adm group. This allows us to read system logs, and the TTY input audit logs reveal the password for the mrb3n user. mrb3n has been granted permission to execute composer as root using sudo, which we can leverage in order to escalate our privileges.

Reconnaissance
nmap:
As usual, start by scanning the open ports and running services with nmap:
nmap -sC -sV -oA nmap/academy 10.10.10.100

Add academy.htb to the /etc/hosts file:
echo "10.10.10.215 academy.htb" >> /etc/hosts
Then open the website in the browser.
Enumeration
Directory enumeration using dirsearch:
dirsearch -u http://academy.htb -x 403

First, let's register an account.

After a plain registration we are redirected to the login page, and after logging in to the home page where modules can be purchased. However, the directory /admin.php holds a separate login page, and the credentials of the account we just registered are not accepted there, because the application uses a role-based authorization mechanism.
Register again, entering a username and password, and intercept the request in Burp before submitting. We notice an HTTP POST parameter called roleid which is set to 0 by default.

Let's try setting it to another value to get a different role in the application.
Let's set it to 1 and send the request.

After registering an account with the different role id, let's go to the login page at /admin.php
and log in with the manipulated account.

And boom, we are admin now.
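To make the flaw concrete from the developer's side, here is an added example (not code from the box or from this writeup) modelling the registration handler: the vulnerable version copies roleid straight from the request, while the hardened one fixes the role server-side and exposes unexpected fields so they can be logged. The in-memory user store, the hashing helper and the role constants are assumptions.

```python
"""Added example, not code from the Academy box or this writeup's author: a minimal
model of a registration handler with the roleid flaw found above, beside a
hardened version. Field names (username, password, roleid) come from the
intercepted request; the in-memory user store and role constants are assumptions."""
import hashlib
import os

ROLE_USER = 0   # default roleid in the captured POST
ROLE_ADMIN = 1  # the value that unlocked /admin.php


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash (placeholder for whatever the real app uses)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def register_vulnerable(users: dict, form: dict) -> dict:
    """Trusts every field in the POST body, including roleid (mass assignment)."""
    user = {
        "username": form["username"],
        "password": hash_password(form["password"]),
        # Attacker-controlled: sending roleid=1 creates an admin account.
        "roleid": int(form.get("roleid", ROLE_USER)),
    }
    users[user["username"]] = user
    return user


def register_hardened(users: dict, form: dict) -> dict:
    """Copies only allow-listed fields; the role is fixed server-side."""
    user = {
        "username": form["username"],
        "password": hash_password(form["password"]),
        "roleid": ROLE_USER,  # promotion happens only through an admin action
    }
    users[user["username"]] = user
    return user


def tamper_indicators(form: dict, allowed=("username", "password")) -> set:
    """Fields the client sent that the form never defines; worth logging."""
    return set(form) - set(allowed)


def is_admin(user: dict) -> bool:
    return user["roleid"] == ROLE_ADMIN
```

A non-empty result from tamper_indicators on a registration request is a cheap detection signal for exactly the Burp manipulation shown above.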

In this table there is a virtual host, dev-staging-01.academy.htb.
Let's add it to the /etc/hosts file.

If we visit this virtual host in the browser we find that the page is using the Laravel framework with debug mode enabled, and the debug page leaks environment variables such as the API_KEY.


Gain an Initial Foothold
Searching for any Laravel exploits:
Using searchsploit we find a couple. Looking each of them up on Exploit-DB, we find that the token unserialize RCE exploit needs a valid API_KEY to work, which we have, and also requires debug mode to be enabled.

To exploit this vulnerability in Laravel we can use a GitHub exploit.
You will find the installation guide in this repository.
URL : http://dev-staging-01.academy.htb
API_KEY : dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

python3 pwn_laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -i


Lateral Movement -> cry0l1t3
Enumerating the box we find a hidden environment variable file in the website files, located at /var/www/html/academy/.env,
which contains cry0l1t3's password.


Now let's use this password to log in as cry0l1t3 (after testing this password against all users in /etc/passwd that have /bin/bash as their shell, we found that it is cry0l1t3's password).

Lateral Movement -> mrb3n
Let's see which groups this user belongs to.

Let's find all files and directories owned by the group "adm".

So the adm group owns a lot of log files, which means that all members of this group have the right to read them. Let's read those logs and see if anything interesting appears.
After reading the logs manually I couldn't find anything of interest, so I used a tool called aureport, which produces summary reports from the system's audit logs.
--tty : Report about tty keystrokes, which may include plaintext passwords

Now let's SSH in as the user mrb3n.

Privilege Escalation
Performing manual enumeration on the box, we find that the user mrb3n can run the composer command using sudo.

According to GTFOBins we can abuse the composer command to escalate privileges on the machine:

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x


Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara