HTB Academy [EN]
HTB Academy is an easy box, ideal for beginners.
A website runs on port 80, where we find a basic vulnerability in the registration form.
By changing the role id parameter during registration, we get access to the admin panel, which gives us more information.
From the admin panel, we find that there is a staging version of the website running on another virtual host.
On this virtual host we find that the site is running Laravel, and we also get its APP_KEY.
After some research, we find a Remote Code Execution (RCE) vulnerability in Laravel that is exploitable when the APP_KEY is known: the key is the secret the framework uses to encrypt and sign the data it later unserializes, so whoever holds it can forge a payload the application will execute. We use it to get a remote shell and find the first user's password in the .env file of the main domain.
We then see that the first user is a member of the adm group, which means he can read the logs in /var/log.
In one of the audit logs, we can grab the second user's password, stored in hex.
The second user is a sudoer and can run composer as root.
A quick search on GTFOBins gives us a way to get a root shell using composer.
Let's start with a quick nmap scan.
Two low-numbered ports are open. The SSH service requires credentials but accepts password authentication (no key is needed), so we will use it later to log in as the users once we have their passwords.
A web server is running on port 80; we first need to add the IP address of the box to the /etc/hosts file to reach the academy.htb website.
Once this is done, we can register a new user and log in to the web app; there is nothing interesting in the web app itself.
By looking in the usual paths, we find academy.htb/admin.php, but we don't have permission to access it.
Let's run the registration of a new user through Burp.
A roleid parameter is sent with the form and set to 0 by default. The server trusts this client-supplied value, so we set it to 1 and forward the request.
We can then log in with the new account and access the academy.htb/admin.php page.
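The bug behind the roleid trick is the server copying whatever fields the client sends into the new account (mass assignment), instead of assigning the role itself. The following Python model is an added example, not the box's own PHP code: the form field names other than roleid, the role numbers (0 for a user, 1 for an admin) and the admin.php check are assumptions.

```python
import hashlib
import os

ROLE_USER = 0   # assumed: the roleid the registration form sends by default
ROLE_ADMIN = 1  # assumed: the roleid that unlocks admin.php


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash, so the model stores no plaintext passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def register_vulnerable(form: dict) -> dict:
    """Mass assignment: the roleid field of the request is copied into the
    new account, so a client that adds roleid=1 registers an administrator."""
    return {
        "uid": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": int(form.get("roleid", ROLE_USER)),
    }


def register_hardened(form: dict) -> dict:
    """Only the fields self-service registration may set are read; the role
    is fixed server-side whatever the request contains, and the leftover
    fields are reported so the tampering attempt can be logged."""
    if form["password"] != form["confirm"]:
        raise ValueError("passwords do not match")
    ignored = sorted(set(form) - {"uid", "password", "confirm"})
    return {
        "uid": form["uid"],
        "password": hash_password(form["password"]),
        "roleid": ROLE_USER,
        "ignored_fields": ignored,   # e.g. ['roleid'] when someone edits the request
    }


def is_admin(account: dict) -> bool:
    """The gate admin.php applies before rendering (assumed)."""
    return account["roleid"] == ROLE_ADMIN


# Constructed request body, as it looks after editing roleid in Burp.
TAMPERED_FORM = {"uid": "attacker", "password": "P@ss1", "confirm": "P@ss1", "roleid": "1"}

if __name__ == "__main__":
    print("vulnerable grants admin:", is_admin(register_vulnerable(TAMPERED_FORM)))
    print("hardened grants admin:  ", is_admin(register_hardened(TAMPERED_FORM)))
```

The hardened handler does not try to validate roleid; it simply never reads it. Any privilege a self-service endpoint can grant must come from server-side logic, and unexpected fields in a registration request are worth logging as a tampering signal.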
There is a staging virtual host at dev-staging-01.academy.htb; let's add it to the /etc/hosts file and visit it.
We also note two strings, cry0l1t3 and mrb3n, which may be usernames; we keep them for later.
On the staging virtual host, we learn that the website is running Laravel, and the page leaks the APP_KEY of the staging site.
Let's run searchsploit for Laravel.
A Remote Command Execution exploit is listed, but I only found exploit code for Metasploit, so let's start the Metasploit framework console.
Here are the options for the Metasploit module; don't forget to set the VHOST and the APP_KEY.
After running the exploit, we have a shell as www-data.
We can navigate to the /var/www/html/academy folder.
In its .env file, we find a password (the DB_PASSWORD).
The password is reused: we can connect via ssh as cry0l1t3, one of the usernames found earlier, using this DB_PASSWORD.
The user cannot run sudo, but he is a member of the adm group, which gives him read access to the log files in /var/log.
After exploring the logs with grep for a while, we find an audit record of a user running the su command, with the typed input stored next to it as hex data.
Pasting that data into CyberChef (From Hex) shows it decodes to mrb3n_Ac@d3my!
We can then connect as mrb3n with the password mrb3n_Ac@d3my!
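Audit TTY records store the keystrokes of the logged session as hex in their data field, so the password typed at the su prompt lands in the log in the clear. The script below is an added example, not part of the original writeup: it does what the grep-and-CyberChef step does, over a few constructed records in auditd's TTY format (not the box's real log), keeping only the input captured while su owned the terminal. The log path and the exact field layout of the box's records are assumptions; on a real host, aureport --tty gives the same view.

```python
import re

# Constructed records in auditd TTY-logging style (not taken from the box).
# data= holds the raw bytes typed on the terminal, hex encoded; 0D is the
# carriage return sent by the Enter key.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1603000000.001:82): tty pid=2500 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="bash" data=6C73200D
type=TTY msg=audit(1603000000.002:83): tty pid=2501 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=TTY msg=audit(1603000000.003:84): tty pid=2502 uid=1002 auid=1002 ses=4 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210D
type=USER_AUTH msg=audit(1603000000.004:85): pid=2502 uid=1002 auid=1002 ses=4 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
"""

# comm= is the program that owned the tty when the bytes were read,
# data= is the hex-encoded input.
TTY_RE = re.compile(r'type=TTY .*?comm="(?P<comm>[^"]*)" data=(?P<hex>[0-9A-Fa-f]+)')


def decode_tty_record(line: str):
    """Return (comm, decoded_input) for a TTY record, or None for other lines."""
    m = TTY_RE.search(line)
    if m is None:
        return None
    raw = bytes.fromhex(m["hex"])
    # latin-1 maps every byte to a character, so control bytes never raise;
    # the trailing Enter is stripped because it is not part of the secret.
    return m["comm"], raw.decode("latin-1").rstrip("\r\n")


def find_su_passwords(log_text: str) -> list:
    """Input captured while `su` owned the terminal, i.e. what was typed at
    its Password: prompt. Other programs' keystrokes are ignored."""
    found = []
    for line in log_text.splitlines():
        rec = decode_tty_record(line)
        if rec and rec[0] == "su":
            found.append(rec[1])
    return found


if __name__ == "__main__":
    # On the box this would read the audit log itself, e.g.
    # open("/var/log/audit/audit.log") (path assumed).
    for candidate in find_su_passwords(SAMPLE_AUDIT_LOG):
        print("password typed at su prompt:", candidate)
```

The filter on comm="su" is what makes the output usable: the same log also records every other keystroke (here, ls and the su mrb3n command itself), and those are noise. The defensive lesson is the mirror image: TTY auditing captures passwords, so its records must be treated as secrets and not be readable by a broad group such as adm.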
The user mrb3n can run composer as root (as sudo -l shows), so let's look up this binary on GTFOBins.
GTFOBins' approach is to write a composer.json whose scripts section launches a shell and then run that script with sudo composer; running this command gives us a root shell and the flag.
If you have any questions regarding this box, don't hesitate to drop a comment below; I reply to all of them!